I want to configure my provisioned Amazon Aurora DB cluster to be publicly accessible, and secure my Aurora DB cluster from outside connections.
Short description
To make your Aurora DB cluster publicly accessible, the instances in the cluster must have a public IP address and run in a public subnet.
For an Aurora DB instance, you can't choose a specific subnet. Instead, you must choose a DB subnet group when you create the instance. Make sure that you create a DB subnet group with similar network configurations. For example, create a DB subnet group for public subnets and another one for private subnets.
After you configure the DB instance to allow connections from outside the VPC, you can use TLS to secure the connections.
Note: It's a security best practice not to allow connections from outside the VPC unless you must have public accessibility.
Resolution
Set the Publicly accessible setting for the DB instance to Yes
The Publicly accessible setting for an Amazon Relational Database Service (Amazon RDS) DB instance controls whether the DB instance gets a public IP address. When the setting is No, the DB instance has only a private IP address. When the setting is Yes, the DB instance has both a public and a private IP address.
To change the Publicly accessible setting of the DB instance to yes, complete the following steps:
- Open the Amazon RDS console.
- In the navigation pane, choose Databases, and then choose the DB instance.
- Choose Modify.
- In the Connectivity section, choose Additional configuration, and then choose Publicly accessible.
- Choose Continue.
- In the Schedule modifications section, choose the option that's best for your use case.
Note: The Apply immediately option can cause downtime. For more information, see Using the schedule modifications setting.
- Choose Modify DB instance.
Run the DB instance in a public subnet
To make sure that your DB instance's public subnet has internet access, complete the following steps:
- Create an internet gateway and attach it to the VPC.
- In the navigation pane, choose Subnets.
- Verify that all subnets in the DB subnet group use a route table with the internet gateway.
- If the subnet uses the main route table of the VPC, then add a 0.0.0.0/0 route that targets the internet gateway. You can also create a custom route table with a route to the internet gateway, and then associate the route table with the subnet.
- To add the source public IP address that you want to connect to the DB instance from, configure the inbound security group rules.
For Type, choose MySQL/Aurora or PostgreSQL.
For Source, choose Custom and manually enter the CIDR range. Or, choose My IP to connect to the DB instance from the same workstation.
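The three conditions in the steps above (public IP assigned, every subnet in the DB subnet group routed to an internet gateway, and an inbound rule that opens the database port only to your source CIDR) can be checked from describe-* output instead of by clicking through the console. The script below is an added example and is not AWS code or part of this article. It assumes JSON in the shape of `aws rds describe-db-instances`, `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` output (the field names are taken from the AWS CLI; confirm them against your own output), and the sample data, resource ids and the 203.0.113.0/24 source range are constructed for the example.

```python
import ipaddress

# Constructed sample in the shape of `aws rds describe-db-instances` output (ids are placeholders).
DB_INSTANCES = {"DBInstances": [{
    "DBInstanceIdentifier": "test-aurora-57-instance-1",
    "PubliclyAccessible": True,
    "Endpoint": {"Port": 3306},
    "DBSubnetGroup": {
        "DBSubnetGroupName": "public-subnets",
        "VpcId": "vpc-0example",
        "Subnets": [{"SubnetIdentifier": "subnet-0public"},
                    {"SubnetIdentifier": "subnet-0private"}],
    },
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0dbaccess"}],
}]}

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0main", "VpcId": "vpc-0example",      # main table: local route only
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-0public", "VpcId": "vpc-0example",    # custom table with the internet gateway route
     "Associations": [{"Main": False, "SubnetId": "subnet-0public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
]}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0dbaccess",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"},   # a specific source, as the article advises
                                     {"CidrIp": "0.0.0.0/0"}]}]},    # open to the whole internet
]}


def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def subnet_is_public(route_tables, vpc_id, subnet_id):
    """Public means the effective route table sends 0.0.0.0/0 to an internet gateway (igw-*)."""
    rt = route_table_for_subnet(route_tables, vpc_id, subnet_id)
    if rt is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               and r.get("State", "active") == "active"
               for r in rt.get("Routes", []))


def sources_allowed_on_port(security_groups, sg_ids, port):
    """Return the IPv4 CIDRs that inbound rules on the given groups allow to reach TCP `port`."""
    cidrs = []
    for sg in security_groups["SecurityGroups"]:
        if sg["GroupId"] not in sg_ids:
            continue
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):            # -1 is "all traffic"
                continue
            if proto == "-1" or perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def audit(db_instances, route_tables, security_groups):
    """Return findings against the article's three conditions; an empty list means all of them hold."""
    findings = []
    for db in db_instances["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        if not db.get("PubliclyAccessible"):
            findings.append(f"{name}: Publicly accessible is No, so the instance has no public IP address")
        group = db["DBSubnetGroup"]
        for subnet in group["Subnets"]:
            sid = subnet["SubnetIdentifier"]
            if not subnet_is_public(route_tables, group["VpcId"], sid):
                findings.append(f"{name}: subnet {sid} in {group['DBSubnetGroupName']} has no 0.0.0.0/0 route to an internet gateway")
        port = db["Endpoint"]["Port"]
        sg_ids = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]}
        sources = sources_allowed_on_port(security_groups, sg_ids, port)
        if not sources:
            findings.append(f"{name}: no inbound security group rule allows TCP {port}")
        for cidr in sources:
            if ipaddress.ip_network(cidr).prefixlen == 0:   # 0.0.0.0/0: every source on the internet
                findings.append(f"{name}: TCP {port} is open to {cidr}; restrict Source to your CIDR or My IP")
    return findings


if __name__ == "__main__":
    for line in audit(DB_INSTANCES, ROUTE_TABLES, SECURITY_GROUPS):
        print(line)
```

On the constructed data the audit reports two findings: subnet-0private falls back to the main route table, which has no internet gateway route, so an instance placed there would not be reachable even with a public IP; and the 0.0.0.0/0 ingress rule exposes the database port to every address on the internet rather than to the CIDR or My IP source the steps describe. The same mixed-subnet situation is why the article tells you to keep public and private subnets in separate DB subnet groups.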
Secure the DB cluster from connections that are outside the VPC
Use TLS to encrypt connections that come from outside the VPC, because the data travels over the internet. For the highest level of security, pass the certificate authority (CA) certificate with the ssl-ca parameter, and then turn on hostname validation, so that the client verifies both the certificate chain and the endpoint name.
To test the TLS connection, run the following command for the version of Aurora that you use.
Amazon Aurora MySQL-Compatible Edition 5.6
mysql -h test-aurora-56.cluster-############.us-east-1.rds.amazonaws.com -u test_user --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert
Note: Replace test-aurora-56.cluster-############.us-east-1.rds.amazonaws.com with your cluster endpoint. Replace test_user with your username. Replace rds-combined-ca-bundle.pem with the path of your CA.
Amazon Aurora MySQL-Compatible 5.7 and later
mysql -h test-aurora-57.cluster-############.us-east-1.rds.amazonaws.com -u test_user --ssl-ca=rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY
Note: Replace test-aurora-57.cluster-############.us-east-1.rds.amazonaws.com with your cluster endpoint. Replace test_user with your username. Replace rds-combined-ca-bundle.pem with the path of your CA.
Amazon Aurora PostgreSQL-Compatible Edition
psql -h test-aurora-pg.cluster-############.us-east-1.rds.amazonaws.com -p 5432 "dbname=postgres user=test_user sslrootcert=rds-combined-ca-bundle.pem sslmode=verify-full"
Note: Replace test-aurora-pg.cluster-############.us-east-1.rds.amazonaws.com with your cluster endpoint. Replace 5432 with your cluster's port. Replace postgres with your database name. Replace test_user with your username. Replace rds-combined-ca-bundle.pem with the path of your CA.
You can also enforce TLS for DB clusters. For Aurora MySQL-Compatible, set TLS at the database user level. For Aurora PostgreSQL-Compatible, set the rds.force_ssl parameter to 1.
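The commands above differ from a plain encrypted connection in a way that is easy to miss: encryption alone does not prove which server you reached, only a CA check plus hostname validation does. The script below is an added example, not AWS code or part of this article; it classifies a mysql command line or a libpq connection string by how much of the server's identity the client will actually verify. It follows the documented meanings of the mysql --ssl-mode values and the libpq sslmode values; the handling of the 5.6-era flags (--ssl-ca and --ssl-verify-server-cert without --ssl-mode) is an assumption about that older client, and the sample commands are the article's own with their placeholders left in place.

```python
import shlex

# Verification strength, weakest first. Only the last one confirms that the
# endpoint name you typed matches the certificate presented by the server.
LEVELS = ("none", "encrypted", "verify-ca", "verify-full")


def mysql_tls_level(command):
    """Classify a mysql client command line by server-identity verification."""
    opts = {}
    for arg in shlex.split(command):           # shlex leaves '#' placeholders alone (comments=False)
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            opts[name] = value
    mode = opts.get("ssl-mode", "").upper()
    has_ca = bool(opts.get("ssl-ca"))
    if mode == "DISABLED":
        return "none"
    if mode in ("VERIFY_CA", "VERIFY_IDENTITY"):
        if not has_ca:                         # the 5.7+ client refuses these modes without --ssl-ca
            raise ValueError(f"--ssl-mode={mode} requires --ssl-ca")
        return "verify-full" if mode == "VERIFY_IDENTITY" else "verify-ca"
    if mode in ("PREFERRED", "REQUIRED"):
        return "encrypted"                     # 5.7+: encrypted, but the chain is not checked below VERIFY_CA
    # No --ssl-mode: 5.6-style flags (assumption about the older client's behaviour).
    if has_ca and "ssl-verify-server-cert" in opts:
        return "verify-full"
    if has_ca:
        return "verify-ca"
    return "none" if not any(k.startswith("ssl") for k in opts) else "encrypted"


def postgres_tls_level(conninfo):
    """Classify a libpq keyword=value connection string, the form the psql command uses."""
    params = dict(item.split("=", 1) for item in shlex.split(conninfo) if "=" in item)
    mode = params.get("sslmode", "prefer")     # libpq's default
    has_root = bool(params.get("sslrootcert"))
    if mode == "disable":
        return "none"
    if mode == "verify-full":
        return "verify-full"                   # libpq also reads ~/.postgresql/root.crt when sslrootcert is absent
    if mode == "verify-ca" or (mode == "require" and has_root):
        return "verify-ca"                     # libpq documents require + a root cert as behaving like verify-ca
    return "encrypted"                         # allow, prefer, require: no certificate check


def meets_article_bar(level):
    """The article's recommendation: CA certificate supplied and hostname validation on."""
    return LEVELS.index(level) >= LEVELS.index("verify-full")


# The article's own commands (placeholders kept), plus two weaker variants for contrast.
MYSQL_56 = ("mysql -h test-aurora-56.cluster-############.us-east-1.rds.amazonaws.com -u test_user "
            "--ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert")
MYSQL_57 = ("mysql -h test-aurora-57.cluster-############.us-east-1.rds.amazonaws.com -u test_user "
            "--ssl-ca=rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY")
MYSQL_WEAK = "mysql -h example-host -u test_user --ssl-mode=REQUIRED"
PG_FULL = "dbname=postgres user=test_user sslrootcert=rds-combined-ca-bundle.pem sslmode=verify-full"
PG_WEAK = "dbname=postgres user=test_user sslmode=require"

if __name__ == "__main__":
    for label, level in [("Aurora MySQL 5.6", mysql_tls_level(MYSQL_56)),
                         ("Aurora MySQL 5.7+", mysql_tls_level(MYSQL_57)),
                         ("MySQL, REQUIRED only", mysql_tls_level(MYSQL_WEAK)),
                         ("Aurora PostgreSQL", postgres_tls_level(PG_FULL)),
                         ("PostgreSQL, require only", postgres_tls_level(PG_WEAK))]:
        print(f"{label:28} {level:12} {'ok' if meets_article_bar(level) else 'below the article bar'}")
```

Both of the article's commands classify as verify-full, while `--ssl-mode=REQUIRED` and `sslmode=require` classify as merely encrypted: the traffic is protected from passive reading, but a client configured that way would accept any certificate, so it cannot tell the real cluster endpoint from an impostor. The server-side settings the paragraph above mentions (REQUIRE SSL on the MySQL user, rds.force_ssl for PostgreSQL) are a separate control: they stop unencrypted connections, but the verification level is still decided by the client's options.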
Related information
Using SSL/TLS to encrypt a connection to a DB cluster
Securing Aurora PostgreSQL data with SSL/TLS
How do I connect to my Amazon RDS DB instance with a bastion host from my Linux or macOS machine?
How can I configure private and public Aurora endpoints in the Amazon RDS console?