Working with Amazon RDS on AWS Outposts

Amazon RDS on AWS Outposts extends Amazon RDS for MySQL and PostgreSQL databases to AWS Outposts environments. AWS Outposts uses the same hardware as in public AWS Regions to bring AWS services, infrastructure, and operation models on-premises. With RDS on Outposts, you can provision managed DB instances close to the business applications that must run on-premises. For more information about AWS Outposts, see AWS Outposts.

You use the same AWS Management Console, AWS CLI, and RDS API to provision and manage on-premises RDS on Outposts DB instances as you do for RDS DB instances running in the AWS Cloud. RDS on Outposts automates tasks, such as database provisioning, operating system and database patching, backup, and long-term archival in Amazon S3.

RDS on Outposts supports automated backups of DB instances. Network connectivity between your Outpost and your AWS Region is required to back up and restore DB instances. All DB snapshots and transaction logs from an Outpost are stored in your AWS Region. From your AWS Region, you can restore a DB instance from a DB snapshot to a different Outpost. For more information, see Working with backups.

RDS on Outposts supports automated maintenance and upgrades of DB instances. For more information, see Maintaining a DB instance.

RDS on Outposts uses encryption at rest for DB instances and DB snapshots using your AWS Key Management Service (AWS KMS) key. For more information about encryption at rest, see Encrypting Amazon RDS resources.

By default, EC2 instances in Outposts subnets can use the Amazon Route 53 DNS Service to resolve domain names to IP addresses. You might encounter longer DNS resolution times with Route 53, depending on the path latency between your Outpost and the AWS Region. In such cases, you can use the DNS servers installed locally in your on-premises environment. For more information, see DNS in the AWS Outposts User Guide.

When network connectivity to the AWS Region isn't available, your DB instance continues to run locally. You can continue to access DB instances using DNS name resolution by configuring a local DNS server as a secondary server. However, you can't create new DB instances or take new actions on existing DB instances. Automatic backups don't occur when there is no connectivity. If there is a DB instance failure, the DB instance isn't automatically replaced until connectivity is restored. We recommend restoring network connectivity as soon as possible.

Prerequisites for Amazon RDS on AWS Outposts

The following are prerequisites for using Amazon RDS on AWS Outposts:

• Install AWS Outposts in your on-premises data center. For more information about AWS Outposts, see AWS Outposts.

• Make sure that you have at least one subnet available for RDS on Outposts. You can use the same subnet for other workloads.

• Make sure that you have a reliable network connection between your Outpost and an AWS Region.

Amazon RDS on AWS Outposts support for Amazon RDS features

Feature	Supported	Notes	More information
DB instance provisioning	Yes	You can only create DB instances for RDS for MySQL and RDS for PostgreSQL DB engines. The following versions are supported: MySQL versions 8.0.17, 8.0.19, 8.0.20, and 8.0.21 PostgreSQL versions 12.2, 12.3, and 12.4	Creating an Amazon RDS DB instance
Modifying the master user password	Yes	—	Modifying an Amazon RDS DB instance
Renaming a DB instance	Yes	—	Modifying an Amazon RDS DB instance
Rebooting a DB instance	Yes	—	Rebooting a DB instance
Stopping a DB instance	Yes	—	Stopping an Amazon RDS DB instance temporarily
Starting a DB instance	Yes	—	Starting an Amazon RDS DB instance that was previously stopped
Multi-AZ deployments	No	—	High availability (Multi-AZ) for Amazon RDS
DB parameter groups	Yes	—	Working with DB parameter groups
Read replicas	No	—	Working with read replicas
Encryption at rest	Yes	RDS on Outposts doesn't support unencrypted DB instances.	Encrypting Amazon RDS resources
AWS Identity and Access Management (IAM) database authentication	No	—	IAM database authentication for MySQL and PostgreSQL
Associating an IAM role with a DB instance	No	—	add-role-to-db-instance CLI command and AddRoleToDBInstance RDS API operation
Kerberos authentication	No	—	Kerberos authentication
Tagging Amazon RDS resources	Yes	—	Tagging Amazon RDS resources
Option groups	Yes	—	Working with option groups
Modifying the maintenance window	Yes	—	Maintaining a DB instance
Automatic minor version upgrade	Yes	—	Automatically upgrading the minor engine version
Modifying the backup window	Yes	—	Working with backups and Modifying an Amazon RDS DB instance
DB instance scaling	Yes	To scale a DB instance, modify its on-premises DB instance class. Storage scaling isn't supported.	Modifying an Amazon RDS DB instance
Manual and automatic DB instance snapshots	Yes	Manual and automatic DB instance snapshots are stored in your AWS Region.	Creating a DB snapshot
Restoring from a DB snapshot	Yes	—	Restoring from a DB snapshot
Restoring a DB instance from Amazon S3	No	—	Restoring a backup into a MySQL DB instance
Exporting snapshot data to Amazon S3	Yes	—	Exporting DB snapshot data to Amazon S3
Point-in-time recovery	Yes	—	Restoring a DB instance to a specified time
Enhanced monitoring	No	—	Using Enhanced Monitoring
Amazon CloudWatch monitoring	No	—	Monitoring Amazon RDS metrics with Amazon CloudWatch
Publishing database engine logs to CloudWatch Logs	No	—	Publishing database logs to Amazon CloudWatch Logs
Event notification	Yes	—	Using Amazon RDS event notification
Amazon RDS Performance Insights	No	—	Using Performance Insights on Amazon RDS
Viewing or downloading database logs	No	RDS on Outposts doesn't support viewing database logs using the console or describing database logs using the CLI or RDS API. RDS on Outposts doesn't support downloading database logs using the console or downloading database logs using the CLI or RDS API.	Accessing Amazon RDS database log files
Amazon RDS Proxy	No	—	Managing connections with Amazon RDS Proxy
Stored procedures for Amazon RDS for MySQL	Yes	—	MySQL on Amazon RDS SQL reference
Replication with external databases for Amazon RDS for MySQL	No	—	Replication with a MySQL or MariaDB instance running external to Amazon RDS

