
booni3:

Amazon RDS connection over SSH tunnel, via forge (no PEM key file)

I have provisioned an EC2 instance via forge. When doing this, you do not get the opportunity to download the PEM key. Instead, I have added my local key to the forge SSH configuration.

I can now SSH into the EC2 instance with ssh forge@IPADDRESS - all good.

I have an RDS instance set up within the same VPC. I have tested this from the EC2 instance and can:

  • Connect to MySQL via my EC2 instance in a terminal, using:
    mysql -h RDSINSTANCE.ENDPOINT.eu-west-2.rds.amazonaws.com -u USERNAME -p
  • Check that port 3306 is open via telnet:
    telnet RDSINSTANCE.ENDPOINT.eu-west-2.rds.amazonaws.com 3306

The above all seems to suggest that the RDS instance has a connection to the EC2 instance.

I now need to open an SSH tunnel from my laptop, to connect Sequel Pro. Due to not having the PEM file, I have opened an SSH tunnel using the command:

ssh -L 3307:FORGE-PRIVATE-IP:3306 forge@FORGE-PUBLIC-IP

This appears to work ok. However, when trying to connect to SQL via Sequel Pro with settings:

  • HOST: 127.0.0.1
  • PORT: 3307
  • USER: USERNAME
  • PASSWORD: PASSWORD

I get the following error from Sequel Pro:

Lost connection to MySQL server at 'reading initial communication packet', system error: 0

and in verbose mode in terminal:

debug1: Connection to port 3307 forwarding to 172.30.0.110 port 3306 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection refused
debug1: channel 2: free: direct-tcpip: listening port 3307 for 172.30.0.110 port 3306, connect from 127.0.0.1 port 56172 to 127.0.0.1 port 3307, nchannels 3

AWS support seem to think this is because the tunnel is not setup correctly, but I am unsure of any other ways.

aurawindsurfing:

Probably the easiest solution to connect to your EC2 instance would be to use its internal address and not the public one. This way you will not need to set up any tunnel at all.

Try it that way maybe. Obviously you will still need your ssh keys to connect from your development environment.

Hope it helps!

booni3:

Thanks @aurawindsurfing . I actually have the EC2 instance connected to RDS using the private IP already. So my app works ok... I am just trying to connect to my development environment. So for this I believe the only way is to either SSH tunnel through the EC2 instance or open up the IP.

I can connect to RDS by opening up the IP address, but I would rather SSH tunnel. Unless there are any other ways?

booni3 (OP), Best Answer:

I found the issue. The SSH tunnel should be set up using the RDS endpoint rather than the IP address:

ssh -L 3307:RDSINSTANCE.ENDPOINT.eu-west-2.rds.amazonaws.com:3306 forge@FORGE-PUBLIC-IP

The security rules in the VPC between the EC2 instance and the RDS instance should use the private IP, i.e. the RDS inbound security group should allow MySQL/Aurora from the EC2 private IP.
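The verbose output in the question shows what went wrong with the first tunnel: the `-L` target was FORGE-PRIVATE-IP, so sshd on the Forge box tried to connect to 172.30.0.110:3306, its own private address, where no MySQL is listening, and reported "connect failed: Connection refused". The tunnel "appeared to work" only because the local listener on 3307 bound fine; `-L` forwards are resolved per connection, on the bastion, so a bad target only surfaces when a client connects. The helper below is an added example, not code from the thread or from Forge: it builds the corrected tunnel and client commands, and classifies `ssh -v` lines so the three common failures can be told apart. The hostnames, port and user in the demo are placeholders; the sample log lines are the ones quoted in the question.

```shell
#!/bin/sh
# Added example: helpers for tunnelling to RDS through a Forge-provisioned EC2
# bastion. Hostnames, ports and the user below are placeholders, not values
# from the original thread.
set -eu

# Build the ssh command for a local port forward through the bastion.
#  - The forward target is the RDS endpoint: sshd on the EC2 instance resolves
#    it inside the VPC to the database's private address. Pointing it at the
#    instance's own private IP makes sshd dial itself on 3306, where nothing
#    listens ("connect failed: Connection refused" in the -v output).
#  - The listener is bound to 127.0.0.1 explicitly so the forwarded DB port is
#    never reachable from the laptop's LAN interfaces.
#  - ExitOnForwardFailure makes ssh exit if the local listener cannot be bound
#    (e.g. port already in use). It does not catch a target that refuses:
#    that only shows up per connection, as in the question.
#  - -N opens no remote shell; the session exists only for the forward.
build_tunnel_cmd() {
  local_port="$1"; rds_endpoint="$2"; bastion="$3"
  printf 'ssh -o ExitOnForwardFailure=yes -N -L 127.0.0.1:%s:%s:3306 forge@%s' \
    "$local_port" "$rds_endpoint" "$bastion"
}

# Open the tunnel in the background. Not executed in this file; call it with
# real values. Word splitting of the built command is intentional.
open_tunnel() {
  cmd=$(build_tunnel_cmd "$@")
  $cmd -f
}

# Client command for a test query through the tunnel. 127.0.0.1 rather than
# "localhost", plus --protocol=TCP, keeps the mysql client off the Unix socket.
build_client_cmd() {
  local_port="$1"; db_user="$2"
  printf 'mysql --protocol=TCP -h 127.0.0.1 -P %s -u %s -p' "$local_port" "$db_user"
}

# Classify one line of `ssh -v` output from a tunnel session.
#   refused    - target address answered, nothing listens on that port
#                (wrong host, the case in the question)
#   timeout    - packets dropped; what a security group or NACL that does not
#                allow the bastion's traffic looks like
#   prohibited - sshd on the bastion has AllowTcpForwarding off
#   requested  - a client connected and a forward was requested
classify_ssh_line() {
  case "$1" in
    *"connect failed: Connection refused"*)   echo refused ;;
    *"connect failed: Connection timed out"*) echo timeout ;;
    *"administratively prohibited"*)          echo prohibited ;;
    *"forwarding to "*" requested."*)         echo requested ;;
    *)                                        echo other ;;
  esac
}

# Summarise a whole -v log read from stdin: the first failure token, "ok" when
# a forward was requested and no channel open failed, else "no-forward".
diagnose_log() {
  requested=0
  while IFS= read -r line; do
    t=$(classify_ssh_line "$line")
    case "$t" in
      requested) requested=1 ;;
      refused|timeout|prohibited) echo "$t"; return 0 ;;
    esac
  done
  if [ "$requested" -eq 1 ]; then echo ok; else echo no-forward; fi
}

# The verbose lines quoted in the question, used here as a stand-in for a live run.
SAMPLE_LOG='debug1: Connection to port 3307 forwarding to 172.30.0.110 port 3306 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection refused
debug1: channel 2: free: direct-tcpip: listening port 3307 for 172.30.0.110 port 3306, nchannels 3'

printf '%s\n' "$SAMPLE_LOG" | diagnose_log   # prints: refused
build_tunnel_cmd 3307 RDSINSTANCE.ENDPOINT.eu-west-2.rds.amazonaws.com FORGE-PUBLIC-IP; echo
build_client_cmd 3307 USERNAME; echo
```

Run the tunnel command with `-v` added and feed the output to `diagnose_log` when a client cannot connect: "refused" means re-check the forward target, "timeout" means the RDS security group or a NACL is dropping the bastion's traffic. For the security group itself, referencing the EC2 instance's security group as the source (instead of its private IP, as the accepted answer does) keeps the rule valid if the instance is replaced or its private address changes.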
