AWS RDS Access Issue: Public DB in Private Subnets

When working with Amazon RDS in VPCs, a common issue arises when your database is marked as "publicly accessible" but is actually located in private subnets. This misconfiguration can cause confusion and connectivity problems.

The Issue

  • Your RDS instance is set to “Publicly Accessible = Yes”
  • But the RDS resides in private subnets
  • Those subnets do not have an Internet Gateway (IGW) or route to the internet

🔍 Result:

When you try to connect using the public DNS endpoint (e.g., mydb.abcdefgh.rds.amazonaws.com), DNS resolution gives you a public IP. But since the RDS is in a private subnet with no internet access, the public IP is unreachable.

Nor does allowing a source security group or IP address in the RDS security group help: the traffic never reaches that public IP in the first place, so there is nothing for the security group to evaluate.
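As an added audit check that is not part of the original post, the following Python classifies an RDS instance record against the route tables of its subnet group and flags exactly the mismatch described above (public flag set, but no subnet routes to an Internet Gateway). The sample records are constructed to mimic the shape of boto3 output; the boto3 calls that would supply real data are assumed, not shown.

```python
# Added audit check, not from the original post. The records are constructed to
# mimic boto3 describe_db_instances / describe_route_tables output; a real audit
# would fetch them with boto3 (assumed API names) instead.

def subnet_has_igw_route(subnet_id, route_tables):
    """True if the table serving subnet_id (explicit association, else the VPC's
    main table) routes 0.0.0.0/0 to an Internet Gateway. NAT (nat-) and
    egress-only (eigw-) targets do not make a subnet public."""
    explicit = main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = rt
            elif assoc.get("Main"):
                main = rt
    table = explicit or main
    if table is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in table.get("Routes", []))

def audit_rds_instance(db, route_tables):
    """'private': PubliclyAccessible=False; 'public-exposed': public flag and an
    IGW-routed subnet (review whether intended); 'MISMATCH': public flag but no
    subnet has an IGW route, so the endpoint resolves to an unreachable public IP."""
    group = db["DBSubnetGroup"]
    vpc_tables = [rt for rt in route_tables if rt.get("VpcId") == group["VpcId"]]
    if not db.get("PubliclyAccessible"):
        return "private"
    if any(subnet_has_igw_route(s["SubnetIdentifier"], vpc_tables)
           for s in group["Subnets"]):
        return "public-exposed"
    return "MISMATCH"

# Constructed sample VPC: main table has only the local route; subnet-pub1 has
# an explicit table with a 0.0.0.0/0 route to an IGW.
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-aaaa", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"VpcId": "vpc-aaaa", "Associations": [{"SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]
# Constructed sample instance: the post's scenario, public flag on private subnets.
SAMPLE_DB = {"DBInstanceIdentifier": "mydb", "PubliclyAccessible": True,
             "DBSubnetGroup": {"VpcId": "vpc-aaaa",
                               "Subnets": [{"SubnetIdentifier": "subnet-priv1"},
                                           {"SubnetIdentifier": "subnet-priv2"}]}}
```

Running `audit_rds_instance(SAMPLE_DB, SAMPLE_ROUTE_TABLES)` on the sample returns `MISMATCH`; the same instance with the flag cleared, or moved into `subnet-pub1`, classifies as `private` or `public-exposed` respectively.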

Solution Options

Option 1: Make the Subnets Public (Not Recommended)

You can move the RDS instance to public subnets — i.e., subnets with a route to an Internet Gateway.

⚠️ This exposes your database to the internet. It is generally not recommended for production workloads.

Option 2: Use VPC Peering with Private DNS Resolution (Recommended)

Steps:

  1. Create a VPC Peering Connection:
    • Between the two VPCs: one where the EC2 (client) resides (requester) and one where the RDS resides (accepter)
    • Make sure the CIDR blocks do not overlap
  2. Accept the Peering Connection:
    • Go to VPC Dashboard → Peering Connections
    • Accept the connection from the Accepter VPC
  3. Enable DNS Resolution over Peering:
    • Open the VPC Peering Connection details
    • Click Actions → Edit DNS settings
    • Enable:
      • "DNS resolution from the requester VPC"
      • "DNS hostnames" and "DNS resolution" on both VPCs
  4. Update Route Tables:
    • In each VPC’s Route Table, add a route to the other VPC’s CIDR block, targeting the peering connection
  5. Update Security Groups:
    • In the RDS security group, allow inbound traffic on port 3306 (or your DB port) from the requester VPC’s CIDR block

Why This Works

When DNS resolution over peering is enabled, the requester VPC can resolve the RDS hostname (like mydb.abcdefgh.rds.amazonaws.com) to its private IP — not the public one.

Since:

  • The VPCs are peered
  • The route is set
  • The RDS security group allows it

The connection succeeds securely over private IPs, without exposing anything to the internet.
