Connect To Private RDS Instances Using DBeaver

In this blog post We have explained how to Connect to Private RDS Instances using DBeaver.

It is always recommended to host RDS instances (Databases) in private subnet as they should be more secure and also it doesn’t need to be hosted in public facing subnets.

Connecting RDS instances in the private subnet can be established in two ways.

In this blog , We have explained on connecting with private RDS instances using SSH tunneling.

Steps Involved

To connect with the RDS instances in the private subnet from local machine using DBeaver we have to execute the below steps.

  • Create an EC2 Instance in the Public subnet and configure networking
  • Configure RDS instance security group so that the EC2 instance can connect with it.
  • Establish SSH tunneling with EC2 and RDS Instances details from the local system
  • Install DBeaver and connect to RDS instances

What Is SSH Tunneling?

SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection.

It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH.


As we are in the requirement of creating EC2 instance (bastion server) in the Public and the RDS instances in the private subnet.

Check out this article , To create Custom VPC with Public and private subnets , if you don’t have one already.

Step 1 : Creating EC2 Instance

I have published an separate article and explained in details on

How to create Linux EC2 Instances , Check here And also how to establish SSH connection to EC2 instances using SSH client.

By default , port 22 is open to all , We can restrict to local public IP address for security purpose.

Step 2 : Configuring RDS Instance Security Group.

Next step is configure the security group of the RDS instance in such a way that the EC2 instance is able to connect with it.

If you havn’t created an RDS instance yet , Check this blog. Always make sure to create the RDS instance in the Private subnet and Allow Database port only for the certain IP addresses.

To configure the security group , Login to RDS console.

In the navigation pane , Choose Databases , Select the RDS Instance.

MySQL RDS Instances

Choose the Connectivity & Security tab. Under Security , Click the VPC security groups.

Then click the Inbound rules, Click Edit to allow a new inbound rule for EC2 instance.

Click Add rule , For port range , Enter the database port Eg: 3306 for MySQL , 5432 for PostgreSQL.

For the Source , Enter the private IP address of the EC2 instance.

and click Save rules.

The configuration which we have added in the security group will allow traffic from the EC2 instance’s private IP address.

Step 3 : SSH Tunneling

To establish the SSH tunneling , We need the following details.

Public IP Address of EC2 Instance , .pem file of the EC2 Instance , RDS instance Endpoint and Port.

ssh -i testinstance.pem -4 -N -L randomport:DB-endpoint:DB-port username@PublicIPAddress

In the above command ,

testinstance.pem – is the pem file of the public EC2 instance

randomport – we need to provide a port It can be any port number For eg: 5555

DB-endpoint – Enter the endpoint of the private RDS instance

DB-port – Port of the Database instance

username – username of the EC2 Instance , For eg: Amazon Linux OS (ec2-user) , Ubuntu OS (ubuntu)

PublicIpAddress – Public IP address of the EC2 Instance.

Once the command is successfully executed , We can connect to RDS instances in the private subnet using DBeaver from the Local machine.

Step 4 : Connecting To RDS Instance Using DBeaver

If you havn’t installed DBeaver yet , Check this article to Install DBeaver on Ubuntu systems.

Depending on the operating system , You can install the DBeaver.

Once the installation is completed.

Launch the DBeaver , As we have already established SSH tunnel We can now be able to connect with RDS instance with the DB Host as localhost and Port as Randomport that we have used while establishing SSH tunnel.

From the top navigation , Select Database and choose New Database connection

You will see the following page.

From the lists of Databases , Choose the Database engine which you’re using.

For example ; MySQL and click Next

Here For Server Host : It should be localhost

For Port : Type the Randomport that you have used while creating SSH tunnel.

For Authentication , Provide the actual username and Password of the Database Instance.

Click Test Connection , To verify the connection strings of the database instance.

If all went well, You should get the below output.

Click OK and then Choose Finish

We have successfully connected to RDS instance which is running in the private subnet using SSH tunnel in a secured way.

Same way , You can connect with multiple RDS Instances hosted in the private subnets by establishing multiple SSH tunnels with multiple randomports.

Hope you find it helpful.

Don’t forget to check out my other articles.