Most Secure Way to Access RDS from outside AWS

huangapple | go | 65 reads

Question

As far as I have seen, the most secure way to access RDS is if your service (accessing the RDS database) is also running on AWS.

Another option is to control access with security by whitelisting the IP of services. However, services running on infrastructure like Heroku do not provide static IPs (as far as I have seen), only IP ranges.

My situation is that I have an API service in Heroku that I would like to have access to the AWS RDS database. What is the best and most secure way to grant access to the RDS database from Heroku (or another external service), since Heroku does not have static IPs assigned to apps?

Here are solutions that I would not like to consider.

  • Create a security group assigned to the RDS instance that allows all connections (0.0.0.0/0), then secure RDS with a password
  • Move my API service into AWS

Answer 1

Score: 1

I'll recommend considering the use of QuotaGuard static IP addresses for Heroku.

> QuotaGuard Static is a Heroku Static IP add-on that allows you to route inbound & outbound traffic through a static IP address. You can provide this static IP address to an API partner for an IP based allowlist and open your own firewall to access internal resources.

I'll use this plugin to make sure that all outbound traffic from my compute layer uses the static IP that could then be whitelisted against the security group of your RDS.

A more secure option that you may consider is setting up a private network space peering between your Heroku private space and your AWS VPC.
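
The allowlisting this answer describes can be checked rather than trusted. Below is an added audit script (not code from the answer, QuotaGuard or AWS) that compares the rejected 0.0.0.0/0 rule with a security group restricted to a single static egress IP; the group documents are constructed in the shape `aws ec2 describe-security-groups` returns, and the group IDs and 203.0.113.10 are placeholders standing in for the real group and the add-on's static IP.

```python
import ipaddress

# Constructed sample data in the shape of `aws ec2 describe-security-groups`
# output; the group IDs and 203.0.113.10 (a documentation-range address
# standing in for the add-on's static IP) are placeholders, not real values.
WEAK_SG = {  # the option the question rejects: the DB port open to the world
    "GroupId": "sg-weak-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
HARDENED_SG = {  # the same port reachable only from the one static egress IP
    "GroupId": "sg-hardened-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    ],
}


def audit_db_ingress(sg, db_port, allowed_cidrs):
    """Return one finding per ingress rule that reaches db_port from any
    source not fully contained in the approved allowlist of CIDRs."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" rules carry no port fields and mean every protocol and port
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto not in ("-1", "tcp") or not lo <= db_port <= hi:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # a source is acceptable only if it is a subnet of an allowed CIDR
            if not any(net.version == a.version and net.subnet_of(a)
                       for a in allowed):
                findings.append(f"{sg['GroupId']}: {proto} {lo}-{hi} "
                                f"open to {cidr}")
    return findings


if __name__ == "__main__":
    for group in (WEAK_SG, HARDENED_SG):
        print(group["GroupId"],
              audit_db_ingress(group, 5432, ["203.0.113.10/32"]) or "ok")
```

Feeding the script real `describe-security-groups` output lets you confirm that only the static IP (and nothing broader) can reach the database port before relying on the password alone.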

Answer 2

Score: 1

Do you want the most secure way? Or the thing which is reasonably secure and that you will actually be able to implement without spending $$$s and months of work?

For the latter, use a VPN.

huangapple
  • Posted by huangapple on June 27, 2023 21:37:31
  • When reposting, please keep this link: https://go.coder-hub.com/76565462.html