Creating a Multi-AZ DB cluster for Amazon RDS
A Multi-AZ DB cluster has a writer DB instance and two reader DB instances in three separate Availability Zones. Multi-AZ DB clusters provide high availability, increased capacity for read workloads, and lower latency when compared to Multi-AZ deployments. For more information about Multi-AZ DB clusters, see Multi-AZ DB cluster deployments for Amazon RDS.
Note
Multi-AZ DB clusters are supported only for the MySQL and PostgreSQL DB engines.
DB cluster prerequisites
Important
Before you can create a Multi-AZ DB cluster, you must complete the tasks in Setting up your Amazon RDS environment.
The following are prerequisites to complete before creating a Multi-AZ DB cluster.
Configure the network for the DB cluster
You can create a Multi-AZ DB cluster only in a virtual private cloud (VPC) based on the Amazon VPC service. It must be in an AWS Region that has at least three Availability Zones. The DB subnet group that you choose for the DB cluster must cover at least three Availability Zones. This configuration ensures that each DB instance in the DB cluster is in a different Availability Zone.
To set up connectivity between your new DB cluster and an Amazon EC2 instance in the same VPC, do so when you create the DB cluster. To connect to your DB cluster from resources other than EC2 instances in the same VPC, configure the network connections manually.
Configure automatic network connectivity with an EC2 instance
When you create a Multi-AZ DB cluster, you can use the AWS Management Console to set up connectivity between an EC2 instance and the new DB cluster. When you do so, RDS configures your VPC and network settings automatically. The DB cluster is created in the same VPC as the EC2 instance so that the EC2 instance can access the DB cluster.
The following are requirements for connecting an EC2 instance with the DB cluster:
-
The EC2 instance must exist in the AWS Region before you create the DB cluster.
If no EC2 instances exist in the AWS Region, the console provides a link to create one.
-
The user who is creating the DB cluster must have permissions to perform the following operations:
-
ec2:AssociateRouteTable
-
ec2:AuthorizeSecurityGroupEgress
-
ec2:AuthorizeSecurityGroupIngress
-
ec2:CreateRouteTable
-
ec2:CreateSubnet
-
ec2:CreateSecurityGroup
-
ec2:DescribeInstances
-
ec2:DescribeNetworkInterfaces
-
ec2:DescribeRouteTables
-
ec2:DescribeSecurityGroups
-
ec2:DescribeSubnets
-
ec2:ModifyNetworkInterfaceAttribute
-
ec2:RevokeSecurityGroupEgress
-
Using this option creates a private DB cluster. The DB cluster uses a DB subnet group with only private subnets to restrict access to resources within the VPC.
To connect an EC2 instance to the DB cluster, choose Connect to an EC2 compute resource in the Connectivity section on the Create database page.
When you choose Connect to an EC2 compute resource, RDS sets the following options automatically. You can't change these settings unless you choose not to set up connectivity with an EC2 instance by choosing Don't connect to an EC2 compute resource.
Console option | Automatic setting |
---|---|
Virtual Private Cloud (VPC) |
RDS sets the VPC to the one associated with the EC2 instance. |
DB subnet group |
RDS requires a DB subnet group with a private subnet in the same Availability Zone as
the EC2 instance. If a DB subnet group that meets this
requirement exists, then RDS uses the existing DB subnet group.
By default, this option is set to Automatic
setup. When you choose Automatic setup and there is no DB subnet group that meets this requirement, the following action happens. RDS uses three available private subnets in three Availability Zones where one of the Availability Zones is the same as the EC2 instance. If a private subnet isn’t available in an Availability Zone, RDS creates a private subnet in the Availability Zone. Then RDS creates the DB subnet group. When a private subnet is available, RDS uses the route table associated with the subnet and adds any subnets it creates to this route table. When no private subnet is available, RDS creates a route table without internet gateway access and adds the subnets it creates to the route table. RDS also allows you to use existing DB subnet groups. Select Choose existing if you want to use an existing DB subnet group of your choice. |
Public access |
RDS chooses No so that the DB cluster isn't publicly accessible. For security, it is a best practice to keep the database private and make sure it isn't accessible from the internet. |
VPC security group (firewall) |
RDS creates a new security group that is associated with the DB cluster. The security group is named
RDS also creates a new security group that is associated with the EC2 instance. The security group is named
You can add another new security group by choosing Create new and typing the name of the new security group. You can add existing security groups by choosing Choose existing and selecting security groups to add. |
Availability Zone |
RDS chooses the Availability Zone of the EC2 instance for one DB instance in the Multi-AZ DB cluster deployment. RDS randomly chooses a different Availability Zone for both of the other DB instances. The writer DB instance is created in the same Availability Zone as the EC2 instance. There is the possibility of cross Availability Zone costs if a failover occurs and the writer DB instance is in a different Availability Zone. |
For more information about these settings, see Settings for creating Multi-AZ DB clusters.
