UPDATE – DECEMBER 2014:
This post is now out-of-date, and no longer follows best practices. The recommended solution is to keep your RDS instance private, and not enable public access. Ideally, you should only be connecting to your RDS instance via a secure bastion/jump host, or via a VPN connection into your VPC.
Need assistance setting up a secure and private RDS instance? Contact us today!
NOTE AUGUST 2013 – NEW SOLUTION:
The old solution listed down below is no longer valid. Amazon has made significant VPC networking changes over the past year, changes which no longer allow you to manually associate an Elastic IP to a the network device of an RDS instance in a VPC.
Instead, new Amazon instances now have a “Publicly Accessible” option for new instances during the RDS creation process.
If you require external access to an existing RDS Instance in a VPC, your only option is to take a snapshot of your current RDS instance, and then launch a new one from that snapshot while ticking the “Publicly Accessible” option when you launch it.
A client brought up an interesting issue today: they were trying to connect to an RDS instance they had launched in VPC, and were unable to connect via the instance’s endpoint address. They had opened up all of the necessary ports in the VPC security group to allow external access to the instance, but they still couldn’t connect to the SQL port.
After thinking it over for a few minutes, I suddenly realized what the issue was: even though the instance’s endpoint address is a standard public domain name( (e.g. rdsname.blahblah.us-east-1.rds.amazonaws.com), the endpoint was being mapped to the instance’s private IP address (e.g. 10.0.0.x).
So what’s the solution? Turns out you can associate an Elastic IP address to an RDS instance, but the process isn’t obvious. The steps are:
1) In the EC2 Management Console, go to Network Interfaces in the left-hand column (last option)
2) Find the network interface of your RDS instance (it will have a description of RDSNetworkInterface). Note the name of the network interface (e.g. eni-ae20b2e7).
3) In the EC2 Management Console, go to Elastic IPs –> Allocate New Address –> EIP used in VPC
4) Select the new Elastic IP, and click on Associate Address. Instead of clicking on the Instance drop-down box like you would normally do, instead click on the Network Interface drop-down box and select the RDS instance’s network interface.
5) You now have an Elastic IP address associated with your RDS instance, which you can now use to access SQL from the outside world.
Have any questions, or need help with your RDS instance on Amazon Web Services? E-mail Casey Labs, we’ll be happy to help!