How to Set Up AWS RDS Proxy for Applications in a Private Subnet

 

Introduction

In production environments, database connection management is a common challenge—especially with Lambda, ECS, or EC2-based applications that open too many connections. AWS RDS Proxy solves this by pooling and managing database connections securely.

In this blog, I’ll walk through a real-world RDS Proxy setup, focusing on applications running in a private subnet without public IPs—a scenario many teams struggle with.

Why Use RDS Proxy?

Common problems without RDS Proxy:

  • Too many open DB connections

  • Connection storms during traffic spikes

  • Slow cold starts (especially with Lambda)

RDS Proxy benefits:

  • Connection pooling

  • Improved scalability

  • Faster failover

  • IAM-based authentication

  • Better security

Architecture Overview

Private EC2 / ECS / Lambda
        │
        ▼
    RDS Proxy
        │
        ▼
     RDS MySQL

Key idea: The application never connects directly to the RDS instance.

Prerequisites

  • RDS MySQL or PostgreSQL instance

  • Application running in a private subnet

  • Secrets Manager enabled

  • IAM role for application

  • Proper VPC routing & security groups

AWS Console Walkthrough (Screenshots Flow)

Below is a step-by-step AWS Console navigation flow. You can capture screenshots at each step while publishing on Medium or internal docs.

Screenshot 1: RDS Instance Overview

Console Path: AWS Console → RDS → Databases

  • Select your RDS instance

  • Note:

    • Engine (MySQL / PostgreSQL)

    • VPC

    • Subnet group

    • Security group

📸 Screenshot: RDS instance details page

Screenshot 2: Secrets Manager – Create Secret

Console Path: AWS Console → Secrets Manager → Store a new secret

Choose:

  • Secret type: Credentials for RDS database

  • Username & password

  • Select your RDS instance

📸 Screenshot: Secret creation form

Step 1: Store DB Credentials in Secrets Manager

RDS Proxy requires credentials from AWS Secrets Manager.

  1. Go to Secrets Manager → Store a new secret

  2. Choose Credentials for RDS database

  3. Enter DB username & password

  4. Select your RDS instance

  5. Save the secret

Note: Rotate secrets if required for production.

Step 2: Create IAM Role for RDS Proxy

Create an IAM role with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:*"
    }
  ]
}

Attach this role while creating the RDS Proxy.

Step 3: Create the RDS Proxy

  1. Go to RDS → Proxies → Create proxy

  2. Select engine (MySQL / PostgreSQL)

  3. Choose your RDS instance

  4. Select the secret from Secrets Manager

  5. Attach the IAM role

  6. Choose the same VPC as RDS

  7. Select private subnets only

Important settings:

  • Enable TLS

  • Set idle client connection timeout

  • Enable debug logging (optional)

Step 4: Security Group Configuration (Critical)

RDS Security Group

  • Allow inbound from RDS Proxy SG on port 3306

RDS Proxy Security Group

  • Allow inbound from Application SG on port 3306

  • Allow outbound to RDS SG

Most connection issues come from incorrect SG rules.

Step 5: Application IAM Role Setup

Attach this policy to your app’s IAM role:

{
  "Effect": "Allow",
  "Action": "rds-db:connect",
  "Resource": "arn:aws:rds-db:region:account-id:dbuser:db-resource-id/db-user"
}

This allows IAM-based authentication (recommended).

Step 6: Update Application DB Endpoint

Replace the DB endpoint:

❌ Old:

mydb.abcdefg.eu-west-1.rds.amazonaws.com

✅ New (Proxy endpoint):

mydb-proxy.proxy-abcdefghijkl.eu-west-1.rds.amazonaws.com

Port remains the same (3306 / 5432).

Step 7: Test Connectivity from Private Subnet

From EC2 or container:

mysql -h <proxy-endpoint> -u db_user -p

If it fails:

  • Check route tables

  • Verify security groups

  • Ensure IAM role is attached

Common Errors & Fixes

❌ Connection borrow timeout

Cause: Proxy connection pool exhausted

Fix:

  • Increase max connections

  • Tune application connection usage

  • Increase proxy capacity

❌ ERROR 2003 (HY000)

Cause: Network or security group issue

Fix:

  • Ensure same VPC

  • Verify SG inbound/outbound rules

❌ Access denied for user

Cause: IAM policy or secret mismatch

Fix:

  • Verify rds-db:connect policy

  • Check secret username

Best Practices for Production

  • Use IAM authentication

  • Enable TLS

  • Monitor CloudWatch metrics

  • Set reasonable connection timeouts

  • Keep DB in private subnet

When NOT to Use RDS Proxy

  • Low traffic applications

  • Long-running transactions

  • Applications that manage pooling efficiently

Final Thoughts

RDS Proxy is a must-have for modern AWS architectures using Lambda, ECS, or autoscaling EC2s. When configured correctly, it dramatically improves stability, security, and scalability.

Most issues come from networking and IAM, not the proxy itself.

Key Takeaways

  • RDS Proxy manages DB connections efficiently

  • Secrets Manager is mandatory

  • Security groups matter the most

  • Always test from private subnets

Written from hands-on DevOps production experience.

Comments

Post a Comment