In this project, I designed and deployed a secure, production-style cloud architecture on AWS using Terraform as my Infrastructure as Code tool. The solution consisted of two Virtual Private Clouds (VPCs): one hosting an EC2 instance running Metabase, and another hosting a private RDS MySQL database. I connected the two environments using VPC peering, ensuring that the application could query the database while keeping the database isolated from the public internet.
The EC2 instance was provisioned in a public subnet with an Internet Gateway, allowing me to access Metabase through its web interface. The RDS instance was deployed in private subnets across multiple Availability Zones, following best practices for high availability and security. Security groups were carefully configured so that only the EC2 instance could reach the database on port 3306, while Metabase itself was exposed on port 3000 for user access.
Using Terraform gave me full control and repeatability over the entire stack. Instead of manually clicking through the AWS console, I defined every resource (VPCs, subnets, route tables, peering connections, security groups, EC2, and RDS) in code. This meant I could destroy and recreate the environment consistently, track changes in version control, and avoid configuration drift. Terraform outputs also provided immediate visibility into critical connection details like the EC2 public IP and RDS endpoint, making testing and integration seamless.
- VPC1 (App): Public subnet, Internet Gateway, EC2 running Metabase.
- VPC2 (Data): Private subnets across 2 AZs, RDS MySQL, no public access.
- VPC peering: Bidirectional routes between VPC CIDRs.
- Security groups: Least-privilege rules allowing EC2→RDS only.
- Terraform: Modular resources and outputs for clean operations.
- Created two VPCs with non-overlapping CIDR blocks
- Set up public and private subnets in respective VPCs
- Configured Internet Gateway for public subnet
- Established VPC peering connection and updated route tables
- Created RDS subnet group using private subnets
- Deployed RDS MySQL instance in private subnets
- Configured security group to allow EC2 access on port 3306 only
- Deployed EC2 instance in public subnet with IGW
- Configured security group to allow inbound on port 3000 (Metabase) and SSH
- Used user data script to install Docker and run Metabase container
- Verified Metabase container is running and accessible
- Applied Terraform configuration to create all resources
- Tested connectivity from EC2 to RDS using MySQL client
- Accessed Metabase web interface via EC2 public IP on port 3000
- Configured Metabase to connect to RDS database using endpoint
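The peering link, bidirectional routes, and least-privilege database rule from the steps above, as an added Terraform example (not the project's own code). It assumes resource names aws_vpc.app, aws_vpc.data, aws_route_table.app_public, aws_route_table.data_private, aws_security_group.ec2 and aws_db_subnet_group.private, and that both VPCs live in the same AWS account and region:

```hcl
# Assumed (not from the write-up): resource names, and that both VPCs are
# in the same AWS account and region (required for auto_accept below).
resource "aws_vpc_peering_connection" "app_to_data" {
  vpc_id      = aws_vpc.app.id
  peer_vpc_id = aws_vpc.data.id
  auto_accept = true
}

# Bidirectional routes: each VPC reaches the other's CIDR via the peering link.
resource "aws_route" "app_to_data" {
  route_table_id            = aws_route_table.app_public.id
  destination_cidr_block    = aws_vpc.data.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.app_to_data.id
}

resource "aws_route" "data_to_app" {
  route_table_id            = aws_route_table.data_private.id
  destination_cidr_block    = aws_vpc.app.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.app_to_data.id
}

# RDS security group: MySQL only from the EC2 instance's security group,
# not from the whole app CIDR. A security group from the peer VPC can be
# referenced here because both VPCs are in the same region.
resource "aws_security_group" "rds" {
  name   = "rds-mysql"
  vpc_id = aws_vpc.data.id

  ingress {
    description     = "MySQL from Metabase EC2 only"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.ec2.id]
  }
}

# The database stays private: no public address, private subnet group only.
resource "aws_db_instance" "mysql" {
  engine                      = "mysql"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "metabase"
  manage_master_user_password = true
  publicly_accessible         = false
  vpc_security_group_ids      = [aws_security_group.rds.id]
  db_subnet_group_name        = aws_db_subnet_group.private.name
  skip_final_snapshot         = true
}
```

Pinning the ingress rule to the EC2 security group rather than the app VPC CIDR means any other host later placed in the app VPC still cannot reach port 3306 until it is deliberately added to that group.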
This project successfully demonstrated the deployment of a secure, production-style architecture on AWS using Terraform. By leveraging VPC peering, I was able to isolate the database while still allowing the application to function properly. The use of Infrastructure as Code ensured that the environment could be easily recreated and managed over time. This setup provides a solid foundation for running Metabase in a secure and scalable manner.