Note

RDS on Outposts doesn't support use cases that require all data to remain in your data center.

RDS on Outposts stores database backups and logs in your AWS Region.

Supported DB instance classes for Amazon RDS on AWS Outposts

Amazon RDS on AWS Outposts supports the following DB instance classes:

• General Purpose DB instance classes

  • db.m5.24xlarge

  • db.m5.12xlarge

  • db.m5.4xlarge

  • db.m5.2xlarge

  • db.m5.xlarge

  • db.m5.large

• Memory Optimized DB instance classes

  • db.r5.24xlarge

  • db.r5.12xlarge

  • db.r5.4xlarge

  • db.r5.2xlarge

  • db.r5.xlarge

  • db.r5.large

Only General Purpose SSD storage is supported for RDS on Outposts DB instances. For more information about DB instance classes, see DB instance classes.

Amazon RDS manages maintenance and recovery for your DB instances and requires active capacity on the Outpost to do so. We recommend that you configure N+1 EC2 instances for each DB instance class in your production environments. RDS on Outposts can use the extra capacity of these EC2 instances for maintenance and repair operations. For example, if your production environments have 3 db.m5.large and 5 db.r5.xlarge DB instance classes, then we recommend that they have at least 4 m5.large EC2 instances and 6 r5.xlarge EC2 instances. For more information, see Resilience in AWS Outposts in the AWS Outposts User Guide.

Customer-owned IP addresses for RDS on Outposts

AWS Outposts uses information that you provide about your on-premises network to create an address pool, known as a customer-owned IP address pool (CoIP pool). Customer-owned IP addresses (CoIPs) provide local or external connectivity to resources in your Outpost subnets through your on-premises network. For more information about CoIPs, see Customer-owned IP addresses in the AWS Outposts User Guide.

Each RDS on Outposts DB instance has a private IP address for traffic inside its virtual private cloud (VPC). This private IP address isn't publicly accessible. You can use the Public option to designate whether the DB instance also has a public IP address in addition to the private IP address. Using the public IP address for connections routes them through the internet and can result in high latencies in some cases.

Instead of using these private and public IP addresses, RDS on Outposts supports enabling a CoIP for DB instances through their subnets. When you enable a CoIP for an RDS on Outposts DB instance, you connect to the DB instance with the DB instance endpoint. RDS on Outposts automatically uses the CoIP for all connections from both inside and outside of the VPC.

CoIPs can provide the following benefits for RDS on Outposts DB instances:

• Lower connection latency

• Enhanced security

You can enable or disable a CoIP for an RDS on Outposts DB instance using the AWS Management Console, the AWS CLI, or the RDS API:

• With the AWS Management Console, use the Customer-owned IP address (CoIP) setting in Access type to enable a CoIP. Use one of the other settings to disable it.

  

• With the AWS CLI, use the --enable-customer-owned-ip | --no-enable-customer-owned-ip option.

