AWS Best Practice: Securely Connecting EC2 to RDS with Security Group Referencing



Hello everyone!

When connecting an EC2 application to an RDS database in AWS, two common shortcuts are insecure: setting the database's "Public access" to Yes, or opening the database port to a wide IP range (in the worst case 0.0.0.0/0). Even a narrow IP-based rule is fragile: the instance's private IP changes when the instance is replaced, so the rule either silently stops matching your server or keeps matching whatever gets that IP next.

The professional-grade solution is Security Group Referencing inside a custom VPC: the database's security group admits traffic from another security group, not from an IP address, so the rule follows your server no matter which private IP it has.

In this article, I'll walk you through the exact, secure architecture we just built.

Our Architecture:

  1. The Foundation (VPC): A custom private network named my-first-vpc.

  2. The Application (EC2): An EC2 instance launched with its own Security Group, my-server-sg, inside my-first-vpc.

  3. The Database (RDS): An RDS instance launched with its own separate Security Group, rds-sg, also inside my-first-vpc.

  4. The Secure Connection: We tell rds-sg, "You are only allowed to accept traffic that comes from my-server-sg."


Step 1: Launch the EC2 Instance & its Security Group

First, let's set up our application server.

  1. Go to the EC2 service in the AWS Console -> "Launch instances".

  2. In the Network settings section, for VPC, select your custom VPC: my-first-vpc.

  3. Subnet: Choose a subnet to place your EC2 instance in (e.g., my-private-app-subnet).

  4. Firewall (security groups): Select "Create security group".

    • Security group name: my-server-sg (This is the "badge" for our EC2).

    • Description: SG for my application server.

    • Inbound rules: Add an SSH (Port 22) rule with the source My IP so you can connect to the server for maintenance. Note that if you placed the instance in a private subnet (no public IP, no route to an internet gateway), this rule alone will not get you in; in that case use AWS Systems Manager Session Manager or a bastion host, and you can leave port 22 closed entirely.

  5. Launch the instance.

Now, our EC2 instance exists in my-first-vpc, identified by the my-server-sg group.


Step 2: Create a Separate Security Group for RDS

Now, let's create the "gatekeeper" for our database.

  1. Go to the VPC service in the AWS Console.

  2. On the left menu, select "Security Groups" -> "Create security group".

  3. Security group name: rds-sg

  4. Description: SG for the main RDS instance

  5. VPC: You must select the exact same VPC: my-first-vpc.

  6. Click "Create security group".


Step 3: Add the "Magic" Inbound Rule

This is the most important part. We will now teach rds-sg to trust my-server-sg.

  1. Find the rds-sg you just created, go to the "Inbound rules" tab -> "Edit inbound rules".

  2. Click "Add rule".

    • Type: Select MySQL/Aurora (Port 3306). The port must match the engine you pick in Step 4; for PostgreSQL choose the PostgreSQL type (Port 5432) instead.

    • Source: Choose Custom. In the search box that appears, start typing and select my-server-sg. What the rule actually stores is that group's Security Group ID (sg-...), not a name or an IP.

  3. Click "Save rules".

Now, rds-sg opens Port 3306 only to traffic whose source network interface is a member of my-server-sg (the "badge"). Two things to keep in mind: the rule matches on group membership, so it keeps working when the instance's private IP changes, and it only matches traffic arriving over private IPs within the same VPC (or a VPC peered in the same region). Traffic that leaves through a NAT gateway or public IP loses the group association and will not match.


Step 4: Create the RDS Instance

Finally, let's build the database.

  1. Go to the RDS service -> "Create database".

  2. Choose your engine, templates, etc.

  3. When you get to the Connectivity section:

    • Virtual private cloud (VPC): Select my-first-vpc.

    • Public access: Set to No. (This is critical! The database gets no public IP and cannot be reached from the internet.) Also point the DB subnet group at private subnets, so the endpoint sits on no internet-routable path even if someone later flips this setting.

    • VPC security group (firewall): Select "Choose existing".

    • In the list, remove the default SG (click the 'x') and select your rds-sg. Leaving the VPC's default group attached would also admit anything else in the VPC that carries the default group, because that group's built-in rule allows all traffic from itself.

  4. Click "Create database".
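The same four steps as code, using boto3 instead of the console. This is an added example, not the article's own code; the VPC, subnet, AMI and admin-CIDR values are placeholders you replace with your own, the DB subnet group needs subnets in at least two Availability Zones, and the provisioning function assumes boto3 is installed and AWS credentials are available in the usual way. The two rule builders show the actual API difference between a CIDR rule and a security-group reference.

```python
"""Provision the my-first-vpc pattern with boto3 (added example, not the article's code).

Assumed placeholder values: VPC_ID, APP_SUBNET_ID, DB_SUBNET_IDS, AMI_ID and ADMIN_CIDR
below are not real resources; replace them with your own before running provision().
"""
from __future__ import annotations

try:
    import boto3  # only provision() needs the SDK; the rule builders run without it
except ImportError:
    boto3 = None

DB_PORT = 3306  # MySQL/Aurora; use 5432 for PostgreSQL

# Placeholders (assumptions, not real identifiers).
VPC_ID = "vpc-0123456789abcdef0"
APP_SUBNET_ID = "subnet-0123456789abcdef1"
DB_SUBNET_IDS = ["subnet-0123456789abcdef2", "subnet-0123456789abcdef3"]  # two AZs
AMI_ID = "ami-0123456789abcdef0"
ADMIN_CIDR = "203.0.113.10/32"  # "My IP" from the console, as a /32


def sg_reference_ingress(port: int, source_sg_id: str) -> dict:
    """Inbound rule whose source is another security group, not a CIDR.

    This is the Step 3 rule: UserIdGroupPairs makes it match any network
    interface that carries source_sg_id, whatever private IP it has.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id, "Description": "app servers only"}],
    }


def cidr_ingress(port: int, cidr: str, description: str) -> dict:
    """Inbound rule keyed on an IP range; used here only for admin SSH to the app server."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": cidr, "Description": description}],
    }


def provision(vpc_id: str, app_subnet_id: str, db_subnet_ids: list[str],
              ami_id: str, admin_cidr: str, region: str = "eu-west-1") -> dict:
    """Create my-server-sg, the EC2 instance, rds-sg, the reference rule and the DB."""
    ec2 = boto3.client("ec2", region_name=region)
    rds = boto3.client("rds", region_name=region)

    # Step 1: the application server's own security group and the instance.
    server_sg = ec2.create_security_group(
        GroupName="my-server-sg", Description="SG for my application server", VpcId=vpc_id,
    )["GroupId"]
    ec2.authorize_security_group_ingress(
        GroupId=server_sg, IpPermissions=[cidr_ingress(22, admin_cidr, "admin SSH")],
    )
    instance_id = ec2.run_instances(
        ImageId=ami_id, InstanceType="t3.micro", MinCount=1, MaxCount=1,
        SubnetId=app_subnet_id, SecurityGroupIds=[server_sg],
    )["Instances"][0]["InstanceId"]

    # Step 2: a separate group for the database, in the same VPC.
    rds_sg = ec2.create_security_group(
        GroupName="rds-sg", Description="SG for the main RDS instance", VpcId=vpc_id,
    )["GroupId"]

    # Step 3: rds-sg trusts my-server-sg on the database port only.
    ec2.authorize_security_group_ingress(
        GroupId=rds_sg, IpPermissions=[sg_reference_ingress(DB_PORT, server_sg)],
    )

    # Step 4: private subnets, no public access, only rds-sg attached (no default SG).
    rds.create_db_subnet_group(
        DBSubnetGroupName="my-first-vpc-db-subnets",
        DBSubnetGroupDescription="private subnets for RDS",
        SubnetIds=db_subnet_ids,
    )
    rds.create_db_instance(
        DBInstanceIdentifier="my-first-db",
        Engine="mysql",
        DBInstanceClass="db.t3.micro",
        AllocatedStorage=20,
        MasterUsername="admin",
        ManageMasterUserPassword=True,  # RDS generates the password into Secrets Manager
        DBSubnetGroupName="my-first-vpc-db-subnets",
        VpcSecurityGroupIds=[rds_sg],
        PubliclyAccessible=False,
        StorageEncrypted=True,
    )
    return {"server_sg": server_sg, "rds_sg": rds_sg, "instance_id": instance_id}


if __name__ == "__main__":
    print(provision(VPC_ID, APP_SUBNET_ID, DB_SUBNET_IDS, AMI_ID, ADMIN_CIDR))
```

Compare the two builders: the SSH rule carries IpRanges, the database rule carries UserIdGroupPairs and no IP range at all. If you ever see an IpRanges entry on rds-sg, something has drifted from this design.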

The Final Result (What We Built)

You have successfully built:

  • An EC2 instance (protected by my-server-sg).

  • An RDS database (protected by rds-sg).

  • ...all living inside the same private my-first-vpc network.

rds-sg trusts only my-server-sg, so the database accepts connections from resources carrying that group and nothing else: not from the internet, not from other instances in the VPC, and not from an IP address that used to belong to your server. The connection happens over private IPs within AWS and never touches the public internet.
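A way to verify that claim rather than trust it: audit the group's inbound rules and flag anything that is not "TCP on the database port, sourced from my-server-sg". This is an added example, not from the article; the describe-security-groups responses below are constructed, with made-up group IDs, and in practice you would feed the function the output of aws ec2 describe-security-groups --group-ids <rds-sg-id> (or boto3's describe_security_groups). It also covers the drift cases the console makes easy to introduce: a "temporary" 0.0.0.0/0 rule, trusting the VPC default group, and an all-traffic rule.

```python
"""Audit an RDS security group for the SG-referencing pattern (added example).

Input is the JSON/dict shape returned by EC2 DescribeSecurityGroups. All IDs and
responses below are constructed for the example, not real resources.
"""
from __future__ import annotations

APP_SG = "sg-0a1b2c3d4e5f60001"  # my-server-sg (constructed ID)


def audit_db_sg(response: dict, allowed_source_sg: str, db_port: int) -> list[str]:
    """Return a list of findings; an empty list means the group matches the design.

    Policy: every inbound rule must be tcp/db_port and its only source must be
    the application server's security group. Any CIDR, IPv6 range, prefix list
    or other group is a finding, as is a group with no inbound rule at all.
    """
    findings: list[str] = []
    for group in response.get("SecurityGroups", []):
        gid = group["GroupId"]
        perms = group.get("IpPermissions", [])
        if not perms:
            findings.append(f"{gid}: no inbound rules; the application cannot reach the DB")
        for perm in perms:
            proto = perm.get("IpProtocol")          # "-1" means all traffic, no ports
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto != "tcp" or (lo, hi) != (db_port, db_port):
                findings.append(f"{gid}: rule {proto} {lo}-{hi} is not tcp/{db_port} only")
            for r in perm.get("IpRanges", []):
                findings.append(f"{gid}: CIDR source {r['CidrIp']} instead of a group reference")
            for r in perm.get("Ipv6Ranges", []):
                findings.append(f"{gid}: IPv6 source {r['CidrIpv6']} instead of a group reference")
            for r in perm.get("PrefixListIds", []):
                findings.append(f"{gid}: prefix list source {r['PrefixListId']}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != allowed_source_sg:
                    findings.append(f"{gid}: trusts unexpected group {pair.get('GroupId')}")
    return findings


# Constructed response for a correctly built rds-sg: one rule, tcp/3306, source my-server-sg.
GOOD_RDS_SG = {
    "SecurityGroups": [{
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "rds-sg",
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": APP_SG, "UserId": "123456789012"}],
        }],
    }]
}

# Constructed response for a group that drifted: a 0.0.0.0/0 rule added for
# "troubleshooting", the VPC default group trusted, and an all-traffic rule.
BAD_RDS_SG = {
    "SecurityGroups": [{
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "GroupName": "rds-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0defau1t0000000000", "UserId": "123456789012"}]},
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
             "UserIdGroupPairs": [{"GroupId": APP_SG, "UserId": "123456789012"}]},
        ],
    }]
}


if __name__ == "__main__":
    for name, resp in (("good", GOOD_RDS_SG), ("bad", BAD_RDS_SG)):
        print(name, audit_db_sg(resp, APP_SG, 3306) or "OK")
```

The good group yields no findings; the drifted one yields three (the open CIDR, the unexpected group, and the all-traffic rule). Running this on a schedule, or as a check in the pipeline that deploys your infrastructure, catches the "temporary" console edit before it becomes permanent.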

This is the recommended network baseline for applications on AWS. Keep in mind that it controls which resources can reach the database port, not who may log in: you still need strong database credentials (ideally managed in Secrets Manager or via IAM database authentication) and TLS on the connection itself.

