OpenVPN in AWS with RDS
Posted: Wed Aug 17, 2016 12:37 pm
Hi All,
First post asking for help (in the correct channel at least); it can't be that unusual, but I would be very grateful for some insight into what other people have done.
Scenario:
We have an AWS account, newly opened, so it has the default VPC with two default subnets which are publicly open. Inside that VPC, in one of the default subnets, I have created an OpenVPN instance (following the OpenVPN AWS instructions) which is configured correctly to allow an EC2 instance to be locked down using security groups to allow access from specific external IP addresses and from the OpenVPN box using the internal IP address. The public IP addresses and DNS names are not resolvable when connected to the VPN. This we can live with, as it gives us what we want, e.g. protected access for specific applications hosted elsewhere and via VPN for humans.
The problem comes with our RDS instance. It needs to be publicly accessible; however, the endpoint is always a DNS name. This again is locked down using security groups to allow specific application external IP addresses to have access and humans to go via the OpenVPN box. When it is publicly accessible the endpoint does not get resolved when connected to OpenVPN; if I make the RDS instance hidden from the external world, I can connect via VPN. So I have concluded this is to do with the AWS DNS server not being used when connected via OpenVPN.
What have other people done to bring the AWS DNS server into play? A good browse of the internet brings back quite a few solutions, but like the new Google Authenticator feature I am expecting there to be an easy way in the latest version. In case it matters, we are not routing all traffic through the VPN, and this is desired to reduce unnecessary traffic / costs in AWS.
Many thanks in advance,
James
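The split-tunnel behaviour described in the post, as an added example that is not part of the original post or of any OpenVPN product: the Amazon-provided resolver sits at the VPC base address plus two (172.31.0.2 for the default VPC's 172.31.0.0/16), and from inside the VPC the RDS endpoint name resolves to the instance's private address, whereas a client using its own DNS gets the public address, which a split-tunnel client then sends out its normal interface rather than through the tunnel. The script below computes the resolver address, emits community-edition `server.conf` push directives that route only the VPC range and hand clients that resolver, and classifies the answer a client got for the endpoint so you can tell which resolver it used. The VPC CIDR, the RDS endpoint name and the resolved addresses are constructed sample values, and the `push` directives assume a community OpenVPN server (Access Server exposes the same settings through its own admin interface).

```python
import ipaddress

# Constructed sample values (not from the original post). 172.31.0.0/16 is
# the CIDR AWS assigns to a default VPC; the endpoint name and the resolved
# addresses are made up for the example.
VPC_CIDR = "172.31.0.0/16"
RDS_ENDPOINT = "mydb.abcdefgh1234.eu-west-1.rds.amazonaws.com"  # constructed
ANSWER_FROM_VPC_RESOLVER = "172.31.20.5"   # constructed private address
ANSWER_FROM_PUBLIC_DNS = "54.72.1.10"      # constructed public address


def vpc_resolver(vpc_cidr):
    """Amazon-provided DNS lives at the VPC network address plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def openvpn_push_lines(vpc_cidr, search_domains=()):
    """server.conf directives for a split-tunnel client: route only the VPC
    range through the tunnel and push the VPC resolver (plus optional
    search domains) instead of routing all traffic."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    lines = [
        f'push "route {net.network_address} {net.netmask}"',
        f'push "dhcp-option DNS {vpc_resolver(vpc_cidr)}"',
    ]
    for domain in search_domains:
        lines.append(f'push "dhcp-option DOMAIN {domain}"')
    return lines


def classify_answer(resolved_ip, vpc_cidr):
    """Classify the address a client received for the RDS endpoint.

    private-via-vpn       -> answer came from the VPC resolver; the pushed
                             VPC route carries the connection over the tunnel
    public-not-tunnelled  -> answer came from the client's own DNS; a
                             split-tunnel client sends this out its normal
                             interface, so only allow-listed source IPs reach it
    private-outside-vpc   -> private address not in this VPC (another network
                             or a mis-set CIDR); not reachable via this route
    """
    ip = ipaddress.ip_address(resolved_ip)
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if ip in net:
        return "private-via-vpn"
    if ip.is_private:
        return "private-outside-vpc"
    return "public-not-tunnelled"


def diagnose(resolved_ip, vpc_cidr=VPC_CIDR, endpoint=RDS_ENDPOINT):
    """One-line explanation of why the endpoint does or does not work
    through the VPN, given the address the client resolved it to."""
    verdict = classify_answer(resolved_ip, vpc_cidr)
    if verdict == "private-via-vpn":
        return (f"{endpoint} -> {resolved_ip}: resolved by the VPC resolver, "
                f"reachable through the pushed route for {vpc_cidr}")
    if verdict == "public-not-tunnelled":
        return (f"{endpoint} -> {resolved_ip}: resolved by the client's own DNS; "
                f"traffic leaves outside the tunnel, push DNS {vpc_resolver(vpc_cidr)}")
    return f"{endpoint} -> {resolved_ip}: private address outside {vpc_cidr}"


if __name__ == "__main__":
    for line in openvpn_push_lines(VPC_CIDR, ["eu-west-1.rds.amazonaws.com"]):
        print(line)
    print(diagnose(ANSWER_FROM_VPC_RESOLVER))
    print(diagnose(ANSWER_FROM_PUBLIC_DNS))
```

Two caveats a practitioner will want: `dhcp-option` is only applied if the client acts on it (Windows clients do so by default; Linux clients need an `up` script such as the distribution's `update-resolv-conf` or systemd-resolved integration), and on many clients a pushed DNS server receives all of the machine's lookups, not just AWS names, so push a `DOMAIN` alongside it and check what your client platform actually does with it. The RDS security group still has to allow the OpenVPN instance's private address or security group, which the post already does.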