Creating a Multi-AZ DB cluster for Amazon RDS - Amazon Relational Database Service

Creating a Multi-AZ DB cluster for Amazon RDS

A Multi-AZ DB cluster has a writer DB instance and two reader DB instances in three separate Availability Zones. Multi-AZ DB clusters provide high availability, increased capacity for read workloads, and lower latency when compared to Multi-AZ deployments. For more information about Multi-AZ DB clusters, see Multi-AZ DB cluster deployments for Amazon RDS.

Note

Multi-AZ DB clusters are supported only for the MySQL and PostgreSQL DB engines.

DB cluster prerequisites

Important

Before you can create a Multi-AZ DB cluster, you must complete the tasks in Setting up your Amazon RDS environment.

The following are prerequisites to complete before creating a Multi-AZ DB cluster.

Configure the network for the DB cluster

You can create a Multi-AZ DB cluster only in a virtual private cloud (VPC) based on the Amazon VPC service. It must be in an AWS Region that has at least three Availability Zones. The DB subnet group that you choose for the DB cluster must cover at least three Availability Zones. This configuration ensures that each DB instance in the DB cluster is in a different Availability Zone.

To set up connectivity between your new DB cluster and an Amazon EC2 instance in the same VPC, do so when you create the DB cluster. To connect to your DB cluster from resources other than EC2 instances in the same VPC, configure the network connections manually.

Configure automatic network connectivity with an EC2 instance

When you create a Multi-AZ DB cluster, you can use the AWS Management Console to set up connectivity between an EC2 instance and the new DB cluster. When you do so, RDS configures your VPC and network settings automatically. The DB cluster is created in the same VPC as the EC2 instance so that the EC2 instance can access the DB cluster.

The following are requirements for connecting an EC2 instance with the DB cluster:

  • The EC2 instance must exist in the AWS Region before you create the DB cluster.

    If no EC2 instances exist in the AWS Region, the console provides a link to create one.

  • The user who is creating the DB cluster must have permissions to perform the following operations:

    • ec2:AssociateRouteTable

    • ec2:AuthorizeSecurityGroupEgress

    • ec2:AuthorizeSecurityGroupIngress

    • ec2:CreateRouteTable

    • ec2:CreateSubnet

    • ec2:CreateSecurityGroup

    • ec2:DescribeInstances

    • ec2:DescribeNetworkInterfaces

    • ec2:DescribeRouteTables

    • ec2:DescribeSecurityGroups

    • ec2:DescribeSubnets

    • ec2:ModifyNetworkInterfaceAttribute

    • ec2:RevokeSecurityGroupEgress

Using this option creates a private DB cluster. The DB cluster uses a DB subnet group with only private subnets to restrict access to resources within the VPC.

To connect an EC2 instance to the DB cluster, choose Connect to an EC2 compute resource in the Connectivity section on the Create database page.

Connect an EC2 instance

When you choose Connect to an EC2 compute resource, RDS sets the following options automatically. You can't change these settings unless you choose not to set up connectivity with an EC2 instance by choosing Don't connect to an EC2 compute resource.

Console option Automatic setting

Virtual Private Cloud (VPC)

RDS sets the VPC to the one associated with the EC2 instance.

DB subnet group

RDS requires a DB subnet group with a private subnet in the same Availability Zone as the EC2 instance. If a DB subnet group that meets this requirement exists, then RDS uses the existing DB subnet group. By default, this option is set to Automatic setup.

When you choose Automatic setup and there is no DB subnet group that meets this requirement, the following action happens. RDS uses three available private subnets in three Availability Zones where one of the Availability Zones is the same as the EC2 instance. If a private subnet isn’t available in an Availability Zone, RDS creates a private subnet in the Availability Zone. Then RDS creates the DB subnet group.

When a private subnet is available, RDS uses the route table associated with the subnet and adds any subnets it creates to this route table. When no private subnet is available, RDS creates a route table without internet gateway access and adds the subnets it creates to the route table.

RDS also allows you to use existing DB subnet groups. Select Choose existing if you want to use an existing DB subnet group of your choice.

Public access

RDS chooses No so that the DB cluster isn't publicly accessible.

For security, it is a best practice to keep the database private and make sure it isn't accessible from the internet.

