Automatically connecting an EC2 instance and an Aurora DB cluster - Amazon Aurora

Automatically connecting an EC2 instance and an Aurora DB cluster

You can use the Amazon RDS console to simplify setting up a connection between an Amazon Elastic Compute Cloud (Amazon EC2) instance and an Aurora DB cluster. Often, your DB cluster is in a private subnet and your EC2 instance is in a public subnet within a VPC. You can use a SQL client on your EC2 instance to connect to your DB cluster. The EC2 instance can also run web servers or applications that access your private DB cluster.

Automatically connect an Aurora DB cluster with an EC2 instance.

If you want to connect to an EC2 instance that isn't in the same VPC as the Aurora DB cluster, see the scenarios in Scenarios for accessing a DB cluster in a VPC.

Overview of automatic connectivity with an EC2 instance

When you set up a connection between an EC2 instance and an Aurora DB cluster, Amazon RDSautomatically configures the VPC security group for your EC2 instance and for your DB cluster.

The following are requirements for connecting an EC2 instance with an Aurora DB cluster:

  • The EC2 instance must exist in the same VPC as the DB cluster.

    If no EC2 instances exist in the same VPC, then the console provides a link to create one.

  • Currently, the DB cluster can't be an Aurora Serverless DB cluster or part of an Aurora global database.

  • The user who sets up connectivity must have permissions to perform the following Amazon EC2 operations:

    • ec2:AuthorizeSecurityGroupEgress

    • ec2:AuthorizeSecurityGroupIngress

    • ec2:CreateSecurityGroup

    • ec2:DescribeInstances

    • ec2:DescribeNetworkInterfaces

    • ec2:DescribeSecurityGroups

    • ec2:ModifyNetworkInterfaceAttribute

    • ec2:RevokeSecurityGroupEgress

If the DB instance and EC2 instance are in different Availability Zones, your account may incur cross-Availability Zone costs.

When you set up a connection to an EC2 instance, Amazon RDS acts according to the current configuration of the security groups associated with the DB cluster and EC2 instance, as described in the following table.

Current RDS security group configuration Current EC2 security group configuration RDS action

There are one or more security groups associated with the DB cluster with a name that matches the pattern rds-ec2-n (where n is a number). A security group that matches the pattern hasn't been modified. This security group has only one inbound rule with the VPC security group of the EC2 instance as the source.

There are one or more security groups associated with the EC2 instance with a name that matches the pattern ec2-rds-n (where n is a number). A security group that matches the pattern hasn't been modified. This security group has only one outbound rule with the VPC security group of the DB cluster as the source.

RDS takes no action.

A connection was already configured automatically between the EC2 instance and DB cluster. Because a connection already exists between the EC2 instance and the RDS database, the security groups aren't modified.

Either of the following conditions apply:

  • There is no security group associated with the DB cluster with a name that matches the pattern rds-ec2-n.

  • There are one or more security groups associated with the DB cluster with a name that matches the pattern rds-ec2-n. However, Amazon RDS can't use any of these security groups for the connection with the EC2 instance. Amazon RDS can't use a security group that doesn't have one inbound rule with the VPC security group of the EC2 instance as the source. Amazon RDS also can't use a security group that has been modified. Examples of modifications include adding a rule or changing the port of an existing rule.

Either of the following conditions apply:

  • There is no security group associated with the EC2 instance with a name that matches the pattern ec2-rds-n.

  • There are one or more security groups associated with the EC2 instance with a name that matches the pattern ec2-rds-n. However, Amazon RDS can't use any of these security groups for the connection with the DB cluster. Amazon RDS can't use a security group that doesn't have one outbound rule with the VPC security group of the DB cluster as the source. Amazon RDS also can't use a security group that has been modified.

RDS action: create new security groups

There are one or more security groups associated with the DB cluster with a name that matches the pattern rds-ec2-n. A security group that matches the pattern hasn't been modified. This security group has only one inbound rule with the VPC security group of the EC2 instance as the source.

There are one or more security groups associated with the EC2 instance with a name that matches the pattern ec2-rds-n. However, Amazon RDS can't use any of these security groups for the connection with the DB cluster. Amazon RDS can't use a security group that doesn't have one outbound rule with the VPC security group of the DB cluster as the source. Amazon RDS also can't use a security group that has been modified.

RDS action: create new security groups

There are one or more security groups associated with the DB cluster with a name that matches the pattern rds-ec2-n. A security group that matches the pattern hasn't been modified. This security group has only one inbound rule with the VPC security group of the EC2 instance as the source.

