Static IP on an AWS RDS Instance / Opening port 3306 to DNS Endpoint

Tags: amazon-rds, amazon-web-services, port-forwarding, static-ip

So I have previously asked this question over at stackoverflow but I was informed that I should ask it over here also since it seems to be more of a network based question. I did search serverfault for similar questions and came across this one from 2014 but I wanted to expand onto it.

So for a project that I am working on at my office, I have a .NET application that will be storing and retrieving data to/from an AWS RDS MySQL Server that I have set up. The problem that I have run into is that port 3306 is not open on my work's network. It works great when I am not on my company network, so I know it is not an issue with the AWS RDS server (for example, if I hotspot from my phone it works).

I have reached out to the networking department to see what they can do about opening this port. They asked me if there was a way to set a static IP on this AWS RDS Instance so they can add a firewall rule to allow port 3306 to only this static IP. They only want to open the port based on the server's IP address rather than open port 3306 completely, for security reasons they say. They said if they open port 3306, it will be open for the whole office network and they can't open it for just my computer's IP.

I did not see anywhere on the AWS Dashboard about setting a static IP for my RDS Instance. IT says that the reason behind needing a static IP is so that when the IP that is associated with the endpoint DNS that they provide changes, they won't need to adjust the firewall settings to accommodate this change.

1) Is it possible to set an IP to static on the RDS instance? (Based on the link above, it doesn't seem possible, but I wanted to ask anyway in case something has changed and it is now possible, since the previous post was from 2014.)

2) Is it possible to have the port open for only this specific DNS endpoint that AWS provides? My IT team is saying that it is NOT possible for them to open the port to a URL and that it has to be an IP (static so it doesn't change). Is this really the case, or is there a way around this? Based on a response from my stackoverflow post, he mentions that it is possible by:

You can tell your IT team to create a firewall rule in port 3306 for the RDS instance URL and it will work fine.

Is there any extra information that I can provide to my IT Networking team to help steer them in the right direction if it really is possible? I feel like this has to be a pretty common task given the popularity of cloud-hosted MySQL servers, and that I can't be the only one with this issue.

Thank you!

Best Answer

It sounds like you have a fairly locked-down network environment, which is disallowing outbound connections destined for port 3306. "Traditional" firewalls will only allow ACLs targeting IPs, not DNS names, so it sounds like the RDS URL will not work for you. These firewalls operate at layers 3 and 4, so they have no concept of DNS names, which are a layer 7 concept.

If your company is blocking connections to 3306 specifically, as it's a well-known port, it's possible they may allow you to open up connections to a different port. You could then recreate your instance to use that port rather than the default.

If the blockage is instead a blanket policy, implemented at layers 3 and 4, you may be out of luck for the moment. You could do a DNS lookup of your instance's IP address and use it in an ACL, but that address is subject to change.

Normally I would say to ask them to open connectivity just for your client system's IP address, but as you say, they rejected that already. I assume this is due to using DHCP to assign an address to your system, rather than a static IP. Perhaps you could request a static IP for your system, or you could run your application on a company server with a static IP. That would allow them to complete a one-to-many ACL that they may find acceptable.
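The answer's fallback is an ACL on whatever IP the RDS endpoint resolves to today, with the caveat that the address can change (a Multi-AZ failover, resize or maintenance event can move the instance). The script below is an added example, not code from the question or the answer: it resolves the endpoint, diffs the current answer against the address list the firewall team was given, and reports what needs updating, with a plain TCP reachability probe for confirming where the block actually is. The endpoint name and all addresses are constructed placeholders, and the resolver is injectable so the logic runs offline.

```python
"""Added example (not from the original question or answer).

A firewall ACL written for the IP an RDS endpoint resolved to on one day breaks
silently when AWS moves the instance. Resolve the endpoint now, diff against the
addresses in the rule, and report the delta. Endpoint and addresses below are
constructed placeholders, not a real instance.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable

# Hypothetical endpoint in the usual RDS naming pattern; purely a placeholder.
ENDPOINT = "mydb.abcdefghijkl.us-east-1.rds.amazonaws.com"
PORT = 3306


def resolve_ipv4(hostname: str, port: int = PORT) -> set[str]:
    """Return every IPv4 address the name currently resolves to (live DNS)."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def diff_allowlist(resolved: Iterable[str], allowed: Iterable[str]) -> dict[str, set[str]]:
    """Compare current DNS answers with the addresses in the firewall rule.

    'missing': addresses the endpoint now uses that the ACL does not permit
    'stale':   addresses still in the ACL that the endpoint no longer uses
    Every entry is passed through ipaddress so a non-IP literal fails loudly.
    """
    resolved_set = {str(ipaddress.ip_address(a)) for a in resolved}
    allowed_set = {str(ipaddress.ip_address(a)) for a in allowed}
    return {"missing": resolved_set - allowed_set, "stale": allowed_set - resolved_set}


def check_endpoint(
    hostname: str,
    allowed: Iterable[str],
    resolver: Callable[[str], set[str]] = resolve_ipv4,
) -> dict:
    """Resolve the endpoint and report whether the firewall rule still matches.

    `resolver` is injectable so the logic can be exercised without network access.
    """
    resolved = resolver(hostname)
    delta = diff_allowlist(resolved, allowed)
    return {
        "endpoint": hostname,
        "resolved": resolved,
        "rule_current": not delta["missing"] and not delta["stale"],
        **delta,
    }


def tcp_reachable(host: str, port: int = PORT, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes from this network.

    Run from the office LAN and again from a phone hotspot: a timeout on one and
    success on the other confirms the block sits on the corporate egress path,
    not on the RDS security group.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed data: the IP the firewall team put in the rule, and a stand-in
    # resolver showing the endpoint has since moved to a different address.
    rule_ips = ["203.0.113.10"]
    fake_resolver = lambda _name: {"203.0.113.27"}
    report = check_endpoint(ENDPOINT, rule_ips, resolver=fake_resolver)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on a schedule (cron or a CI job) with the real resolver and the list the firewall team holds; a non-empty `missing` set is the signal to file the rule change before the application fails. If the firewall cannot take hostnames at all, the usual compromise is a rule for the AWS address ranges of the instance's region, which AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json; that is broader than a single host but survives the endpoint moving.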