VPC security group (firewall)

RDS creates a new security group that is associated with the DB cluster. The security group is named rds-ec2-n, where n is a number. This security group includes an inbound rule with the EC2 VPC security group (firewall) as the source. This security group that is associated with the DB cluster allows the EC2 instance to access the DB cluster.

RDS also creates a new security group that is associated with the EC2 instance. The security group is named ec2-rds-n, where n is a number. This security group includes an outbound rule with the VPC security group of the DB cluster as the source. This security group allows the EC2 instance to send traffic to the DB cluster.

You can add another new security group by choosing Create new and typing the name of the new security group.

You can add existing security groups by choosing Choose existing and selecting security groups to add.

Availability Zone

RDS chooses the Availability Zone of the EC2 instance for one DB instance in the Multi-AZ DB cluster deployment. RDS randomly chooses a different Availability Zone for both of the other DB instances. The writer DB instance is created in the same Availability Zone as the EC2 instance. There is the possibility of cross Availability Zone costs if a failover occurs and the writer DB instance is in a different Availability Zone.

For more information about these settings, see Settings for creating Multi-AZ DB clusters.

If you change these settings after the DB cluster is created, the changes might affect the connection between the EC2 instance and the DB cluster.

Configure the network manually

To connect to your DB cluster from resources other than EC2 instances in the same VPC, configure the network connections manually. If you use the AWS Management Console to create your Multi-AZ DB cluster, you can have Amazon RDS automatically create a VPC for you. Or you can use an existing VPC or create a new VPC for your Multi-AZ DB cluster. Your VPC must have at least one subnet in each of at least three Availability Zones for you to use it with a Multi-AZ DB cluster. For information on VPCs, see Amazon VPC and Amazon RDS.

If you don't have a default VPC or you haven't created a VPC, and you don't plan to use the console, do the following:

For information about limitations that apply to Multi-AZ DB clusters, see Limitations of Multi-AZ DB clusters for Amazon RDS.

If you want to connect to a resource that isn't in the same VPC as the Multi-AZ DB cluster, see the appropriate scenarios in Scenarios for accessing a DB instance in a VPC.

Additional prerequisites

Before you create your Multi-AZ DB cluster, consider the following additional prerequisites:

  • To tailor the configuration parameters for your DB cluster, specify a DB cluster parameter group with the required parameter settings. For information about creating or modifying a DB cluster parameter group, see Parameter groups for Multi-AZ DB clusters.

  • Determine the TCP/IP port number to specify for your DB cluster. The firewalls at some companies block connections to the default ports. If your company firewall blocks the default port, choose another port for your DB cluster. All DB instances in a DB cluster use the same port.

  • If the major engine version for your database reached the RDS end of standard support date, you must use the Extended Support CLI option or the RDS API parameter. For more information, see RDS Extended Support in Settings for creating Multi-AZ DB clusters.

Creating a DB cluster

You can create a Multi-AZ DB cluster using the AWS Management Console, the AWS CLI, or the RDS API.

You can create a Multi-AZ DB cluster by choosing Multi-AZ DB cluster in the Availability and durability section.

To create a Multi-AZ DB cluster using the console
  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the upper-right corner of the AWS Management Console, choose the AWS Region in which you want to create the DB cluster.

    For information about the AWS Regions that support Multi-AZ DB clusters, see Limitations of Multi-AZ DB clusters for Amazon RDS.

  3. In the navigation pane, choose Databases.

  4. Choose Create database.

    To create a Multi-AZ DB cluster, make sure that Standard Create is selected and Easy Create isn't.

  5. In Engine type, choose MySQL or PostgreSQL.

  6. For Version, choose the DB engine version.

    For information about the DB engine versions that support Multi-AZ DB clusters, see Limitations of Multi-AZ DB clusters for Amazon RDS.

  7. In Templates, choose the appropriate template for your deployment.

  8. In Availability and durability, choose Multi-AZ DB cluster.

    Multi-AZ DB cluster choice
  9. In DB cluster identifier, enter the identifier for your DB cluster.

  10. In Master username, enter your master user name, or keep the default setting.

  11. Enter your master password:

    1. In the Settings section, open Credential Settings.

    2. If you want to specify a password, clear the Auto generate a password box if it is selected.

    3. (Optional) Change the Master username value.

