Professional Documents
Culture Documents
RDS Aurora Connectivity Guide v5-2
RDS Aurora Connectivity Guide v5-2
RDS Aurora Connectivity Guide v5-2
ThisdocumentdescribeshowtoconfigureaccesstoAmazonAurorainstancesfromonpremises
equipmentandAmazonEC2Classicinstances.Italsodescribestherecommendedconfigurationwhich
hidestheAurorainstancesfromtheInternet.
Getting Started
EstablishingconnectivitytoAurorainstancesismostlyaboutconfiguringanAmazonVirtualPrivate
Cloud(VPC)tosuityourrequirements.AllAuroradatabaseinstancesresideinaVPCassociatedwith
yourAWSaccount.IfyoualreadyhaveaVPCandwanttocreateAurorainstancesinit,these
instructionswillprovideexamplesofhowtoconfigureyourVPCtoallowaccesstoyourAurora
instances.IfyoudonthaveaVPCorwanttocreateanewVPCforyourAurorainstances,theAmazon
RDSlaunchwizardwillcreateandconfigureaVPCforyou.
IfyouplantoaccessyourAurorainstancesfromoutsidetheVPC,suchasfromyouronpremises
equipmentorfromAmazonEC2instancesinotherAWSregions,answeringYesinthePublicly
AccessiblefieldintheAmazonRDSlaunchwizardwillprovidetheAurorainstancewithapublic
(Internetroutable)IPaddressandaprivate(nonInternetroutable)one.Notethattheremightbe
additionalstepsrequiredtoconfigureyourVPCtoallowaccesstotheAurorainstancefromoutsidethe
VPC,suchasconfiguringVPCroutetables,networkaccesscontrollists(ACLs),andsecuritygroups.
Examplesareprovidedinthesectionsfollowing.
Using ClassicLink
IfyouplantoaccessyourAurorainstancesfromEC2instancesresidinginthesameregion,butnotina
VPC(anapproachcommonlyknownasEC2Classic),youcanenableClassicLinkontheVPCwhereyour
Aurorainstancesreside.EnablingClassicLinkallowsyourEC2Classicinstancestocommunicatewith
eachofyourAurorainstancesusingitsprivateIPaddress.Doingsoallowsyoutotakeadvantageofthe
higherthroughputandlowerlatencyconnectivityavailableforinterinstancecommunicationwithinAWS
andavoidnetworkbandwidthchargesassociatedwithcommunicatingovertheInternet.Thisapproach
alsocanimprovesecurity.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
Aurora Instance
HerestheAurorainstancethattheAmazonRDSlaunchwizardcreatedforus.Noticethatitispublicly
accessibleandthatithasbeenassignedtoasecuritygroupandfoursubnetgroupsoneforeach
AvailabilityZoneinthecurrentAWSregion.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
VPC
LetstakealookattheVPCthattheAmazonRDSlaunchwizardcreatedforus.NoticethattheDNS
resolutionandDNShostnamesVPCattributeshavebeenenabledbecausewespecifiedthattheAurora
instancewillbepubliclyaccessible.
Subnets
TheAmazonRDSlaunchwizardhascreatedasubnetinourVPCforeachAvailabilityZone(AZ)inthe
currentAWSregion.AlthoughanAurorainstanceresidesinasingleAZatanygiventime,itsnecessary
tohaveasubnetinatleastthreeAZstoachievehighavailability.IftheAZcontainingyourAurora
instancebecomesunavailable,RDSwillautomaticallyprovisionanewinstanceinanavailableAZthat
hasaVPCsubnet.IfthereisnoVPCsubnetforanAZ,RDSwontprovisionAurorainstancesinit.
AnAuroradatabasecanhavemorethanoneinstance.Thesetofinstancesthatbelongtothesame
AuroradatabaseiscalledanAuroracluster.AnAuroraclustercanhaveonewriternodeandmultiple
readernodes.AnotherreasonfordefiningsubnetsformultipleAZsistoallowAurorainstancesinthe
sameAuroraclustertoresideindifferentAZs.EachofthoseinstancescanresideinanyAZinthesame
region,aslongasVPCsubnetsaredefinedfortheAZ.Thisfunctionalityprovidesyouwithoptionsfor
loadbalancingdatabaseaccessacrossallavailableAZsintheregionandforlimitingtheimpacttoyour
businessifoneoftheAZsbecomestemporarilyunavailable.Thefollowingfigureshowssubnetsinthe
launchwizard.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
Internet Gateway
BecausewespecifiedthatwewantedtheAurorainstancetobepubliclyaccessible,theAmazonRDS
launchwizardprovisionedanInternetgatewayforourVPC,asshownfollowing.AnAmazonVPC
Internetgatewayishorizontallyscaled,redundant,andhighlyavailableandimposesnobandwidth
constraints.
