RDS Aurora Connectivity Guide v5-2

Amazon Aurora Connectivity
ThisdocumentdescribeshowtoconfigureaccesstoAmazonAurorainstancesfromonpremises
equipmentandAmazonEC2Classicinstances.Italsodescribestherecommendedconfigurationwhich
hidestheAurorainstancesfromtheInternet.
Getting Started
EstablishingconnectivitytoAurorainstancesismostlyaboutconfiguringanAmazonVirtualPrivate
Cloud(VPC)tosuityourrequirements.AllAuroradatabaseinstancesresideinaVPCassociatedwith
yourAWSaccount.IfyoualreadyhaveaVPCandwanttocreateAurorainstancesinit,these
instructionswillprovideexamplesofhowtoconfigureyourVPCtoallowaccesstoyourAurora
instances.IfyoudonthaveaVPCorwanttocreateanewVPCforyourAurorainstances,theAmazon
RDSlaunchwizardwillcreateandconfigureaVPCforyou.
Choosing Public vs. Private Accessibility

OneofthechoicesyoullmakewhencreatinganAurorainstanceiswhetherornottheinstancewillbe
publiclyaccessible.IfyouwillbeaccessingyourAurorainstancesexclusivelyfromEC2instancesor
devicesinthesameVPCastheAurorainstances,answerNointhePubliclyAccessiblefieldinthe
AmazonRDSlaunchwizard(seetheexamplefollowing).WhentheAurorainstanceiscreated,itwill
haveaprivateIPaddress,butnopublic(Internetroutable)IPaddress.
IfyouplantoaccessyourAurorainstancesfromoutsidetheVPC,suchasfromyouronpremises
equipmentorfromAmazonEC2instancesinotherAWSregions,answeringYesinthePublicly
AccessiblefieldintheAmazonRDSlaunchwizardwillprovidetheAurorainstancewithapublic
(Internetroutable)IPaddressandaprivate(nonInternetroutable)one.Notethattheremightbe
additionalstepsrequiredtoconfigureyourVPCtoallowaccesstotheAurorainstancefromoutsidethe
VPC,suchasconfiguringVPCroutetables,networkaccesscontrollists(ACLs),andsecuritygroups.
Examplesareprovidedinthesectionsfollowing.
Using ClassicLink
IfyouplantoaccessyourAurorainstancesfromEC2instancesresidinginthesameregion,butnotina
VPC(anapproachcommonlyknownasEC2Classic),youcanenableClassicLinkontheVPCwhereyour
Aurorainstancesreside.EnablingClassicLinkallowsyourEC2Classicinstancestocommunicatewith
eachofyourAurorainstancesusingitsprivateIPaddress.Doingsoallowsyoutotakeadvantageofthe
higherthroughputandlowerlatencyconnectivityavailableforinterinstancecommunicationwithinAWS
andavoidnetworkbandwidthchargesassociatedwithcommunicatingovertheInternet.Thisapproach
alsocanimprovesecurity.
Starting from Scratch (No Existing VPC or Aurora Instances)

ThesimplestwaytocreateaVPCforyourAurorainstanceistolettheAmazonRDSlaunchwizarddoit
foryou.ItwillcreateandconfiguretheVPCandcreateanewAurorainstanceinit.Thefigurefollowing
showstheAmazonRDSlaunchwizardpagewhereyoucancreateanewVPCandmakeanAurora
instancepubliclyaccessible.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.

Aurora Instance
HerestheAurorainstancethattheAmazonRDSlaunchwizardcreatedforus.Noticethatitispublicly
accessibleandthatithasbeenassignedtoasecuritygroupandfoursubnetgroupsoneforeach
AvailabilityZoneinthecurrentAWSregion.
VPC
LetstakealookattheVPCthattheAmazonRDSlaunchwizardcreatedforus.NoticethattheDNS
resolutionandDNShostnamesVPCattributeshavebeenenabledbecausewespecifiedthattheAurora
instancewillbepubliclyaccessible.