    4. Enter the same password in Master password and Confirm password.

  12. For DB instance class, choose a DB instance class. For a list of supported DB instance classes, see Instance class availability for Multi-AZ DB clusters.

  13. (Optional) Set up a connection to a compute resource for this DB cluster.

    You can configure connectivity between an Amazon EC2 instance and the new DB cluster during DB cluster creation. For more information, see Configure automatic network connectivity with an EC2 instance.

  14. In the Connectivity section under VPC security group (firewall), if you select Create new, a VPC security group is created with an inbound rule that allows your local computer's IP address to access the database.

  15. For the remaining sections, specify your DB cluster settings. For information about each setting, see Settings for creating Multi-AZ DB clusters.

  16. Choose Create database.

    If you chose to use an automatically generated password, the View credential details button appears on the Databases page.

    To view the master user name and password for the DB cluster, choose View credential details.

    To connect to the DB cluster as the master user, use the user name and password that appear.

    Important

    You can't view the master user password again.

  17. For Databases, choose the name of the new DB cluster.

On the RDS console, the details for the new DB cluster appear. The DB cluster has a status of Creating until the DB cluster is created and ready for use. When the state changes to Available, you can connect to the DB cluster. Depending on the DB cluster class and storage allocated, it can take several minutes for the new DB cluster to be available.

Before you create a Multi-AZ DB cluster using the AWS CLI, make sure to fulfill the required prerequisites. These include creating a VPC and an RDS DB subnet group. For more information, see DB cluster prerequisites.

To create a Multi-AZ DB cluster by using the AWS CLI, call the create-db-cluster command. Specify the --db-cluster-identifier. For the --engine option, specify either mysql or postgres.

For information about each option, see Settings for creating Multi-AZ DB clusters.

For information about the AWS Regions, DB engines, and DB engine versions that support Multi-AZ DB clusters, see Limitations of Multi-AZ DB clusters for Amazon RDS.

The create-db-cluster command creates the writer DB instance for your DB cluster, and two reader DB instances. Each DB instance is in a different Availability Zone.

For example, the following command creates a MySQL 8.0 Multi-AZ DB cluster named mysql-multi-az-db-cluster.

For Linux, macOS, or Unix:

aws rds create-db-cluster \ --db-cluster-identifier mysql-multi-az-db-cluster \ --engine mysql \ --engine-version 8.0.32 \ --master-username admin \ --manage-master-user-password \ --port 3306 \ --backup-retention-period 1 \ --db-subnet-group-name default \ --allocated-storage 4000 \ --storage-type io1 \ --iops 10000 \ --db-cluster-instance-class db.m5d.xlarge

For Windows:

aws rds create-db-cluster ^ --db-cluster-identifier mysql-multi-az-db-cluster ^ --engine mysql ^ --engine-version 8.0.32 ^ --manage-master-user-password ^ --master-username admin ^ --port 3306 ^ --backup-retention-period 1 ^ --db-subnet-group-name default ^ --allocated-storage 4000 ^ --storage-type io1 ^ --iops 10000 ^ --db-cluster-instance-class db.m5d.xlarge

The following command creates a PostgreSQL 13.4 Multi-AZ DB cluster named postgresql-multi-az-db-cluster.

For Linux, macOS, or Unix:

aws rds create-db-cluster \ --db-cluster-identifier postgresql-multi-az-db-cluster \ --engine postgres \ --engine-version 13.4 \ --manage-master-user-password \ --master-username postgres \ --port 5432 \ --backup-retention-period 1 \ --db-subnet-group-name default \ --allocated-storage 4000 \ --storage-type io1 \ --iops 10000 \ --db-cluster-instance-class db.m5d.xlarge

For Windows:

aws rds create-db-cluster ^ --db-cluster-identifier postgresql-multi-az-db-cluster ^ --engine postgres ^ --engine-version 13.4 ^ --manage-master-user-password ^ --master-username postgres ^ --port 5432 ^ --backup-retention-period 1 ^ --db-subnet-group-name default ^ --allocated-storage 4000 ^ --storage-type io1 ^ --iops 10000 ^ --db-cluster-instance-class db.m5d.xlarge

Before you can create a Multi-AZ DB cluster using the RDS API, make sure to fulfill the required prerequisites, such as creating a VPC and an RDS DB subnet group. For more information, see DB cluster prerequisites.

