
VPN appliance in AWS VPC

I have a VPC on AWS with a public and a private subnet. I've deployed an OpenVPN appliance instance in the public subnet to access my EC2 nodes in the private subnet. As expected, with the VPN I can access (for example, SSH into) any EC2 node that I manually create in the private subnet. But I can't access services (for example Elasticsearch or RDS Postgres) that AWS creates in the same private subnet. (I did make sure all security groups are properly configured on the Postgres and RDS.) What am I missing?

I use a similar setup when connecting to my private RDS instances via VPN. I apologize that I cannot comment, since this account is new and I do not have the reputation, so I will have to make assumptions.

Your security groups need to be VPC security groups, not EC2 security groups (if they are not already).

VPC SG 1 (EC2 Bridge): This group is assigned to your OpenVPN server and allows traffic on your Postgres port and private IP CIDR.

Here is an example of mine for MSSQL and MySQL (I have multiple tunnels):

[image: enter image description here]

VPC SG 2 (Dev RDS Bridge): This has to allow traffic from VPC SG 1.

Here is an example group I just made for Aurora MySQL:

[image: enter image description here]

Finally, assign VPC SG 2 to your RDS Instance:

[image: enter image description here]

Now you should be able to talk to your RDS over your VPN connection while the RDS remains closed to the public. The process is similar for other AWS private resources.

Let me know if I wrongly assumed anything or can help more.
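The two-group pattern in the answer above (SG 1 on the OpenVPN server, SG 2 on the RDS instance, with SG 2 admitting traffic only from SG 1) can be audited from `aws ec2 describe-security-groups` output. The following is an added example, not code from the original post or from AWS; the group IDs, VPC CIDR and sample rules are constructed placeholders, and the check flags any CIDR-based ingress on the database port, which is the configuration the answer is trying to avoid.

```python
"""Audit the two-security-group pattern (SG 1 on the OpenVPN server,
SG 2 on the RDS instance) over describe-security-groups-style data.
Group IDs, CIDR and port below are constructed placeholders."""
DB_PORT = 5432                 # Postgres, as in the question
PRIVATE_CIDR = "10.0.0.0/16"   # assumed VPC CIDR (constructed)

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = [
    {"GroupId": "sg-vpnbridge", "GroupName": "ec2-bridge", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
                              "IpRanges": [{"CidrIp": PRIVATE_CIDR}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-rdsbridge", "GroupName": "dev-rds-bridge",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-vpnbridge"}]}],
     "IpPermissionsEgress": []},
]

def _covers_port(perm, port):
    """True if an IpPermissions entry matches TCP traffic on `port`."""
    if perm["IpProtocol"] == "-1":          # all protocols/ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def _group(groups, group_id):
    return next(g for g in groups if g["GroupId"] == group_id)

def audit_db_ingress(groups, db_sg_id, vpn_sg_id, port):
    """Findings for the DB group's ingress on `port`; empty means the port is
    reachable only from the VPN group (no CIDR ranges, no other groups)."""
    findings, from_vpn = [], False
    for perm in _group(groups, db_sg_id)["IpPermissions"]:
        if not _covers_port(perm, port):
            continue
        for r in perm["IpRanges"]:
            findings.append(f"port {port} open to CIDR {r['CidrIp']}")
        for pair in perm["UserIdGroupPairs"]:
            if pair["GroupId"] == vpn_sg_id:
                from_vpn = True
            else:
                findings.append(f"port {port} open to unexpected group {pair['GroupId']}")
    if not from_vpn:
        findings.append(f"port {port} not reachable from VPN group {vpn_sg_id}")
    return findings

def vpn_egress_reaches_db(groups, vpn_sg_id, port, cidr):
    """True if the VPN group's egress allows TCP `port` to `cidr` (or everywhere)."""
    for perm in _group(groups, vpn_sg_id)["IpPermissionsEgress"]:
        if _covers_port(perm, port) and any(r["CidrIp"] in (cidr, "0.0.0.0/0") for r in perm["IpRanges"]):
            return True
    return False
```

Feed the real `SecurityGroups` list from the CLI's JSON output in place of the constructed sample to check a live VPC.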