If you change these settings after the DB cluster is created, the changes might affect the connection between the EC2 instance and the DB cluster.
Configure the network manually
To connect to your DB cluster from resources other than EC2 instances in the same VPC, configure the network connections manually. If you use the AWS Management Console to create your Multi-AZ DB cluster, you can have Amazon RDS automatically create a VPC for you. Or you can use an existing VPC or create a new VPC for your Multi-AZ DB cluster. Your VPC must have at least one subnet in each of at least three Availability Zones for you to use it with a Multi-AZ DB cluster. For information on VPCs, see Amazon VPC and Amazon RDS.
If you don't have a default VPC or you haven't created a VPC, and you don't plan to use the console, do the following:
-
Create a VPC with at least one subnet in each of at least three of the Availability Zones in the AWS Region where you want to deploy your DB cluster. For more information, see Working with a DB instance in a VPC.
-
Specify a VPC security group that authorizes connections to your DB cluster. For more information, see Provide access to your DB instance in your VPC by creating a security group and Controlling access with security groups.
-
Specify an RDS DB subnet group that defines at least three subnets in the VPC that can be used by the Multi-AZ DB cluster. For more information, see Working with DB subnet groups.
For information about limitations that apply to Multi-AZ DB clusters, see Limitations of Multi-AZ DB clusters for Amazon RDS.
If you want to connect to a resource that isn't in the same VPC as the Multi-AZ DB cluster, see the appropriate scenarios in Scenarios for accessing a DB instance in a VPC.
Additional prerequisites
Before you create your Multi-AZ DB cluster, consider the following additional prerequisites:
-
To tailor the configuration parameters for your DB cluster, specify a DB cluster parameter group with the required parameter settings. For information about creating or modifying a DB cluster parameter group, see Parameter groups for Multi-AZ DB clusters.
-
Determine the TCP/IP port number to specify for your DB cluster. The firewalls at some companies block connections to the default ports. If your company firewall blocks the default port, choose another port for your DB cluster. All DB instances in a DB cluster use the same port.
-
If the major engine version for your database reached the RDS end of standard support date, you must use the Extended Support CLI option or the RDS API parameter. For more information, see RDS Extended Support in Settings for creating Multi-AZ DB clusters.
Creating a DB cluster
You can create a Multi-AZ DB cluster using the AWS Management Console, the AWS CLI, or the RDS API.
You can create a Multi-AZ DB cluster by choosing Multi-AZ DB cluster in the Availability and durability section.
To create a Multi-AZ DB cluster using the console
-
Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/
. -
In the upper-right corner of the AWS Management Console, choose the AWS Region in which you want to create the DB cluster.
For information about the AWS Regions that support Multi-AZ DB clusters, see Limitations of Multi-AZ DB clusters for Amazon RDS.
-
In the navigation pane, choose Databases.
-
Choose Create database.
To create a Multi-AZ DB cluster, make sure that Standard Create is selected and Easy Create isn't.
-
In Engine type, choose MySQL or PostgreSQL.
-
For Version, choose the DB engine version.
For information about the DB engine versions that support Multi-AZ DB clusters, see Limitations of Multi-AZ DB clusters for Amazon RDS.
-
In Templates, choose the appropriate template for your deployment.
-
In Availability and durability, choose Multi-AZ DB cluster.
-
In DB cluster identifier, enter the identifier for your DB cluster.
-
In Master username, enter your master user name, or keep the default setting.
-
Enter your master password:
In the Settings section, open Credential Settings.
If you want to specify a password, clear the Auto generate a password box if it is selected.
(Optional) Change the Master username value.
Enter the same password in Master password and Confirm password.
-
For DB instance class, choose a DB instance class. For a list of supported DB instance classes, see Instance class availability for Multi-AZ DB clusters.
-
(Optional) Set up a connection to a compute resource for this DB cluster.
You can configure connectivity between an Amazon EC2 instance and the new DB cluster during DB cluster creation. For more information, see Configure automatic network connectivity with an EC2 instance.
-
In the Connectivity section under VPC security group (firewall), if you select Create new, a VPC security group is created with an inbound rule that allows your local computer's IP address to access the database.
