How do I use Amazon RDS Proxy to connect to my Amazon RDS for MySQL DB instance or Aurora MySQL-Compatible DB cluster?


I want to use Amazon Relational Database Service (Amazon RDS) Proxy to connect to my Amazon RDS for MySQL DB instance or Amazon Aurora MySQL-Compatible Edition DB cluster.

Resolution

Prerequisite: Your proxy must be in the same virtual private cloud (VPC) as the database. You can make the database publicly accessible, but the proxy can't be publicly accessible.

Create the proxy and connect it to your DB instance

Complete the following steps:

  1. Create database credentials in AWS Secrets Manager.
    Note: When you create the secret, use the same username and password as your database.

  2. (Optional) Create an AWS Identity and Access Management (IAM) policy and an IAM role.
    Note: Amazon RDS Proxy automatically creates an IAM role. However, you can create your own IAM role.

  3. Create a proxy.

  4. Run the following command to check whether the proxy endpoint is reachable:

    nc -zv proxy_endpoint 3306

    Note: Replace proxy_endpoint with the address of your proxy server. Run the preceding command only on an Amazon Elastic Compute Cloud (Amazon EC2) instance that's in the same VPC as the proxy. The command fails from a local machine, because the proxy isn't publicly accessible.
    Example output:

    Connection to test-proxy.proxy-#############.eu-west-1.rds.amazonaws.com 3306 port [tcp/mysql] succeeded
  5. Run the following command to use the proxy to connect to the RDS DB instance:

    mysql -h proxy_endpoint -u username -p

    Note: Replace proxy_endpoint with the address of your proxy server.
    Example output:

    Server version: 5.7.28-log
    
    Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql>

(Optional) Use the proxy with a TLS/SSL connection

Complete the following steps:

  1. When you create the proxy, turn on Require Transport Layer Security. You can also modify an existing proxy to turn on this setting.
    Note: When Require Transport Layer Security is turned on, the proxy rejects plaintext connections.

  2. Download the Amazon Root CA 1 trust store .pem file from Amazon Trust Services:

    wget https://www.amazontrust.com/repository/AmazonRootCA1.pem
  3. Run the following command to use TLS/SSL to connect to the DB instance:

    mysql -h test-proxy.proxy-#############.eu-west-1.rds.amazonaws.com -u admin --ssl-mode=REQUIRED --ssl-ca=AmazonRootCA1.pem -p

    Or, to also check that the certificate's hostname matches the proxy endpoint, run the following command with the TLS/SSL VERIFY_IDENTITY mode:

    mysql -h test-proxy.proxy-#############.eu-west-1.rds.amazonaws.com -u admin --ssl-mode=VERIFY_IDENTITY --ssl-ca=AmazonRootCA1.pem -p

    Note: The proxy uses wildcard certificates. To connect with the TLS/SSL VERIFY_IDENTITY mode, you must use the MySQL 8.0-compatible mysql client, because older clients can't match the hostname against a wildcard certificate.
    Example output:

    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 12659040
    Server version: 5.7.28-log
    
    Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
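The following pre-flight script is added here and is not part of the AWS article. It ties the two procedures above together: it checks that the host really is an RDS Proxy endpoint, picks the strictest --ssl-mode that the installed mysql client supports (the wildcard-certificate caveat above), and only then assembles the connection command. The function names and sample hostnames are my own; the script assumes a POSIX shell, nc, sed, the Oracle mysql client and the AmazonRootCA1.pem file downloaded in step 2.

```shell
#!/bin/sh
# Added example, not from the AWS article: pre-flight helpers for connecting
# to RDS for MySQL / Aurora MySQL through RDS Proxy with TLS. Assumes the
# Oracle `mysql` client, `nc`, `sed` and AmazonRootCA1.pem in the current
# directory. Hostnames used in tests are constructed samples.

# 0 if the host has the RDS Proxy endpoint shape
# <name>.proxy-<id>.<region>.rds.amazonaws.com, else 1. A plain DB endpoint
# (no "proxy-" label) would bypass the proxy, so it is rejected.
is_proxy_endpoint() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z0-9-]+\.proxy-[a-z0-9]+\.[a-z]{2}(-[a-z]+)+-[0-9]\.rds\.amazonaws\.com$'
}

# Port check from inside the VPC (the proxy is never publicly reachable).
check_reachable() {
    nc -z -w 5 "$1" 3306
}

# Print major.minor of the client from `mysql --version` output, which reads
# "... Distrib 5.7.28, ..." for 5.7 clients and "Ver 8.0.36 ..." for 8.0.
mysql_client_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Distrib \([0-9]*\.[0-9]*\).*/\1/p; s/.*Ver \([0-9]*\.[0-9]*\).*/\1/p'
}

# The proxy presents a wildcard certificate, which only the 8.0 client can
# match by hostname. Older clients fall back to VERIFY_CA, which still checks
# the chain against AmazonRootCA1.pem but not the hostname.
choose_ssl_mode() {
    case "$1" in
        8.*) echo VERIFY_IDENTITY ;;
        *)   echo VERIFY_CA ;;
    esac
}

# Assemble the mysql command; refuse non-proxy hosts and unreadable CA files
# so a typo cannot silently downgrade to an unverified connection.
build_mysql_cmd() {
    is_proxy_endpoint "$1" || { echo "not an RDS Proxy endpoint: $1" >&2; return 1; }
    [ -r "$4" ] || { echo "CA bundle not readable: $4" >&2; return 1; }
    printf 'mysql -h %s -u %s --ssl-mode=%s --ssl-ca=%s -p\n' "$1" "$2" "$3" "$4"
}

# Stand-alone use: ./proxy_preflight.sh <proxy_endpoint> <username> [ca.pem]
if [ "$#" -ge 2 ]; then
    mode=$(choose_ssl_mode "$(mysql_client_version "$(mysql --version)")")
    check_reachable "$1" || { echo "proxy port 3306 not reachable" >&2; exit 1; }
    build_mysql_cmd "$1" "$2" "$mode" "${3:-AmazonRootCA1.pem}"
fi
```

The printed command still prompts for the password, so the Secrets Manager credential is never written to a shell history file.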

Related information

Troubleshooting for RDS Proxy

Amazon RDS Proxy

4 Comments

Why don't you use --ssl-ca=global-bundle.pem instead of --ssl-ca=AmazonRootCA1.pem?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied a year ago

RDS Proxy uses certificates from the AWS Certificate Manager (ACM). If you are using RDS Proxy, you don't need to download Amazon RDS certificates or update applications that use RDS Proxy connections. Note: global-bundle.pem is RDS-specific and not for RDS Proxy.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.howitworks.html#rds-proxy-security.tls

AWS
replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 5 months ago