Setup Access for Publicly Accessible RDS

I feel like this is a weird question that might not even be an issue with my Tailscale setup but here goes. We have 2 RDS databases, a primary and a replica. The primary is not publicly accessible and is access controlled via security groups within our VPC. The replica is publicly available and that is controlled via IP restrictions in a security group. They are both in the same VPC but on different subnets. The private subnet that the primary is in has a route table with a local and a NAT gateway entry. The public subnet that the replica is in has a local and an internet gateway entry.

I’ve set up Tailscale with a subnet router according to the docs. I can access the private primary RDS instance but I cannot access the read-only replica. The connection times out as if it can’t resolve the host name or as if a security group is preventing access. I’ve triple-checked everything (CAVEAT: I’m a networking neophyte) and the only difference I can see is the NAT gateway versus internet gateway in the route tables.

My main question is just to confirm that I should be able to set up access via Tailscale to the replica in the public subnet. I don’t see why it should matter whether it’s publicly accessible or not.

I’d welcome any tips for debugging why connections to the replica time out.

Having slept on this and had nightmares about it, I think the issue is the public accessibility. I think the traffic to this RDS instance from my machine is never going through the Tailscale network. I think it’s trying to go out through the public internet because that’s how the URL resolves. Wondering if I could do some trickery in Split DNS to force particular URLs through the Tailscale network?

Yep, totally: I just added the full URL of the publicly accessible RDS instance in Split DNS and pointed it at the VPC nameserver. It all works. This can be closed if there is a concept of a closed issue.

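To make the resolution problem from the posts above concrete, here is an added diagnostic (not code from the thread or from Tailscale) that shows why a publicly accessible RDS endpoint bypasses the subnet router when resolved from a public resolver, and why a Split DNS entry pointing at the VPC's Route 53 Resolver (VPC CIDR base + 2) fixes it. The VPC CIDR, hostname and DNS answers are constructed sample values.

```python
import ipaddress

def vpc_resolver(vpc_cidr: str) -> str:
    """Address of the Route 53 Resolver for a VPC: the VPC CIDR base plus two."""
    return str(ipaddress.ip_network(vpc_cidr, strict=False)[2])

def covered_by_routes(ip: str, advertised_routes) -> bool:
    """True if traffic to ip is steered into the tailnet by an advertised subnet route."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in advertised_routes)

def diagnose(answers_by_resolver: dict, advertised_routes) -> dict:
    """For each resolver the client might use, record the answer it gives for the
    RDS hostname and whether that answer is reachable through the subnet router."""
    return {
        resolver: {"ip": ip, "via_tailscale": covered_by_routes(ip, advertised_routes)}
        for resolver, ip in answers_by_resolver.items()
    }

def split_dns_entry(hostname: str, vpc_cidr: str) -> dict:
    """The Split DNS mapping the thread settled on: send lookups for the RDS
    hostname to the VPC's own resolver so the private address is returned."""
    return {"domain": hostname, "nameserver": vpc_resolver(vpc_cidr)}

# Constructed sample: a /16 VPC advertised in full by the subnet router.
VPC_CIDR = "10.20.0.0/16"
ADVERTISED = ["10.20.0.0/16"]
REPLICA_HOST = "replica.PLACEHOLDER.us-east-1.rds.amazonaws.com"  # hypothetical name
# A publicly accessible endpoint answers with a public IP from a public resolver
# and with its private IP from the VPC resolver (constructed answers).
ANSWERS = {
    "public resolver": "203.0.113.25",
    "vpc resolver " + vpc_resolver(VPC_CIDR): "10.20.3.41",
}

if __name__ == "__main__":
    for resolver, r in diagnose(ANSWERS, ADVERTISED).items():
        state = "routed through tailnet" if r["via_tailscale"] else "bypasses tailnet (times out)"
        print(f"{resolver}: {REPLICA_HOST} -> {r['ip']}: {state}")
    print("Split DNS entry:", split_dns_entry(REPLICA_HOST, VPC_CIDR))
```

The same check applies to the non-public primary: its endpoint only resolves inside the VPC, so without the Split DNS entry the client never gets an address at all.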

Was hoping this would help me also, but no luck.
I just have an RDS in a private subnet (not publicly accessible). I tried the docs and that didn’t work.
I also tried the suggestion above to add the full RDS URL to the Split DNS configuration; that didn’t work for me either. The Tailscale subnet router is online and has published routes. The Tailscale subnet router is also in the private subnet and has access to the DB via security groups.

It’s been a hot minute since I did this, but I don’t think the full RDS URL ended up being the final answer. This worked for one of our databases, but I have 2 others without the full URL in Tailscale DNS and they resolve properly. I have IP forwarding enabled on the subnet routers; not sure if that’s required for this. I also have Split DNS set up to point at the DNS for each VPC (dev, stage and prod for us) that the RDS instances live in. However, that’s in the docs, so I assume you’ve done that.

The main difference I see is that our Tailscale subnet router is in a public subnet and not in the private ones that the RDS instances are in.

Not sure any of this helps, but happy to provide other info.