• With the RDS API, use the EnableCustomerOwnedIp parameter.

You can enable or disable a CoIP when you perform any of the following actions:

• Create a DB instance

  For more information, see Creating DB instances for Amazon RDS on AWS Outposts.

• Modify a DB instance

  For more information, see Modifying an Amazon RDS DB instance.

• Restore a DB instance from a snapshot

  For more information, see Restoring from a DB snapshot.

• Restore a DB instance to a specified time

  For more information, see Restoring a DB instance to a specified time.

Note

If you enable a CoIP for a DB instance, but Amazon RDS is unable to allocate a CoIP for the DB instance, the DB instance status is changed to incompatible-network. For more information about the DB instance status, see DB instance status.

The following limitations apply to CoIP support for RDS on Outposts DB instances:

• When a CoIP is enabled for a DB instance, make sure that public accessibility is disabled for the DB instance.

• You can't assign a CoIP from a CoIP pool to a DB instance. When you enable a CoIP for a DB instance, Amazon RDS automatically assigns a CoIP from a CoIP pool to the DB instance.

• You must use the AWS account that owns the Outpost resources (owner) or share the following resources with other AWS accounts (consumers) in the same organization.

  • The Outpost

  • The local gateway (LGW) route table for the DB instance's VPC

  • The CoIP pool or pools for the LGW route table

  For more information, see Working with shared AWS Outposts resources in the AWS Outposts User Guide.

Creating DB instances for Amazon RDS on AWS Outposts

Creating an Amazon RDS on AWS Outposts DB instance is similar to creating an Amazon RDS DB instance in the AWS Cloud. However, you must specify a DB subnet group that is associated with your Outpost.

An Amazon VPC can span all of the Availability Zones in an AWS Region. You can extend any VPC in the AWS Region to your Outpost by adding an Outpost subnet. To add an Outpost subnet to a VPC, specify the Amazon Resource Name (ARN) of the Outpost when you create the subnet.

Before you create an RDS on Outposts DB instance, you can create a DB subnet group that includes one subnet that is associated with your Outpost. When you create an RDS on Outposts DB instance, specify this DB subnet group. You can also choose to create a new DB subnet group when you create your DB instance.

For information about configuring AWS Outposts, see the AWS Outposts User Guide.

Console

To create an RDS on Outposts DB instance using the console

1. Create a DB subnet group with one subnet that is associated with your Outpost.

   To create a new DB subnet group for the Outpost when you create your DB instance, skip this step.

   Note

   To create a DB subnet group for the AWS Cloud, you specify at least two subnets. However, for an Outpost DB subnet group, you can specify only one subnet.

   1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

   2. In the upper-right corner of the Amazon RDS console, choose the AWS Region where you want to create the DB subnet group.

   3. Choose Subnet groups, and then choose Create DB Subnet Group.

      The Create DB subnet group page appears.

      

   4. Set the following values for your new DB subnet group:

      • Name – The name of the DB subnet group

      • Description – A description for the DB subnet group

      • VPC – The VPC for which you're creating the DB subnet group

   5. For Availability Zones, choose the Availability Zone for your Outpost.

   6. For Subnets, choose the subnet for use by RDS on Outposts.

      Your DB subnet group must have only one subnet.

   7. Choose Create to create the DB subnet group.

2. Create the DB instance, and choose the Outpost for your DB instance.

   1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

   2. In the upper-right corner of the Amazon RDS console, choose the AWS Region where you want to create the DB instance.

   3. In the navigation pane, choose Databases.

   4. Choose Create database.

      The AWS Management Console detects available Outposts that you have configured and presents the On-premises option in the Database location section.

      
      Note

      If you haven't configured any Outposts, either the Database location section doesn't appear or the RDS on Outposts option isn't available in the Choose an on-premises creation method section.

   5. Choose the following settings:

      • Database location – On-premises

      • On-premises creation method – RDS on Outposts

      • Outpost – The Outpost that uses the virtual private cloud (VPC) that has the DB subnet group for your DB instance. Your VPC here must be based on the Amazon VPC service.

      • Virtual Private Cloud (VPC) – The VPC that contains the DB subnet group for your DB instance.

      • VPC security group – The Amazon VPC security group for your DB instance.

      • Subnet group – The DB subnet group for your DB instance.

        You can choose an existing DB subnet group that is associated with the Outpost. If you didn't create a DB subnet group, you can create a new DB subnet group for the Outpost. Only one subnet is allowed in this DB subnet group.