Route Table
TheAmazonRDSlaunchwizardalsocreatedaroutetableinourVPCandconfiguredittoroutenonlocal
networktraffictotheInternetgateway,asshownfollowing.
Network ACL
AnAmazonVPCnetworkACLallowsyoutospecifywhattrafficisallowedtoenterandexitasubnetand
disallowedfromenteringandexitingasubnet.Here,theAmazonRDSlaunchwizardhascreateda
networkACLandassociateditwithallofthesubnetsintheVPC.Thedefaultistoallowallinboundand
outboundtraffic,butyoucanmodifytherulestosuityourrequirements.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
Security Groups
AmazonVPCsecuritygroupsspecifywhichnetworktrafficisallowedanddisallowedattheinstance
level.TheAmazonRDSlaunchwizardcreatesasecuritygroupthatallowsincomingtrafficontheMySQL
port(3306)fortrafficoriginatingfromthesystemyouaccessedtheAWSManagementConsolefrom,as
shownfollowing.Ifyouspecifiedaportotherthan3306fortheAurorainstance,thatportwillbeused
instead.NotethatVPCsecuritygroupsaremanagedfromtheAmazonVPCconsoleratherthanthe
AmazonRDSconsole.
IfyouplantoaccessyourAurorainstancesfromdeviceswithdifferentIPaddresses,youwillneedto
addrulestothesecuritygrouptoallowtheinboundtraffic.
IfyoureaccessingAurorafromacorporatenetwork,youmightneedtocreateinboundrulesforeachof
theIPaddressrangesusedbyyourcorporatenetworkforInternettraffic.Engageyourcorporate
networksupportteamtodeterminewhichIPaddressrangesyoushoulduse.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
Getting Connected
Connecting Over the Internet
TheprevioussectionsdescribeasimpleVPCconfigurationthatenablesconnectivitytoAurorainstances
overtheInternet.IfyouwerefollowingalongandusedtheAmazonRDSlaunchwizardtocreatetheVPC
andtheAurorainstance,theVPCwillalreadybeconfiguredtoacceptincomingconnectionsfromtheIP
addressusedtoruntheAmazonRDSlaunchwizard.Theendpoint(DNSnameandport)thatyouwilluse
toconnecttotheinstancecanbefoundintheInstancessectionoftheAmazonRDSconsoleasshownin
thefigurefollowing.
ThefollowingfiguresshowanexampleofconnectingtoanAurorainstanceusingtheMySQLWorkbench
utility.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
IfyouneedtoconnecttoAurorafromotherdevices,youllneedtoaddtheirIPaddressesorIPaddress
rangestotheVPCsecuritygroup,asshownfollowing.
Ifyouusedaportotherthanthedefault(3306),useCustomTCPRuleforTypeandspecifythe
appropriateportinthePortRangefield.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
YoumightalsoneedtoaddaruletotheVPCsecuritygroupallowingtrafficfrominstancesassociated
withthatgroup,asshowninthefollowingexamplefromtheAmazonVPCconsole.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
Oncethesechangesaremade,youcanconnecttotheAurorainstanceforexample,usingtheMySQL
commandlinetool:
$ mysql --user=admin -p --host=mydb-1-cluster.cluster-cmswbbjge3do.us-east-1-
beta.rds.amazonaws.com
NotethattheDNShostnamefortheAurorainstanceresolvestoitsinternalIPaddresswhenusedwithin
EC2instancesinthesameVPC.ThisapproachallowscommunicationovertheAWSinterinstance
network,providinghighbandwidthandlowlatencywithoutincurringnetworkbandwidthcharges
associatedwithcommunicatingovertheInternet.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
EnablingClassicLinkaddsanewentrytotheVPCroutetabletoallownetworktraffictotheAWS
interinstancenetwork,asshownfollowing.
AfterenablingClassicLinkontheVPC,wecannowaddEC2ClassicinstancestotheVPCsecuritygroup
thatprovidesaccesstoyourAurorainstances,asshowninthefollowingexamplefromtheAmazonEC2
console.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
WecannowconnecttotheAurorainstancebyusingitsprivateIPaddress,asshownfollowing.Note
thatwecannotusetheDNSnamebecausethatresolvestothepublicIPaddressfromEC2Classic
instancesandwehaventdefinedrulestoallowcommunicationwiththepublicIPaddressfromEC2
Classic.WecanaddrulestoallowcommunicationbyusingthepublicIPaddress,butthenwewouldnt
betakingadvantageofthebenefitsClassicLinkprovides.
$ mysql --user=admin -p --host=172.30.3.168
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
canbeaccessedonlybyEC2instancesordevicesinthesameVPCastheAurorainstances.Acommon
usecaseisapublicfacingwebapplicationandanAurorainstancethatisnotpubliclyaccessible.
