Configuring Private Bastion
Private Bastion sets up a tunnel that lets you reach resources living in a private or otherwise restricted subnet of the environment.
Enabling Private Bastion at NX1
Sign in to NX1, navigate to the environment in which you want to set up Private Bastion and select “Network Access”.
Click the toggle next to AWS Client VPN to enable it.
Then click “Save” to enable the VPN.
Setting up an RDS connection through a Private Bastion
After enabling Private Bastion in NX1, follow these steps to connect to an RDS database through it.
RDS Security Group Setup
In your RDS database, edit the security group and add an inbound rule that allows traffic from the bastion host security group:
As the rule's source, select the security group with “private-bastion” in its name; under Type, choose the service matching your DB (usually PostgreSQL or MySQL/Aurora).
Creating the Connection
If you use AWS SSO (Identity Center), start a session by obtaining credentials from SSO for the environment you want to connect to.
- Go to your AWS SSO page.
- Select the environment you want to connect to.
- Select the option Command line or programmatic access.
- Copy the keys under “Option 1 - Set AWS environment variables (Short-term credentials)”.
See the AWS documentation on this topic for more details.
Example: connecting to RDS Postgres through Private Bastion using the AWS CLI.
On Mac, open a Terminal. On Windows, open a Command Prompt window.
Paste the AWS credentials into the terminal and run:

```bash
aws ssm start-session --target <private-bastion-id> \
  --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters '{"portNumber":["5432"],"localPortNumber":["5433"],"host":["<rds-endpoint>"]}'
```
- `<private-bastion-id>`
  - Go to the AWS console and select the EC2 service
  - Select the instance `citadel-PrivateBastion`
  - Find the Instance ID and paste it into the command above
- `<rds-endpoint>`
  - Go to the AWS console and select the RDS service
  - Select the RDS instance you want to connect to
  - Find the Endpoint value
  - Paste it into the command above
Connecting
On your local machine, open a database client compatible with your RDS DB flavour (usually postgres or mysql) and connect to:
- Hostname: localhost
- Port: 5433 (or the port you set in the `localPortNumber` parameter of the start-session command above)
- Credentials: the same credentials as your RDS database
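The whole procedure above (short-term SSO credentials, the `start-session` tunnel, then the local client) as one small POSIX shell script; this is an added example, not part of the NX1 documentation or of AWS tooling. The script name `rds_tunnel.sh`, the `nc` port check and `psql` as the client are assumptions; it validates the instance ID and ports before calling the CLI and refuses to run without a session token, since the SSO credentials the guide tells you to paste are short-term.

```bash
#!/bin/sh
# rds_tunnel.sh (hypothetical helper, not part of NX1): open the SSM port-forwarding
# tunnel through the Private Bastion and start psql over it.
# usage: ./rds_tunnel.sh <private-bastion-id> <rds-endpoint> [remote-port] [local-port]
set -eu

# EC2 instance IDs are "i-" followed by 8 or 17 hex digits.
validate_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}
# A TCP port must be an integer in 1..65535.
validate_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# Short-term SSO credentials always carry a session token; refuse to run without one.
check_credentials() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] \
    && [ -n "${AWS_SESSION_TOKEN:-}" ]
}
# JSON for --parameters, in the exact shape the SSM document expects.
build_params() {  # remote_port local_port host
  printf '{"portNumber":["%s"],"localPortNumber":["%s"],"host":["%s"]}' "$1" "$2" "$3"
}
# Poll until the forwarded local port accepts connections (needs nc).
wait_for_port() {  # port timeout_seconds
  i=0
  while [ "$i" -lt "$2" ]; do
    nc -z 127.0.0.1 "$1" 2>/dev/null && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

main() {
  bastion="$1"; endpoint="$2"; remote="${3:-5432}"; local_port="${4:-5433}"
  validate_instance_id "$bastion" || { echo "bad instance id: $bastion" >&2; return 1; }
  validate_port "$remote" && validate_port "$local_port" || { echo "bad port" >&2; return 1; }
  check_credentials || { echo "set the short-term SSO credentials first" >&2; return 1; }
  aws ssm start-session --target "$bastion" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(build_params "$remote" "$local_port" "$endpoint")" &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null' EXIT   # tear the tunnel down when psql exits
  wait_for_port "$local_port" 30 || { echo "tunnel did not come up" >&2; return 1; }
  psql -h localhost -p "$local_port" "${PGDATABASE:-postgres}"
}
# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Close the tunnel as soon as you are done: while it is up, the forwarded port on localhost is reachable by every process on your machine, not only your database client.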