Subnets
TheAmazonRDSlaunchwizardhascreatedasubnetinourVPCforeachAvailabilityZone(AZ)inthe
currentAWSregion.AlthoughanAurorainstanceresidesinasingleAZatanygiventime,itsnecessary
tohaveasubnetinatleastthreeAZstoachievehighavailability.IftheAZcontainingyourAurora
instancebecomesunavailable,RDSwillautomaticallyprovisionanewinstanceinanavailableAZthat
hasaVPCsubnet.IfthereisnoVPCsubnetforanAZ,RDSwontprovisionAurorainstancesinit.
AnAuroradatabasecanhavemorethanoneinstance.Thesetofinstancesthatbelongtothesame
AuroradatabaseiscalledanAuroracluster.AnAuroraclustercanhaveonewriternodeandmultiple
readernodes.AnotherreasonfordefiningsubnetsformultipleAZsistoallowAurorainstancesinthe
sameAuroraclustertoresideindifferentAZs.EachofthoseinstancescanresideinanyAZinthesame
region,aslongasVPCsubnetsaredefinedfortheAZ.Thisfunctionalityprovidesyouwithoptionsfor
loadbalancingdatabaseaccessacrossallavailableAZsintheregionandforlimitingtheimpacttoyour
businessifoneoftheAZsbecomestemporarilyunavailable.Thefollowingfigureshowssubnetsinthe
launchwizard.
Internet Gateway
BecausewespecifiedthatwewantedtheAurorainstancetobepubliclyaccessible,theAmazonRDS
launchwizardprovisionedanInternetgatewayforourVPC,asshownfollowing.AnAmazonVPC
Internetgatewayishorizontallyscaled,redundant,andhighlyavailableandimposesnobandwidth
constraints.

Route Table
TheAmazonRDSlaunchwizardalsocreatedaroutetableinourVPCandconfiguredittoroutenonlocal
networktraffictotheInternetgateway,asshownfollowing.

Network ACL
AnAmazonVPCnetworkACLallowsyoutospecifywhattrafficisallowedtoenterandexitasubnetand
disallowedfromenteringandexitingasubnet.Here,theAmazonRDSlaunchwizardhascreateda
networkACLandassociateditwithallofthesubnetsintheVPC.Thedefaultistoallowallinboundand
outboundtraffic,butyoucanmodifytherulestosuityourrequirements.

Security Groups
AmazonVPCsecuritygroupsspecifywhichnetworktrafficisallowedanddisallowedattheinstance
level.TheAmazonRDSlaunchwizardcreatesasecuritygroupthatallowsincomingtrafficontheMySQL
port(3306)fortrafficoriginatingfromthesystemyouaccessedtheAWSManagementConsolefrom,as
shownfollowing.Ifyouspecifiedaportotherthan3306fortheAurorainstance,thatportwillbeused
instead.NotethatVPCsecuritygroupsaremanagedfromtheAmazonVPCconsoleratherthanthe
AmazonRDSconsole.
IfyouplantoaccessyourAurorainstancesfromdeviceswithdifferentIPaddresses,youwillneedto
addrulestothesecuritygrouptoallowtheinboundtraffic.
IfyoureaccessingAurorafromacorporatenetwork,youmightneedtocreateinboundrulesforeachof
theIPaddressrangesusedbyyourcorporatenetworkforInternettraffic.Engageyourcorporate
networksupportteamtodeterminewhichIPaddressrangesyoushoulduse.
Getting Connected
Connecting Over the Internet
TheprevioussectionsdescribeasimpleVPCconfigurationthatenablesconnectivitytoAurorainstances
overtheInternet.IfyouwerefollowingalongandusedtheAmazonRDSlaunchwizardtocreatetheVPC
andtheAurorainstance,theVPCwillalreadybeconfiguredtoacceptincomingconnectionsfromtheIP
addressusedtoruntheAmazonRDSlaunchwizard.Theendpoint(DNSnameandport)thatyouwilluse
toconnecttotheinstancecanbefoundintheInstancessectionoftheAmazonRDSconsoleasshownin
thefigurefollowing.

ThefollowingfiguresshowanexampleofconnectingtoanAurorainstanceusingtheMySQLWorkbench
utility.

IfyouneedtoconnecttoAurorafromotherdevices,youllneedtoaddtheirIPaddressesorIPaddress
rangestotheVPCsecuritygroup,asshownfollowing.

Ifyouusedaportotherthanthedefault(3306),useCustomTCPRuleforTypeandspecifythe
appropriateportinthePortRangefield.
Connecting from Within the Same VPC

InordertoconnecttoyourAurorainstancesfromEC2instancesinthesameVPC,youllneedto
associatetheEC2instanceswithaVPCsecuritygroupthatallowsaccesstotheAurorainstances.Todo
so,selecttheinstancesintheAmazonEC2console.ForActions,chooseNetworking,ChangeSecurity
Groups,andthenchooseanappropriateVPCsecuritygroup,asshowninthefollowingexample.

YoumightalsoneedtoaddaruletotheVPCsecuritygroupallowingtrafficfrominstancesassociated
withthatgroup,asshowninthefollowingexamplefromtheAmazonVPCconsole.