To create a Multi-AZ DB cluster by using the RDS API, call the CreateDBCluster operation. Specify the DBClusterIdentifier. For the Engine parameter, specify either mysql or postgresql.

For information about each option, see Settings for creating Multi-AZ DB clusters.

The CreateDBCluster operation creates the writer DB instance for your DB cluster, and two reader DB instances. Each DB instance is in a different Availability Zone.

Settings for creating Multi-AZ DB clusters

For details about settings that you choose when you create a Multi-AZ DB cluster, see the following table. For more information about the AWS CLI options, see create-db-cluster. For more information about the RDS API parameters, see CreateDBCluster.

Console setting Setting description CLI option and RDS API parameter

Allocated storage

The amount of storage to allocate for each DB instance in your DB cluster (in gibibyte). For more information, see Amazon RDS DB instance storage.

CLI option:

--allocated-storage

API parameter:

AllocatedStorage

Auto minor version upgrade

Enable auto minor version upgrade to have your DB cluster receive preferred minor DB engine version upgrades automatically when they become available. Amazon RDS performs automatic minor version upgrades in the maintenance window.

CLI option:

--auto-minor-version-upgrade

--no-auto-minor-version-upgrade

API parameter:

AutoMinorVersionUpgrade

Backup retention period

The number of days that you want automatic backups of your DB cluster to be retained. For a Multi-AZ DB cluster, this value must be set to 1 or greater.

For more information, see Introduction to backups.

CLI option:

--backup-retention-period

API parameter:

BackupRetentionPeriod

Backup window

The time period during which Amazon RDS automatically takes a backup of your DB cluster. Unless you have a specific time that you want to have your database backed up, use the default of No preference.

For more information, see Introduction to backups.

CLI option:

--preferred-backup-window

API parameter:

PreferredBackupWindow

Certificate authority

The certificate authority (CA) for the server certificate used by the DB cluster.

For more information, see Using SSL/TLS to encrypt a connection to a DB instance or cluster.

CLI option:

--ca-certificate-identifier

RDS API parameter:

CACertificateIdentifier

Copy tags to snapshots

This option copies any DB cluster tags to a DB snapshot when you create a snapshot.

For more information, see Tagging Amazon RDS resources.

CLI option:

-copy-tags-to-snapshot

-no-copy-tags-to-snapshot

RDS API parameter:

CopyTagsToSnapshot

Database authentication

The database authentication option that you want to use.

Choose Password authentication to authenticate database users with database passwords only.

Choose Password and IAM DB authentication to authenticate database users with database passwords and user credentials through users and roles. For more information, see IAM database authentication for MariaDB, MySQL, and PostgreSQL.

CLI option:

--enable-iam-database-authentication

--no-enable-iam-database-authentication

RDS API parameter:

EnableIAMDatabaseAuthentication

Database port

The port that you want to access the DB cluster through. The default port is shown.

The port can't be changed after the DB cluster is created.

The firewalls at some companies block connections to the default ports. If your company firewall blocks the default port, enter another port for your DB cluster.

CLI option:

--port

RDS API parameter:

Port

DB cluster identifier

The name for your DB cluster. Name your DB clusters in the same way that you name your on-premises servers. Your DB cluster identifier can contain up to 63 alphanumeric characters, and must be unique for your account in the AWS Region you chose.

CLI option:

--db-cluster-identifier

RDS API parameter:

DBClusterIdentifier

DB instance class

The compute and memory capacity of each DB instance in the Multi-AZ DB cluster, for example db.m5d.xlarge.

If possible, choose a DB instance class large enough that a typical query working set can be held in memory. When working sets are held in memory the system can avoid writing to disk, which improves performance.

For a list of supported DB instance classes, see Instance class availability for Multi-AZ DB clusters.

CLI option:

--db-cluster-instance-class

RDS API parameter:

DBClusterInstanceClass

DB cluster parameter group

The DB cluster parameter group that you want associated with the DB cluster.

For more information, see Parameter groups for Multi-AZ DB clusters.

CLI option:

--db-cluster-parameter-group-name

RDS API parameter:

DBClusterParameterGroupName

DB engine version

The version of database engine that you want to use.