-
For the remaining sections, specify your DB cluster settings. For information about each setting, see Settings for creating Multi-AZ DB clusters.
-
Choose Create database.
If you chose to use an automatically generated password, the View credential details button appears on the Databases page.
To view the master user name and password for the DB cluster, choose View credential details.
To connect to the DB cluster as the master user, use the user name and password that appear.
Important
You can't view the master user password again.
-
For Databases, choose the name of the new DB cluster.
On the RDS console, the details for the new DB cluster appear. The DB cluster has a status of Creating until the DB cluster is created and ready for use. When the state changes to Available, you can connect to the DB cluster. Depending on the DB cluster class and storage allocated, it can take several minutes for the new DB cluster to be available.
Before you create a Multi-AZ DB cluster using the AWS CLI, make sure to fulfill the required prerequisites. These include creating a VPC and an RDS DB subnet group. For more information, see DB cluster prerequisites.
To create a Multi-AZ DB cluster by using the AWS CLI, call the create-db-cluster
command. Specify the --db-cluster-identifier
. For the --engine
option,
specify either mysql
or postgres
.
For information about each option, see Settings for creating Multi-AZ DB clusters.
For information about the AWS Regions, DB engines, and DB engine versions that support Multi-AZ DB clusters, see Limitations of Multi-AZ DB clusters for Amazon RDS.
The create-db-cluster
command creates the writer DB instance for your DB
cluster, and two reader DB instances. Each DB instance is in a different Availability Zone.
For example, the following command creates a MySQL 8.0 Multi-AZ DB cluster named
mysql-multi-az-db-cluster
.
For Linux, macOS, or Unix:
aws rds create-db-cluster \ --db-cluster-identifier
mysql-multi-az-db-cluster
\ --engine mysql \ --engine-version8.0.32
\ --master-usernameadmin
\ --manage-master-user-password \ --port3306
\ --backup-retention-period1
\ --db-subnet-group-namedefault
\ --allocated-storage4000
\ --storage-type io1 \ --iops10000
\ --db-cluster-instance-classdb.m5d.xlarge
For Windows:
aws rds create-db-cluster ^ --db-cluster-identifier
mysql-multi-az-db-cluster
^ --engine mysql ^ --engine-version8.0.32
^ --manage-master-user-password ^ --master-usernameadmin
^ --port3306
^ --backup-retention-period1
^ --db-subnet-group-namedefault
^ --allocated-storage4000
^ --storage-type io1 ^ --iops10000
^ --db-cluster-instance-classdb.m5d.xlarge
The following command creates a PostgreSQL 13.4 Multi-AZ DB cluster named
postgresql-multi-az-db-cluster
.
For Linux, macOS, or Unix:
aws rds create-db-cluster \ --db-cluster-identifier
postgresql-multi-az-db-cluster
\ --engine postgres \ --engine-version13.4
\ --manage-master-user-password \ --master-usernamepostgres
\ --port5432
\ --backup-retention-period1
\ --db-subnet-group-namedefault
\ --allocated-storage4000
\ --storage-type io1 \ --iops10000
\ --db-cluster-instance-classdb.m5d.xlarge
For Windows:
aws rds create-db-cluster ^ --db-cluster-identifier
postgresql-multi-az-db-cluster
^ --engine postgres ^ --engine-version13.4
^ --manage-master-user-password ^ --master-usernamepostgres
^ --port5432
^ --backup-retention-period1
^ --db-subnet-group-namedefault
^ --allocated-storage4000
^ --storage-type io1 ^ --iops10000
^ --db-cluster-instance-classdb.m5d.xlarge
Before you can create a Multi-AZ DB cluster using the RDS API, make sure to fulfill the required prerequisites, such as creating a VPC and an RDS DB subnet group. For more information, see DB cluster prerequisites.
To create a Multi-AZ DB cluster by using the RDS API, call the
CreateDBCluster operation. Specify the DBClusterIdentifier
. For the Engine
parameter,
specify either mysql
or postgresql
.
For information about each option, see Settings for creating Multi-AZ DB clusters.
The CreateDBCluster
operation creates the writer DB instance for your DB
cluster, and two reader DB instances. Each DB instance is in a different
Availability Zone.
Settings for creating Multi-AZ DB clusters
For details about settings that you choose when you create a Multi-AZ DB cluster, see the following table. For more information about the AWS CLI options, see create-db-cluster. For more information about the RDS API parameters, see CreateDBCluster.
