How to whitelist a particular IP and allow it to connect to your RDS database.

What This Is About

By default, if you create an Amazon RDS MySQL database you won’t be able to connect to it unless you specifically whitelist inbound traffic sources.

In this post, I will show you step by step in the easiest way possible how to allow an IP to connect to your RDS instance (in other words, open port 3306). I am assuming this will be helpful for developers using RDS for the first time and wondering why they can’t just connect! 🤯

The same instructions will, for the most part, also work to open firewall ports for your AWS EC2 instances.

Note: when creating your RDS instance, make sure you choose to make it publicly accessible (it’s an option that appears when you create the database).

Steps To Whitelist an IP

Step 1

Choose your RDS database from the list of instances.

Step 2

Scroll to the “Details” section, find “Security groups”, and click on the active security group link. This will take you directly to the security group where you need to whitelist the IP address.

Step 3

Make sure the security group that belongs to your RDS database is selected/highlighted. If you are not sure which one it is, you can match them by the VPC ID (in this case it’s the one ending in 0bc0) or the Group ID (ending in 6cbf).

Step 4

Click on “Inbound” at the bottom (you can also right click the highlighted item and click “Edit inbound rules”). Then click “Edit”.

Step 5

In this last step you will just need to select the port to whitelist. If you are using the default MySQL port then selecting the “MYSQL/Aurora” option works. If you are using a custom port for your database, then under the “Type” dropdown select “Custom TCP Rule” and type the port number in the “Port Range” field.

Step 6

Under “Source” we finally add the IP address or IP range we need to whitelist. Note: The IP addresses you enter here must be in the range format (CIDR notation), which means that you need to append /32 to the end of your IP address.

Example: to whitelist 8.8.8.8 you need to enter 8.8.8.8/32 in the source field.

Don’t forget to click “Save”, and then you are done ✅
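The same six steps can be done with the AWS CLI. The script below is an added example, not part of the original post: it normalises the source to CIDR form, refuses malformed or overly broad ranges, looks up the instance's security group, and adds the single inbound rule. The function names, the `MIN_PREFIX` policy and the `mydb` identifier are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. MIN_PREFIX is an assumed local policy.
MIN_PREFIX=24   # refuse ranges wider than a /24, which also blocks 0.0.0.0/0

# Normalise a source to CIDR form (bare IP -> /32); fail on malformed or broad input.
to_cidr() {
    case "$1" in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    case "$addr" in ''|*[!0-9.]*|*.) return 1 ;; esac
    case "$prefix" in ''|???*|*[!0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$prefix" -le 32 ] && [ "$prefix" -ge "$MIN_PREFIX" ] || return 1
    printf '%s/%s\n' "$addr" "$prefix"
}

# Steps 1-3: find the security group attached to the RDS instance.
rds_security_group() {
    aws rds describe-db-instances --db-instance-identifier "$1" \
        --query 'DBInstances[0].VpcSecurityGroups[0].VpcSecurityGroupId' \
        --output text
}

# Steps 4-6: add one inbound TCP rule (default port 3306) for the validated source.
# usage: allow_source <db-identifier> <ip-or-cidr> [port]
allow_source() {
    cidr=$(to_cidr "$2") || { echo "refusing source: $2" >&2; return 1; }
    sg=$(rds_security_group "$1") || return 1
    aws ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol tcp --port "${3:-3306}" --cidr "$cidr"
}

# Only act when arguments are given, e.g.: sh allow-rds.sh mydb 8.8.8.8
if [ "$#" -ge 2 ]; then allow_source "$@"; fi
```
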

Verify You Can Connect

Personally, I like using telnet to check for open ports. In our case we can do the following to check if we can connect to the database instance after whitelisting the IP:

$ telnet hostname_or_endpoint_or_database_ip port

A successful connection to port 3306

In the screenshot above, seeing the “Connected….” means that we can successfully connect to the RDS instance. If you only see the “Trying ….” line then you are still unable to access the instance.

If you are still unable to connect

  • Repeat the steps and make sure you followed all instructions
  • Make sure that your RDS instance is set to “Publicly Accessible”
  • Verify you are trying to connect from the same IP address you whitelisted


One of the cool things that Google Cloud Storage supports is the AWS S3 interoperability mode. This mode allows you to use almost the same API used for AWS S3 to deal with Google Cloud Storage including authentication.

It relies on the same variables needed for S3:

  • Access Key
  • Secret Key
  • Bucket
  • Region

While pretty much all of the operations work fine in an S3-like way, signing URLs won’t, since Google uses a different URL signing method. This becomes problematic if you want to use Google Cloud Storage as a Laravel filesystem using the S3 driver.

I am going to show how you can create a signed URL using a PHP function that has no dependencies, no service account needed, and no key file.

Creating a signed download URL

<?php

$filepath = 'path/to/file.tar.gz'; // do not include the bucket name, no slash in the beginning
$bucket = 'my-bucket-name';
$key = 'GOOGSOMEKEYHERE'; // key
$secret = 'aNdTHEsecretGoesRitghtHere'; // secret

function getSignedGoogleCloudStorageUrl($filepath, $bucket, $secret, $key, $duration = 50)
{
    $expires = new DateTime('+ ' . $duration . ' seconds');
    $seconds = $expires->format('U');

    $objectPieces = explode('/', $filepath);
    array_walk($objectPieces, function (&$piece) {
        $piece = rawurlencode($piece);
    });
    $objectName = implode('/', $objectPieces);

    $resource = sprintf(
        '/%s/%s',
        $bucket,
        $objectName
    );

    $headers = []; // you may add any headers needed here

    $toBeSignedArray = [
        'GET',
        '', // contentMd5, can be left blank
        '', // contentType, can be left blank
        $seconds,
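        // custom headers (if any) each go on their own line before the resource
        ($headers ? implode("\n", $headers) . "\n" : '') . $resource,
    ];

    // the fields of the string to sign are separated by newlines
    $toBeSignedString = implode("\n", $toBeSignedArray);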
    $encodedSignature = urlencode(base64_encode(hash_hmac('sha1', $toBeSignedString, $secret, true)));

    $query   = [];
    $query[] = 'GoogleAccessId=' . $key;
    $query[] = 'Expires=' . $seconds;
    $query[] = 'Signature=' . $encodedSignature;

    // use the URL-encoded resource so the requested path matches the signed one
    return "https://storage.googleapis.com{$resource}?" . implode('&', $query);
}

This is the same signing function used by Google’s PHP SDK but simplified to only support the GET method for file downloads. Additionally, it utilizes the hidden fact that you can replace the GoogleAccessId with the Key and use the Secret Key to sign the payload.