How can I connect to an AWS RDS database?

AWS Setup #

Set up a subnet router in the VPC hosting the AWS RDS instance. #

1. Create an EC2 instance running Amazon Linux on either x86 or ARM. This instance must be in the same VPC as the RDS instance. The instance can be in a different subnet than the RDS database.

2. SSH into the EC2 instance and set up Tailscale.

sudo yum install yum-utils

# add Tailscale repository
sudo yum-config-manager --add-repo 
sudo yum install tailscale

# start Tailscale daemon
sudo systemctl enable --now tailscaled

# connect the instance to the tailnet
sudo tailscale up

# get the Tailscale IP address
tailscale ip -4

3. Enable IP forwarding

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf 
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf 
sudo sysctl -p /etc/sysctl.conf

If your instance runs firewalld, run this to turn on masquerading:

firewall-cmd --permanent --add-masquerade

4. Connect to the tailnet as a subnet router

sudo tailscale up --advertise-routes=, --accept-dns=false --accept-routes=true

The value for advertise-routes should be the CIDR range of the RDS Subnet.
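The subnet router only carries traffic for the CIDR you advertise, so a wrong or overly broad value in step 4 is the usual reason the RDS instance stays unreachable. This added helper (not part of the DevZero docs) checks that the RDS private IP falls inside the CIDR you intend to advertise, refuses prefixes broader than /16 (a least-privilege threshold chosen here as an assumption), and prints the exact `tailscale up` line to run. The IP and CIDR in the sample call are constructed values.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 (IPv4 address) lies inside $2 (CIDR a.b.c.d/n), else 1.
cidr_contains() {
    net=${2%/*}
    bits=${2#*/}
    # Reject a missing or out-of-range prefix length.
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    ip_int=$(ip_to_int "$1")
    net_int=$(ip_to_int "$net")
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# Build the step-4 command for the given RDS private IP and subnet CIDR.
# Fails if the IP is outside the CIDR or the CIDR is broader than /16
# (assumed threshold: advertise only the RDS subnet, not the whole VPC).
build_advertise_cmd() {
    rds_ip=$1; rds_cidr=$2
    if ! cidr_contains "$rds_ip" "$rds_cidr"; then
        echo "error: $rds_ip is not inside $rds_cidr; check the RDS subnet CIDR" >&2
        return 1
    fi
    if [ "${rds_cidr#*/}" -lt 16 ]; then
        echo "error: $rds_cidr is broader than /16; advertise only the RDS subnet" >&2
        return 1
    fi
    echo "sudo tailscale up --advertise-routes=$rds_cidr --accept-dns=false --accept-routes=true"
}

# Constructed sample values; replace with your RDS private IP and subnet CIDR.
build_advertise_cmd 10.0.2.15 10.0.2.0/24
```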

5. Approve the subnets

Open the machines page in the admin console, and locate the device that advertised subnet routes. You can look for the Subnets badge in the machines list or use the has:subnet filter in the search bar to see all devices advertising subnet routes. Using the more icon at the end of the table, select Edit route settings. This will open up the Edit route settings panel. Approve the subnets you used in the advertise-routes param in step 4.


6. Set up auto-approval

Open the settings page in the admin console and toggle Device Authorization on. On the left side, open the Keys screen and click on Generate Auth Key. Toggle on Pre-authorized (and Reusable if you want to allow multiple machines to log in to Tailscale with the same key) and click Generate Key. Save a copy of this key! You will need it in the next section.


Configure the RDS Security Group #

In the security group for the RDS instance, add a rule to allow all traffic from the EC2 instance's Security Group.


DevZero Setup #

1. Open the Environments tab on the bottom left and select the template you want to connect to Tailscale, or create a new template.

2. Take that auth key, and set it as an environment variable for the environment template that needs to connect to remote resources. Give it an appropriate name, say TAILSCALE_AUTH_KEY.


3. Add an entry into the scriptpolicy section of the environment template.

- script: |
    curl -fsSL | sh
    sudo tailscale up --accept-routes --authkey ${{ TAILSCALE_AUTH_KEY }}
  runas: devzero

Call the instance! #

With that, you should be able to hit the private IP address for the RDS instance from your DevBox.

ping <ip_address>

Connecting to public DNS #

Global nameservers handle DNS queries for any domain, and you can use a public DNS nameserver for this. Some public global DNS nameservers include:

  •,, 2620:fe::fe, and 2620:fe::9, provided by Quad9
  •,, 2001:4860:4860::8888, and 2001:4860:4860::8844, provided by Google
  •,, 2606:4700:4700::1111 and 2606:4700:4700::1001, provided by Cloudflare

These nameservers are available in a dropdown when you add a nameserver using the DNS page of the admin console. By default, clients of your network will use their local DNS settings for all queries. To force clients to always use nameservers you define, you can enable the “Override local DNS” toggle.
