Amazon Lightsail started offering a managed database service a few months ago.
I took a look at it, tried it out a while back, and wasn’t really happy with it.
Although it had some nice features, I wasn’t given a ‘root’ (or superuser) account and (as I sometimes do) was able to completely trash the instance within a few hours of creating it (I tried to manipulate the permissions on the master database user and ended up revoking all of them).
So I was considering creating my own database server using MySQL on a stand-alone Amazon Linux instance.
This would give me a stand-alone database with the flexibility to do anything I wanted.
My big concern was network security. I wanted to make sure that only my Lightsail instances would be able to communicate with the database server.
I posted a question to the Lightsail forums and got a response from Amazon.
It boils down to this …
Each AWS account that uses Lightsail resources has a Virtual Private Cloud (VPC) network that no other Lightsail account can access.
Lightsail instances within my own account will always be able to communicate with each other, via internal IP addresses, no matter what.
If I enable VPC peering, then other EC2 resources (that I own) can communicate with my Lightsail instances via internal IP addresses (and vice versa).
If I don’t enable VPC peering, then my Lightsail instances will be able to communicate but no other EC2 resources I own will be able to communicate via internal IP addresses.
Regardless of the VPC peering setting, no Lightsail instances outside of my account will be able to communicate with my instances via internal IP addresses.
Lightsail instances cannot access instances in other regions (even with VPC peering enabled). Interestingly, this applies even to ports that have been opened on the public IP address: a Lightsail instance in another region can reach those ports only via the public IP address, never via the internal one.
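One check worth running on a stand-alone MySQL host like the one described above, as an added example that is not part of the original post: it audits the server’s bind-address and its account host patterns and flags anything reachable from outside private (RFC 1918) address space, which is where Lightsail internal IPs live. The sample my.cnf text and account list are constructed for the example.

```python
"""Audit a self-hosted MySQL server's network exposure (constructed example)."""
import ipaddress
import re
from typing import List, Optional, Tuple

# RFC 1918 ranges; AWS VPC / Lightsail private addresses fall inside these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def bind_address(my_cnf: str) -> Optional[str]:
    """Return the bind-address value from my.cnf text, or None if it is absent."""
    m = re.search(r"^\s*bind-address\s*=\s*(\S+)", my_cnf, re.MULTILINE)
    return m.group(1) if m else None


def is_private_host(host: str) -> bool:
    """True if a MySQL account host pattern can only match private addresses."""
    if host in ("localhost", "127.0.0.1", "::1"):
        return True
    if "%" in host or "_" in host:
        # Accept only prefix wildcards such as '10.%' or '172.26.%' whose fixed
        # octets already pin every match inside a private range; '%' alone fails.
        prefix = host.split("%")[0].rstrip(".")
        octets = prefix.split(".") if prefix else []
        if not octets or not all(o.isdigit() for o in octets):
            return False
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
        return any(net.subnet_of(p) for p in PRIVATE_NETS)
    try:  # plain address, CIDR, or 'addr/netmask' form
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False  # hostnames cannot be verified here; treat as exposed
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def audit(my_cnf: str, user_hosts: List[Tuple[str, str]]) -> List[str]:
    """Return findings; an empty list means only private hosts can connect."""
    findings = []
    addr = bind_address(my_cnf)
    if addr is None or addr in ("0.0.0.0", "::", "*"):
        findings.append(f"mysqld listens on all interfaces (bind-address={addr})")
    elif not ipaddress.ip_address(addr).is_private:
        findings.append(f"mysqld bound to non-private address {addr}")
    for user, host in user_hosts:
        if not is_private_host(host):
            findings.append(f"account '{user}'@'{host}' reachable from public hosts")
    return findings


# Constructed sample: a Lightsail-style private IP and a mix of account hosts.
SAMPLE_CNF = "[mysqld]\nbind-address = 172.26.5.10\nport = 3306\n"
SAMPLE_USERS = [("root", "localhost"), ("app", "172.26.%"), ("report", "%")]
```

Feed it the real my.cnf and the output of `SELECT user, host FROM mysql.user` to get the same findings for a live server.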