Home/ Questions/Q 8923949
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T07:16:03+00:00

I have an ec2 instance where I have installed mysql. The server listens to

  • 0

I have an ec2 instance where I have installed mysql. The server listens to connections from any ip (bind-address = 0.0.0.0).

I have set up the mysql security group in such a way that only my webapp instances can connect remotely to the mysql db.
For this I added a webapp-sg security group to my instance (webapp-sg restricts to http, https and ssh)
Then for my mysql instance, I simply used the webapp-sg group as the “source”. I have verified that
1. I can not remotely log in from outside ec2 instances
2. Within ec2 instance, I have to be on an ec2-instance that has the security group =webapp-sg

However, traffic between the webapp instance and mysql db would still be in clear text. What are the implications? (I see many articles that recommend the above set up).
Do people use “Mysql over ssl” for this – I suspect that would have performance implications?
Or does aws vpc resolve this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Short answer: this is the recommended way to operate. Go for it.

    Longer: It depends. Depends on the level of the security your app requires, and amount of work, complexity, availability and maintenance you are willing to spend.
    While theoretically it is advised that any inter-machine traffic should be encrypted, especially on a multi-tenant environment like public clouds –
    AWS has spent a lot of effort to make their basic security groups offering a solid one.
    see ‘Network Security’ chapter

    That, would make both eavesdropping or packet-spoofing very unlikely.
    If you’ll be realistic, there is a greater chance (by orders of magnitude) that hackers could use your web app bugs and vulnerabilities as the primary attack vector.

    Also probable, is a the chance of security groups misconfiguration. Dedicated services like Dome9 and Newvem might assist in getting insights and in managing you security configurations. (disclosure – I’m Dome9 co-founder)

    Last, VPC.
    While not architectually much different from EC2, it is recommended since it brings more configuration power, and a 2nd method to enforce your policy (Network ACLs).
    This might introduce some complexity and more maintenance, but can reduce misconfiguration effects.

    • 0