Mysql – How to open the MySQL port only to Amazon RDS for replication

firewall, iptables, MySQL, mysql-replication

I have a MySQL database on a dedicated server, that I want to replicate to Amazon RDS to always have an up-to-date backup.

For this, Amazon RDS needs to be able to connect to my master MySQL server.

I do not want to open the MySQL port 3306 to the entire world, as even though MySQL has its own permissions, I consider it an extra security risk if a security issue gets discovered in MySQL.

So I want to add a rule to iptables to allow all connections from *.rds.amazonaws.com. But as far as I understand it, even though iptables allows a host name to be specified instead of an IP address, it's resolved when the rule is created, not when the packet is checked.

And because of the way RDS is designed, the IP address behind an RDS instance's host name might change during its lifetime, so this is not a good solution.

What alternatives do I have to only open my MySQL server to RDS?

Best Answer

Here is a link to a Unix & Linux Stack Exchange question: UFW: Allow traffic only from a domain with dynamic IP address

TCP/IP-level blocking might not work well with a dynamic IP address. Although the accepted answer mentions a script, it might be error-prone. AWS does post a list of IP ranges, but this can change over time.

Unfortunately, your best option may be user authentication in MySQL. You can limit privileges by user AND hostname: Specifying Account Names.
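The two approaches the answer names, the published AWS IP ranges and a host-restricted MySQL account, can be combined so that neither is relied on alone. The following is an added example written for this page, not code from the answerer or from AWS. It parses a constructed sample in the shape of the ip-ranges.json feed (the prefixes are made-up documentation ranges), merges the prefixes for one region into a minimal set, emits idempotent iptables commands for a dedicated chain that can be rebuilt whenever the feed changes, and emits matching CREATE USER / GRANT statements whose host part uses MySQL's addr/netmask form. The choice of the EC2 service tag as the one covering RDS addresses, the chain name, the user name and the password value are all assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the AWS ip-ranges.json feed
# (https://ip-ranges.amazonaws.com/ip-ranges.json). The prefixes are
# documentation ranges made up for this example; a real download is much larger.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25",   "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25",   "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24",    "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24",      "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [],
})


def allowed_prefixes(ip_ranges_json, region, services=("EC2",)):
    """Return the IPv4 prefixes published for `region` under any of `services`,
    de-duplicated and merged into the smallest covering set, as sorted strings.

    Assumption: an RDS instance's address lies inside its region's EC2 prefixes;
    the feed carries no service tag specific to RDS.
    """
    data = json.loads(ip_ranges_json)
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]  # IPv4 only; IPv6 lives under "ipv6_prefixes"
        if p["region"] == region and p["service"] in services
    }
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def iptables_script(networks, port=3306, chain="MYSQL_RDS"):
    """Build idempotent iptables commands: a dedicated chain that is flushed and
    rebuilt on every run, so the script can be re-applied when the feed changes.
    """
    lines = [
        f"iptables -N {chain} 2>/dev/null || true",  # create the chain if missing
        f"iptables -F {chain}",                       # drop stale entries
    ]
    lines += [f"iptables -A {chain} -s {net} -j ACCEPT" for net in networks]
    lines.append(f"iptables -A {chain} -j DROP")      # anything else to the port is dropped
    # Hook the chain into INPUT exactly once (-C checks whether the rule exists).
    lines.append(
        f"iptables -C INPUT -p tcp --dport {port} -j {chain} 2>/dev/null"
        f" || iptables -I INPUT -p tcp --dport {port} -j {chain}"
    )
    return lines


def replication_account_sql(user, password, networks):
    """Second layer: a replication account whose host part is restricted to the
    same networks, in MySQL's 'addr/netmask' host form. MySQL 5.7 only honours
    netmasks of 8, 16, 24 or 32 bits, so other prefix lengths are rejected here
    rather than silently widened. `password` is a placeholder from the caller.
    """
    stmts = []
    for net in map(ipaddress.ip_network, networks):
        if net.prefixlen not in (8, 16, 24, 32):
            raise ValueError(f"{net}: MySQL 5.7 netmask hosts need /8, /16, /24 or /32")
        host = f"{net.network_address}/{net.netmask}"
        stmts.append(f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '{password}';")
        stmts.append(f"GRANT REPLICATION SLAVE ON *.* TO '{user}'@'{host}';")
    return stmts


if __name__ == "__main__":
    nets = allowed_prefixes(SAMPLE_IP_RANGES, "eu-west-1")
    print("\n".join(iptables_script(nets)))
    print("\n".join(replication_account_sql("repl", "CHANGE_ME", nets)))
```

Because the feed changes over time, the iptables part is meant to be re-run from a scheduled job against a freshly downloaded ip-ranges.json; rebuilding a separate chain keeps the rest of the INPUT policy untouched. The account restriction is the layer that still holds if the list is stale, which is the point the answer makes about MySQL's own user@host authentication.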