How can I configure private and public Aurora endpoints in the Amazon RDS console?
Last updated: 2020-10-28
How can I configure private and public Amazon Aurora endpoints for Aurora DB instances running in the Amazon Relational Database Service (Amazon RDS)?
An Amazon Aurora DB cluster can be launched only in an Amazon Virtual Private Cloud (Amazon VPC). The DB subnet group that you choose for your DB cluster must span at least two Availability Zones in the Region where you want to deploy the cluster. To make an Aurora DB instance publicly accessible, or accessible only from inside the VPC, configure the following two settings: one at the VPC subnet level and one at the DB instance level.
- You can make your DB subnets public or private based on the route table associated with each subnet. Be sure that all subnets in the DB subnet group have the same configuration to avoid connection issues after a failover.
- At the DB instance level, you can set the Publicly accessible parameter to Yes or No. This determines whether your DB instance is reachable over the internet.
Also make sure that the VPC security group used by the DB instance allows inbound traffic from the source IP addresses or CIDR ranges that need to connect. For more information, see Security group rules reference.
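As an added example (not part of the AWS article), the following Python applies the two-level check described above to constructed data shaped like `aws rds describe-db-instances` and `aws ec2 describe-route-tables` output: a subnet counts as public when its route table (explicit association, else the VPC's main table) sends 0.0.0.0/0 to an internet gateway, and an instance is flagged when its DB subnet group mixes public and private subnets. All identifiers are made up.

```python
# Added example (not from the AWS article): classify Aurora instances using the two
# settings above. Constructed data shaped like `aws rds describe-db-instances`
# and `aws ec2 describe-route-tables` output; all IDs are made up.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "aurora-public", "PubliclyAccessible": True,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub-a"},
                                   {"SubnetIdentifier": "subnet-pub-b"}]}},
    {"DBInstanceIdentifier": "aurora-private", "PubliclyAccessible": False,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv-a"},
                                   {"SubnetIdentifier": "subnet-priv-b"}]}},
    # Misconfigured: one public and one private subnet in the same DB subnet group.
    {"DBInstanceIdentifier": "aurora-mixed", "PubliclyAccessible": True,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub-a"},
                                   {"SubnetIdentifier": "subnet-priv-a"}]}},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    # Main route table: also governs subnets with no explicit association.
    {"Associations": [{"Main": True}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]

def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    explicit = [rt for rt in route_tables
                if any(a.get("SubnetId") == subnet_id for a in rt["Associations"])]
    main = [rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"])]
    return (explicit or main or [None])[0]

def subnet_is_public(subnet_id, route_tables):
    """Public: the default route 0.0.0.0/0 points at an internet gateway (igw-*)."""
    rt = route_table_for(subnet_id, route_tables)
    return rt is not None and any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
        for r in rt["Routes"])

def classify(instance, route_tables):
    """Return 'public', 'private' or 'mixed-subnets' for one DB instance."""
    flags = [subnet_is_public(s["SubnetIdentifier"], route_tables)
             for s in instance["DBSubnetGroup"]["Subnets"]]
    if any(flags) and not all(flags):
        return "mixed-subnets"  # reachability would change after a failover
    if instance["PubliclyAccessible"] and all(flags):
        return "public"
    return "private"  # flag off, or a public IP with no internet route

def audit(instances=DB_INSTANCES, route_tables=ROUTE_TABLES):
    return {i["DBInstanceIdentifier"]: classify(i, route_tables) for i in instances}
```

Replace the constructed lists with the real CLI output of your account to review every instance in a cluster with one pass.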
Creating a publicly accessible Aurora DB cluster
1. When you create an Amazon Aurora DB cluster using the AWS Management Console, Amazon RDS can create a VPC for you automatically. Or you can use an existing VPC or create a new VPC for your Aurora DB cluster.
2. Create a DB subnet group that defines at least two subnets in the VPC. Make sure that the route table associated with those subnets is configured for public access.
3. Create an Aurora DB cluster in the VPC.
4. On the Create database page, in the Connectivity section, select the Virtual Private Cloud (VPC) that you created.
5. For Subnet group, select the DB subnet group that has the publicly available subnets.
6. In the Connectivity section, expand Additional connectivity configuration.
7. Set Publicly accessible to Yes.
8. For VPC security group, choose a security group that grants access from the public IP addresses and CIDR ranges that you want to allow.
To create a private-only Aurora DB cluster, follow the steps above, and in step 7 set Publicly accessible to No.
Changing public accessibility of running instances in an Aurora DB cluster
To change whether the running instances in an Aurora cluster are publicly accessible, follow these steps:
- Sign in to the Amazon RDS console.
- In the navigation pane, choose Databases, and then select the Aurora DB instance in the Aurora cluster that you want to modify.
- Choose Modify.
- On the Modify DB instance page, under Network & Security, set Publicly accessible to Yes or No.
- Choose Continue, and review the summary of modifications.
- To apply the changes immediately, select Apply immediately.
Note: Changing this setting on an existing DB instance in the cluster affects network connectivity to that instance.
Note: You can't give an Amazon Aurora Serverless DB cluster a public IP address. You can access an Aurora Serverless DB cluster only from within an Amazon VPC. For more information, see Using Amazon Aurora Serverless.