
Connect to Postgres with SSH on AWS

Create Bastion Server

Create the smallest EC2 instance available. Take note of the Virtual Private Cloud (VPC) network it is created in.

[Screenshot: AWS configure instance details]

Configure the security group. This must allow connections from the outside internet to the bastion server. For example, you can look up your machine's IP address and allow SSH connections to this instance from it. In the example below, the developer's machine has an IP of

[Screenshot: AWS configure security group]

Just before you launch the instance, you should ensure that you have access to the SSH key that is associated with it.

Lock down the RDS Instance

Your database instance may have previously had some other configuration, but now it should be Not Publicly Accessible.

[Screenshot: AWS connectivity]

However, now your instance is completely closed off. Add a security group which will allow all connections to the instance within the VPC as below. The VPC of the RDS instance should be the same as the VPC of the EC2 Bastion Server above (security group name not shown).

[Screenshot: AWS inbound rules]

Now your database instance is secured behind your private cloud network and your bastion server is accepting SSH connections.

Find the SSH Server Hostname

Sometimes called a bastion server or bastion host, this is an EC2 Instance which allows your machine to connect to it. AWS recommends you only allow your IP address to connect over SSH.

Check the inbound connections for the Bastion server. Locate the SSH server hostname, labeled Public IPv4 DNS.

Get the Hostname of the Bastion server.


Ensure Access to the SSH Key Pair

You will need the key pair for the instance on your computer, with read-only permissions: chmod 400 ~/.ssh/getarctype.pem. Ensure the name of this key matches the key associated with the instance.

Check that the local key pair and the instance key pair match.

For Amazon Linux instances, the default username is ec2-user. For Ubuntu it is ubuntu. You may be using an authentication service which has created a user for you on this instance.

Get the RDS Connection Information

With the SSH server hostname, user, and key pair in hand, you now need connection information for the database. Go into the RDS console or your credential store to retrieve this information.

Check out our tutorial on connecting to Postgres in AWS here to navigate the AWS Console and find your connection information.

Connect with SSH to your Postgres Database

In a SQL client like Arctype you can combine the information from the previous steps to connect to the Postgres database. Enter the RDS connection information as shown in the Arctype documentation. Check the Connect with SSH option; more inputs will appear for the SSH bastion credentials, which are used to create an SSH tunnel to the Postgres database.

Add the private key path and EC2 credentials when connecting with SSH.

There is no need to run a separate SSH tunnel, although this can be done. In that case, the SQL client would connect to localhost and not use the SSH connection settings.
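
The separate SSH tunnel mentioned above, as an added example that is not part of the original tutorial or of Arctype's own code: a POSIX shell script that checks the key file permissions, then forwards a loopback-only local port through the bastion to the RDS endpoint. The function names are hypothetical, and the bastion and RDS hostnames are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example: run the SSH tunnel by hand instead of through the SQL client.
# Function names are hypothetical; hostnames are supplied by the caller.

# key_is_private FILE: succeed only if FILE exists and grants nothing to
# group/other. OpenSSH refuses to use a private key that others can read.
key_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# forward_spec RDS_HOST [LOCAL_PORT] [RDS_PORT]: print the -L argument.
# Binding to 127.0.0.1 keeps the forwarded port off other interfaces.
forward_spec() {
    rds_host=$1
    local_port=${2:-5432}   # 5432 is the default Postgres port
    rds_port=${3:-5432}
    [ -n "$rds_host" ] || { echo "missing RDS endpoint" >&2; return 1; }
    case "$local_port$rds_port" in
        *[!0-9]*) echo "ports must be numeric" >&2; return 1 ;;
    esac
    printf '127.0.0.1:%s:%s:%s\n' "$local_port" "$rds_host" "$rds_port"
}

# open_tunnel KEY USER BASTION RDS_HOST [LOCAL_PORT]
open_tunnel() {
    key=$1 user=$2 bastion=$3
    if ! key_is_private "$key"; then
        echo "key missing or too open; run: chmod 400 $key" >&2
        return 1
    fi
    spec=$(forward_spec "$4" "${5:-5432}") || return 1
    # -N: forward only, no remote shell. IdentitiesOnly: offer just this key.
    # ExitOnForwardFailure: exit if the local port cannot be bound.
    exec ssh -i "$key" -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes \
        -N -L "$spec" "$user@$bastion"
}

# Runs only when arguments are given, e.g. (placeholder hostnames):
#   sh tunnel.sh ~/.ssh/getarctype.pem ec2-user <bastion-public-dns> <rds-endpoint>
if [ "$#" -ge 4 ]; then
    open_tunnel "$@"
fi
```

Once the tunnel is up, the SQL client connects to localhost on the chosen local port and leaves its SSH connection settings unused.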
