Amazon RDS hostname/IP question

[jamesmacwhite]

At my company it would appear we are blocking outbound connections on TCP 3306 so I am unable to connect to the RDS database through clients like Datagrip and MySQL Workbench. I assume it is our corporate firewall, which I can request an change by adding in an exception rule or allowlist.

I just wanted to confirm regarding the RDS infrastructure, the hostname provided I assume is not a specific RDS instance for just the project and in fact shared across many (looks like a cluster?), is the IP behind the hostname we have been given static or possibe to change?

I'm asking as I'd imagine we will get push back on just opening any external connections to TCP 3306, if however an allowlist of RDS IP ranges is possible, that would likely provide the balance of security, while allowing me to connect to the RDS instance on our network.

I'm aware there are published IP ranges which for us would be eu-central-1: https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-work-with.html#filter-ip-ranges-region but I just wanted to check the specifics before I made the request internally.

[jamesmacwhite]

Looking through things would appear I would need to allow all the EC2 based IP ranges in eu-central-1 to future proof the cluster IP possibly changing. There is no specific RDS service in the ip-ranges.json but based on other sources, it suggests RDS is running on EC2 anyway, so it would be those IP ranges required.

If I'm on the right track or it can be handled differently, do let me know!

[jasonmccallister]

Hi @jamesmacwhite, I'm usually writing the security groups for the other direction ;) but I believe that RDS IP's won't change but there is no guarantee. I'm not sure if the EC2 IP's will align with the RDS IP's but I can test tomorrow to see if that will work.

In the meantime, you should be able to get the IP for the instance using nslookup <rds-hostname> and pass that to your security team.

I'll make sure we update you with what we find.

[jamesmacwhite]

Hi @jasonmccallister. Yes, a bit of the reverse! I need to double check tomorrow when I am on my company's network, but I believe I was getting timeouts due to 3306 being blocked, but it was a Friday, so I could have been having a brain failure. I am pre-empting that the IP could change, so putting in a firewall rule that can potentially handle that scenario is what I'm looking to do.

I don't know if we can do DNS based firewall rules, if so, the hostname would be simpler.

If you find out anything more specific please let me know!

[jasonmccallister]

Alright, I just confirmed this... so I can officially say today I learned ;)

I checked an existing database CNAME => IP address using nslookup against that list and the EC2 IP ranges (this case specifically the 52.12.0.0/15 subnet) and it does indeed line up with the RDS instance. So these should be good to use for your firewall.

Here is the exact command I used (our North America region):

jq -r '.prefixes[] | select(.region=="us-west-2") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json

[jamesmacwhite]

Thanks for confirming @jasonmccallister, that is good the EC2 ranges align, so we can implement a stricter firewall rule to allow outbound without it being for all.

[jamesmacwhite]

Turn out we could do a DNS based rule, so no jq parsing for AWS EC2 ranges, however I do appreciate the insight to note for the future!