Create the smallest EC2 instance available. Take note of the Virtual Private Cloud (VPC) network it is created in.
Configure the security group. This must allow connections from the outside internet to the bastion server. For example, you can look up your machine's IP address and allow SSH connections to this instance from it. In the example below, the developer's machine has an IP of
Just before you launch the instance, you should ensure that you have access to the SSH key that is associated with it.
Your database instance may have previously had some other configuration, but now it should be Not Publicly Accessible.
However, now your instance is completely closed off. Add a security group which will allow all connections to the instance within the VPC as below. The VPC of the RDS instance should be the same as the VPC of the EC2 Bastion Server above (security group name not shown).
Now your database instance is secured behind your private cloud network and your bastion server is accepting SSH connections.
Sometimes called a bastion server or bastion host, this is an EC2 Instance which allows your machine to connect to it. AWS recommends you only allow your IP address to connect over SSH.
Check the inbound connections for the Bastion server. Locate the SSH server hostname, labeled
Public IPv4 DNS.
Get the Hostname of the Bastion server.
You will need the key pair for the instance on your computer, with read only permissions
chmod 400 ~/.ssh/getarctype.pem. Ensure the name of this key matches the key associated with the instance.
Check that the local key pair and the instance key pair match.
For Amazon Linux Instances, the default username is
ec2-user. For ubuntu it is
ubuntu. You may be using an authentication service which has created a user for you on this instance.
With the SSH server hostname, user, and key pair you now need connection information for the database. Go into the RDS console or your credential store to retrieve this information.
Check out our tutorial on connecting to Postgres in AWS here to navigate the AWS Console and find your connection information.
In a SQL client like Arctype you can combine the information from the previous steps to connect to the Postgres database. Enter the RDS connection information as shown in the Arctype documentation. Check
Connect with SSH and more inputs will appear to add in the SSH Bastion credentials to create an SSH tunnel to connect to the Postgres database.
Add the private key path and EC2 credentials when connecting with SSH.
There is no need to run a separate SSH tunnel, although this can be done. In that case, the SQL client would connect to
Localhost and not use the SSH connection settings.