How can I use port tunneling to connect to a private database instance through a network bastion?

When you create an SSH tunnel, it does not expose the opened port to the outside world. The opened port is only available on localhost. So effectively what you've done is to create a tunnel from your bastion to your bastion.

Instead, what you want to do is create a tunnel from your local computer through your bastion.

So, you create your tunnel as part of your connection from your local computer to your bastion. You do not need to create another SSH connection.

So, locally, you would execute:

$ ssh -i key.pem -L 5432:postgres.example.us-east-1.rds.amazonaws.com:5432 [email protected]

Assuming postgres.example.us-east-1.rds.amazonaws.com resolves to the private IP address.

Then to connect to your server, still locally, connect as if the server was local:

$ psql -p 5432 -h localhost -U postgres

Doing this, there's no need to use a prompt on your bastion.
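As an added example (not part of the answer above): a small POSIX shell script that opens the forward described above in the background and then checks, from the output of Linux `ss -ltn`, that local port 5432 is listening on loopback only, which is the property the answer relies on. BASTION_HOST, KEY_FILE and DB_HOST are placeholder variables, and the check_loopback_only helper is my own generalization, not something the answer provides.

```shell
#!/bin/sh
# Added example, not from the original answer. BASTION_HOST, KEY_FILE and
# DB_HOST are placeholders you must set before running with the "open" argument.

# Build the ssh -L forward spec. Omitting a bind address makes ssh listen on
# loopback only; prefixing "0.0.0.0:" would expose the database port to anyone
# who can reach your machine, so this helper deliberately never adds one.
forward_spec() {
    # $1 local port, $2 database host, $3 database port
    printf '%s:%s:%s' "$1" "$2" "$3"
}

# Read an `ss -ltn` style listener table on stdin and exit 1 if any listener
# on port $1 is bound to something other than 127.0.0.1 or [::1].
check_loopback_only() {
    awk -v port="$1" '
        NR > 1 {
            n = split($4, a, ":")
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (a[n] == port && addr != "127.0.0.1" && addr != "[::1]") {
                print "port " port " exposed on " $4; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Open the tunnel in the background (-f) with no remote command (-N), fail if
# the forward cannot be set up, then verify the listener is loopback-only
# before pointing psql at localhost:5432.
open_tunnel() {
    ssh -i "$KEY_FILE" -f -N -o ExitOnForwardFailure=yes \
        -L "$(forward_spec 5432 "$DB_HOST" 5432)" "ec2-user@$BASTION_HOST"
    ss -ltn | check_loopback_only 5432
}

# The real ssh only runs when invoked as: sh tunnel.sh open
if [ "${1:-}" = open ]; then
    open_tunnel
fi
```

The bind-address check assumes Linux `ss`; on other systems substitute the equivalent listener listing.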