ThesimplestwaytohideAurorainstancesfromtheInternetistospecifyNointhePubliclyAccessible
fieldwhencreatinganinstance.TheinstancewillbecreatedwithaprivateIPaddress,butnopublicIP
address.Inthiscase,theonlywaytocommunicatewiththeinstanceisfromwithintheVPCorEC2
ClassicinstancesthathaveaClassicLinkconnectiontotheVPC.Intheexamplefollowing,theAurora
instanceisbeingcreatedinthesameVPCwevebeenusingpreviouslyandusestheVPCsecuritygroup
thatweconfiguredforpublicaccess.However,becausetheAurorainstancehasnopublicIPaddress,it
cannotbereachedfromtheInterneteventhoughtheVPCsecuritygroupallowsincomingtrafficfrom
theInternet.
NoticethatwecanusetheDNSnameforthisAurorainstance(withinAWSinthesameregion)because
itresolvesonlytotheprivateIPaddress:
WewillhostawebfacingappthataccessesanAuroraclusterwithonewriterandtworeaderinstances.
Thedatabaseinstancesshouldbeaccessibleonlybythewebapp.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
TheVPCisinaregionwithfourAvailabilityZones,soithasbeenconfiguredwithfourprivateandfour
publicsubnetsoneprivateandonepublicsubnetforeachofthefourAvailabilityZones.Thedatabases
willresideintheprivatesubnets,andthewebappresidesinthepublicsubnets.
Therearetworoutetables,asshownfollowingonethathasaroutetoanAmazonVPCInternet
gatewayforthepublicsubnetsandonethathasnoexternalroutingfortheprivatesubnets.Youcansee
theroutetableassociationsforeachsubnetinthefigurepreceding.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
ThenetworkACLsfortheprivatesubnetsareconfiguredtoallowincomingtrafficonlyfromthepublic
subnetsandonlyontheportusedbytheAurorainstances:
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
EachofthefourprivatesubnetsisassociatedwiththisnetworkACL:
TherearealsotwoVPCsecuritygroups,asshownfollowingonefordatabaseuseandoneforwebapp
use.Theinboundrulefortheprivatesecuritygroupacceptstrafficonlyonthedatabaseportandonly
frominstancesthatareassociatedwiththepublicVPCsecuritygroup.Thewebappinstancesare
associatedwiththepublicVPCsecuritygroup.
Configuring RDS DB Subnet Groups
BeforewecancreateAurorainstancesinthisVPC,weneedtotellAmazonRDSwhichVPCsubnetsto
use.Intheexampleillustratedfollowing,anRDSDBsubnetgroupnamedprivatewascreatedthat
mapstoeachoftheVPCprivatesubnetswherewewantRDStoprovisionourAurorainstances.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
Aurora Cluster Creation
NowwecancreateAurorainstancesintheVPC.ThesubnetgroupissettousetheprivateRDSDB
subnetgroup,PubliclyAccessibleissettoNosothattheAurorainstancewillhaveaprivateIPaddress
only,andtheVPCSecurityGroupfieldissettothePrivate VPCsecuritygroup.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
HerestheclusteraftercreatingtwoAuroraReplicas.NoticethateachinstanceisinadifferentAZ.
Accessing the Aurora Cluster Instances
UsinganEC2instancecreatedinthesameVPCinoneofthepublicsubnets,wecanconnecttoeachof
theinstancesintheAuroracluster,buttheywillnotbeaccessiblefromanywhereoutsidetheVPC.
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.
First,wellcreateanewdatabaseandtableonthewriterinstanceusingthefollowingcommands.
[ec2-user@ip-172-30-7-75 ~]$ mysql --user=admin -p --host=my-hidden-db-1-cluster.cluster-
cmswbbjge3do.us-east-1-beta.rds.amazonaws.com
Nowwellreadthetablefromoneofthereaderinstancesusingthefollowingcommands.
[ec2-user@ip-172-30-7-75 ~]$ mysql --user=admin -p --host=my-hidden-db-rr-1.cmswbbjge3do.us-east-
1-beta.rds.amazonaws.com
mysql> exit
Nowwellreadthetablefromtheotherreaderinstance.
mysql>
Nowyou'velearnedhowtoconnecttoRDSAurorainstancesfromonpremisesequipmentandEC2
ClassicinstancesusingAWSClassicLink,andhowtohideRDSAurorainstancesfromtheInternetwhile
allowingaccessfromWebfacingapps.Forfurtherreading,seethefollowing.
Further Reading
AmazonAurora:http://aws.amazon.com/rds/aurora/
AmazonVPC:http://aws.amazon.com/vpc/
2015,AmazonWebServices,Inc.oritsaffiliates.Allrightsreserved.