Console setting | Setting description | CLI option and RDS API parameter |
---|---|---|
Allocated storage |
The amount of storage to allocate for each DB instance in your DB cluster (in gibibyte). For more information, see Amazon RDS DB instance storage. |
CLI option:
API parameter:
|
Auto minor version upgrade |
Enable auto minor version upgrade to have your DB cluster receive preferred minor DB engine version upgrades automatically when they become available. Amazon RDS performs automatic minor version upgrades in the maintenance window. |
CLI option:
API parameter:
|
Backup retention period |
The number of days that you want automatic backups of your DB cluster to be retained. For a Multi-AZ DB cluster, this
value must be set to For more information, see Introduction to backups. |
CLI option:
API parameter:
|
Backup window |
The time period during which Amazon RDS automatically takes a backup of your DB cluster. Unless you have a specific time that you want to have your database backed up, use the default of No preference. For more information, see Introduction to backups. |
CLI option:
API parameter:
|
Certificate authority |
The certificate authority (CA) for the server certificate used by the DB cluster. For more information, see Using SSL/TLS to encrypt a connection to a DB instance or cluster. |
CLI option:
RDS API parameter:
|
Copy tags to snapshots |
This option copies any DB cluster tags to a DB snapshot when you create a snapshot. For more information, see Tagging Amazon RDS resources. |
CLI option:
RDS API parameter:
|
Database authentication |
The database authentication option that you want to use. Choose Password authentication to authenticate database users with database passwords only. Choose Password and IAM DB authentication to authenticate database users with database passwords and user credentials through users and roles. For more information, see IAM database authentication for MariaDB, MySQL, and PostgreSQL. |
CLI option:
RDS API parameter:
|
Database port |
The port that you want to access the DB cluster through. The default port is shown. The port can't be changed after the DB cluster is created. The firewalls at some companies block connections to the default ports. If your company firewall blocks the default port, enter another port for your DB cluster. |
CLI option:
RDS API parameter:
|
DB cluster identifier |
The name for your DB cluster. Name your DB clusters in the same way that you name your on-premises servers. Your DB cluster identifier can contain up to 63 alphanumeric characters, and must be unique for your account in the AWS Region you chose. |
CLI option:
RDS API parameter:
|
DB instance class |
The compute and memory capacity of each DB instance in the Multi-AZ DB cluster, for example
If possible, choose a DB instance class large enough that a typical query working set can be held in memory. When working sets are held in memory the system can avoid writing to disk, which improves performance. For a list of supported DB instance classes, see Instance class availability for Multi-AZ DB clusters. |
CLI option:
RDS API parameter:
|
DB cluster parameter group |
The DB cluster parameter group that you want associated with the DB cluster. For more information, see Parameter groups for Multi-AZ DB clusters. |
CLI option:
RDS API parameter:
|
DB engine version |
The version of database engine that you want to use. |
CLI option:
RDS API parameter:
|
DB cluster parameter group |
The DB instance parameter group to associate with the DB cluster. For more information, see Parameter groups for Multi-AZ DB clusters. |
CLI option:
RDS API parameter:
|
DB subnet group | The DB subnet group you want to use for the DB cluster. Select Choose existing to use an existing DB subnet group. Then choose the required subnet group from the Existing DB subnet groups dropdown list.Choose Automatic setup to let RDS select a compatible DB subnet group. If none exist, RDS creates a new subnet group for your cluster. For more information, see Working with DB subnet groups. |
CLI option:
RDS API parameter:
|
Deletion protection |
Enable deletion protection to prevent your DB cluster from being deleted. If you create a production DB cluster with the console, deletion protection is turned on by default. For more information, see Deleting a DB instance. |
CLI option:
RDS API parameter:
|
Encryption |
Enable Encryption to turn on encryption at rest for this DB cluster. Encryption is turned on by default for Multi-AZ DB clusters. For more information, see Encrypting Amazon RDS resources. |
CLI options:
RDS API parameters:
|
Enhanced Monitoring |
Enable enhanced monitoring to turn on metrics gathering in real time for the operating system that your DB cluster runs on. For more information, see Monitoring OS metrics with Enhanced Monitoring. |
CLI options:
RDS API parameters:
|
Initial database name |
The name for the database on your DB cluster. If you don't provide a name, Amazon RDS doesn't create a database on the DB cluster for MySQL. However, it does create a database on the DB cluster for PostgreSQL. The name can't be a word reserved by the database engine. It has other constraints depending on the DB engine. MySQL:
PostgreSQL:
|
CLI option:
RDS API parameter:
|
Log exports |
The types of database log files to publish to Amazon CloudWatch Logs. For more information, see Publishing database logs to Amazon CloudWatch Logs. |
CLI option:
RDS API parameter:
|
Maintenance window |
The 30-minute window in which pending modifications to your DB cluster are applied. If the time period doesn't matter, choose No preference. For more information, see Amazon RDS maintenance window. |
CLI option:
RDS API parameter:
|
Manage master credentials in AWS Secrets Manager |
Select Manage master credentials in AWS Secrets Manager to manage the master user password in a secret in Secrets Manager. Optionally, choose a KMS key to use to protect the secret. Choose from the KMS keys in your account, or enter the key from a different account. For more information, see Password management with Amazon RDS and AWS Secrets Manager. |
CLI option:
RDS API parameter:
|
Master password |
The password for your master user account. |
CLI option:
RDS API parameter:
|
Master username |
The name that you use as the master user name to log on to your DB cluster with all database privileges.
