Connecting kviklet to AWS RDS PostgreSQL in Private Subnet
Hi,
We have an AWS RDS PostgreSQL database hosted in a private subnet within one AWS VPC account. We would like to set up a connection to this RDS instance using Kviklet. However, our setup involves the RDS instance and the Kviklet service being in different AWS accounts' VPCs.
Could you please confirm if this is possible? If yes, could you guide us on how to configure the connection under these circumstances?
Thank you for your assistance.
Hey vjmax, I'm not an expert on AWS networking, but as far as I know two different VPCs can't talk to each other by default. You'll need some sort of network setup to make the routing work, e.g. VPC peering: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html
The more typical setup would be to have a public subnet in which you host the Kviklet container and a private subnet in which your RDS instance is hosted. This then enables you to make Kviklet reachable (e.g. via a load balancer, VPN or whatever else you'd like to use) without having the database directly exposed through the same means.
@Askir, would it be possible to have a feature like an SSH tunnel through a VM which is in the same network as the database for providing the access, like the one they have in the pgAdmin tool?
This is not about AWS itself, but for other cloud and on-prem DBs, so the database details would still be in a secure private network.
In general that's a valid request, but there are a bunch of different ways you could "VPN/tunnel" to your database, and supporting a reasonable subset would be quite a lot of effort. For now I think the safer way would be to hide Kviklet and the DB behind a safe tunnel/VPN that acts as a second line of defense. You can still configure subnets in AWS in a way so that only requests from the instance itself can reach the database. E.g. this is similar to a setup I have worked with before.
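The last reply recommends that only the Kviklet instance be able to reach the database. As an added example (not from the thread or the Kviklet project), this Python check lists every other source that a database security group lets through to the PostgreSQL port. It assumes the restriction is enforced with security groups, that the rules are in the JSON shape returned by `aws ec2 describe-security-groups`, and that the group IDs shown are constructed placeholders.

```python
import json

DB_PORT = 5432  # PostgreSQL default port

# Constructed sample: one DB security group, placeholder IDs (assumption).
SAMPLE = json.loads("""
{"GroupId": "sg-0db00000000000001", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
   "IpRanges": [], "Ipv6Ranges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-0kv00000000000001"}]},
  {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
   "UserIdGroupPairs": []},
  {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000001"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
   "UserIdGroupPairs": []}
]}
""")

def covers_port(rule, port):
    """True if the ingress rule applies to TCP traffic on `port`."""
    proto = rule["IpProtocol"]
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto in ("tcp", "6") and rule["FromPort"] <= port <= rule["ToPort"]

def db_ingress_findings(group, allowed_sgs, port=DB_PORT):
    """List every source that can reach `port` other than the allowed groups."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not covers_port(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            findings.append(("cidr", r["CidrIp"]))
        for r in rule.get("Ipv6Ranges", []):
            findings.append(("cidr", r["CidrIpv6"]))
        for p in rule.get("PrefixListIds", []):
            findings.append(("prefix-list", p["PrefixListId"]))
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_sgs:
                findings.append(("security-group", pair["GroupId"]))
    return findings

if __name__ == "__main__":
    for kind, source in db_ingress_findings(SAMPLE, {"sg-0kv00000000000001"}):
        print(f"unexpected {kind} source on port {DB_PORT}: {source}")
```

The wide port range and the all-traffic rule are reported because both include 5432 even though neither names it; the 443 rule is ignored.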