   6. For the remaining sections, specify your DB instance settings.

      For information about each setting when creating a DB instance, see Settings for DB instances.

   7. Choose Create database.

      If you chose to use an automatically generated password, the View credential details button appears on the Databases page.

      To view the master user name and password for the DB instance, choose View credential details.

      

      To connect to the DB instance as the master user, use the user name and password that appear.

      Important

      You can't view the master user password again. If you don't record it, you might have to change it. To change the master user password after the DB instance is available, modify the DB instance. For more information about modifying a DB instance, see Modifying an Amazon RDS DB instance.

   8. For Databases, choose the name of the new DB instance.

      On the RDS console, the details for the new DB instance appear. The DB instance has a status of Creating until the DB instance is created and ready for use. When the state changes to Available, you can connect to the DB instance. Depending on the DB instance class and storage allocated, it can take several minutes for the new DB instance to be available.

      

      After the DB instance is available, you can manage it the same way that you manage RDS DB instances in the cloud.

AWS CLI

To create a new DB instance in an Outpost with the AWS CLI, first create a DB subnet group for use by RDS on Outposts by calling the create-db-subnet-group command. For --subnet-ids, specify the subnet group in the Outpost for use by RDS on Outposts.

For Linux, macOS, or Unix:

aws rds create-db-subnet-group \
    --db-subnet-group-name myoutpostdbsubnetgr \
    --db-subnet-group-description "DB subnet group for RDS on Outposts" \
    --subnet-ids subnet-abc123
				

For Windows:

aws rds create-db-subnet-group ^
    --db-subnet-group-name myoutpostdbsubnetgr ^
    --db-subnet-group-description "DB subnet group for RDS on Outposts" ^
    --subnet-ids subnet-abc123
				

Next, call the create-db-instance command with the parameters below. Specify an Availability Zone for the Outpost, an Amazon VPC security group associated with the Outpost, and the DB subnet group you created for the Outpost. You can include the following options:

• --db-instance-identifier

• --db-instance-class

• --engine

• --availability-zone

• --vpc-security-group-ids

• --db-subnet-group-name

• --allocated-storage

• --master-user-name

• --master-user-password

• --backup-retention-period

• --storage-encrypted

• --kms-key-id

The following example creates a MySQL DB instance named myoutpostdbinstance.

For Linux, macOS, or Unix:

aws rds create-db-instance \
    --db-instance-identifier myoutpostdbinstance \
    --engine-version 8.0.17 \
    --db-instance-class db.m5.large \
    --engine mysql \
    --availability-zone us-east-1d \
    --vpc-security-group-ids outpost-sg \
    --db-subnet-group-name myoutpostdbsubnetgr \
    --allocated-storage 100 \
    --master-username masterawsuser \
    --master-user-password masteruserpassword \
    --backup-retention-period 3 \
    --storage-encrypted \
    --kms-key-id mykey
				

For Windows:

aws rds create-db-instance ^
    --db-instance-identifier myoutpostdbinstance ^
    --engine-version 8.0.17 ^				
    --db-instance-class db.m5.large ^
    --engine mysql ^
    --availability-zone us-east-1d ^
    --vpc-security-group-ids outpost-sg ^
    --db-subnet-group-name myoutpostdbsubnetgr ^
    --allocated-storage 100 ^
    --master-username masterawsuser ^
    --master-user-password masteruserpassword ^
    --backup-retention-period 3 ^
    --storage-encrypted ^
    --kms-key-id mykey
				

To create a PostgreSQL DB instance, specify postgres for the --engine option.

For information about each setting when creating a DB instance, see Settings for DB instances.

RDS API

To create a new DB instance in an Outpost with the RDS API, first create a DB subnet group for use by RDS on Outposts by calling the CreateDBSubnetGroup operation. For SubnetIds, specify the subnet group in the Outpost for use by RDS on Outposts.

Next, call the CreateDBInstance operation with the parameters below. Specify an Availability Zone for the Outpost, an Amazon VPC security group associated with the Outpost, and the DB subnet group you created for the Outpost.

• AllocatedStorage

• AvailabilityZone

• BackupRetentionPeriod

• DBInstanceClass

• DBInstanceIdentifier

• VpcSecurityGroupIds

• DBSubnetGroupName

• Engine

• EngineVersion

• MasterUsername

• MasterUserPassword

• StorageEncrypted

• KmsKeyID

For information about each setting when creating a DB instance, see Settings for DB instances.