Oncethesechangesaremade,youcanconnecttotheAurorainstanceforexample,usingtheMySQL
commandlinetool:
$ mysql --user=admin -p --host=mydb-1-cluster.cluster-cmswbbjge3do.us-east-1-
beta.rds.amazonaws.com
NotethattheDNShostnamefortheAurorainstanceresolvestoitsinternalIPaddresswhenusedwithin
EC2instancesinthesameVPC.ThisapproachallowscommunicationovertheAWSinterinstance
network,providinghighbandwidthandlowlatencywithoutincurringnetworkbandwidthcharges
associatedwithcommunicatingovertheInternet.
Connecting from EC2Classic

IfyouneedtoconnecttoAurorafromEC2Classicinstances(thatis,instancesthatarenotinaVPC)in
thesameregionastheAurorainstance,youcanenableClassicLinkintheVPCandmanageaccessusing
VPCsecuritygroups,asshowninthefollowingexamplefromtheAmazonVPCconsole.

EnablingClassicLinkaddsanewentrytotheVPCroutetabletoallownetworktraffictotheAWS
interinstancenetwork,asshownfollowing.

AfterenablingClassicLinkontheVPC,wecannowaddEC2ClassicinstancestotheVPCsecuritygroup
thatprovidesaccesstoyourAurorainstances,asshowninthefollowingexamplefromtheAmazonEC2
console.

WecannowconnecttotheAurorainstancebyusingitsprivateIPaddress,asshownfollowing.Note
thatwecannotusetheDNSnamebecausethatresolvestothepublicIPaddressfromEC2Classic
instancesandwehaventdefinedrulestoallowcommunicationwiththepublicIPaddressfromEC2
Classic.WecanaddrulestoallowcommunicationbyusingthepublicIPaddress,butthenwewouldnt
betakingadvantageofthebenefitsClassicLinkprovides.
$ mysql --user=admin -p --host=172.30.3.168
Hiding Aurora Instances from the Internet

Formanyusecases,allowingdirectaccesstodatabasesfromtheInternetisundesirable.Inthissection,
welldescribehowtoconfiguretheVPCsothatyourAurorainstancesarenotvisibletotheInternetand
canbeaccessedonlybyEC2instancesordevicesinthesameVPCastheAurorainstances.Acommon
usecaseisapublicfacingwebapplicationandanAurorainstancethatisnotpubliclyaccessible.
ThesimplestwaytohideAurorainstancesfromtheInternetistospecifyNointhePubliclyAccessible
fieldwhencreatinganinstance.TheinstancewillbecreatedwithaprivateIPaddress,butnopublicIP
address.Inthiscase,theonlywaytocommunicatewiththeinstanceisfromwithintheVPCorEC2
ClassicinstancesthathaveaClassicLinkconnectiontotheVPC.Intheexamplefollowing,theAurora
instanceisbeingcreatedinthesameVPCwevebeenusingpreviouslyandusestheVPCsecuritygroup
thatweconfiguredforpublicaccess.However,becausetheAurorainstancehasnopublicIPaddress,it
cannotbereachedfromtheInterneteventhoughtheVPCsecuritygroupallowsincomingtrafficfrom
theInternet.

NoticethatwecanusetheDNSnameforthisAurorainstance(withinAWSinthesameregion)because
itresolvesonlytotheprivateIPaddress:
$ mysql --user=admin -p --host=my-private-db-2-cluster.cluster-cmswbbjge3do.us-east-1-

beta.rds.amazonaws.com
Using an Existing VPC

IfyoualreadyhaveanAmazonVPC,youcanprovisionAurorainstancesinitaswell.Aurorarequiresa
minimumofthreeAWSAvailabilityZonesforhighavailability,soyoullneedatleastthreeVPC
subnetsoneforeachAZ.YoullalsoneedtocreateanRDSDBsubnetgroupsothatAmazonRDS
knowswhichsubnetstouseforyourAurorainstances.
WewillhostawebfacingappthataccessesanAuroraclusterwithonewriterandtworeaderinstances.
Thedatabaseinstancesshouldbeaccessibleonlybythewebapp.
Configuring Your Amazon VPC

InordertopreventaccesstotheAurorainstancesfromoutsidetheAmazonVPC,wewillusebothVPC
subnetgroupsandAWSnetworkACLstolimitaccesstothedatabases,asshownfollowing.

TheVPCisinaregionwithfourAvailabilityZones,soithasbeenconfiguredwithfourprivateandfour
publicsubnetsoneprivateandonepublicsubnetforeachofthefourAvailabilityZones.Thedatabases
willresideintheprivatesubnets,andthewebappresidesinthepublicsubnets.

Therearetworoutetables,asshownfollowingonethathasaroutetoanAmazonVPCInternet
gatewayforthepublicsubnetsandonethathasnoexternalroutingfortheprivatesubnets.Youcansee
theroutetableassociationsforeachsubnetinthefigurepreceding.

