How can I configure private and public Aurora endpoints in the Amazon RDS console?
Last updated: 2020-01-30
How can I configure private and public Amazon Aurora endpoints for Aurora DB instances using the Amazon Relational Database Service (Amazon RDS) console?
To specify whether DB instances in an Aurora DB cluster are publicly or privately accessible, you must have an Amazon RDS DB subnet group for the Amazon Virtual Private Cloud (Amazon VPC) where the DB instances are launched. This DB subnet group must have subnets in at least two Availability Zones in a given AWS Region, and those subnets must all be either publicly or privately accessible, not a mix of both. Whether a subnet is public or private depends on the configuration that you set for its network access control list (network ACL) and routing table. For an Aurora DB instance in the Aurora cluster to be accessible from outside the VPC, modify the Aurora DB instance settings and set Publicly accessible to Yes. If Publicly accessible is set to No, then the DB cluster is accessible only from inside the VPC.
Finally, you must confirm that the DB cluster has a security group that grants proper access to clients. You can do this by adding an inbound rule to the security group that allows your client's IP address or CIDR range (or another security group) on the database port. The default port is 3306.
Creating a publicly accessible Aurora DB cluster
- Create a VPC in the Region where you want to launch the Aurora DB cluster.
- Create a DB subnet group that has two or more public subnets in different Availability Zones. Be sure that the network ACLs and routing tables allow for public access, and that the routing tables are the same for all the subnets in the group.
- Create an Aurora DB cluster in the VPC.
- On the Create database pane, from the Connectivity section, select the Virtual Private Cloud (VPC) that you created.
- From the Connectivity section, expand Additional connectivity configuration.
- From Subnet group, select the DB subnet group that has publicly available subnets.
- Set Publicly accessible to Yes.
- From VPC security group, choose a security group whose inbound rules allow only the public IP addresses and CIDR ranges that you want to connect from.
If you want to create a privately accessible Aurora DB cluster, set Publicly accessible to No. To block public access to an Aurora DB cluster, you can also remove routes from the route table, adjust the network ACLs to block traffic, or restrict access in the security group.
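The two settings described above (the Publicly accessible flag on the instance and the inbound rules of its VPC security group) decide together whether an Aurora endpoint is reachable from the internet. The following script is an added example, not part of this article or of any AWS tooling, that audits that combination the way a reviewer would after following the creation steps: for each instance it checks that the DB subnet group spans at least two Availability Zones, reads the port from the endpoint, and classifies the instance as EXPOSED (publicly accessible and the port open to 0.0.0.0/0 or ::/0), PUBLIC_RESTRICTED (publicly accessible but limited to specific CIDRs), or PRIVATE. The instance and security-group records are constructed inline in the shape returned by the boto3 `describe_db_instances` and `describe_security_groups` calls; the identifiers, addresses and CIDRs in them are made-up sample values.

```python
"""Audit Aurora DB instances for public exposure (added example, constructed data)."""
from ipaddress import ip_network

DEFAULT_PORT = 3306  # default Aurora MySQL port mentioned in the article

# Constructed sample data in the shape of rds.describe_db_instances()["DBInstances"].
# All identifiers, hostnames and CIDRs below are made up for this example.
TWO_AZ_SUBNETS = [
    {"SubnetIdentifier": "subnet-pub-a", "SubnetAvailabilityZone": {"Name": "us-east-1a"}},
    {"SubnetIdentifier": "subnet-pub-b", "SubnetAvailabilityZone": {"Name": "us-east-1b"}},
]
SAMPLE_INSTANCES = [
    {   # Publicly accessible and its security group opens 3306 to the world.
        "DBInstanceIdentifier": "aurora-public-1", "Engine": "aurora-mysql",
        "PubliclyAccessible": True,
        "Endpoint": {"Address": "aurora-public-1.example.invalid", "Port": 3306},
        "DBSubnetGroup": {"DBSubnetGroupName": "public-subnets", "Subnets": TWO_AZ_SUBNETS},
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open", "Status": "active"}],
    },
    {   # Publicly accessible, but inbound limited to one office CIDR.
        "DBInstanceIdentifier": "aurora-public-2", "Engine": "aurora-mysql",
        "PubliclyAccessible": True,
        "Endpoint": {"Address": "aurora-public-2.example.invalid", "Port": 3306},
        "DBSubnetGroup": {"DBSubnetGroupName": "public-subnets", "Subnets": TWO_AZ_SUBNETS},
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-office", "Status": "active"}],
    },
    {   # Private (Publicly accessible = No) but carrying a world-open security group.
        "DBInstanceIdentifier": "aurora-private-1", "Engine": "aurora-mysql",
        "PubliclyAccessible": False,
        "Endpoint": {"Address": "aurora-private-1.example.invalid", "Port": 3306},
        "DBSubnetGroup": {"DBSubnetGroupName": "private-subnets", "Subnets": TWO_AZ_SUBNETS},
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open", "Status": "active"}],
    },
]

# Constructed sample data in the shape of ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-office", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]


def rule_covers_port(perm, port):
    """True if an EC2 IpPermission entry allows TCP traffic to `port` (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_cidrs(perm):
    """Return the CIDR ranges in a rule that admit any source address (/0 prefixes)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c, strict=False).prefixlen == 0]


def audit_instance(instance, groups_by_id):
    """Classify one DB instance as EXPOSED, PUBLIC_RESTRICTED or PRIVATE, with findings."""
    port = instance.get("Endpoint", {}).get("Port", DEFAULT_PORT)
    findings = []
    azs = {s["SubnetAvailabilityZone"]["Name"] for s in instance["DBSubnetGroup"]["Subnets"]}
    if len(azs) < 2:
        findings.append("DB subnet group spans fewer than two Availability Zones")
    open_to = []
    for sg in instance.get("VpcSecurityGroups", []):
        group = groups_by_id.get(sg["VpcSecurityGroupId"], {})
        for perm in group.get("IpPermissions", []):
            if rule_covers_port(perm, port):
                open_to.extend(world_open_cidrs(perm))
    public = bool(instance.get("PubliclyAccessible", False))
    if public and open_to:
        status = "EXPOSED"
        findings.append(f"publicly accessible and port {port} open to {', '.join(open_to)}")
    elif public:
        status = "PUBLIC_RESTRICTED"
    else:
        status = "PRIVATE"
        if open_to:   # harmless while private, but a risk if the flag is ever flipped to Yes
            findings.append(f"security group opens port {port} to {', '.join(open_to)}; "
                            "tighten it before setting Publicly accessible to Yes")
    return {"id": instance["DBInstanceIdentifier"], "status": status,
            "port": port, "findings": findings}


def audit(instances, security_groups):
    """Audit every instance; returns a dict keyed by DB instance identifier."""
    groups_by_id = {g["GroupId"]: g for g in security_groups}
    return {r["id"]: r for r in (audit_instance(i, groups_by_id) for i in instances)}


if __name__ == "__main__":
    for result in audit(SAMPLE_INSTANCES, SAMPLE_SECURITY_GROUPS).values():
        print(f"{result['id']:18} {result['status']:18} {'; '.join(result['findings']) or 'ok'}")
```

Against a real account, replace the two sample lists with `boto3.client("rds").describe_db_instances()["DBInstances"]` and `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`; the classification logic is unchanged. The PRIVATE-with-open-group finding is deliberate: as the article notes, setting Publicly accessible to No is only one of the controls, and a world-open security group left on a private cluster becomes an exposure the moment the flag is changed.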