Secure Cross-VPC Connections Part 2: EC2 to RDS with VPC Lattice Service Network Endpoints

In the second part of this three-part series, we explore how Amazon VPC Lattice Service Network Endpoints provide a secure solution for connecting EC2 instances directly to RDS databases across different VPCs without traditional networking solutions like VPC peering and Transit Gateway.

Published Jun 3, 2025
Last Modified Jun 4, 2025
This blog is the second blog in a three-part series. Check out the other parts at the following links:
  1. Part 2: We are here!

VPC Lattice Patterns

Amazon VPC Lattice is a fully managed application networking service that you use to connect, secure, and monitor the services and resources for your application. Amazon VPC Lattice enables service-to-service connectivity, eliminating the need to connect VPCs using VPC peering or Transit Gateway.
There are several ways to use Amazon VPC Lattice to connect to RDS instances. The patterns are summarised below; this blog explores the Lattice Service Network Endpoint pattern.
  • Resource Endpoint
    Features: Option of a 1:1 mapping between the resource endpoint and the resource configuration, allowing a security group per resource endpoint.
    Note: IPs from the VPC IP space are used to enable connectivity.
  • Lattice Service Network VPC Endpoint
    Features: Uses a single endpoint in the VPC to connect to your Lattice services.
    Note: IPs from the VPC IP space are used to enable connectivity.
  • Lattice Service Network VPC Association
    Features: With a service network association, connectivity is enabled using non-routable public IPs.
    Note: No IPs are consumed within the VPC. Connectivity to the services uses the Lattice-provided DNS name; original DNS names (e.g. the RDS DNS name) cannot be used.
If you're keen to find out more, this AWS re:Invent 2024 video provides great explanations for the patterns listed above.

Architecture

In this blog we will be deploying the following architecture.
  1. RDS instance in the Provider VPC is private.
  2. A Resource Gateway is created in the Provider VPC. This is the point of inbound traffic into the VPC where the RDS instance resides. A VPC must have a resource gateway if you plan on making resources inside the VPC accessible from other VPCs or accounts.
  3. The resource configuration represents the RDS instance that we want to make accessible to the Consumer VPC. By defining a resource configuration, you can allow private, secure, unidirectional network connectivity to resources in your VPC from clients in other VPCs and accounts. A resource configuration is associated with a resource gateway through which it receives traffic.
  4. A Lattice Service Network is created in the AWS Account. A service network is a logical collection of resource configurations and VPC Lattice services. The resource configuration mentioned above is associated with this Service Network.
  5. In the Consumer VPC, we create a Lattice Service Network Endpoint that provides private access to resources and services that are associated to the service network. Using a service network endpoint, you can connect a service network to your VPC, and access those resources and services privately from your VPC or from on-premises. A service network endpoint lets you connect to one service network.
  6. An Amazon EC2 instance is also created in the Consumer VPC to test connections to RDS. For convenience, we create an S3 Gateway Endpoint in the Consumer VPC for the EC2 instance to install packages without internet access. We also create the necessary VPC interface endpoints to enable session manager access.
[Figure: Architecture Diagram]

Deployment

To implement this solution, you'll need to navigate to this GitHub repository folder where you'll find the deployment instructions to provision all necessary resources using Terraform.
Running terraform apply produces an output that shows the commands and the password used to connect to the RDS instance. This password is output in plaintext for demo purposes only. In a real environment you would use a secrets management tool such as HashiCorp Vault or AWS Secrets Manager. In addition, if you are using Terraform to deploy your RDS instance with a random password, you can use ephemeral resources so that the password is not persisted in state.
[Figure: Terraform apply output]

Relevant deployed resources

RDS instance

Navigate to the Aurora and RDS console and choose Databases. Then choose the terraform-* RDS instance to view its connectivity & security options. Optional: note the VPC ID, then navigate to the VPC console to verify that neither VPC peering nor a Transit Gateway attachment is configured for this VPC.
[Figure: RDS instance connectivity and security]

Resource Gateway

The Resource Gateway details page shows the resource configurations associated with it. Note that the resource configuration of type Child was created automatically after the resource configuration of type ARN was created.
[Figure: Resource Gateway details]

Resource Configuration

Navigate to the VPC Console and under PrivateLink and Lattice, choose Resource configurations. Then choose the rds resource configuration.
[Figure: Resource Configurations]
In the Service network associations tab, verify that the resource configuration is associated with the Lattice Service Network. Click the service network name (in the screenshot below, ec2-rds-service-network). This shows details about the Lattice Service Network that the resource configuration is associated with.
[Figure: Resource Configuration Service Network associations]

Lattice Service Network

The Resource configuration associations tab of the Lattice Service Network also shows the 2 resource configuration associations that we verified earlier.
[Figure: Lattice service network resource configuration associations]
In the Endpoint associations tab, verify that the Lattice Service Network has an associated VPC Endpoint. Click on the endpoint ID.
[Figure: Lattice service network endpoint associations]

VPC Endpoint

The VPC Endpoint has the following details:
  • Endpoint type: ServiceNetwork
  • Private DNS names enabled: Yes
Choose the Associations tab for the VPC Endpoint. Note the values in the DNS Name and Private DNS columns. The Private DNS value matches the RDS instance endpoint, which is why the original RDS endpoint name resolves to this endpoint from inside the Consumer VPC.
[Figure: Lattice Service Network Endpoint - Endpoint associations]

Security Groups

The architecture diagram shows the security groups and their rules that allow traffic from the EC2 instance to the RDS instance through the Lattice Service Network Endpoint and the Resource Gateway.
  • RDS Instance security group allows inbound traffic from the Resource Gateway security group on the database port
  • Resource Gateway security group allows outbound traffic to the RDS Instance security group on the database port
  • Lattice Service Network Endpoint security group allows inbound traffic from the EC2 Client security group on the database port
  • EC2 Client security group allows outbound traffic to the Lattice Service Network Endpoint security group on the database port
[Figure: Architecture diagram with Security Groups]
RDS Security Group
The RDS Security Group has an inbound rule that allows traffic on the database port from the Resource Gateway Security Group.
[Figure: RDS Security Group Inbound Rules]
The RDS Security Group does not have any outbound rules.
[Figure: RDS Security Group Outbound Rules]

Resource Gateway Security Group

The Resource Gateway Security Group does not have any inbound rules.
[Figure: Resource Gateway Security Group Inbound Rules]
The Resource Gateway Security Group has an outbound rule to the RDS Security Group on the database port.
[Figure: Resource Gateway SG Outbound]

Lattice Service Network Endpoint Security Group

The Lattice Service Network Endpoint Security Group has an inbound rule that allows traffic on the database port from the EC2 Client Security Group.
[Figure: Lattice Service Network Endpoint Security Group Inbound Rules]
The Lattice Service Network Endpoint Security Group does not have any outbound rules.
[Figure: Lattice Service Network Endpoint Security Group Outbound Rules]

EC2 Client Security Group

The EC2 Client Security Group does not have any inbound rules.
[Figure: EC2 Client Security Group Inbound Rules]
The EC2 Client Security Group has an outbound rule to the Lattice Service Network Endpoint Security Group on the database port. The other outbound rule shown exists to download the PostgreSQL client and to connect to Session Manager.
[Figure: EC2 Client Security Group Outbound Rules]
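The security group chain described in the overview list above and walked through group by group in the four subsections is easy to let drift. The following is an added example (not code from the post or its Terraform repository) of a drift check that confirms the four groups contain exactly the rules described and nothing else; it takes input in the shape of boto3's describe_security_groups response, and the group IDs, the 5432 database port and the allowlisted 443 rule are assumptions for the constructed sample.

```python
# Added example, not the post's or its repo's code: a drift check that the four
# security groups form exactly the chain the post describes and nothing more.
# Input shape: boto3 ec2.describe_security_groups()["SecurityGroups"]; group IDs
# and DB_PORT (PostgreSQL) below are assumptions for the constructed sample.
DB_PORT = 5432

def _rules(perms):
    """Flatten IpPermissions into (from_port, to_port, target); target is a
    referenced group ID or a CIDR, so CIDR-based rules are never overlooked."""
    out = set()
    for p in perms:
        ports = (p.get("FromPort"), p.get("ToPort"))
        out |= {ports + (g["GroupId"],) for g in p.get("UserIdGroupPairs", [])}
        out |= {ports + (r["CidrIp"],) for r in p.get("IpRanges", [])}
        out |= {ports + (r["CidrIpv6"],) for r in p.get("Ipv6Ranges", [])}
    return out

def audit_chain(groups, ids, port=DB_PORT, allowed_extra=()):
    """ids maps rds, rgw (Resource Gateway), sne (Service Network Endpoint) and
    ec2 to group IDs. Returns findings; an empty list means the chain matches."""
    by_id = {g["GroupId"]: g for g in groups}
    sg = lambda role: (port, port, ids[role])  # a rule that references one group
    expected = {  # (role, direction): the rules the post describes for that group
        ("rds", "IpPermissions"): {sg("rgw")}, ("rds", "IpPermissionsEgress"): set(),
        ("rgw", "IpPermissions"): set(), ("rgw", "IpPermissionsEgress"): {sg("rds")},
        ("sne", "IpPermissions"): {sg("ec2")}, ("sne", "IpPermissionsEgress"): set(),
        ("ec2", "IpPermissions"): set(), ("ec2", "IpPermissionsEgress"): {sg("sne")},
    }
    findings = []
    for (role, direction), want in expected.items():
        got = _rules(by_id[ids[role]].get(direction, [])) - set(allowed_extra)
        findings += [f"{role} {direction}: unexpected {r}" for r in sorted(got - want, key=str)]
        findings += [f"{role} {direction}: missing {r}" for r in sorted(want - got, key=str)]
    return findings

def group(gid, ingress=(), egress=()):
    """Build a describe_security_groups-style record from (port, target) pairs."""
    def perm(port, target):
        ref = ({"UserIdGroupPairs": [{"GroupId": target}]} if target.startswith("sg-")
               else {"IpRanges": [{"CidrIp": target}]})
        return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **ref}
    return {"GroupId": gid, "IpPermissions": [perm(*r) for r in ingress],
            "IpPermissionsEgress": [perm(*r) for r in egress]}

IDS = {"rds": "sg-rds", "rgw": "sg-rgw", "sne": "sg-sne", "ec2": "sg-ec2"}
# EC2's extra 443 rule (package download / Session Manager in the post) passes only because it is allowlisted.
ALLOWED = [(443, 443, "10.0.0.0/16")]
GOOD = [group("sg-rds", ingress=[(DB_PORT, "sg-rgw")]), group("sg-rgw", egress=[(DB_PORT, "sg-rds")]),
        group("sg-sne", ingress=[(DB_PORT, "sg-ec2")]),
        group("sg-ec2", egress=[(DB_PORT, "sg-sne"), (443, "10.0.0.0/16")])]
```

Run `audit_chain(GOOD, IDS, allowed_extra=ALLOWED)` against the sample for an empty result; feeding it the live describe_security_groups output with real group IDs reports any rule added outside the described chain, such as a CIDR-based ingress on the RDS group.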

Testing

Navigate to the EC2 console and view the Running instances. Check the checkbox next to the ec2-client EC2 instance and choose Connect.
[Figure: EC2 Instances Connect]
Choose the Session Manager tab and choose Connect.
[Figure: Session Manager Connect]

Test using the RDS endpoint

Run the following commands to connect to the RDS Postgres instance. Replace <REPLACE> with your RDS endpoint retrieved from the Relevant deployed resources section above.
Then enter the password when prompted. This establishes a connection to the RDS instance via the Lattice Service Network Endpoint.
[Figure: psql connect to rds endpoint]
Once connected you can try various SQL commands. For example:
[Figure: psql connect to rds endpoint sql command]

Test using the Lattice Service Network Endpoint DNS Name

In this test we use the VPC endpoint DNS name to connect to the RDS instance.
Run the following commands to connect to the RDS Postgres instance. Replace <REPLACE> with your Lattice Service Network Endpoint DNS name retrieved from the Relevant deployed resources section above.
Then enter the password when prompted. This establishes a connection to the RDS instance via the Lattice Service Network Endpoint.
[Figure: psql connect to lattice service network endpoint]
Once connected you can try various SQL commands. For example:
[Figure: psql connect to lattice service network endpoint sql command]

Conclusion

In this second instalment of this three-part series, I've demonstrated how Amazon VPC Lattice Service Network Endpoints provide an elegant solution for cross-VPC database connectivity. This approach simplifies your architecture by eliminating the need for traditional networking constructs like VPC peering, Transit Gateway, or site-to-site VPNs.
Check out the other parts of the series, which showcase the various patterns for connecting your resources using Amazon VPC Lattice, at the following links:
  1. Part 2: We are here!