A valid EC2 security group for the connection exists, but it is not associated with the EC2 instance. This security group has a name that matches the pattern ec2-rds-n. It hasn't been modified. It has only one outbound rule with the VPC security group of the DB cluster as the source.

RDS action: associate EC2 security group

Either of the following conditions apply:

  • There is no security group associated with the DB cluster with a name that matches the pattern rds-ec2-n.

  • There are one or more security groups associated with the DB cluster with a name that matches the pattern rds-ec2-n. However, Amazon RDS can't use any of these security groups for the connection with the EC2 instance. Amazon RDS can't use a security group that doesn't have one inbound rule with the VPC security group of the EC2 instance as the source. Amazon RDS also can't use security group that has been modified.

There are one or more security groups associated with the EC2 instance with a name that matches the pattern ec2-rds-n. A security group that matches the pattern hasn't been modified. This security group has only one outbound rule with the VPC security group of the DB cluster as the source.

RDS action: create new security groups
RDS action: create new security groups

Amazon RDS takes the following actions:

  • Creates a new security group that matches the pattern rds-ec2-n. This security group has an inbound rule with the VPC security group of the EC2 instance as the source. This security group is associated with the DB cluster and allows the EC2 instance to access the DB cluster.

  • Creates a new security group that matches the pattern ec2-rds-n. This security group has an outbound rule with the VPC security group of the DB cluster as the target. This security group is associated with the EC2 instance and allows the EC2 instance to send traffic to the DB cluster.

RDS action: associate EC2 security group

Amazon RDS associates the valid, existing EC2 security group with the EC2 instance. This security group allows the EC2 instance to send traffic to the DB cluster.

Automatically connecting an EC2 instance and an Aurora DB cluster

Before setting up a connection between an EC2 instance and an Aurora DB cluster, make sure you meet the requirements described in Overview of automatic connectivity with an EC2 instance.

If you make changes to security groups after you configure connectivity, the changes might affect the connection between the EC2 instance and the Aurora DB cluster.

Note

You can only set up a connection between an EC2 instance and an Aurora DB cluster automatically by using the AWS Management Console. You can't set up a connection automatically with the AWS CLI or RDS API.

To connect an EC2 instance and an Aurora DB cluster automatically
  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Databases, and then choose the DB cluster.

  3. From Actions, choose Set up EC2 connection.

    The Set up EC2 connection page appears.

  4. On the Set up EC2 connection page, choose the EC2 instance.

    Set up EC2 connection page.

    If no EC2 instances exist in the same VPC, choose Create EC2 instance to create one. In this case, make sure the new EC2 instance is in the same VPC as the DB cluster.

  5. Choose Continue.

    The Review and confirm page appears.

    EC2 connection review and confirmation page.
  6. On the Review and confirm page, review the changes that RDS will make to set up connectivity with the EC2 instance.

    If the changes are correct, choose Confirm and set up.

    If the changes aren't correct, choose Previous or Cancel.

Viewing connected compute resources

You can use the AWS Management Console to view the compute resources that are connected to an Aurora DB cluster. The resources shown include compute resource connections that were set up automatically. You can set up connectivity with compute resources automatically in the following ways:

The listed compute resources don't include ones that were connected to the database manually. For example, you can allow a compute resource to access a database manually by adding a rule to the VPC security group associated with the database.

For a compute resource to be listed, the following conditions must apply:

  • The name of the security group associated with the compute resource matches the pattern ec2-rds-n (where n is a number).

  • The security group associated with the compute resource has an outbound rule with the port range set to the port that the DB cluster uses.

  • The security group associated with the compute resource has an outbound rule with the source set to a security group associated with the DB cluster.

  • The name of the security group associated with the DB cluster matches the pattern rds-ec2-n (where n is a number).

  • The security group associated with the DB cluster has an inbound rule with the port range set to the port that the DB cluster uses.

  • The security group associated with the DB cluster has an inbound rule with the source set to a security group associated with the compute resource.

To view compute resources connected to an Aurora DB cluster
  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Databases, and then choose the name of the DB cluster.

  3. On the Connectivity & security tab, view the compute resources in the Connected compute resources.

    Connected compute resources.

Connecting to a DB instance that is running a specific DB engine

For information about connecting to a DB instance that is running a specific DB engine, follow the instructions for your DB engine: