Amazon Relational Database Service
User Guide (API Version 2013-02-12)

Amazon RDS and the Amazon Virtual Private Cloud Service

You can use the Amazon Virtual Private Cloud (VPC) service to create a virtual private cloud where you can launch Amazon RDS DB instances. When you use a virtual private cloud, you have control over your virtual networking environment: you can select your own IP address range, create subnets, and configure routing and access control lists. The basic functionality of Amazon RDS is the same whether it is running in a VPC or not: Amazon RDS manages backups, software patching, automatic failure detection, and recovery. There is no additional cost to run your DB instance in a VPC.

Amazon RDS supports two VPC platforms in each region: the EC2, VPC supported platform, which requires you to use the Amazon VPC service to create a VPC, and the VPC supported platform, which provides your AWS account with a default VPC in a region. To determine which platform your account supports in a particular region, see Determining If You Have a Default VPC.

The following image shows the EC2, VPC supported platform information for an AWS account that does not have a default VPC in the selected region.

With the VPC platform, your AWS account is assigned a default VPC that you can launch a DB instance into, or you can create your own VPC using the Amazon VPC service. If your AWS account supports the VPC platform for a region, all DB instances that you create are created inside a VPC, either your default VPC or a VPC that you create.

When launching an RDS instance inside any VPC (including a default VPC), you can designate whether the DB instance you create has a DNS name that resolves to a public IP address by using the PubliclyAccessible parameter. This parameter controls public access to the DB instance even if the VPC has a public IP address. If you want a DB instance in a VPC to be publicly accessible, you must also enable the VPC attributes DNS hostnames and DNS resolution. For more information about creating a VPC, see Things to Consider When Creating a VPC for an RDS Instance.

The following illustration shows the Publicly Accessible parameter in the Launch DB Instance Wizard.

You might deploy Amazon RDS in a VPC to run a public-facing web application whose backend servers are not publicly accessible. For example, you could create a VPC that has a public subnet and a private subnet. The Amazon EC2 instances that function as web servers would be deployed in the public subnet, and the Amazon RDS DB instances would be deployed in the private subnet. In such a deployment, only the web servers have access to the DB instances.

Things to Consider When Creating a VPC for an RDS Instance

The most common scenarios for using a VPC are documented at Scenarios for Using Amazon VPC. Each of these scenarios has a link to a detailed explanation of the scenario. At the end of the section is a link called Implementing the Scenario, which gives you instructions on how to create a VPC for that scenario. For more information on Amazon VPC, see the Amazon VPC documentation for detailed instructions on creating a VPC.

If you are on the EC2 platform or you want to create your own VPC, here are some things you should know.

  • Your VPC must have at least one subnet in at least two of the Availability Zones in the region where you want to deploy your DB instance.

  • If you want your DB instance in the VPC to be publicly accessible, you must enable the VPC attributes DNS hostnames and DNS resolution.

  • Your VPC must have a DB subnet group. You create the DB subnet group by specifying the subnets you created in the previous step. Amazon RDS uses that DB subnet group and your preferred Availability Zone to select a subnet and an IP address within that subnet to assign to your DB instance.

  • Your VPC must have a VPC security group. You can use the default VPC security group provided.

  • The CIDR blocks in each of your subnets must be large enough to accommodate spare IP addresses for Amazon RDS to use during maintenance activities, including failover and compute scaling.
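
A pre-launch check of the requirements listed above, as an added example (not AWS code). The inputs are constructed samples whose field names follow the EC2 DescribeSubnets and DescribeVpcAttribute output, with the attributes flattened to booleans; the function name, the in_use parameter, and the 16-address spare threshold are assumptions, since the page gives no number.

```python
import ipaddress

# Constructed sample input; nothing here calls AWS. The VPC attributes are
# flattened to booleans for the example.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-aaaa1111", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-bbbb2222", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.2.0/28"},
]
SAMPLE_VPC_ATTRS = {"EnableDnsSupport": True, "EnableDnsHostnames": False}

AWS_RESERVED_PER_SUBNET = 5  # addresses AWS reserves in every VPC subnet
MIN_SPARE_IPS = 16           # assumed threshold; the page states no figure


def check_rds_vpc(subnets, vpc_attrs, publicly_accessible, in_use=None):
    """Return a list of findings; an empty list means every check passed.

    in_use maps SubnetId -> addresses already allocated in that subnet.
    """
    in_use = in_use or {}
    findings = []

    # The DB subnet group needs subnets in at least two Availability Zones.
    zones = {s["AvailabilityZone"] for s in subnets}
    if len(zones) < 2:
        findings.append(f"subnets cover {len(zones)} Availability Zone(s); need at least 2")

    # Each subnet needs spare addresses for failover and compute scaling.
    for s in subnets:
        net = ipaddress.ip_network(s["CidrBlock"])
        spare = net.num_addresses - AWS_RESERVED_PER_SUBNET - in_use.get(s["SubnetId"], 0)
        if spare < MIN_SPARE_IPS:
            findings.append(f"{s['SubnetId']}: only {spare} spare addresses in {net}")

    # A publicly accessible instance needs both DNS attributes enabled.
    if publicly_accessible:
        for attr in ("EnableDnsSupport", "EnableDnsHostnames"):
            if not vpc_attrs.get(attr):
                findings.append(f"PubliclyAccessible is set but VPC attribute {attr} is off")
    return findings


if __name__ == "__main__":
    for finding in check_rds_vpc(SAMPLE_SUBNETS, SAMPLE_VPC_ATTRS, publicly_accessible=True):
        print("FINDING:", finding)
```
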

DB Subnet Groups

A DB subnet group is a collection of subnets (typically private) that you create for a VPC and that you then designate for your DB instances. A DB subnet group allows you to specify a particular VPC when creating DB instances using the CLI or API; if you use the console, you can just select the VPC and subnets you want to use.

Each DB subnet group should have subnets in at least two Availability Zones in a given region. When creating a DB instance in a VPC, you must select a DB subnet group. Amazon RDS uses that DB subnet group and your preferred Availability Zone to select a subnet and an IP address within that subnet to associate with your DB instance. If the primary DB instance of a Multi-AZ deployment fails, Amazon RDS can promote the corresponding standby and subsequently create a new standby using an IP address of the subnet in one of the other Availability Zones.

When Amazon RDS creates a DB instance in a VPC, it assigns a network interface to your DB instance by using an IP address selected from your DB Subnet Group. However, we strongly recommend that you use the DNS Name to connect to your DB instance because the underlying IP address can change during failover.

Levels of Privacy

When you create a VPC, you can configure the level of privacy that you want. In the most private scenario, you can attach only a virtual private gateway and create an IPsec tunnel between your VPC and your local network. In that case, your instances have no direct exposure to the Internet.

Alternatively, you can configure your VPC with both a virtual private gateway and an Internet gateway. For example, your web servers could receive Internet traffic and your database servers could remain private. This is a common topology for running a multitier web application in the AWS cloud.

For more information about configuring privacy in your VPC, go to the Amazon VPC documentation.

Routing and Security

You can configure routing in your VPC to control where traffic flows (for example, to the Internet gateway or to a virtual private gateway). With an Internet gateway, your VPC has direct access to other AWS resources such as Amazon Simple Storage Service (Amazon S3). If you choose to have only a virtual private gateway with a connection to your local network, you can route your Internet-bound traffic over the VPN and control egress with your local security policies and firewall. In that case, you will incur additional bandwidth charges when you access AWS products over the Internet.

You can use DB security groups, network ACLs, and VPC security groups to help secure the instances in your VPC. Security groups act like a firewall at the instance level; network ACLs are an additional layer of security that act at the subnet level.

Note

If you associate a VPC with a DB security group, all the access rules within the DB security group should be from either VPC security groups or IP ranges. EC2 security groups and VPC security groups are not interchangeable.

DB instances that are deployed within an Amazon VPC can be accessed by Amazon EC2 instances that are deployed in the same VPC. If the EC2 instances are deployed in a public subnet with associated Elastic IPs, you can access the EC2 instances via the Internet.

Note

We strongly recommend you use the DNS Name to connect to your DB instance because the underlying IP address can change during failovers.

DB instances deployed within a VPC can be accessed from the Internet or from EC2 instances outside the VPC. A DB instance is accessible through the IP addresses specified in DB security groups that it is a member of, and through the port specified when the DB instance was created. If a VPC security group specifies a port access such as TCP port 22, you would not be able to access the DB instance because the firewall for the DB instance provides access only via the IP addresses and the port defined when the DB instance was created. For more information on creating a VPC with both public and private subnets, see Scenario 2: VPC with Public and Private Subnets.

For more information about using Amazon RDS with Amazon Virtual Private Cloud, see Using Amazon RDS with Amazon Virtual Private Cloud (VPC).

Amazon VPC Documentation

Amazon VPC has its own set of documentation to describe how to create and use your VPC. The following table gives links to the Amazon VPC guides.

Description | Documentation

How to get started using Amazon VPC | Amazon Virtual Private Cloud Getting Started Guide

How to use Amazon VPC through the AWS Management Console | Amazon Virtual Private Cloud User Guide

Complete descriptions of all the Amazon VPC commands | Amazon Elastic Compute Cloud Command Line Reference (the Amazon VPC commands are part of the Amazon EC2 reference)

Complete descriptions of the Amazon VPC API actions, data types, and errors | Amazon Elastic Compute Cloud API Reference (the Amazon VPC API actions are part of the Amazon EC2 reference)

Information for the network administrator who needs to configure the gateway at your end of an optional IPsec VPN connection | Amazon Virtual Private Cloud Network Administrator Guide