Spookydonut
Sep 13, 2010

"Hello alien thoughtbeasts! We murder children!"
~our children?~
"Not recently, no!"
~we cool bro~

The Iron Rose posted:

Unlike both Azure and GCP, AWS does not have a clean solution to zero trust public access to RDS instances! You can sorta approximate it by using SSM port forwarding to a bastion host, which sucks, and you also have to handle timeouts. There's really not a great out of the box service, especially compared to Azure Cosmos DB's inherent identity proxy and the GCP Cloud SQL auth proxy.

AWS RDS Proxy is a replacement for PgBouncer and other similar connection pooling services. It doesn't do anything with regard to networking.

Sticking public IPs in an allowlist is neither particularly scalable nor especially secure. I really wouldn’t want to do this without an authentication proxy in front of the service.

In general, AWS sucks on this front. They have a competitor service to GCP's IAP/Azure AD App Proxy, but it costs a ridiculously huge amount of money. Something up 24/7 will cost you thousands of dollars a month, minimum. GCP/Azure's offerings here are free!

StrongDM has a pretty good solution for RDS access; Teleport has a less good solution that requires IAM fuckery.
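The SSM port-forwarding workaround the quoted post describes, written out as an added example (not code from the post or from AWS): a wrapper that opens the tunnel to the RDS endpoint through a bastion instance, reconnects when the session times out, and a least-privilege IAM statement so the operator's SSM rights cover only that tunnel. The bastion instance id, RDS endpoint, ports, region and account id are all placeholders.

```shell
#!/usr/bin/env bash
# Added example: SSM port forwarding to RDS via a bastion, with a reconnect loop
# for session timeouts. All ids, hosts and ports are caller-supplied placeholders.
set -euo pipefail

# Build the aws CLI command that forwards a local port to the RDS endpoint through
# the bastion. AWS-StartPortForwardingSessionToRemoteHost is the stock SSM document.
build_ssm_forward_cmd() {
  local bastion_id=$1 rds_host=$2 rds_port=$3 local_port=$4
  local params="{\"host\":[\"${rds_host}\"],\"portNumber\":[\"${rds_port}\"],\"localPortNumber\":[\"${local_port}\"]}"
  printf '%s' "aws ssm start-session --target ${bastion_id} --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '${params}'"
}

# Keep the tunnel up: SSM sessions end on the idle timeout and on network drops,
# so restart the session until the operator interrupts with Ctrl-C.
run_forward_loop() {
  local cmd
  cmd=$(build_ssm_forward_cmd "$@")
  trap 'echo "tunnel closed by user" >&2; exit 0' INT TERM
  while true; do
    echo "opening tunnel: ${cmd}" >&2
    eval "${cmd}" || true            # non-zero exit means the session timed out or dropped
    echo "session ended, reconnecting in 2s" >&2
    sleep 2
  done
}

# Least-privilege IAM statement for the operator: StartSession only against the
# bastion instance and only with the port-forwarding document. The
# ssm:SessionDocumentAccessCheck condition makes IAM also authorise the document,
# so a plain shell session on the bastion is not granted as a side effect.
build_session_policy() {
  local region=$1 account=$2 bastion_id=$3
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"ssm:StartSession",
 "Resource":["arn:aws:ec2:${region}:${account}:instance/${bastion_id}",
             "arn:aws:ssm:${region}::document/AWS-StartPortForwardingSessionToRemoteHost"],
 "Condition":{"BoolIfExists":{"ssm:SessionDocumentAccessCheck":"true"}}}]}
EOF
}

# Usage: ./rds-tunnel.sh run <bastion-instance-id> <rds-endpoint> <rds-port> <local-port>
# Without "run" the functions are only defined, so the file can be sourced.
if [ "${1:-}" = "run" ]; then
  run_forward_loop "$2" "$3" "$4" "$5"
fi
```

Once the loop is running, point the database client at localhost on the chosen local port; the DB credentials (or RDS IAM auth) still apply on top of the tunnel.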
