Robert Slootjes

AWS RDS & ElastiCache remote access with Port7777

Sometimes you just need to be able to quickly access a database that's inside a VPC. I stumbled upon a tool called Port7777 and it promises that it can do exactly that for both RDS and ElastiCache.

Disclaimer: This is not a sponsored post. My employer paid for a team license earlier this year and I am genuinely happy with it and I think it can greatly benefit others too.

Port7777

So, what is it and how does it work?

7777 automates the work of creating and using a jump server to reach private databases in AWS VPC.

By internally using AWS Fargate containers instead of EC2 instances, the setup time and costs are drastically reduced. 7777 creates jump servers using containers on the fly, and deletes them after you are finished.

Finally, everything runs in your AWS account, including the Fargate containers. Nothing is sent to 3rd party servers.

Simply said, the tool uses a Fargate container to set up an SSH tunnel between the remote database and your device, and cleans it up automatically afterwards so you don't have a server running 24/7.

Pricing

This tool is cheap, very cheap, maybe a bit too cheap for what it solves if you ask me:

  • $19 for a solo license, 1 user with unlimited databases, unlimited tunnels
  • $99 for a team license, unlimited users allowing it to be used in your team and CI/CD pipelines

Note that both licenses are a one-time purchase (!).

Obviously, running the Fargate container itself costs some money, but this costs only a few dollars per month per tunnel, assuming you don't need it all the time.

Security

While this tool is developed by 2 very trustworthy people, I didn't like the aspect of this tool grabbing my AWS credentials and doing something with them in a black box. I gave myself the task of coming up with a solution where we are in control of the credentials the tool could access.

Isolation with Docker

To increase security, I looked into the offered option of running 7777 in Docker and manually setting up the stack. This way I can be sure that the tool runs completely isolated and only has access to the AWS credentials that I specifically specified with the correct policy. While there was some documentation on manual installation available, it took me a while to figure it out.

Basically the steps are:

  • Install Port7777 stack using CloudFormation
  • Create a policy + user with minimal permissions
  • Store credentials for this user in an env file
  • Start Port7777 inside a Docker container passing the env file containing the AWS permissions
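
A pre-flight check for the env file used in the last two steps, as an added example that is not part of the original post or the author's repository. The function name `check_env_file` and the allow-list of variable names are assumptions; the check rejects files that are readable by other users, that carry extra variables, or that contain a bare variable name, which `docker run --env-file` would fill in from the host environment.

```shell
#!/bin/sh
# Added example: pre-flight check for the file given to `docker run --env-file`.
# ALLOWED is an assumption: the standard AWS SDK credential/region variables.
ALLOWED='AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION AWS_DEFAULT_REGION'

# Print a file's octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_env_file FILE: return 0 if FILE is safe to hand to the container,
# otherwise print the reason on stderr and return 1.
check_env_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    case $(file_mode "$f") in
        600|400) ;;                       # readable by the owner only
        *) echo "$f: mode must be 600 or 400" >&2; return 1 ;;
    esac
    seen=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank lines and comments
            *=*) name=${line%%=*} ;;
            *)  # a bare NAME makes Docker copy the value from the host environment
                echo "$f: '$line' has no value" >&2; return 1 ;;
        esac
        case " $ALLOWED " in
            *" $name "*) ;;
            *) name='' ;;                 # not on the allow-list
        esac
        case $name in
            ''|*[!A-Z_]*) echo "$f: unexpected variable '${line%%=*}'" >&2; return 1 ;;
        esac
        if [ -z "${line#*=}" ]; then
            echo "$f: $name is empty" >&2; return 1
        fi
        seen="$seen $name"
    done < "$f"
    for required in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        case " $seen " in
            *" $required "*) ;;
            *) echo "$f: missing $required" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Run it before starting the container, for example `check_env_file ./aws.env && docker run --rm --env-file ./aws.env <image>`, where `./aws.env` and `<image>` are placeholders.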

Sharing is caring

I created a repository which contains the templates to set up this tool manually in your AWS account and a shell script that makes it similar in use to the original tool. I shared it previously with the other developers within my company but I thought it might also be helpful to others so I put it on my GitHub account for everyone to use: https://github.com/slootjes/port-7777-isolated.

Enterprise

Recently they also added an enterprise license which is a subscription-based plan where they allow a customer to fork the project in a private GitHub repository. This allows you to analyse the code, run security scanners and self-build the tool. I don't know about pricing details on this subscription so you will have to contact them about it yourself if you're interested.