ThenetworkACLsfortheprivatesubnetsareconfiguredtoallowincomingtrafficonlyfromthepublic
subnetsandonlyontheportusedbytheAurorainstances:
EachofthefourprivatesubnetsisassociatedwiththisnetworkACL:

TherearealsotwoVPCsecuritygroups,asshownfollowingonefordatabaseuseandoneforwebapp
use.Theinboundrulefortheprivatesecuritygroupacceptstrafficonlyonthedatabaseportandonly
frominstancesthatareassociatedwiththepublicVPCsecuritygroup.Thewebappinstancesare
associatedwiththepublicVPCsecuritygroup.

Configuring RDS DB Subnet Groups
BeforewecancreateAurorainstancesinthisVPC,weneedtotellAmazonRDSwhichVPCsubnetsto
use.Intheexampleillustratedfollowing,anRDSDBsubnetgroupnamedprivatewascreatedthat
mapstoeachoftheVPCprivatesubnetswherewewantRDStoprovisionourAurorainstances.

Aurora Cluster Creation
NowwecancreateAurorainstancesintheVPC.ThesubnetgroupissettousetheprivateRDSDB
subnetgroup,PubliclyAccessibleissettoNosothattheAurorainstancewillhaveaprivateIPaddress
only,andtheVPCSecurityGroupfieldissettothePrivate VPCsecuritygroup.
HerestheclusteraftercreatingtwoAuroraReplicas.NoticethateachinstanceisinadifferentAZ.

Accessing the Aurora Cluster Instances
UsinganEC2instancecreatedinthesameVPCinoneofthepublicsubnets,wecanconnecttoeachof
theinstancesintheAuroracluster,buttheywillnotbeaccessiblefromanywhereoutsidetheVPC.
First,wellcreateanewdatabaseandtableonthewriterinstanceusingthefollowingcommands.
[ec2-user@ip-172-30-7-75 ~]$ mysql --user=admin -p --host=my-hidden-db-1-cluster.cluster-
cmswbbjge3do.us-east-1-beta.rds.amazonaws.com
mysql> create database mydb;

Query OK, 1 row affected (0.02 sec)
mysql> create table mydb.myuser as select * from mysql.user;
Query OK, 3 rows affected (0.05 sec)

Records: 3 Duplicates: 0 Warnings: 0
Nowwellreadthetablefromoneofthereaderinstancesusingthefollowingcommands.
[ec2-user@ip-172-30-7-75 ~]$ mysql --user=admin -p --host=my-hidden-db-rr-1.cmswbbjge3do.us-east-
1-beta.rds.amazonaws.com
mysql> select count(*) from mydb.myuser;

+----------+
| count(*) |
+----------+
| 3 |
+----------+
1 row in set (0.01 sec)
mysql> exit
Nowwellreadthetablefromtheotherreaderinstance.
[ec2-user@ip-172-30-7-75 ~]$ mysql --user=admin -p --host=my-hidden-db-rr-2.cmswbbjge3do.us-east-

mysql>
select count(*) from mydb.myuser;
+----------+
| count(*) |
+----------+
| 3 |
+----------+
1 row in set (0.01 sec)
mysql>
Nowyou'velearnedhowtoconnecttoRDSAurorainstancesfromonpremisesequipmentandEC2
ClassicinstancesusingAWSClassicLink,andhowtohideRDSAurorainstancesfromtheInternetwhile
allowingaccessfromWebfacingapps.Forfurtherreading,seethefollowing.
Further Reading
AmazonAurora:http://aws.amazon.com/rds/aurora/
AmazonVPC:http://aws.amazon.com/vpc/

RDS Aurora Connectivity Guide v5-2

Uploaded by

Copyright:

Available Formats

You might also like

RDS Aurora Connectivity Guide v5-2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RDS Aurora Connectivity Guide v5-2

Uploaded by

Copyright:

Available Formats

Amazon Aurora Connectivity

Choosing Public vs. Private Accessibility

Starting from Scratch (No Existing VPC or Aurora Instances)

Connecting from Within the Same VPC

Connecting from EC2Classic

Hiding Aurora Instances from the Internet

$ mysql --user=admin -p --host=my-private-db-2-cluster.cluster-cmswbbjge3do.us-east-1-

Using an Existing VPC

Configuring Your Amazon VPC

mysql> create database mydb;

mysql> create table mydb.myuser as select * from mysql.user;

Query OK, 3 rows affected (0.05 sec)

mysql> select count(*) from mydb.myuser;

[ec2-user@ip-172-30-7-75 ~]$ mysql --user=admin -p --host=my-hidden-db-rr-2.cmswbbjge3do.us-east-

You might also like