I am completely new to Amazon Web Services and I am trying to implement a Virtual Private Cloud with public and private subnets. A private subnet will host my database servers and public subnet will contain my application's web servers. I followed Amazon's own step-by-step tutorial to achieve this:
I have configured all the VPC security groups as described in the tutorial and I successfully managed to get my web servers talking to my database servers. I also want to remotely connect to the database from MSSQL Management Studio on my local machine so I can create/drop schemas and generally see what's inside the database. However, I cannot connect to the database servers at all.
Part of the problem is that I am not sure exactly what I am meant to be connecting to. Prior to doing this tutorial I created a simple database and used its endpoint as the URL and I could remotely connect to it from my local machine. Now, since the database servers are on a private subnet and can only communicate with the outside world via a NAT instance, does this mean that I should use NAT's elastic IP as a database URL and add extra rules to NAT's security groups? My knowledge of networking is somewhat lacking so I am not too sure and the tutorial doesn't help here either.
My security groups contain the following entries:
NAT instance security group inbound:

| Port | Source |
|------|--------|
| 22 | my external ip |
| 80 | 10.0.1.0/24 (private subnet) |
| 443 | 10.0.1.0/24 (private subnet) |
| 1433 | my external ip |
NAT instance security group outbound:

| Port | Destination |
|------|-------------|
| 80 | 0.0.0.0/0 |
| 443 | 0.0.0.0/0 |
| 1433 | 0.0.0.0/0 |
Database security group inbound:

| Port | Source |
|------|--------|
| 1433 | sg-d6ec33b9 (web servers security group) |
Database security group outbound:

| Port | Destination |
|------|-------------|
| 80 | 0.0.0.0/0 |
| 443 | 0.0.0.0/0 |
Web servers security group inbound:

| Port | Source |
|------|--------|
| 22 | 0.0.0.0/0 |
| 80 | 0.0.0.0/0 |
| 443 | 0.0.0.0/0 |
| 8080 | 0.0.0.0/0 |
Web servers security group outbound:

| Port | Destination |
|------|-------------|
| 80 | 0.0.0.0/0 |
| 443 | 0.0.0.0/0 |
| 1433 | sg-b5ec33da (database security group id) |
The main route table is associated with the private subnet (10.0.1.0/24) and has the following routes:

| Destination | Target |
|-------------|--------|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | i-cf8605ad (NAT instance id) |
The custom route table is associated with the public subnet (10.0.0.0/24) and has the following routes:

| Destination | Target |
|-------------|--------|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw-a4ed3aca (internet gateway id) |
So given this setup, what would I need to do to gain external access to the database servers that are on a private subnet and are protected by a NAT instance? Do I need to add/alter the rules in the security groups?
Thanks in advance.
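The following is an added example, not part of the question or of Amazon's tutorial. It models the security groups and route tables listed in the question as data and evaluates, for a given source address, whether a TCP connection to an instance could be admitted by the subnet's routing and by the instance's security group. The asker's external IP is not on the page, so the documentation-range address 203.0.113.10 stands in for it; the NAT instance's own security group id is also not on the page and is given a placeholder name. Running the check against the question's own rules reproduces the symptom (web servers reachable on 80, database unreachable on 1433) and states why, and a second helper flags the inbound rules that admit the whole internet, which is the hardening point a reviewer would raise about the web server group.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for "my external ip" in the question (TEST-NET-3 range).
MY_EXTERNAL_IP = "203.0.113.10"


@dataclass
class Rule:
    port: int
    source: str  # a CIDR such as 10.0.1.0/24, or a security group id such as sg-d6ec33b9


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list


@dataclass
class Subnet:
    cidr: str
    routes: dict  # destination CIDR -> target (local, igw-..., or an instance id used as NAT)


@dataclass
class Instance:
    name: str
    sg: SecurityGroup
    subnet: Subnet


# Security groups exactly as listed in the question (inbound side only; that is what
# decides whether a new connection is admitted, because security groups are stateful).
WEB_SG = SecurityGroup("sg-d6ec33b9", [Rule(22, "0.0.0.0/0"), Rule(80, "0.0.0.0/0"),
                                       Rule(443, "0.0.0.0/0"), Rule(8080, "0.0.0.0/0")])
DB_SG = SecurityGroup("sg-b5ec33da", [Rule(1433, "sg-d6ec33b9")])
# "sg-nat-PLACEHOLDER" is an assumed id; the question does not give the NAT group's id.
NAT_SG = SecurityGroup("sg-nat-PLACEHOLDER", [Rule(22, MY_EXTERNAL_IP + "/32"),
                                              Rule(80, "10.0.1.0/24"), Rule(443, "10.0.1.0/24"),
                                              Rule(1433, MY_EXTERNAL_IP + "/32")])

PRIVATE_SUBNET = Subnet("10.0.1.0/24", {"10.0.0.0/16": "local", "0.0.0.0/0": "i-cf8605ad"})
PUBLIC_SUBNET = Subnet("10.0.0.0/24", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-a4ed3aca"})

WEB = Instance("web server", WEB_SG, PUBLIC_SUBNET)
DB = Instance("database server", DB_SG, PRIVATE_SUBNET)
NAT = Instance("NAT instance", NAT_SG, PUBLIC_SUBNET)


def has_internet_gateway_route(subnet: Subnet) -> bool:
    """A subnet is only reachable from the internet if its route table points at an igw."""
    return any(target.startswith("igw-") for target in subnet.routes.values())


def sg_allows(sg: SecurityGroup, port: int, src_ip: str = None, src_sg: SecurityGroup = None) -> bool:
    """True if some inbound rule admits this port from the given IP or from the given group."""
    ip = ipaddress.ip_address(src_ip) if src_ip else None
    for rule in sg.inbound:
        if rule.port != port:
            continue
        if rule.source.startswith("sg-"):
            # Group-referencing rules match only traffic from members of that group,
            # never a bare IP address from outside the VPC.
            if src_sg is not None and src_sg.sg_id == rule.source:
                return True
        elif ip is not None and ip in ipaddress.ip_network(rule.source, strict=False):
            return True
    return False


def explain_external_access(src_ip: str, instance: Instance, port: int) -> list:
    """Return the list of reasons a connection from src_ip is blocked; empty means admitted."""
    reasons = []
    if not has_internet_gateway_route(instance.subnet):
        reasons.append(f"subnet {instance.subnet.cidr} routes 0.0.0.0/0 to "
                       f"{instance.subnet.routes['0.0.0.0/0']} and has no internet gateway route, "
                       f"so it is not reachable from the internet")
    if not sg_allows(instance.sg, port, src_ip=src_ip):
        reasons.append(f"security group {instance.sg.sg_id} has no inbound rule "
                       f"admitting port {port} from {src_ip}")
    return reasons


def world_open_ports(sg: SecurityGroup) -> list:
    """Ports this group admits from any address; worth reviewing for anything but 80/443."""
    return sorted({rule.port for rule in sg.inbound if rule.source == "0.0.0.0/0"})


if __name__ == "__main__":
    for inst, port in ((WEB, 80), (DB, 1433)):
        blocked = explain_external_access(MY_EXTERNAL_IP, inst, port)
        print(f"{inst.name}:{port} ->", "admitted" if not blocked else "; ".join(blocked))
    print("web->db via group reference:", sg_allows(DB_SG, 1433, src_sg=WEB_SG))
    print("ports open to the world on web servers:", world_open_ports(WEB_SG))
```

The evaluator only covers the two controls the question lists (route table and security group); it does not model network ACLs, public IP assignment, or the listening service on the instance, so an empty reason list means "not blocked by these rules", not "guaranteed reachable". Note that the database group admits 1433 solely by reference to the web servers' group, which is why the web tier works and a connection from a workstation address does not, and that the web servers admit SSH from 0.0.0.0/0 while the NAT group restricts it to one address.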