Secure Cross-VPC Connections Part 3: EC2 to RDS with Lattice Service Network VPC Associations


In the final part of this three-part series, we explore how Amazon VPC Lattice Service Network VPC Associations provide a secure way to connect EC2 instances directly to RDS databases in a different VPC, without traditional networking constructs such as VPC peering or Transit Gateway.

Published Jun 4, 2025
This blog is the final blog in a three-part series. Check out the other parts at the following links:
  1. Part 3: We are here!

VPC Lattice Patterns

Amazon VPC Lattice is a fully managed application networking service that you use to connect, secure, and monitor the services and resources for your application. Amazon VPC Lattice enables service-to-service connectivity, eliminating the need to connect VPCs using VPC peering or Transit Gateway.
There are several ways to use Amazon VPC Lattice to connect to RDS instances. The patterns are listed below; this blog explores the Lattice Service Network VPC Association pattern.
  • Resource Endpoint. Features: a 1:1 mapping between a resource endpoint and a resource configuration is possible, which allows a dedicated security group per resource endpoint. Note: IP addresses from the VPC's own IP space are consumed to enable connectivity.
  • Lattice Service Network VPC Endpoint. Features: a single endpoint in the VPC connects to all of your Lattice services and resources. Note: IP addresses from the VPC's own IP space are consumed to enable connectivity.
  • Lattice Service Network VPC Association. Features: connectivity is provided over link-local addresses managed by VPC Lattice (169.254.171.0/24 for IPv4) rather than addresses from the VPC CIDR. Note: no IP addresses are consumed within the VPC. Clients connect using the Lattice-provided DNS name; the resource's original DNS name (for example the RDS endpoint) cannot be used.
If you're keen to find out more, this AWS re:Invent 2024 video provides great explanations for the patterns listed above.

Architecture

In this blog we will be deploying the following architecture.
  1. RDS instance in the Provider VPC is private.
  2. A Resource Gateway is created in the Provider VPC. This is the point of inbound traffic into the VPC where the RDS instance resides. A VPC must have a resource gateway if you plan on making resources inside the VPC accessible from other VPCs or accounts.
  3. The resource configuration represents the RDS instance that we want to make accessible to the Consumer VPC. By defining a resource configuration, you can allow private, secure, unidirectional network connectivity to resources in your VPC from clients in other VPCs and accounts. A resource configuration is associated with a resource gateway through which it receives traffic.
  4. A Lattice Service Network is created in the AWS Account. A service network is a logical collection of resource configurations and VPC Lattice services. The resource configuration mentioned above is associated with this Service Network.
  5. We then associate the Consumer VPC with the Lattice Service Network. This allows clients in the consumer VPC to send requests to services and resources specified in resource configurations associated with the Service Network.
  6. An Amazon EC2 instance is also created in the Consumer VPC to test connections to RDS. For convenience, we create an S3 Gateway Endpoint in the Consumer VPC for the EC2 instance to install packages without internet access. We also create the necessary VPC interface endpoints to enable session manager access.
Architecture Diagram

Deployment

To implement this solution, you'll need to navigate to this GitHub repository folder where you'll find the deployment instructions to provision all necessary resources using Terraform.
Running terraform apply produces output that shows the commands and the password used to connect to the RDS instance. The password is output in plaintext for demo purposes only. In a real environment you would keep it in a secrets management tool such as HashiCorp Vault or AWS Secrets Manager. In addition, if you generate the RDS password with Terraform, use an ephemeral random_password resource together with the AWS provider's write-only password argument so that the password is never persisted in Terraform state.
Terraform apply output

Relevant deployed resources

RDS instance

Navigate to the Amazon RDS console and choose Databases. Then choose the terraform-* RDS instance to view its Connectivity & security tab. Optional: note the VPC ID and, in the VPC console, verify that no VPC peering connection or Transit Gateway attachment exists for this VPC.
RDS instance connectivity and security

Resource Gateway

The resource gateway's details page lists the resource configurations associated with it. Note that the resource configuration of type Child was created automatically when the resource configuration of type ARN was created.
Resource Gateway details

Resource Configuration

Navigate to the VPC Console and under PrivateLink and Lattice, choose Resource configurations. Then choose the rds resource configuration.
Resource Configurations
In the Service network associations tab, verify that the resource configuration is associated with the Lattice Service Network. Click the service network name (in the screenshot below it is ec2-rds-service-network) to open the details of the Lattice Service Network that the resource configuration is associated with.
Resource Configuration Service Network associations

Lattice Service Network

The Resource configuration associations tab of the Lattice Service Network also shows the two resource configuration associations (the ARN-type configuration and its automatically created child) that we verified earlier.
Lattice service network resource configuration associations
Click on the Association ID that corresponds to the resource configuration name that starts with rcfg. From the screenshot above, it is snra-0881598b007aa0c97. This value will be different for your deployment. This leads to the association details page. Note the value of the DNS entry: Domain name. This is the domain that is used by the client to connect to RDS over the Lattice Service Network VPC Association.
Resource Configuration Association DNS entries
In the VPC associations tab, verify that the Lattice Service Network has an associated VPC. It is associated with the Consumer VPC.
Lattice service network VPC associations

Security Groups

The architecture diagram shows the security groups and their rules that allow traffic from the EC2 instance to the RDS instance through the Lattice Service Network VPC Association and the Resource Gateway.
  • RDS Instance security group allows inbound traffic from the Resource Gateway security group on the database port
  • Resource Gateway security group allows outbound traffic to the RDS Instance security group on the database port
  • Lattice Service Network VPC Association security group allows inbound traffic from the EC2 Client security group on the database port
  • EC2 Client security group allows outbound traffic to the Lattice Service Network VPC Association security group on the database port
Architecture diagram with Security Groups
RDS Security Group
RDS Security Group has an inbound rule that allows traffic on the database port from the Resource Gateway Security Group
RDS Security Group Inbound Rules
RDS Security Group does not have any outbound rules. Security groups are stateful, so responses to connections allowed by the inbound rule return without an outbound rule; removing the default allow-all egress rule is what keeps this group least-privilege.
RDS Security Group Outbound Rules

Resource Gateway Security Group

Resource Gateway Security Group does not have any inbound rules
Resource Gateway Security Group Inbound Rules
Resource Gateway Security Group has an outbound rule to the RDS Security Group on the database port.
Resource Gateway SG Outbound

Lattice Service Network VPC Association Security Group

Lattice Service Network VPC Association Security Group has an inbound rule that allows traffic on the database port from the EC2 Client Security Group.
Lattice Service Network VPC Association Security Group Inbound Rules
Lattice Service Network VPC Association Security Group does not have any outbound rules
Lattice Service Network VPC Association Security Group Outbound Rules

EC2 Client Security Group

EC2 Client Security Group does not have any inbound rules
EC2 Client Security Group Inbound Rules
EC2 Client Security Group has an outbound rule to the Lattice Service Network VPC Association Security Group on the database port. The other outbound rule allows HTTPS, which the instance needs to download the PostgreSQL client through the S3 gateway endpoint and to reach the Session Manager interface endpoints.
EC2 Client Security Group Outbound Rules
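The four security groups above only form a least-privilege path if every rule on the database port references another security group and the only edges present are the two hops that carry traffic (client to VPC association, resource gateway to RDS). The following audit encodes that as a check that can be run against describe-security-groups output. It is an added example and not code from the post or its Terraform repository; the sample groups are constructed in the shape of `aws ec2 describe-security-groups` output, and the sg-* IDs and group names are placeholders rather than values from the deployment.

```python
"""Audit the four security groups on the EC2 -> Lattice -> Resource Gateway -> RDS path.

Added example, not code from the post's Terraform repository. SAMPLE_GROUPS is
constructed in the shape of `aws ec2 describe-security-groups` output with
placeholder group IDs.
"""
import copy
from typing import Dict, List, Optional, Set, Tuple

DB_PORT = 5432
Edge = Tuple[str, str]  # (source security group, destination security group)


def make_rule(port: int, *, to_sg: Optional[str] = None, cidr: Optional[str] = None) -> Dict:
    """One TCP rule in describe-security-groups shape, referencing a group or a CIDR."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": to_sg}] if to_sg else [],
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
        "Ipv6Ranges": [], "PrefixListIds": [],
    }


# Constructed sample: the rule set the post describes (placeholder group IDs).
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-ec2client", "GroupName": "ec2-client",
     "IpPermissions": [],
     # The 443 rule stands in for the S3 gateway / Session Manager endpoint access; not on the DB port.
     "IpPermissionsEgress": [make_rule(DB_PORT, to_sg="sg-snva"), make_rule(443, cidr="0.0.0.0/0")]},
    {"GroupId": "sg-snva", "GroupName": "lattice-service-network-vpc-association",
     "IpPermissions": [make_rule(DB_PORT, to_sg="sg-ec2client")], "IpPermissionsEgress": []},
    {"GroupId": "sg-rgw", "GroupName": "resource-gateway",
     "IpPermissions": [], "IpPermissionsEgress": [make_rule(DB_PORT, to_sg="sg-rds")]},
    {"GroupId": "sg-rds", "GroupName": "rds",
     "IpPermissions": [make_rule(DB_PORT, to_sg="sg-rgw")], "IpPermissionsEgress": []},
]

# The two hops that carry database traffic. VPC Lattice sits between them, which is why
# the VPC association group needs no egress and the resource gateway group no ingress.
EXPECTED_CHAIN: List[Edge] = [("sg-ec2client", "sg-snva"), ("sg-rgw", "sg-rds")]


def covers(rule: Dict, port: int) -> bool:
    """True if the rule matches TCP traffic on `port` (protocol -1 means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def db_port_edges(groups: List[Dict], port: int) -> Tuple[Set[Edge], Set[Edge]]:
    """Group-to-group edges on `port`, as declared by egress rules and by ingress rules."""
    egress: Set[Edge] = set()
    ingress: Set[Edge] = set()
    for g in groups:
        for r in g["IpPermissionsEgress"]:
            if covers(r, port):
                egress.update((g["GroupId"], p["GroupId"]) for p in r["UserIdGroupPairs"])
        for r in g["IpPermissions"]:
            if covers(r, port):
                ingress.update((p["GroupId"], g["GroupId"]) for p in r["UserIdGroupPairs"])
    return egress, ingress


def audit_chain(groups: List[Dict], chain: List[Edge], port: int = DB_PORT) -> List[str]:
    """Return findings; an empty list means the groups implement exactly the expected chain."""
    findings: List[str] = []
    # 1. Traffic on the DB port must only ever be allowed by security group reference.
    for g in groups:
        for direction in ("IpPermissions", "IpPermissionsEgress"):
            for r in g[direction]:
                if covers(r, port) and (r["IpRanges"] or r.get("Ipv6Ranges") or r["PrefixListIds"]):
                    findings.append(f"{g['GroupName']} {direction}: port {port} allowed from/to a CIDR or prefix list")
    # 2. Every hop needs its egress rule and the matching ingress rule, and nothing else on that port.
    egress, ingress = db_port_edges(groups, port)
    expected = set(chain)
    findings += [f"missing egress {s} -> {d} on port {port}" for s, d in sorted(expected - egress)]
    findings += [f"missing ingress on {d} from {s} on port {port}" for s, d in sorted(expected - ingress)]
    findings += [f"unexpected rule {s} -> {d} on port {port}" for s, d in sorted((egress | ingress) - expected)]
    return findings


def with_rule(groups: List[Dict], group_id: str, direction: str, rule: Dict) -> List[Dict]:
    """Copy of `groups` with one extra rule, for trying out a misconfiguration."""
    out = copy.deepcopy(groups)
    next(g for g in out if g["GroupId"] == group_id)[direction].append(rule)
    return out


if __name__ == "__main__":
    for label, groups in [
        ("as deployed", SAMPLE_GROUPS),
        ("rds open to the world", with_rule(SAMPLE_GROUPS, "sg-rds", "IpPermissions", make_rule(DB_PORT, cidr="0.0.0.0/0"))),
        ("client bypassing lattice", with_rule(SAMPLE_GROUPS, "sg-ec2client", "IpPermissionsEgress", make_rule(DB_PORT, to_sg="sg-rds"))),
    ]:
        print(label, "->", audit_chain(groups, EXPECTED_CHAIN) or ["OK"])
```

To run it against a real account, replace SAMPLE_GROUPS with the SecurityGroups list from `aws ec2 describe-security-groups --group-ids ...` and EXPECTED_CHAIN with your four group IDs; any finding is drift from the diagram above.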

Testing

Navigate to the EC2 console and view the Running instances. Check the checkbox next to the ec2-client EC2 instance and choose Connect.
EC2 Instances Connect
Choose the Session Manager tab and choose Connect.
Session Manager Connect

Test using the Lattice Service Network Resource Configuration Association DNS Name

In this test we will use the Lattice Service Network Resource Configuration Association DNS entry domain name to connect to the RDS instance.
Run the following commands to connect to the RDS PostgreSQL instance. Replace <REPLACE> with the Lattice Service Network Resource Configuration Association DNS entry domain name retrieved in the Relevant deployed resources section.
Then enter the password when prompted. This establishes a connection to the RDS instance via the Lattice Service Network VPC Association.
psql connect to lattice service network resource configuration association DNS entry domain name
Once connected you can play around with various SQL commands. For example:
psql connect to lattice service network sql command

Test using the RDS endpoint (expected failure)

Run the same commands again, this time replacing <REPLACE> with the RDS endpoint retrieved in the Relevant deployed resources section, and enter the password when prompted. Connecting using the RDS endpoint does not work, and psql reports: psql: error: connection to server at "terraform-20250523091147787100000005.c5yg4kykuk40.us-east-2.rds.amazonaws.com" (10.0.0.124), port 5432 failed: Connection timed out. The endpoint resolves to 10.0.0.124, a private address inside the Provider VPC; with no VPC peering or Transit Gateway there is no route to it from the Consumer VPC, so the TCP handshake never completes. This confirms that clients must use the Lattice DNS entry domain name, which resolves to a link-local address that VPC Lattice answers, and not the RDS endpoint.
psql connect to rds endpoint error
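The two tests above differ only in what the name resolves to: the Lattice domain name resolves to a link-local address that VPC Lattice answers from, while the RDS endpoint resolves to a private address in the Provider VPC that the Consumer VPC has no route to. The script below makes that visible before psql is involved, by resolving a name, classifying the answers and attempting only a TCP handshake on the database port. It is an added example and not part of the original post; the address ranges are the link-local ranges documented for VPC Lattice, and the host names in the usage line are placeholders for your own Lattice domain name and RDS endpoint.

```python
"""Pre-flight check for the two psql tests: what a name resolves to and whether port 5432 answers.

Added example, not part of the original post. Run on the EC2 client, which has no
other path to the Provider VPC. The resolver and connector are injectable so the
logic can be exercised offline with a constructed DNS table.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, List

# Addresses VPC Lattice answers from for a service network VPC association (no VPC CIDR space used).
LATTICE_RANGES = [ipaddress.ip_network("169.254.171.0/24"), ipaddress.ip_network("fd00:ec2:80::/64")]


def classify(ip: str) -> str:
    """'lattice' for a Lattice link-local address, 'private' for RFC 1918/ULA space, else 'other'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LATTICE_RANGES):
        return "lattice"  # checked first: 169.254.0.0/16 also counts as private below
    return "private" if addr.is_private else "other"


def resolve(host: str) -> List[str]:
    """All A/AAAA answers for host from the instance's resolver, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP handshake only; no PostgreSQL protocol traffic is sent."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # timeout, refused, unreachable
        return False


def diagnose(host: str, port: int = 5432,
             resolver: Callable[[str], List[str]] = resolve,
             connector: Callable[[str, int], bool] = tcp_reachable) -> Dict:
    """Resolve host, classify the answers and explain the expected outcome of a psql connection."""
    addresses = resolver(host)
    if not addresses:
        return {"host": host, "addresses": [], "kind": "unresolved", "reachable": False,
                "verdict": "name does not resolve from this VPC"}
    kinds = {classify(a) for a in addresses}
    kind = kinds.pop() if len(kinds) == 1 else "mixed"
    reachable = any(connector(a, port) for a in addresses)
    if kind == "lattice" and reachable:
        verdict = "reachable through the Lattice service network VPC association"
    elif kind == "lattice":
        verdict = ("Lattice address but the TCP connect failed: check the VPC association, "
                   "resource gateway and RDS security groups on port %d" % port)
    elif kind == "private" and not reachable:
        verdict = ("resolves to a private address in the provider VPC with no route from this VPC, "
                   "so a timeout is expected; connect with the Lattice domain name instead")
    elif kind == "private":
        verdict = "reachable on a private address, so some other path (peering, TGW, VPN) exists"
    else:
        verdict = "unexpected address type for a private RDS instance"
    return {"host": host, "addresses": addresses, "kind": kind, "reachable": reachable, "verdict": verdict}


if __name__ == "__main__":
    # Usage on the EC2 client (placeholders): python3 lattice_check.py <LATTICE_DOMAIN_NAME> <RDS_ENDPOINT>
    for name in sys.argv[1:]:
        result = diagnose(name)
        print(f"{name}: {result['addresses']} [{result['kind']}] reachable={result['reachable']}")
        print(f"  -> {result['verdict']}")
```

When you then connect with psql over TLS, note that the RDS server certificate carries the RDS endpoint name, not the Lattice domain name, so use sslmode=verify-ca (chain validation against the RDS CA bundle) rather than verify-full, which would also require the hostname to match.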

Conclusion

In this final instalment of this three-part series, I've demonstrated how Amazon VPC Lattice Service Network VPC Associations provide an elegant solution for cross-VPC database connectivity. This approach simplifies your architecture by eliminating the need for traditional networking constructs like VPC peering, Transit Gateway, or site-to-site VPNs, and it consumes no IP addresses from the Consumer VPC. One key difference from the approaches described in Parts 1 and 2 is that we must connect using the Lattice-provided DNS entry domain name; the original RDS endpoint cannot be used. Because that name differs from the one in the RDS server certificate, clients that verify TLS should use sslmode=verify-ca rather than verify-full.
Check out the other parts of the series that showcases the various patterns to connect your resources using Amazon VPC Lattice at the following links:
  1. Part 3: We are here!
     