You can't change the master user name after the Multi-AZ DB cluster is created. For more information on privileges granted to the master user, see Master user account privileges. |
CLI option:
RDS API parameter:
|
Performance Insights |
Enable Performance Insights to monitor your DB cluster load so that you can analyze and troubleshoot your database performance. Choose a retention period to determine how much Performance Insights data history to keep. The retention setting in the free tier is Default (7 days). To retain your performance data for longer, specify 1–24 months. For more information about retention periods, see Pricing and data retention for Performance Insights. Choose a KMS key to use to protect the key used to encrypt this database volume. Choose from the KMS keys in your account, or enter the key from a different account. For more information, see Monitoring DB load with Performance Insights on Amazon RDS. |
CLI options:
RDS API parameters:
|
Provisioned IOPS |
The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for the DB cluster. |
CLI option:
RDS API parameter:
|
Public access |
Publicly accessible to give the DB cluster a public IP address, meaning that it's accessible outside the VPC. To be publicly accessible, the DB cluster also has to be in a public subnet in the VPC. Not publicly accessible to make the DB cluster accessible only from inside the VPC. For more information, see Hiding a DB instance in a VPC from the internet. To connect to a DB cluster from outside of its VPC, the DB cluster must be publicly accessible. Also, access must be granted using the inbound rules of the DB cluster's security group, and other requirements must be met. For more information, see Can't connect to Amazon RDS DB instance. If your DB cluster isn't publicly accessible, you can use an AWS Site-to-Site VPN connection or an AWS Direct Connect connection to access it from a private network. For more information, see Internetwork traffic privacy. |
CLI option:
RDS API parameter:
|
RDS Extended Support | Select Enable RDS Extended Support to allow supported major engine versions to continue running past the RDS end of standard support date. When you create a DB cluster, Amazon RDS defaults to RDS Extended Support. To prevent the creation of a new DB cluster after the RDS end of standard support date and to avoid charges for RDS Extended Support, disable this setting. Your existing DB clusters won't incur charges until the RDS Extended Support pricing start date. For more information, see Amazon RDS Extended Support with Amazon RDS. |
CLI option:
RDS API parameter:
|
Storage throughput |
The storage throughput value for the DB cluster. This setting is visible only if you choose General Purpose SSD (gp3) for the storage type. This setting is not configurable and is automatically set based on the IOPS that you specify. For more information, see gp3 storage (recommended). |
This value is automatically calculated and doesn't have a CLI option. |
RDS Proxy |
Choose Create an RDS Proxy to create a proxy for your DB cluster. Amazon RDS automatically creates an IAM role and a Secrets Manager secret for the proxy. |
Not available when creating a DB cluster. |
Storage type |
The storage type for your DB cluster. Only General Purpose SSD (gp3), Provisioned IOPS (io1), and Provisioned IOPS SSD (io2) storage are supported. For more information, see Amazon RDS storage types. |
CLI option:
RDS API parameter:
|
Virtual Private Cloud (VPC) |
A VPC based on the Amazon VPC service to associate with this DB cluster. For more information, see Amazon VPC and Amazon RDS. |
For the CLI and API, you specify the VPC security group IDs. |
VPC security group (firewall) |
The security groups to associate with the DB cluster. For more information, see Overview of VPC security groups. |
CLI option:
RDS API parameter:
|
Settings that don't apply when creating Multi-AZ DB clusters
The following settings in the AWS CLI command create-db-cluster
and the RDS API operation CreateDBCluster
don't apply to Multi-AZ DB clusters.
You also can't specify these settings for Multi-AZ DB clusters in the console.
AWS CLI setting | RDS API setting |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|