CLI option:

--engine-version

RDS API parameter:

EngineVersion

DB cluster parameter group

The DB instance parameter group to associate with the DB cluster.

For more information, see Parameter groups for Multi-AZ DB clusters.

CLI option:

--db-cluster-parameter-group-name

RDS API parameter:

DBClusterParameterGroupName

DB subnet group

The DB subnet group you want to use for the DB cluster.

Select Choose existing to use an existing DB subnet group. Then choose the required subnet group from the Existing DB subnet groups dropdown list.

Choose Automatic setup to let RDS select a compatible DB subnet group. If none exist, RDS creates a new subnet group for your cluster.

For more information, see Working with DB subnet groups.

CLI option:

--db-subnet-group-name

RDS API parameter:

DBSubnetGroupName

Deletion protection

Enable deletion protection to prevent your DB cluster from being deleted. If you create a production DB cluster with the console, deletion protection is turned on by default.

For more information, see Deleting a DB instance.

CLI option:

--deletion-protection

--no-deletion-protection

RDS API parameter:

DeletionProtection

Encryption

Enable Encryption to turn on encryption at rest for this DB cluster.

Encryption is turned on by default for Multi-AZ DB clusters.

For more information, see Encrypting Amazon RDS resources.

CLI options:

--kms-key-id

--storage-encrypted

--no-storage-encrypted

RDS API parameters:

KmsKeyId

StorageEncrypted

Enhanced Monitoring

Enable enhanced monitoring to turn on metrics gathering in real time for the operating system that your DB cluster runs on.

For more information, see Monitoring OS metrics with Enhanced Monitoring.

CLI options:

--monitoring-interval

--monitoring-role-arn

RDS API parameters:

MonitoringInterval

MonitoringRoleArn

Initial database name

The name for the database on your DB cluster. If you don't provide a name, Amazon RDS doesn't create a database on the DB cluster for MySQL. However, it does create a database on the DB cluster for PostgreSQL. The name can't be a word reserved by the database engine. It has other constraints depending on the DB engine.

MySQL:

  • It must contain 1–64 alphanumeric characters.

PostgreSQL:

  • It must contain 1–63 alphanumeric characters.

  • It must begin with a letter or an underscore. Subsequent characters can be letters, underscores, or digits (0-9).

  • The initial database name is postgres.

CLI option:

--database-name

RDS API parameter:

DatabaseName

Log exports

The types of database log files to publish to Amazon CloudWatch Logs.

For more information, see Publishing database logs to Amazon CloudWatch Logs.

CLI option:

-enable-cloudwatch-logs-exports

RDS API parameter:

EnableCloudwatchLogsExports

Maintenance window

The 30-minute window in which pending modifications to your DB cluster are applied. If the time period doesn't matter, choose No preference.

For more information, see Amazon RDS maintenance window.

CLI option:

--preferred-maintenance-window

RDS API parameter:

PreferredMaintenanceWindow

Manage master credentials in AWS Secrets Manager

Select Manage master credentials in AWS Secrets Manager to manage the master user password in a secret in Secrets Manager.

Optionally, choose a KMS key to use to protect the secret. Choose from the KMS keys in your account, or enter the key from a different account.

For more information, see Password management with Amazon RDS and AWS Secrets Manager.

CLI option:

--manage-master-user-password | --no-manage-master-user-password

--master-user-secret-kms-key-id

RDS API parameter:

ManageMasterUserPassword

MasterUserSecretKmsKeyId

Master password

The password for your master user account.

CLI option:

--master-user-password

RDS API parameter:

MasterUserPassword

Master username

The name that you use as the master user name to log on to your DB cluster with all database privileges.

  • It can contain 1–16 alphanumeric characters and underscores.

  • Its first character must be a letter.

  • It can't be a word reserved by the database engine.

You can't change the master user name after the Multi-AZ DB cluster is created.

For more information on privileges granted to the master user, see Master user account privileges.

CLI option:

--master-username

RDS API parameter:

MasterUsername

Performance Insights

Enable Performance Insights to monitor your DB cluster load so that you can analyze and troubleshoot your database performance.

Choose a retention period to determine how much Performance Insights data history to keep. The retention setting in the free tier is Default (7 days). To retain your performance data for longer, specify 1–24 months. For more information about retention periods, see Pricing and data retention for Performance Insights.

