Right now I have a VPC with an EC2 instance in a public subnet and a Redshift DB in a private subnet, allowing traffic inbound from the EC2 instance. My company does not use a traditional intranet setup, so Redshift is not immediately accessible by others on the corporate network even when on VPN, and the default posture is to expose all of our services as public endpoints and whitelist IP address ranges (or, if integrating with other AWS VPCs, use PrivateLink, which I have done for some connections but can't do for all due to limitations at the consumer end).
In order to do this I've configured HAProxy on the EC2 instance to forward connections on the Redshift port to the Redshift DB. My haproxy.cfg file looks like this:
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        maxconn 4000
        user haproxy
        group haproxy
        daemon
        # runtime admin socket; mode 777 makes it writable by every local user
        stats socket /var/lib/haproxy/stats mode 777

    # TCP pass-through of the Redshift port (DBPort is a placeholder for the real port)
    listen Redshift
        bind 0.0.0.0:DBPort
        mode tcp
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        server MyRedshiftCluster some-redshift-endpoint.amazonaws.com:DBPort
I then have a security group on the EC2 instance that only allows inbound traffic from a list of whitelisted IP addresses (this list can change over time so it references a managed prefix list that my company maintains). I've tested that I can only connect to Redshift while on the VPN, so it seems to work.
My concern is that I've set up listening on the EC2 instance via HAProxy for all traffic on the database port, even though I have a security group that restricts inbound traffic. Are there any issues with this setup from a security standpoint? It seems like the only alternative to this would be to listen for only the whitelisted IP address ranges, but that list can change dynamically and I'm worried about having to continually update the haproxy.cfg file with new address ranges, which in the meantime would cause a degraded user experience since someone can't log in unless their IP address is in the range within the config file.
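In the setup described above, the HAProxy bind on 0.0.0.0 is only as safe as the security group in front of it, so the control worth checking continuously is that the DB port is reachable solely through the company-managed prefix list. The following is an added example (not code from the question or from any AWS tooling): an offline audit of ingress rules shaped like the EC2 DescribeSecurityGroups `IpPermissions` output. The port 5439 (Redshift's default, written as DBPort in the question), the prefix list id, the RFC 5737 documentation ranges and the sample rules are all constructed placeholders; in practice the rules and prefix list entries would come from `describe_security_groups` and `get_managed_prefix_list_entries`.

```python
import ipaddress
from typing import Dict, List

# Assumed: Redshift's default port; the question writes it as DBPort.
DB_PORT = 5439

# Constructed placeholder for the company-managed prefix list (the question gives
# no id); RFC 5737 documentation ranges stand in for the real VPN/office ranges.
COMPANY_PREFIX_LISTS: Dict[str, List[str]] = {
    "pl-0123456789abcdef0": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Constructed sample in the shape of EC2 DescribeSecurityGroups "IpPermissions".
SAMPLE_INGRESS = [
    {   # the intended rule: DB port only from the managed prefix list
        "IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
        "IpRanges": [], "Ipv6Ranges": [],
        "PrefixListIds": [{"PrefixListId": "pl-0123456789abcdef0"}],
    },
    {   # SSH from a single admin host: not the DB port, must not be flagged
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "192.0.2.10/32"}], "Ipv6Ranges": [],
        "PrefixListIds": [],
    },
    {   # drift: a wide "temporary" range that also covers the DB port
        "IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
        "PrefixListIds": [],
    },
]


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if this permission admits TCP traffic to `port` ('-1' means all protocols)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _inside_company_ranges(cidr: str, company_nets) -> bool:
    """True if `cidr` lies entirely within one of the prefix-list networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == c.version and net.subnet_of(c) for c in company_nets)


def audit_db_port_exposure(ingress, company_prefix_lists, port=DB_PORT) -> List[str]:
    """Return one finding per source that can reach `port` without going through
    a known company prefix list. An empty list means the posture matches intent."""
    company_nets = [ipaddress.ip_network(c)
                    for cidrs in company_prefix_lists.values() for c in cidrs]
    findings = []
    for perm in ingress:
        if not rule_covers_port(perm, port):
            continue
        # literal CIDR sources: acceptable only if fully inside the company ranges
        for r in perm.get("IpRanges", []):
            if not _inside_company_ranges(r["CidrIp"], company_nets):
                findings.append(f"port {port} open to {r['CidrIp']} outside the company prefix list")
        for r in perm.get("Ipv6Ranges", []):
            if not _inside_company_ranges(r["CidrIpv6"], company_nets):
                findings.append(f"port {port} open to {r['CidrIpv6']} outside the company prefix list")
        # prefix-list sources: acceptable only if it is a list the company manages
        for p in perm.get("PrefixListIds", []):
            if p["PrefixListId"] not in company_prefix_lists:
                findings.append(f"port {port} open to unrecognised prefix list {p['PrefixListId']}")
    return findings


if __name__ == "__main__":
    for finding in audit_db_port_exposure(SAMPLE_INGRESS, COMPANY_PREFIX_LISTS):
        print("FINDING:", finding)
```

Run against the constructed sample, the first two rules pass and only the 5000-6000 range from 0.0.0.0/0 is reported; a scheduled run of the same check over live rules is the cheapest way to notice that the security group, rather than HAProxy, has stopped enforcing the whitelist.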