Hi Andrea,
Please go through the steps below; I hope they help to resolve your issue.
Certificate Authority Alignment:
- Update Certificates: Ensure all instances in the Aurora cluster are using the same CA. You can update the CA for the existing instances to match the new replica's CA (rds-ca-rsa2048-g1). This ensures that there are no SSL/TLS handshake issues when your application tries to communicate with the replicas.
- Modify DB Instance: Go to the RDS console, select the instances, and modify them to use the new CA.
- Apply Updates: Apply the changes and schedule a maintenance window if required to avoid downtime.
Load Balancing:
- Check Load Balancer Configuration: Ensure that the load balancer or the read endpoint configuration includes the new replica.
- Endpoint Configuration: Verify that the cluster's read endpoint (<cluster_name>-ro) is correctly configured to include the new replica. The Aurora cluster's read endpoint should automatically distribute read traffic among all read replicas.
Replica Status:
- Check Replica Status: Ensure the new replica is in a healthy state and marked as available. Sometimes replicas might be added but are not marked as available immediately due to ongoing synchronization or other processes.
- Replica Configuration: Verify that the new replica has the correct parameter group and subnet group settings matching the existing instances.
Application Configuration:
- Update Application Settings: If the application directly references instance endpoints, make sure to include the new replica's endpoint. Ideally, the application should use the cluster's writer and read endpoints to automatically manage load balancing.
Aurora Cluster Configuration:
- Cluster Configuration: Ensure the Aurora cluster itself is correctly configured to balance traffic between the writer and all replicas. You can review the cluster's configuration in the RDS console and adjust settings as needed.
Health Checks:
- Monitor Logs: Check the RDS and application logs to identify any connection issues or errors that might indicate why the new replica isn't receiving traffic.
Steps to Update Certificates
- Modify Existing Instances:
  - Open the RDS console.
  - Select your Aurora cluster.
  - Choose each of the existing instances one by one.
  - Click on "Modify".
  - Under the "Network & Security" section, update the "CA Certificate Identifier" to rds-ca-rsa2048-g1.
  - Apply the changes. You may need to specify a maintenance window.
- Verify the Change:
  - After the maintenance window, check that the instances have been updated to use the new CA.
  - Use the describe-db-instances AWS CLI command or check in the RDS console.
Example AWS CLI Command
To update the CA for an instance using the AWS CLI:
aws rds modify-db-instance \
--db-instance-identifier your-db-instance-identifier \
--ca-certificate-identifier rds-ca-rsa2048-g1 \
--apply-immediately
Repeat this for each instance in your cluster.
By ensuring all instances use the same CA and are properly configured within the cluster, your new replica should start receiving traffic as expected.
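The checks in the answer above (same CA on every instance, every replica "available", matching parameter and subnet groups) can be run in one pass over the output of `aws rds describe-db-instances --output json`. The script below is an added example, not code from the answer or from AWS; the instance identifiers, cluster name and JSON values are constructed for illustration, and the field names are the ones the real CLI emits. It prints the exact `modify-db-instance` command from the answer for each instance whose CA still differs from the target.

```python
import json
from collections import Counter

# Constructed sample in the shape of `aws rds describe-db-instances --output json`,
# trimmed to the fields this audit reads. Identifiers and values are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "app-writer-1", "DBClusterIdentifier": "app-cluster",
         "DBInstanceStatus": "available", "CACertificateIdentifier": "rds-ca-2019",
         "DBParameterGroups": [{"DBParameterGroupName": "app-pg"}],
         "DBSubnetGroup": {"DBSubnetGroupName": "app-subnets"}},
        {"DBInstanceIdentifier": "app-reader-1", "DBClusterIdentifier": "app-cluster",
         "DBInstanceStatus": "available", "CACertificateIdentifier": "rds-ca-2019",
         "DBParameterGroups": [{"DBParameterGroupName": "app-pg"}],
         "DBSubnetGroup": {"DBSubnetGroupName": "app-subnets"}},
        {"DBInstanceIdentifier": "app-reader-2", "DBClusterIdentifier": "app-cluster",
         "DBInstanceStatus": "available", "CACertificateIdentifier": "rds-ca-rsa2048-g1",
         "DBParameterGroups": [{"DBParameterGroupName": "app-pg-new"}],
         "DBSubnetGroup": {"DBSubnetGroupName": "app-subnets"}},
        {"DBInstanceIdentifier": "app-reader-3", "DBClusterIdentifier": "app-cluster",
         "DBInstanceStatus": "creating", "CACertificateIdentifier": "rds-ca-rsa2048-g1",
         "DBParameterGroups": [{"DBParameterGroupName": "app-pg"}],
         "DBSubnetGroup": {"DBSubnetGroupName": "app-subnets"}},
        # An instance from a different cluster, to show the filter works.
        {"DBInstanceIdentifier": "other-writer", "DBClusterIdentifier": "other-cluster",
         "DBInstanceStatus": "available", "CACertificateIdentifier": "rds-ca-2019",
         "DBParameterGroups": [{"DBParameterGroupName": "other-pg"}],
         "DBSubnetGroup": {"DBSubnetGroupName": "other-subnets"}},
    ]
})


def audit_cluster(describe_json, cluster_id, expected_ca):
    """Collect the findings to check before blaming the reader endpoint."""
    instances = json.loads(describe_json)["DBInstances"]
    members = [i for i in instances if i.get("DBClusterIdentifier") == cluster_id]

    # Instances whose TLS chain is still issued by a different CA than the new replica.
    ca_mismatch = sorted(i["DBInstanceIdentifier"] for i in members
                         if i.get("CACertificateIdentifier") != expected_ca)
    # Replicas the reader endpoint will not hand out yet.
    not_available = sorted(i["DBInstanceIdentifier"] for i in members
                           if i.get("DBInstanceStatus") != "available")
    # Drift in parameter / subnet groups across the cluster's members.
    param_groups = Counter(pg["DBParameterGroupName"]
                           for i in members for pg in i.get("DBParameterGroups", []))
    subnet_groups = Counter(i.get("DBSubnetGroup", {}).get("DBSubnetGroupName")
                            for i in members)

    # The same modify-db-instance call shown in the answer, one per lagging instance.
    commands = [
        f"aws rds modify-db-instance --db-instance-identifier {name} "
        f"--ca-certificate-identifier {expected_ca} --apply-immediately"
        for name in ca_mismatch
    ]
    return {
        "members": sorted(i["DBInstanceIdentifier"] for i in members),
        "ca_mismatch": ca_mismatch,
        "not_available": not_available,
        "parameter_group_drift": len(param_groups) > 1,
        "subnet_group_drift": len(subnet_groups) > 1,
        "modify_commands": commands,
    }


if __name__ == "__main__":
    report = audit_cluster(SAMPLE_DESCRIBE_OUTPUT, "app-cluster", "rds-ca-rsa2048-g1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice you would pipe the real CLI output into `audit_cluster` instead of the constructed sample. Whether to keep `--apply-immediately` or let the change wait for the maintenance window is the same choice the answer describes; the generated commands only mirror the answer's example.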
One additional point of clarification to the above answer. The Aurora cluster's "reader endpoint" is a Route 53 DNS-based endpoint. It load balances "connection" requests, not individual SQL read queries. Once a connection is established to a particular reader node, it remains open until the application either closes it or it "times out" based on the relevant database engine's connection timeout parameter(s). This is all documented in our public documentation at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.Endpoints.html#Aurora.Endpoints.Reader.
Please also note that the load balancing of connections occurs when the application resolves the DNS name. Each time the application makes the call to DNS, DNS returns the "next" reader node in the set. If your application caches DNS entries, as most do, rapid and successive calls for a connection may be serviced out of the DNS cache and use the same reader's IP address. You can mitigate this by setting the appropriate DNS "time-to-live" parameter(s) to reasonable values for your applications' behavior.
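The DNS-caching effect described in the two paragraphs above can be reproduced offline. The script below is an added illustration, not code from the answer or from AWS: `RoundRobinDns` is a deterministic stand-in for the reader endpoint's round-robin answers (not Route 53 itself), the reader IP addresses and the 30-second record TTL are constructed, and `max_cache_ttl` plays the role of the application-side "time-to-live" setting the answer recommends tuning. It opens six connections in quick succession and shows where they land with and without the cap.

```python
import itertools
from collections import Counter

# Constructed reader IPs; stand-ins for the instances behind <cluster_name>-ro.
READER_IPS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]
DNS_RECORD_TTL = 30  # constructed TTL returned by the simulated DNS answer


class RoundRobinDns:
    """Models the behaviour described above: each query returns the *next* reader.
    A deterministic stand-in for the real endpoint so the effect can be shown offline."""

    def __init__(self, ips, ttl_seconds):
        self._cycle = itertools.cycle(ips)
        self.ttl = ttl_seconds
        self.queries = 0  # how many lookups actually reached "DNS"

    def resolve(self, name):
        self.queries += 1
        return next(self._cycle), self.ttl


class CachingResolver:
    """Application-side DNS cache. `max_cache_ttl` caps how long an answer is reused,
    like a JVM's networkaddress.cache.ttl security property. The clock value is passed
    in explicitly so runs are deterministic."""

    def __init__(self, dns, max_cache_ttl=None):
        self._dns = dns
        self._max_cache_ttl = max_cache_ttl
        self._cache = {}  # name -> (ip, expires_at)

    def resolve(self, name, now):
        cached = self._cache.get(name)
        if cached and now < cached[1]:
            return cached[0]  # served from cache: same reader as last time
        ip, ttl = self._dns.resolve(name)
        if self._max_cache_ttl is not None:
            ttl = min(ttl, self._max_cache_ttl)
        self._cache[name] = (ip, now + ttl)
        return ip


def open_connections(resolver, name, count, interval_seconds):
    """Open `count` connections `interval_seconds` apart; return the reader each one hit.
    Load balancing happens only here, at connection setup, never per SQL statement."""
    return [resolver.resolve(name, k * interval_seconds) for k in range(count)]


def distribution(max_cache_ttl, count=6, interval_seconds=0.1):
    """Return (connections per reader, number of real DNS lookups) for one cache setting."""
    dns = RoundRobinDns(READER_IPS, ttl_seconds=DNS_RECORD_TTL)
    resolver = CachingResolver(dns, max_cache_ttl=max_cache_ttl)
    hits = open_connections(resolver, "app-cluster-ro.example", count, interval_seconds)
    return Counter(hits), dns.queries


if __name__ == "__main__":
    for label, cap in (("cache honours 30s record TTL", None), ("cache TTL capped at 0s", 0)):
        spread, lookups = distribution(cap)
        print(f"{label}: {dict(spread)} ({lookups} DNS lookups)")
```

With the cache left at the record's TTL, all six connections resolve from the first answer and pin to one reader after a single lookup; with the cap at zero, every connection re-resolves and the six connections spread evenly. Because the balancing is per connection, a pool that keeps connections open indefinitely will stay pinned wherever it first landed regardless of the TTL, so the pool's connection lifetime matters as much as the resolver setting.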