David Rio

Connecting your RDS service with Tailscale

Tailscale has a document that explains how to privately access a RDS resource.

The steps of the process are:

  1. Spin an EC2 instance and add it to your tailnet.
  2. Add a security group to make sure we have access to the RDS subnet from our node.
  3. Enable split DNS so we resolve AWS queries via an AWS dns server.
  4. Remove public ssh access from the new node
  5. Profit

This is all good and you should set your service this way (private access). But for reasons I am not going to cover here the RDS service I was trying to use had -only- a public facing endpoint. That introduced a few difficulties when trying to set this up.

Setting the RDS service

When you configure an RDS service in AWS it asks you if you want it to be public or private. If you select public, the RDS endpoint will be expose via a public IP. You won't have access (as far as I can tell) to the internal RDS subnet address. How do you route the traffic then? First of all, think about the reason why you are exposing this service publicly. Probably it is a better idea to make it private. Then, you can just follow the Tailscale document. But if you make the service public...

The way to connect the service to your tailnet is to advertise a single host when you add (up) your node to the tailnet:

$ sudo tailscale up --advertise-routes= --accept-dns=false

Other observations

When you make the RDS service public, the dns endpoint maps to a public ip, when you make it private, it maps to a private IP. Makes sense but I wanted to highlight that.

Make sure you check your tailnet ACL to allow traffic between whatever nodes you want access to the RDS service and the routing node.

And that's it. Tailscale is a fantastic piece of technology and I will definitely be writing more about it in the future.