How do I connect to my Amazon RDS MySQL DB instance or Aurora MySQL DB cluster using Amazon RDS Proxy?

Last updated: 2020-04-14

How do I connect to my Amazon Relational Database Service (Amazon RDS) DB instance or Amazon Aurora DB cluster that's running MySQL by using Amazon RDS Proxy?

Short Description

You can use Amazon RDS Proxy to manage connections from your application to the database. During the preview of this service, RDS Proxy supports one engine family: Amazon RDS MySQL 5.6 and 5.7 and Aurora MySQL. Within the MySQL engine family, Amazon RDS Proxy supports Aurora provisioned clusters, Aurora parallel query clusters, and Aurora Global Databases. For a global database, you can create a proxy for the primary AWS Region, but not for the read-only secondary AWS Regions. Amazon RDS Proxy doesn't currently support Aurora Serverless clusters, Aurora multi-master clusters, or Amazon RDS MySQL 8.0.

Resolution

Before you begin, your Amazon RDS Proxy must be in the same VPC as the database. Although the database can be publicly accessible, the proxy can't be publicly accessible.

1.    Create database credentials in AWS Secrets Manager.
Note: Use the same user name and password as your database when you create your secret.

2.    Create an AWS Identity and Access Management (IAM) policy and an IAM role.

3.    Create an Amazon RDS Proxy.

4.    Check that the proxy endpoint is reachable:

nc -zv <proxy_endpoint> 3306

This command returns an output similar to the following:

nc -zv test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com 3306
Connection to test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com 3306 port [tcp/mysql] succeeded!

5.    Connect to the RDS DB instance using the Amazon RDS Proxy:

mysql -h <proxy_endpoint> -u username -p

This command returns an output similar to the following:

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2946664484
Server version: 5.7.28-log
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> 

Or, you can connect to the RDS DB instance using Amazon RDS Proxy with an SSL connection by following these steps:

1.    Optionally, enable Require Transport Layer Security when you create the Amazon RDS Proxy. You can also modify an existing RDS Proxy to enable this option.

Note: Changing the parameter to Required means that connections must use SSL. Any plaintext connections are rejected. If this parameter isn't enabled, then Amazon RDS Proxy can connect to the RDS DB instance with or without SSL.

2.    Download the Amazon Root CA 1 trust store .pem file from Amazon Trust Services:

wget https://www.amazontrust.com/repository/AmazonRootCA1.pem

3.    Connect using SSL:

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin --ssl-mode=REQUIRED --ssl-ca=AmazonRootCA1.pem -p

Or, to also verify the proxy's certificate and host name, connect using SSL mode VERIFY_IDENTITY:

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin --ssl-mode=VERIFY_IDENTITY --ssl-ca=AmazonRootCA1.pem -p

Note: Because Amazon RDS Proxy uses wildcard certificates, you must use the MySQL 8.0-compatible mysql command if you use the MySQL client to connect with SSL mode VERIFY_IDENTITY.

When you connect, the following output is returned:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12659040
Server version: 5.7.28-log
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
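
The note above ties SSL mode VERIFY_IDENTITY to a MySQL 8.0-compatible client because the proxy presents a wildcard certificate. As an added example that is not part of the original article, this POSIX shell pre-flight classifies a `mysql --version` banner and applies a simplified wildcard host name match. The function names, the banner strings and the wildcard certificate name are constructed assumptions, and the MySQL client performs its own matching.

```shell
#!/bin/sh
# Added example (not from the original article): offline pre-flight checks
# before connecting to the proxy with --ssl-mode=VERIFY_IDENTITY.

# Succeeds only if the `mysql --version` banner in $1 is a MySQL 8.0+ client.
# 5.7 and MariaDB banners carry the release after "Distrib", 8.0 after "Ver".
client_is_mysql8() (
    banner=$1
    case $banner in
        *MariaDB*)   exit 1 ;;                  # not the MySQL 8.0 client the note asks for
        *Distrib\ *) ver=${banner#*Distrib } ;;
        *Ver\ *)     ver=${banner#*Ver } ;;
        *)           exit 1 ;;                  # unrecognised banner
    esac
    major=${ver%%.*}
    case $major in ''|*[!0-9]*) exit 1 ;; esac  # not a number: treat as unsupported
    [ "$major" -ge 8 ]
)

# Simplified RFC 6125-style host check: "*" is accepted only as the whole
# left-most label of the certificate name and stands for exactly one label.
cert_name_matches() (
    host=$1 name=$2
    case $name in
        \*.*) first=${host%%.*}; suffix=${name#?}
              [ -n "$first" ] && [ "$host" = "$first$suffix" ] ;;
        *\**) exit 1 ;;                         # wildcard anywhere else is rejected
        *)    [ "$host" = "$name" ] ;;
    esac
)

# Constructed sample inputs: typical banner formats, endpoint from the article.
HOST=test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com
CERT_NAME='*.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com'   # assumed wildcard name
B80='mysql  Ver 8.0.19 for Linux on x86_64 (MySQL Community Server - GPL)'
B57='mysql  Ver 14.14 Distrib 5.7.28, for Linux (x86_64) using  EditLine wrapper'
BMA='mysql  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64)'

for b in "$B80" "$B57" "$BMA"; do
    if client_is_mysql8 "$b" && cert_name_matches "$HOST" "$CERT_NAME"; then
        echo "OK   $b"
    else
        echo "STOP $b"
    fi
done
```

To check the installed client, pass it the real banner: client_is_mysql8 "$(mysql --version)".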
