Support for AWS Private Link (VPC endpoints) or SSH Proxy Command (AWS IAM)

Hi,
Currently Retool requires us to either have a public AWS RDS instance (not preferred for many orgs where databases must not be Internet accessible) or connect via SSH tunneling (using an Internet-accessible EC2 bastion host).

It would be great if Retool could look into supporting AWS Private Link (VPC Endpoints) or, alternatively, SSH via AWS Systems Manager (see the section about ProxyCommand in "Step 8: (Optional) Allow and control permissions for SSH connections through Session Manager - AWS Systems Manager"). These alternatives would give customers more flexibility to connect Retool with non-public AWS RDS instances without needing to expose any resource (RDS or bastion host) to the Internet.
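As an added illustration (not part of the original post, and not Retool's code), this is the shape of the Session Manager ProxyCommand approach mentioned above: ssh reaches a private bastion through `aws ssm start-session` instead of a public IP, then forwards a local port to the private RDS endpoint. It assumes the AWS CLI and the Session Manager plugin are installed and the caller's IAM identity is allowed `ssm:StartSession` on the instance; the instance id, RDS hostname and ports are placeholders.

```shell
#!/bin/sh
# Added example: SSH to a private EC2 bastion via AWS Systems Manager Session
# Manager, then tunnel to a private RDS endpoint. Identifiers are placeholders.

# The ProxyCommand ssh runs instead of opening a TCP connection to the bastion.
# ssh expands %h to the target host (the instance id) and %p to the port.
ssm_proxy_command() {
  printf '%s' "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"
}

# An ssh_config stanza routing every "i-..." / "mi-..." host through Session Manager,
# so no inbound security-group rule or public IP is needed on the bastion.
ssm_ssh_config_stanza() {
  printf 'Host i-* mi-*\n    ProxyCommand sh -c "%s"\n    IdentitiesOnly yes\n' "$(ssm_proxy_command)"
}

# Full tunnel command: local port -> bastion (via SSM) -> private RDS endpoint.
# $1 bastion instance id, $2 ssh user, $3 RDS endpoint, $4 RDS port, $5 local port
ssm_rds_tunnel_command() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:%s:%s %s@%s' "$5" "$3" "$4" "$2" "$1"
}

# Guard against a non-numeric or out-of-range local port (common copy/paste slip).
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Stand-alone usage: print the stanza and the tunnel command for a placeholder setup.
if [ "${1:-}" = "--demo" ]; then
  ssm_ssh_config_stanza
  valid_port 15432 && ssm_rds_tunnel_command i-0123456789abcdef0 ec2-user mydb.placeholder.rds.amazonaws.com 5432 15432
  echo
fi
```

Append the stanza to `~/.ssh/config`, then run the printed `ssh -N -L ...` command and point the database client at `localhost:15432`; access is governed by IAM on `ssm:StartSession` rather than by network exposure.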

Hi @Spyridon_Dosis,

Thank you for those thoughtful suggestions. I agree it would be helpful to add these additional options to Retool configuration options.

The two options you mentioned would be very useful for higher-level security as they would allow access to non-public instances. Let me file a feature request to our permissions/auth team and I can keep this thread updated with any news that I hear :+1:

Hi @Spyridon_Dosis,

Just heard back from our Resources team; they told me that "We do support a reverse tunneling architecture with Retool RPC, so maybe this user can put a custom Retool RPC agent in front of their database".

As well as that, our existing SSH tunneling provides more or less the same security model as SSH ProxyCommand.

They also noted that AWS Private Link is not currently viable on cloud given the current resource connection lifecycle, but that this could be on the roadmap for enterprise/self-hosted customers.