
Connect to private Amazon RDS without EC2

I see a lot of articles online where EC2 is involved, but since my backend is essentially serverless I have not found much information on how to access my RDS once it is turned private. Can anyone point me in the right direction?

Current state:

  • Public MySQL RDS
  • RDS is accessed by a MySQL client on my local machine (MySQL Workbench) and AWS Lambda functions via my web application (both connecting via SSL)

Future state:

  • Private MySQL RDS
  • Private RDS would continue to be accessed by only my local machine and only the noted AWS Lambda functions via my web application (I assume continuing to use SSL?)

In your scenario your Lambda functions will need to be configured to run in the VPC if they are not already. That is the only change required for the Lambda functions.

However, when you switch the RDS instance to private, that means it only accepts connections from within the VPC. So you can't make connections directly from your local computer to the database anymore. You have to go through some sort of "bridge" to get your local computer into the AWS VPC network.

In this scenario people either use an EC2 instance as a bastion host, or they create a VPN connection from their local computer into the AWS VPC. AWS Client VPN is a managed service you could use for this.

You'll need to evaluate the Client VPN pricing, but I think you may find that a single t4g.nano EC2 bastion host is probably cheaper, and you can also stop the instance when you don't need it to really cut down the cost.

You can use VPC also with Lambda. Lambda and RDS can be in the same VPC, or in separate VPCs peered together. AWS documentation for this scenario can be found here: https://aws.amazon.com/premiumsupport/knowledge-center/connect-lambda-to-an-rds-instance/

You can use Basti, which is a CLI tool that manages the EC2 bastion instance for you. The tool keeps the instance stopped when it's not used to minimize the solution cost, performs software updates to maintain the bastion instance secure, and provides a convenient CLI that can be used locally and in CI/CD pipelines.
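
A check for the target state discussed in the answers above, added here as an example and not part of the original posts: it audits that the database is no longer public and that its port is open only to the Lambda and bastion security groups. It assumes access is restricted by security-group references; the function names and the IDs `sg-db`, `sg-lambda` and `sg-bastion` are constructed, and the input mirrors the JSON of `aws rds describe-db-instances` and `aws ec2 describe-security-groups`.

```python
"""Audit that a private RDS instance accepts its port only from allowed security groups.
Input shapes follow `aws rds describe-db-instances` and `aws ec2 describe-security-groups`.
"""
def port_in_rule(rule, port):
    # IpProtocol "-1" means all protocols and ports; such rules carry no FromPort/ToPort.
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit(db, groups, allowed_sources):
    """Return a list of findings; an empty list means the private setup holds."""
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("instance is still PubliclyAccessible")
    port = db["Endpoint"]["Port"]
    by_id = {g["GroupId"]: g for g in groups}
    for ref in db.get("VpcSecurityGroups", []):
        sg_id = ref["VpcSecurityGroupId"]
        sg = by_id.get(sg_id)
        if sg is None:
            findings.append(f"{sg_id}: rules not supplied, cannot audit")
            continue
        for rule in sg.get("IpPermissions", []):
            if not port_in_rule(rule, port):
                continue
            # Any CIDR rule on the DB port is flagged: intended clients are named by group.
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                findings.append(f"{sg_id}: CIDR {cidr} allowed on port {port}")
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_sources:
                    findings.append(f"{sg_id}: unexpected source group {pair['GroupId']}")
    return findings

# Constructed sample: sg-db is attached to the database; the second rule is a leftover.
SAMPLE_DB = {"PubliclyAccessible": False, "Endpoint": {"Port": 3306},
             "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}]}
SAMPLE_GROUPS = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-lambda"}, {"GroupId": "sg-bastion"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]}]

if __name__ == "__main__":
    for line in audit(SAMPLE_DB, SAMPLE_GROUPS, {"sg-lambda", "sg-bastion"}):
        print(line)
```

The sample deliberately keeps an all-protocol rule open to `0.0.0.0/0`, the kind of leftover from the public setup that a check limited to TCP 3306 rules would miss.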
