SSL – Expose a SQL Server database with a load balancer

Tags: amazon-ec2, amazon-elb, amazon-vpc, amazon-web-services, ssl

We have several machines that communicate with each other inside a VPC on AWS. All of them are in private subnets with no public IP address.
One of those machines is an MSSQL server, our main database.

In our office we have a VPN tunnel to this VPC and can use the private IPs.

I am trying to gain secure access to the database over the internet from my home, without modifying the database instance.

I created a public load balancer that listens on TCP 1433 and passes the traffic to the instance, also on port 1433. This gives me database access, but I am worried it is not secure.

I would like the traffic to be encrypted on its way to the load balancer and then to reach the DB as regular traffic after that.

Is this possible using a load balancer?

I have a domain, and a certificate through AWS Certificate Manager.

Best Answer

The easiest way to do this is to create the database with "publicly accessible" turned on, which must be done at creation time. Once this is done you must ensure the security group is opened up to allow access from the IPs you desire. I believe AWS provides the route to the internet; I don't think you have to route it.

Another option would be to establish a VPN session into your work network, and from there use the existing VPN onto the database instance.

If you haven't created the database with that option you could use some kind of a bastion host as a proxy. That is described quite well here, I see no need to copy and paste the answer. This question and answer gives more detail on setting up a bastion host.

Using a load balancer as a proxy is an interesting choice, I'd never even considered that as it's not typically done that way. Load balancers would typically sit in a public DMZ, with the web servers in another subnet, and the database another subnet back, so the ELB shouldn't have database access. A flat network with your servers and database in the same subnet increases risk. I would probably prefer to use an EC2 instance, as I can add more security. You could make it a VPN endpoint and use it as a proxy.
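Whichever route is taken (public load balancer, publicly accessible database, or a bastion in front of it), the security group on the database instance is the control that decides who can actually reach TCP 1433, so it is worth checking it mechanically rather than by eye. The script below is an added example, not code from the question or the answer above: it walks security groups in the shape returned by `aws ec2 describe-security-groups` and reports every rule that admits the SQL Server port from a source outside an allow-list (here the office VPN range and the VPC's private space). The group ids, CIDRs and rule descriptions are constructed sample data, not real resources; swap in the real API response to audit a live VPC.

```python
"""Audit EC2 security-group ingress rules for SQL Server port exposure.

Added example (not part of the original question or answer). Runs offline
over a constructed sample shaped like `aws ec2 describe-security-groups`
output; replace SAMPLE_GROUPS with the real response to audit a live VPC.
"""
import ipaddress

DB_PORT = 1433  # SQL Server default TDS port

# Constructed sample (hypothetical ids and addresses): one group exposes 1433
# to the whole internet, the other restricts it to an office range and a
# referenced application security group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000000000000db01",
        "GroupName": "mssql-server",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
             "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "nlb access"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000db02",
        "GroupName": "mssql-server-restricted",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office VPN"}],
             "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0000000000000app1"}]},
            # Protocol "-1" is "all traffic", so it also covers 1433.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":           # all protocols and ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_db_exposure(groups, port=DB_PORT, allowed=()):
    """Return findings for CIDR sources that can reach `port` and are not
    contained in one of the `allowed` networks.

    Each finding is (group_id, source_cidr, reason). Security-group-to-
    security-group references (UserIdGroupPairs) are VPC-internal and are
    not reported; review those by hand.
    """
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr)
                if net.prefixlen == 0:
                    findings.append((sg["GroupId"], cidr, "open to the whole internet"))
                    continue
                # subnet_of() only compares networks of the same IP version.
                same_version = [a for a in allowed_nets if a.version == net.version]
                if not any(net.subnet_of(a) for a in same_version):
                    findings.append((sg["GroupId"], cidr, "source not in allow-list"))
    return findings


if __name__ == "__main__":
    allow = ["10.0.0.0/8", "203.0.113.0/24"]  # VPC space and office VPN (constructed)
    for group_id, src, why in audit_db_exposure(SAMPLE_GROUPS, allowed=allow):
        print(f"{group_id}: port {DB_PORT} reachable from {src} ({why})")
```

With the sample data this reports only the first group's `0.0.0.0/0` rule; the second group's office range and the all-traffic rule from `10.0.0.0/8` both fall inside the allow-list. Running it with an empty allow-list makes it list every CIDR source that can reach 1433, which is the quickest way to see exactly what a public load balancer or a "publicly accessible" flag has opened up.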
