# Access a Private AWS RDS Instance via a Jumpbox

Accessing a private Amazon RDS instance is a common requirement in cloud-based architectures — but exposing your database directly to the internet introduces serious security risks.\
To mitigate this, a **jumpbox (bastion host)** is used as a controlled entry point to reach resources within a **private subnet**.

This guide walks you through **setting up and using an SSH tunnel via a jumpbox** to connect to your private RDS instance.\
By following these steps, you’ll be able to **securely manage your database** while keeping it **fully isolated and protected within your private network**.

## 1. Create an EC2 instance

1. **Log in** to your **AWS Management Console**.
2. **Navigate** to the **EC2 Dashboard**.
3. **Create a new EC2 instance** and configure it as follows:

**Configuration Details:**

* **Region:** Same region as your RDS instance.
* **Availability Zone:** Preferably the same AZ as your RDS to minimize latency.
* **Instance Type:** `t2.micro` (1 vCPU, 1 GiB memory) — approximately **$10.80/month**, which is sufficient since the jumpbox only handles **data tunneling**.

<figure><img src="/files/2vhu2VJv3uR64fHfp5xP" alt=""><figcaption></figcaption></figure>

## 2. Grant SSH access to your client service

**Connect to your instance via SSH:**

```bash
ssh <ssh_user>@<jumpbox_ip>
```

* Use **`ubuntu`** as the SSH user if the EC2 instance is running **Ubuntu**.
* Use **`ec2-user`** if the instance is running **Amazon Linux**.

## 3. Whitelist trusted IPs

The most effective security measure is to **whitelist only the IP addresses** that are allowed to connect to your Jumpbox.\
We recommend granting access **exclusively to the IPs that require it**.

You can do this by **creating a dedicated Security Group** under the **Network & Security** section and adding inbound rules for your trusted services or hosts.

<figure><img src="/files/5LNrPdmfxq24Tpze0BFz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/l1omPv7rdDtkCLaYIb3x" alt=""><figcaption></figcaption></figure>

You can now **attach the newly created security group** to your **Jumpbox EC2 instance** to apply the updated access rules.

<figure><img src="/files/Y6ZBvODUCKbmBLPqJs9o" alt=""><figcaption></figcaption></figure>

You can verify that **only your whitelisted client** can access the jumpbox by running:

```bash
# Run this from a machine that is NOT on the allow list
telnet <jumpbox_ip> <ssh_port>
```

If the command **times out** when run from a network that is not on the allow list, it confirms that **access from that network is blocked**, and only the authorized client can connect.

## 4. Grant the jumpbox access to your DB

**Create a dedicated security group** for the Jumpbox to access the database, following the same process described in the previous step.\
Then, **update your database’s security group rules** to allow inbound connections **only from this new Jumpbox security group**.

<figure><img src="/files/a7wiDOETfBk6tuCsdTNo" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/54EdnsGEYZvbYKPVB5bM" alt=""><figcaption></figcaption></figure>
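Once both security groups exist you can check them automatically rather than by eye. The following script is an added example (not from this guide or from Stacksync): it audits the two groups in the shape returned by `aws ec2 describe-security-groups`, flagging an SSH rule open to anything wider than a handful of hosts and a database rule sourced from any CIDR or from a group other than the jumpbox. The embedded sample, its group IDs and its addresses are constructed placeholders.

```python
"""Audit the security groups from steps 3 and 4: jumpbox SG accepts SSH only
from small explicit CIDRs; DB SG accepts the DB port only from the jumpbox SG."""
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# group IDs and addresses are placeholders, not real values.
SAMPLE_SGS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-jumpbox-example", "IpPermissions": [{"IpProtocol": "tcp",
  "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [],
  "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-db-example", "IpPermissions": [{"IpProtocol": "tcp",
  "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
  "UserIdGroupPairs": [{"GroupId": "sg-jumpbox-example"}]}]}]}""")

# Widest source prefix tolerated on the SSH rule (a handful of hosts at most).
MIN_PREFIX = {4: 29, 6: 125}

def covers_port(perm, port):
    # "-1" is the "all traffic" protocol; otherwise require TCP with port in range
    return perm["IpProtocol"] == "-1" or (
        perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"])

def cidrs(perm):
    """Yield every IPv4 and IPv6 source CIDR of an inbound permission entry."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"], strict=False)
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"], strict=False)

def audit_jumpbox_sg(sg, ssh_port=22):
    """Flag SSH rules whose source CIDR is broader than MIN_PREFIX allows."""
    return [f"{sg['GroupId']}: SSH open to {net}"
            for perm in sg["IpPermissions"] if covers_port(perm, ssh_port)
            for net in cidrs(perm) if net.prefixlen < MIN_PREFIX[net.version]]

def audit_db_sg(sg, jumpbox_sg_id, db_port=5432):
    """Flag DB-port rules sourced from any CIDR or from a group other than the jumpbox."""
    findings = []
    for perm in (p for p in sg["IpPermissions"] if covers_port(p, db_port)):
        findings += [f"{sg['GroupId']}: port {db_port} open to CIDR {net}" for net in cidrs(perm)]
        findings += [f"{sg['GroupId']}: port {db_port} open to group {g['GroupId']}"
                     for g in perm.get("UserIdGroupPairs", []) if g["GroupId"] != jumpbox_sg_id]
    return findings

def audit(sgs, jumpbox_sg_id, db_sg_id):
    """Run both checks; an empty list means the groups match this guide's setup."""
    by_id = {sg["GroupId"]: sg for sg in sgs["SecurityGroups"]}
    return audit_jumpbox_sg(by_id[jumpbox_sg_id]) + audit_db_sg(by_id[db_sg_id], jumpbox_sg_id)
```

To run it against your own account, save the output of `aws ec2 describe-security-groups --group-ids <jumpbox_sg> <db_sg>` to a file, load it with `json.load`, and pass it to `audit` with your two group IDs.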

#### ✅ Test Your Setup

You can verify your configuration by running the following commands **from the service or machine you whitelisted**:

```bash
# Create the SSH tunnel: local port 5432 is forwarded, through the jumpbox, to
# port 5432 on the database. <db_ip> may also be the RDS endpoint hostname
# (it is resolved on the jumpbox), which is safer than an IP because RDS
# addresses can change.
# -N: run no remote command   -f: go to background once the tunnel is up
# ExitOnForwardFailure: fail instead of silently running with no tunnel
# (e.g. when local port 5432 is already taken)
ssh -o ExitOnForwardFailure=yes -L 5432:<db_ip>:5432 -N -f <jumpbox_user>@<jumpbox_ip>

# Connect to the database through the tunnel
psql -h localhost -p 5432 -U <DB_USER> -d <DB_NAME>
```

If the connection succeeds — congratulations 🎉\
You can now securely access your **private database** through an **SSH tunnel** that routes traffic via your **jumpbox**.

#### 🔒 (Optional) Additional Security Measures

To further strengthen your setup beyond the steps in this tutorial, consider implementing the following best practices:

* **Use TLS (SSL) for the database connection** so traffic is encrypted end to end, not only inside the SSH tunnel.
* **Configure a firewall** (e.g., AWS Security Groups or ufw) to strictly control inbound and outbound traffic on the jumpbox.
* **Create a dedicated system user** instead of using default accounts such as `ubuntu` or `ec2-user`.
* **Limit privileges:** disable `sudo` access for the SSH user and grant only the minimum permissions required.
* **Change the default SSH port** (22) to a custom port to reduce exposure to automated attacks.
* **Install Fail2Ban** to automatically block IPs that trigger repeated failed login attempts.
* **Deploy auditd** to monitor and log all system-level events for auditing and anomaly detection.

If you have any questions, feel free to ping us at <hello@stacksync.com> and we'll be happy to help!
