AWS Database Blog
Use Amazon RDS Proxy and AWS PrivateLink to access Amazon RDS databases across AWS Organizations at American Family Insurance Group
The American Family Insurance Group of companies includes American Family Insurance, CONNECT (powered by American Family Insurance), The General, Homesite, and Main Street America Insurance. It is the nation’s twelfth-largest property and casualty insurance group, ranking number 301 on the Fortune 500 list. Across these companies, the group has nearly 13,000 employees nationwide.
The group required an enterprise-level solution to privately share centralized information for their common systems of record. This information was stored in Amazon Relational Database Service (Amazon RDS) and needed to be accessible to multiple lines of business. The information is used by commercial systems across the organization to drive process automation, aggregate clickstream data for marketing campaigns, and fulfill analytical or operational reporting needs.
To follow best practices, the company decided to isolate workloads in their own AWS account and network boundary. However, they still needed to grant access to the information across different AWS accounts and VPCs that had overlapping CIDR ranges.
In this post, we show how the organization created a solution for highly available, centralized database access. They achieved this by combining Amazon RDS Proxy with AWS PrivateLink, which allows for secure and private access to RDS databases. This solution enables clients from different AWS Organizations and accounts to connect to the database over PrivateLink, even if they have overlapping CIDR ranges.
Shared Amazon RDS connectivity
In this post, we refer to “consumer” and “database” accounts to demonstrate connectivity. The database account includes an RDS database (or Amazon Aurora cluster), RDS proxy, and PrivateLink endpoint service. The consumer account includes an interface VPC endpoint using the database account PrivateLink endpoint service.
Customers with multiple organizations, overlapping CIDR ranges across VPCs, or a centralized database management strategy may require shared access to a common RDS DB instance or Aurora cluster. These situations can be the result of mergers and acquisitions or of deliberate design, offering centrally defined entry points to specific database resources.
With overlapping CIDR ranges, you can use PrivateLink to create an endpoint service in the database account that is accessible to AWS principals, such as other AWS accounts. A PrivateLink endpoint service is backed by a Network Load Balancer (NLB) with a target group. One option is to create a target group with the target type of IP addresses pointing to the RDS instance or Aurora cluster IP, as detailed in the related post Access Amazon RDS across VPCs using AWS PrivateLink and Network Load Balancer. However, those IP addresses may change as a result of a Multi-AZ failover or database maintenance activity. When using a supported DB engine, RDS Proxy creates a connection pool and automatically connects to the new underlying RDS DB instance or Aurora cluster instance in the event of a failover. Creating an RDS Proxy endpoint in multiple Availability Zones provides static IP addresses for the life of the endpoint, which can be set as the IP address targets for an NLB.
After a PrivateLink endpoint is created in the database account, the allowed principals create an interface VPC endpoint in consumer accounts, which requires private connectivity to the RDS DB instance or Aurora cluster.
If connectivity to an RDS database is across AWS accounts, but the accounts reside within VPCs without overlapping CIDR ranges connected via AWS Transit Gateway, then refer to Use Amazon RDS Proxy to provide access to RDS databases across AWS accounts.
Let’s dive deeper into the specific solution the American Family Insurance Group deployed, which enables secure Amazon RDS connectivity across organizations with overlapping VPC CIDR ranges.
Solution overview
We use two AWS accounts, each within a different organization. Each account uses its own VPC, and the two VPCs have overlapping CIDR ranges.
The following diagram illustrates the solution architecture.
Prerequisites
Before getting started, the following prerequisites must be met:
- Choose two accounts in separate organizations. This step is optional; standalone accounts will also work.
- In the database account, create a VPC with a minimum of two private subnets placed in different Availability Zones.
- Note the Availability Zone ID (for example, use1-az1) for the selected Availability Zone. This can be found on the subnet details tab on the Amazon Virtual Private Cloud (Amazon VPC) console.
- In the consumer account, create a VPC with a minimum of two private subnets using the same Availability Zone IDs from the DB account.
- Make sure the Amazon RDS or Aurora Region, engine, and version you’ll create are supported by RDS Proxy.
Create an RDS DB instance and RDS proxy in the database account
For this post, we use Amazon RDS for MySQL. To create an RDS for MySQL DB instance, complete the following steps:
- On the Amazon RDS console, choose DB instances in the navigation pane.
- Choose Create database.
- Choose Amazon RDS for MySQL.
- For Version, choose the latest available version.
- For Templates, choose production template.
- For Availability and durability, select Multi-AZ DB instance.
- In the Settings section, choose a DB instance identifier, set a user name and password, and confirm the password.
- For Instance configuration, choose a DB instance class.
- For Connectivity, choose the VPC created as a prerequisite.
- Choose Create an RDS Proxy.
- Create a new DB subnet group.
- For Public access, choose No.
- For VPC security group, create a new security group.
- Modify the custom rules in the security group for your DB instances to allow inbound connections on your database port (3306 for MySQL) from the subnet CIDRs you will use when creating the RDS proxy in the next step.
- For additional configurations, enter an initial DB name.
- Leave the other settings as default.
The following screenshot shows the configuration of an RDS for MySQL DB instance using the db.t3.micro instance class. Ensure that the status is available before moving to the next step; this typically takes a few minutes.
Identify the IP addresses assigned to the RDS Proxy endpoint
Next, we identify the IP addresses assigned to the VPC endpoint automatically created for the RDS Proxy endpoint.
- On the Amazon RDS console, choose Proxies in the navigation pane.
- Choose the proxy identifier name created in the previous step.
- Locate the proxy endpoint you wish to share and copy the endpoint DNS name.
- Using a DNS lookup tool, such as Dig, look up the VPC endpoint ID using the RDS Proxy endpoint DNS name.
- Copy the VPC endpoint ID from the DNS lookup results.
The VPC endpoint ID is identified by a leading vpce- followed by a series of characters up to but excluding the following dash (-), as shown in the following screenshot.
- On the Amazon VPC console, choose Endpoints in the navigation pane.
- Locate the VPC endpoint ID copied from the DNS lookup results.
- Choose the Subnets tab and note the IP addresses for each subnet.
You will use the IP addresses when creating the PrivateLink endpoint service in the next step.
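The DNS lookup and endpoint inspection above, as an added example that is not part of the original post: it extracts the vpce- ID from `dig +short` output (stopping at the first dash so that an endpoint service ID such as vpce-svc-… is not mistaken for it) and, with boto3 credentials for the database account, lists the private IP, subnet and Availability Zone of each endpoint network interface. The sample dig output is constructed; `dig` and boto3 are assumed to be installed for the two live helpers.

```python
import re
import subprocess
from typing import List, Optional

# A VPC endpoint ID is "vpce-" plus hex characters, terminated by the next dash.
# "vpce-svc-..." (an endpoint *service* ID) is deliberately not matched.
VPCE_ID_RE = re.compile(r"\bvpce-[0-9a-f]+(?=-)")


def vpce_id_from_dig_output(dig_output: str) -> Optional[str]:
    """Return the first vpce- ID found in `dig +short` output, else None."""
    for line in dig_output.splitlines():
        match = VPCE_ID_RE.search(line.strip())
        if match:
            return match.group(0)
    return None


def resolve_proxy_vpce_id(proxy_dns_name: str) -> Optional[str]:
    """Run `dig +short` on the RDS Proxy endpoint name and extract the vpce- ID."""
    result = subprocess.run(["dig", "+short", proxy_dns_name],
                            capture_output=True, text=True, check=True)
    return vpce_id_from_dig_output(result.stdout)


def proxy_endpoint_ips(vpce_id: str, region: str) -> List[dict]:
    """Return private IP, subnet and AZ of each ENI behind the VPC endpoint.

    These are the addresses to register as IP targets in the NLB target group.
    """
    import boto3  # lazy import so the parsing helpers work without boto3

    ec2 = boto3.client("ec2", region_name=region)
    endpoint = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpce_id])["VpcEndpoints"][0]
    enis = ec2.describe_network_interfaces(
        NetworkInterfaceIds=endpoint["NetworkInterfaceIds"])["NetworkInterfaces"]
    return [{"ip": e["PrivateIpAddress"], "subnet": e["SubnetId"],
             "az": e["AvailabilityZone"]} for e in enis]


# Constructed sample of `dig +short` output for a proxy endpoint (not real values).
SAMPLE_DIG_OUTPUT = """\
vpce-0123456789abcdef0-a1b2c3d4.vpce-svc-0fedcba987654321.us-east-1.vpce.amazonaws.com.
10.0.1.25
10.0.2.40
"""
```

Re-run `proxy_endpoint_ips` whenever the proxy endpoint is recreated: the IPs are static only for the life of that endpoint, so stale target group entries are a quiet outage waiting to happen.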
Create a PrivateLink endpoint service in the database account
Next, we complete three steps to create a PrivateLink endpoint service using the RDS proxy IP addresses as targets.
Create a target group in the database account
Complete the following steps to create a target group using Amazon Elastic Compute Cloud (Amazon EC2):
- On the Amazon EC2 console, choose Target groups in the navigation pane.
- Choose Create target group.
- For Basic configuration, select IP addresses.
- Set a target group name.
- Change Protocol to TCP and change Port to your RDS instance port (the MySQL default is 3306).
- Select the VPC used previously for RDS Proxy.
- For Register targets IP addresses, specify the target entries for each of the IP addresses noted when identifying the IP addresses assigned to the RDS Proxy endpoint in the previous step.
- Choose Create target group.
The target health status will change to Healthy when the configured health checks are complete.
Ensure all targets are healthy, as shown in the following screenshot of the target group.
Create a Network Load Balancer in the database account
Complete the following steps to create a Network Load Balancer:
- On the Amazon EC2 console, choose Load balancers in the navigation pane.
- Choose Create load balancer.
- Under Network Load Balancer, choose Create.
- For Basic configuration, provide an NLB name.
- Set the scheme to Internal.
- For Network mapping, choose the VPC used previously for RDS Proxy.
- Choose each subnet used previously for RDS Proxy.
- For Listeners and routing, change Protocol to TCP and change Port to your RDS instance port (the MySQL default is 3306).
- For Default action, choose the target group created in the previous step.
Create a VPC endpoint service in the database account
Complete the following steps to create a VPC endpoint service in the database account:
- On the Amazon VPC console, choose Endpoint services in the navigation pane.
- Choose Create endpoint service.
- In the Endpoint service settings section, provide a name.
- For Available load balancers, choose the NLB created in the previous step.
- Choose Create.
- On the Allow principals tab, choose Allow principals.
- Enter the ARN of your consumer account in the format arn:aws:iam::<aws-account-id>:root. This will allow any user or role in the consumer account to use the PrivateLink. The principal can be further restricted to a specific user or role.
- Under Details for the Endpoint Service, copy the service name and save it for later.
Accepting the consumer account endpoint connection will occur in the next step.
At this point, we’ve created an RDS DB instance with an RDS proxy along with a VPC PrivateLink endpoint service. Next, we log in to the consumer account and create a VPC endpoint to consume the VPC endpoint service created in the database account.
Create a VPC endpoint in the consumer account
Complete the following steps to create a VPC endpoint in the consumer account:
- Log in to the consumer account.
- On the Amazon VPC console, choose Endpoints in the navigation pane.
- Choose Create endpoint.
- For Endpoint settings, provide a name.
- For Service category, select Other endpoint services.
- Enter the endpoint service name copied from the previous step and verify the service.
- For VPC, choose a VPC with at least two subnets.
- For Subnets, choose at least two subnets.
- For Security group, choose a security group allowing TCP to your RDS instance port (the MySQL default is 3306).
- Choose Create endpoint.
- In the database account, on the VPC endpoint services Endpoint connections tab, select the new endpoint connection request.
- On the Actions menu, choose Accept endpoint connection request.
- Enter accept to confirm, then choose Accept.
After a few minutes, the status will change from Pending to Available.
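The Allow principals step above and the acceptance of the consumer's connection request, as an added example that is not part of the original post: it builds the principal ARN (root for the whole consumer account, or a single role for least privilege) and accepts only pending connection requests whose owner is an expected account, leaving anything else pending for review. The connection records are constructed; the live helper assumes boto3 with credentials for the database account.

```python
import re
from typing import List, Optional, Set

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def allowed_principal_arn(account_id: str, role_name: Optional[str] = None) -> str:
    """Build the ARN entered under Allow principals.

    Without a role the account root ARN admits every user and role in the
    consumer account; naming a role narrows access to that one role.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    if role_name:
        return f"arn:aws:iam::{account_id}:role/{role_name}"
    return f"arn:aws:iam::{account_id}:root"


def pending_from_allowed(connections: List[dict], allowed_accounts: Set[str]) -> List[str]:
    """Return IDs of pending requests owned by an allowed account.

    `connections` has the shape of describe_vpc_endpoint_connections output.
    Requests from any other account are left pending for manual review.
    """
    return [c["VpcEndpointId"] for c in connections
            if c.get("VpcEndpointState") == "pendingAcceptance"
            and c.get("VpcEndpointOwner") in allowed_accounts]


def accept_expected_connections(service_id: str, allowed_accounts: Set[str],
                                region: str) -> List[str]:
    """Accept pending requests from allowed accounts only; return accepted IDs."""
    import boto3  # lazy import so the pure helpers above work without boto3

    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_vpc_endpoint_connections(
        Filters=[{"Name": "service-id", "Values": [service_id]}])
    ids = pending_from_allowed(resp["VpcEndpointConnections"], allowed_accounts)
    if ids:
        ec2.accept_vpc_endpoint_connections(ServiceId=service_id, VpcEndpointIds=ids)
    return ids


# Constructed sample: one request from the consumer account, one from an unknown account.
SAMPLE_CONNECTIONS = [
    {"VpcEndpointId": "vpce-aaa111", "VpcEndpointOwner": "111111111111",
     "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-bbb222", "VpcEndpointOwner": "222222222222",
     "VpcEndpointState": "pendingAcceptance"},
]
```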
Test the connection
Now we can test the connection. Using a client (such as an EC2 instance with the MySQL client for Linux installed) in the consumer account, we use the VPC endpoint DNS name as the host when connecting to our RDS instance or cluster.
The following screenshot shows a successful MySQL client connection test using PrivateLink.
Clean up
After you’ve finished, if the resources you created are no longer needed, delete the VPC endpoint service, Network Load Balancer, and the target group followed by the RDS proxy and RDS DB instance to prevent incurring additional charges.
Conclusion
In this post, we showed you how the American Family Insurance Group successfully implemented a highly available solution to share centralized information stored in RDS databases across different AWS accounts and VPCs with overlapping CIDR ranges. By combining RDS Proxy with PrivateLink, they were able to achieve secure and private access to their databases, enabling clients from different organizations to use system of record information for customer applications and analytics applications.
For more information about the American Family Insurance Group, see the amfam.com website. Leave your feedback in the comments section to further improve this post.
About the authors
Jarrid Kleinfelter is a Senior Solutions Architect at AWS.
Charles Timmons is a Cloud Platform Engineer at the American Family Insurance Group.