
I have a MySQL database on a dedicated server, that I want to replicate to Amazon RDS to always have an up-to-date backup.

For this, Amazon RDS needs to be able to connect to my master MySQL server.

I do not want to open the MySQL port 3306 to the entire world, as even though MySQL has its own permissions, I consider it an extra security risk if a security issue gets discovered in MySQL.

So I want to add a rule to iptables to allow all connections from *.rds.amazonaws.com. But as far as I understand it, even though iptables allows a host name to be specified instead of an IP address, it's resolved when the rule is created, not when the packet is checked.

And because of the way RDS is designed, the IP address behind an RDS instance's host name might change during its lifetime, so this is not a good solution.

What alternatives do I have to only open my MySQL server to RDS?

  • Did you ever get anywhere with this, other than relying upon mysql's authentication? Thanks. Commented Apr 24, 2017 at 16:38
  • Yes, I ended up adding the full RDS host name to the iptables rule. The only drawback is that whenever the host name changes, you need to update the iptables rule. A good thing to do is to set up a replication event subscription on RDS to get updated by email if for any reason RDS cannot connect to your master. Commented Apr 25, 2017 at 6:24
  • Thanks for getting back to me. And good tip about the changing host name. Hopefully won't be an issue for us as we're replicating in order to migrate our DB to RDS (away from a bare-metal server), and this should happen before a hostname change. Commented Apr 25, 2017 at 8:13
  • I have a very similar problem. I run two AWS RDS MySQL servers, where one is master and the other is slave. However, they are on different user accounts, and neither of us belong to any organization, so the instances can't be placed in the same security group. Commented Nov 11, 2019 at 17:53
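The caveat raised in the question (iptables resolves a host name once, when the rule is created) is usually handled by re-resolving the name on a schedule and rewriting a dedicated chain only when the answer changes. The script below is an added example, not code from the question or its comments; the endpoint name is a placeholder, the chain name RDS_REPL and its jump from INPUT are assumptions, and it runs as root with `--apply` from cron.

```shell
#!/bin/sh
# Added example: keep an iptables allow-rule in sync with the current address
# of an RDS endpoint. iptables resolves a host name once, at rule creation,
# so this re-resolves the name and adds/deletes rules in a dedicated chain.
#
# Assumptions (placeholders, not from the original page): RDS_HOST is the
# replica endpoint; the chain RDS_REPL is jumped to from INPUT; iptables and
# getent are available; run as root with --apply, e.g. every 5 minutes.

RDS_HOST="${RDS_HOST:-PLACEHOLDER.rds.amazonaws.com}"   # replace with the real endpoint
MYSQL_PORT="${MYSQL_PORT:-3306}"
CHAIN="${CHAIN:-RDS_REPL}"

# IPv4 addresses the endpoint currently resolves to, one per line, sorted.
resolve_host() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Addresses currently allowed by the chain (reads "-s a.b.c.d/32" from iptables -S).
current_allowed() {
    iptables -S "$CHAIN" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }' \
        | sed 's#/32$##' | sort -u
}

# Pure function: given the wanted and the present address lists (newline
# separated), print "add <ip>" / "del <ip>" lines; prints nothing when in sync.
plan_changes() {
    wanted=$1
    have=$2
    for ip in $wanted; do
        printf '%s\n' "$have" | grep -qxF -- "$ip" || echo "add $ip"
    done
    for ip in $have; do
        printf '%s\n' "$wanted" | grep -qxF -- "$ip" || echo "del $ip"
    done
}

# Apply one plan line with iptables (only reached via --apply).
apply_line() {
    case "$1" in
        add*) iptables -A "$CHAIN" -p tcp --dport "$MYSQL_PORT" -s "${1#add }" -j ACCEPT ;;
        del*) iptables -D "$CHAIN" -p tcp --dport "$MYSQL_PORT" -s "${1#del }" -j ACCEPT ;;
    esac
}

sync_rules() {
    wanted=$(resolve_host "$RDS_HOST")
    if [ -z "$wanted" ]; then
        # A failed lookup must not wipe the rules: keep the last known addresses.
        echo "DNS lookup for $RDS_HOST failed; leaving chain $CHAIN unchanged" >&2
        return 1
    fi
    iptables -N "$CHAIN" 2>/dev/null || true
    plan_changes "$wanted" "$(current_allowed)" | while IFS= read -r line; do
        echo "$line" >&2
        apply_line "$line"
    done
}

if [ "${1:-}" = "--apply" ]; then
    sync_rules
fi
```

Wire the chain in once with `iptables -I INPUT -p tcp --dport 3306 -j RDS_REPL` followed by a rule that drops other traffic to 3306, then schedule the script from cron. Between a change of the endpoint's address (for example after a Multi-AZ failover) and the next run, the replica cannot connect, which is why the event subscription mentioned in the comments is worth having in addition; and because the firewall rule is only as current as the last lookup, MySQL's own per-host account restrictions stay in place as the second layer.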

2 Answers


Here is a link to a Unix & Linux Stack Exchange question: UFW: Allow traffic only from a domain with dynamic IP address

TCP/IP-level blocking might not work well with a dynamic IP address. Although the accepted answer mentions a script, it might be error-prone. AWS does post a list of IP ranges, but this can change over time.

Unfortunately, your best option may be user authentication in MySQL. You can limit privileges by user AND hostname: Specifying Account Names.
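Limiting a MySQL account by user and host is the part of this answer most people get wrong: MySQL matches the host part of an account against the reverse-DNS name of the connecting IP, and only accepts that name if it resolves back to the same IP, so the pattern has to match what the replica's address is actually seen as, not the endpoint name typed into RDS. The script below is an added example, not code from the answer; the account name, host pattern and replica IP are placeholders, and it assumes an admin login for the mysql client via ~/.my.cnf and that skip_name_resolve is not set.

```shell
#!/bin/sh
# Added example: create a least-privilege replication account restricted to a
# host pattern, and check beforehand how MySQL will see the replica's address.
#
# Assumptions (placeholders, not from the original page): account 'repl',
# ACCOUNT_HOST pattern, the replica IP passed to preflight; the mysql client
# authenticates as an admin via ~/.my.cnf; skip_name_resolve is NOT set
# (with it set, MySQL never matches host names, only IP addresses).

ACCOUNT_HOST="${ACCOUNT_HOST:-%.rds.amazonaws.com}"

# SQL for a replication-only user bound to ACCOUNT_HOST and required to use TLS
# (MySQL 5.7+ syntax; the binlog stream crosses the public internet here).
replication_account_sql() {
    user=$1; host=$2; password=$3
    cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$password' REQUIRE SSL;
GRANT REPLICATION SLAVE ON *.* TO '$user'@'$host';
EOF
}

# Pure function: does a host name match a MySQL account host pattern?
# MySQL's '%' matches any run of characters and '_' exactly one; translate to
# a shell case() glob. Returns 0 on match, 1 otherwise.
host_matches_pattern() {
    name=$1
    glob=$(printf '%s' "$2" | sed 's/\*/\\*/g; s/?/\\?/g; s/%/*/g; s/_/?/g')
    case "$name" in
        $glob) return 0 ;;
        *)     return 1 ;;
    esac
}

# What MySQL will see for a connecting IP: its PTR name, accepted only if that
# name resolves back to the same IP (forward-confirmed). Prints the name, or
# the bare IP when there is no usable reverse DNS.
mysql_view_of_ip() {
    ip=$1
    name=$(getent hosts "$ip" | awk '{ print $2; exit }')
    if [ -n "$name" ] && getent ahostsv4 "$name" | awk '{ print $1 }' | grep -qxF -- "$ip"; then
        echo "$name"
    else
        echo "$ip"
    fi
}

# Run before creating the account: warns when the pattern would never match.
preflight() {
    seen=$(mysql_view_of_ip "$1")
    if host_matches_pattern "$seen" "$ACCOUNT_HOST"; then
        echo "ok: $1 is seen as $seen, matches '$ACCOUNT_HOST'"
    else
        echo "warning: $1 is seen as $seen, which does NOT match '$ACCOUNT_HOST'" >&2
        return 1
    fi
}

if [ "${1:-}" = "--create" ]; then
    replication_account_sql repl "$ACCOUNT_HOST" "$2" | mysql
fi
```

Run `preflight <replica-ip>` first: if the address is seen as a bare IP or as a name under a different domain, a `%.rds.amazonaws.com` pattern silently rejects every connection and the only working host part is the IP itself, which brings back the changing-address problem from the question. Either way the account carries only REPLICATION SLAVE, so a compromised replica credential cannot read or modify table data on the master.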


I believe the most correct course of action would be to use a VPC Security Group. You can write a security group to only allow TCP traffic on port 3306 from other instances that have that security group:

[screenshot: security group inbound rule for TCP port 3306 with the same security group as source]

If you have an instance that you actually want to be reached publicly, then add another security group that lists "0.0.0.0/0" as the source for port 3306. That way, both rules will overlap.

  • Unfortunately, the dedicated server hosting the MySQL database is not on EC2! Commented Dec 5, 2015 at 18:00
  • Oh, that's interesting. Are you saying that you have a dedicated instance through AWS? If that is the case, is the host even in a VPC subnet? Commented Dec 5, 2015 at 18:06
  • No, I mean that I have a bare-metal server somewhere else, and I'm just using RDS as a replication slave for real-time backup. Commented Dec 5, 2015 at 18:14
