[RDS access via Private subnet]
A VPC reaches external networks through either an Internet Gateway (IGW) or a NAT Gateway (NAT GW).
An Internet Gateway allows both inbound and outbound communication with the external network,
so a subnet whose default route (0.0.0.0/0) points to an IGW is called a public subnet.
A NAT Gateway, on the other hand, only carries connections that are initiated from inside the VPC; it does not accept connections from the external network. A subnet whose default route points to a NAT GW is therefore called a private subnet.
As a result, for an instance or RDS instance that sits only in a private subnet,
adding your external (corporate) IP to the security group does nothing on its own: the resource has no public IP and the NAT GW does not forward inbound traffic, so the packets never reach it.
There is no way to reach an instance or RDS located only in a private subnet directly by modifying the SG alone; you must tunnel through a bastion host in a public subnet (for example with an SSH local port forward), and the RDS security group then needs to allow the bastion's security group or private IP.
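The following script is an added example for this article, not code from the article or from AWS. It shows how the public/private distinction above can be read mechanically from a VPC's route tables (an active 0.0.0.0/0 route to an igw- means public, to a nat- means private), why an inbound security-group rule can only matter when a public path exists, and how the bastion tunnel is formed. The route-table data is shaped like boto3's ec2.describe_route_tables() output but is constructed inline with made-up IDs; the bastion hostname, RDS endpoint and key path are placeholders, so the script runs offline.

```python
"""Classify subnets as public/private from their route tables and decide whether
an inbound security-group rule can ever matter.

Added example for this article; it is not code from the article or from AWS.
The data is shaped like boto3 ``ec2.describe_route_tables()["RouteTables"]``
but is constructed inline (all IDs and hostnames are made up) so it runs offline.
"""
from typing import List, Optional

# Constructed sample: a public subnet (default route -> IGW), a private subnet
# (default route -> NAT GW), and the VPC's main route table with only the local route.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-public",
        "VpcId": "vpc-example",
        "Associations": [{"SubnetId": "subnet-public-a", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "VpcId": "vpc-example",
        "Associations": [{"SubnetId": "subnet-private-a", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-main",
        "VpcId": "vpc-example",
        "Associations": [{"Main": True}],  # applies to subnets with no explicit association
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]


def route_table_for_subnet(subnet_id: str, route_tables: List[dict]) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main_table = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main_table = table
    return main_table


def classify_subnet(subnet_id: str, route_tables: List[dict]) -> str:
    """Return "public", "private", "isolated" (no default route) or "unknown"."""
    table = route_table_for_subnet(subnet_id, route_tables)
    if table is None:
        return "unknown"
    for route in table.get("Routes", []):
        # Only the active IPv4 default route decides the classification here;
        # IPv6 (::/0 via an egress-only IGW) is ignored for simplicity.
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"


def direct_access_possible(subnet_class: str, publicly_accessible: bool) -> bool:
    """A security-group rule for your office IP only helps if a path exists:
    a public subnet *and* a public address (for RDS, PubliclyAccessible=True).
    A NAT gateway never forwards connections that originate outside the VPC,
    so in a private subnet the answer is False regardless of the SG."""
    return subnet_class == "public" and publicly_accessible


def ssh_tunnel_command(bastion_host: str, rds_endpoint: str, db_port: int = 3306,
                       local_port: int = 13306, user: str = "ec2-user",
                       key_path: str = "~/.ssh/bastion.pem") -> str:
    """Build the SSH local port forward through a bastion in a public subnet.
    After running it, point the DB client at 127.0.0.1:<local_port>.
    Hostnames and key path are placeholders (assumptions, not real values)."""
    return (f"ssh -i {key_path} -N "
            f"-L {local_port}:{rds_endpoint}:{db_port} {user}@{bastion_host}")


if __name__ == "__main__":
    for subnet in ("subnet-public-a", "subnet-private-a", "subnet-no-explicit"):
        kind = classify_subnet(subnet, SAMPLE_ROUTE_TABLES)
        print(f"{subnet}: {kind}, reachable with SG change only: "
              f"{direct_access_possible(kind, True)}")
    print(ssh_tunnel_command("bastion.example.com",
                             "mydb.abc123.ap-northeast-2.rds.amazonaws.com"))
```

To run this against a real account, replace SAMPLE_ROUTE_TABLES with the RouteTables list returned by boto3's describe_route_tables() for the VPC, and pass the RDS instance's subnet IDs (from its DBSubnetGroup) to classify_subnet; if every subnet comes back "private", an SG change alone will not open access and the tunnel or a private connection is required.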
If you want to reach RDS directly from your corporate IP without tunneling, you need a private network path into the VPC rather than a route over the public internet.
AWS Direct Connect establishes a dedicated private connection between AWS and your data center, office, or co-location environment; with it in place, the RDS security group allows your on-premises CIDR and the traffic arrives over the private route. An AWS Site-to-Site VPN gives the same pattern over the internet when a dedicated line is not justified.
Reference link: https://aws.amazon.com/ko/directconnect/
This document is current as of December 2019.
Please leave a comment if this document needs an update.
Bespin Global Cloud Support Team