Choose a KMS key to use to protect the key used to encrypt this database volume. Choose from the KMS keys in your account, or enter the key from a different account.

For more information, see Monitoring DB load with Performance Insights on Amazon RDS.

CLI options:

--enable-performance-insights

--no-enable-performance-insights

--performance-insights-retention-period

--performance-insights-kms-key-id

RDS API parameters:

EnablePerformanceInsights

PerformanceInsightsRetentionPeriod

PerformanceInsightsKMSKeyId

Provisioned IOPS

The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for the DB cluster.

CLI option:

--iops

RDS API parameter:

Iops

Public access

Publicly accessible to give the DB cluster a public IP address, meaning that it's accessible outside the VPC. To be publicly accessible, the DB cluster also has to be in a public subnet in the VPC.

Not publicly accessible to make the DB cluster accessible only from inside the VPC.

For more information, see Hiding a DB instance in a VPC from the internet.

To connect to a DB cluster from outside of its VPC, the DB cluster must be publicly accessible. Also, access must be granted using the inbound rules of the DB cluster's security group, and other requirements must be met. For more information, see Can't connect to Amazon RDS DB instance.

If your DB cluster isn't publicly accessible, you can use an AWS Site-to-Site VPN connection or an AWS Direct Connect connection to access it from a private network. For more information, see Internetwork traffic privacy.

CLI option:

--publicly-accessible

--no-publicly-accessible

RDS API parameter:

PubliclyAccessible

RDS Extended Support

Select Enable RDS Extended Support to allow supported major engine versions to continue running past the RDS end of standard support date.

When you create a DB cluster, Amazon RDS defaults to RDS Extended Support. To prevent the creation of a new DB cluster after the RDS end of standard support date and to avoid charges for RDS Extended Support, disable this setting. Your existing DB clusters won't incur charges until the RDS Extended Support pricing start date.

For more information, see Amazon RDS Extended Support with Amazon RDS.

CLI option:

--engine-lifecycle-support

RDS API parameter:

EngineLifecycleSupport

Storage throughput

The storage throughput value for the DB cluster. This setting is visible only if you choose General Purpose SSD (gp3) for the storage type.

This setting is not configurable and is automatically set based on the IOPS that you specify.

For more information, see gp3 storage (recommended).

This value is automatically calculated and doesn't have a CLI option.

RDS Proxy

Choose Create an RDS Proxy to create a proxy for your DB cluster. Amazon RDS automatically creates an IAM role and a Secrets Manager secret for the proxy.

Not available when creating a DB cluster.

Storage type

The storage type for your DB cluster.

Only General Purpose SSD (gp3), Provisioned IOPS (io1), and Provisioned IOPS SSD (io2) storage are supported.

For more information, see Amazon RDS storage types.

CLI option:

--storage-type

RDS API parameter:

StorageType

Virtual Private Cloud (VPC)

A VPC based on the Amazon VPC service to associate with this DB cluster.

For more information, see Amazon VPC and Amazon RDS.

For the CLI and API, you specify the VPC security group IDs.

VPC security group (firewall)

The security groups to associate with the DB cluster.

For more information, see Overview of VPC security groups.

CLI option:

--vpc-security-group-ids

RDS API parameter:

VpcSecurityGroupIds

Settings that don't apply when creating Multi-AZ DB clusters

The following settings in the AWS CLI command create-db-cluster and the RDS API operation CreateDBCluster don't apply to Multi-AZ DB clusters.

You also can't specify these settings for Multi-AZ DB clusters in the console.

AWS CLI setting RDS API setting

--availability-zones

AvailabilityZones

--backtrack-window

BacktrackWindow

--character-set-name

CharacterSetName

--domain

Domain

--domain-iam-role-name

DomainIAMRoleName

--enable-global-write-forwarding | --no-enable-global-write-forwarding

EnableGlobalWriteForwarding

--enable-http-endpoint | --no-enable-http-endpoint

EnableHttpEndpoint

--global-cluster-identifier

GlobalClusterIdentifier

--option-group-name

OptionGroupName

--pre-signed-url

PreSignedUrl

--replication-source-identifier

ReplicationSourceIdentifier

--scaling-configuration

ScalingConfiguration