RDS Proxy with non-default port ?

[anentropic]

I have an RDS MySQL db with an RDS Proxy in front.

I am using cdk-nag library to alert of potential security issues.

One of the issues it alerts for is RDS11, which recommends using a non-default port for the database. So I set my db port to other than 3306.

aws rds describe-db-proxy-targets reports that the proxy has connectivity to the database

But I cannot connect to the RDS Proxy using the non-default port (the one stored in the database secret credentials object).

Changing my whole stack back to use the default port restores connectivity.

I have not confirmed yet but I am guessing that RDS Proxy does not reflect the port number of the database and always exposes port 3306 for MySQL proxy?

And there does not seem to be any option to specify a port in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseProxy.html

So I can't really make my stack compliant with the spirit of RDS11, although the nag only cares about the db port and not the proxy.

Or have I misunderstood - is there a way to configure this?

[anentropic]

also the RDS Proxy construct doesn't seem to expose the port as a property, seems like I should hard-code the default MySQL port in the app that connects to the proxy instead of deriving it from the stack?

[anentropic]

Well, this is actually in the RDS Proxy docs: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.html#rds-proxy.limitations-my

Currently, all proxies listen on port 3306 for MySQL. The proxies still connect to your database using the port that you specified in the database settings.

[anentropic]

and same for Postgres and MariaDB too