How can I configure private and public Amazon Aurora endpoints for Aurora DB instances running in the Amazon Relational Database Service (Amazon RDS)?
An Amazon Aurora cluster can be launched only in an Amazon Virtual Private Cloud (Amazon VPC). The DB subnet group that you choose for your DB cluster must span at least two Availability Zones in the Region where you deploy the cluster. To make an Aurora DB instance publicly accessible, or accessible only from inside the VPC, configure the following two settings: one at the VPC subnet level and the second at the DB instance level.
- You can make your DB subnets public or private-only based on the route table associated with each subnet. Make sure that all subnets in the DB subnet group have the same configuration, to avoid connection issues after a failover.
- At the DB instance level, you can set the publicly accessible parameter to yes or no. This determines whether your DB instance is reachable from the internet.
It's also important to make sure that the VPC security group used by the DB instance allows the source IP address or CIDR range. For more information, see Security group rules for different use cases.
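As an added example that is not part of the original article, the following Python check applies the same three conditions to data shaped like the `describe-db-instances`, `describe-route-tables` and `describe-security-groups` output: whether every subnet in the DB subnet group routes to an internet gateway, whether the PubliclyAccessible flag agrees with those subnets, and whether the VPC security group admits the DB port from anywhere. The sample records and the helper names are constructed for this example.

```python
from ipaddress import ip_network


def subnet_is_public(route_table: dict) -> bool:
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
               for r in route_table.get("Routes", []))


def sg_open_cidrs(sg: dict, port: int) -> list:
    """Return the IPv4 CIDR ranges this security group admits on `port` (tcp or all protocols)."""
    cidrs = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") in ("tcp", "-1") and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def audit_instance(instance: dict, route_tables: dict, security_groups: dict):
    """Classify an instance as 'public' or 'private' and list misconfigurations.
    route_tables maps subnet id -> route table; security_groups maps group id -> group."""
    findings = []
    subnet_ids = [s["SubnetIdentifier"] for s in instance["DBSubnetGroup"]["Subnets"]]
    is_public = {sid: subnet_is_public(route_tables[sid]) for sid in subnet_ids}
    flag = instance["PubliclyAccessible"]
    if len(set(is_public.values())) > 1:  # setting 1: subnets must match, or a failover changes reachability
        findings.append("DB subnet group mixes public and private subnets")
    if flag and not all(is_public.values()):  # setting 2 only works when every subnet is public
        findings.append("PubliclyAccessible is true but a subnet has no internet gateway route")
    port = instance["Endpoint"]["Port"]
    for member in instance["VpcSecurityGroups"]:  # security group: flag rules open to the whole internet
        for cidr in sg_open_cidrs(security_groups[member["VpcSecurityGroupId"]], port):
            if ip_network(cidr).prefixlen == 0:
                findings.append(f"{member['VpcSecurityGroupId']} admits port {port} from {cidr}")
    exposure = "public" if flag and all(is_public.values()) else "private"
    return exposure, findings


# Constructed sample shaped like describe-db-instances / describe-route-tables / describe-security-groups.
SAMPLE_INSTANCE = {"PubliclyAccessible": True, "Endpoint": {"Port": 3306},
                   "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-a"}, {"SubnetIdentifier": "subnet-b"}]},
                   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}]}
SAMPLE_ROUTE_TABLES = {"subnet-a": {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
                       "subnet-b": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}}
SAMPLE_SGS = {"sg-db": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}}

if __name__ == "__main__":
    print(audit_instance(SAMPLE_INSTANCE, SAMPLE_ROUTE_TABLES, SAMPLE_SGS))
```

On the constructed sample the instance is flagged as private (one subnet has no internet gateway route) with three findings: a mixed subnet group, a PubliclyAccessible flag that the subnets cannot honour, and a security group open to 0.0.0.0/0.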
Creating a publicly accessible Aurora DB cluster
1. When you create an Amazon Aurora DB cluster using the AWS Management Console, Amazon RDS can automatically create a VPC for you. Alternatively, use an existing VPC or create a new VPC for your Aurora DB cluster.
2. Create a DB subnet group that defines at least two subnets in the VPC. Make sure that the route table associated with the subnets is configured for public access.
3. Create an Aurora DB cluster in the VPC.
4. On the Create database pane, in the Connectivity section, select the Virtual Private Cloud (VPC) that you created.
5. From Subnet group, select the DB subnet group that has publicly available subnets.
6. In the Connectivity section, set Public access to Yes.
7. From VPC security group, choose a security group that grants access to the public IP addresses and CIDR ranges that you want to allow access from.
To create a private-only Aurora DB cluster, follow the preceding steps, but in step 6 set Public access to No.
Changing public accessibility of running instances in an Aurora DB cluster
To change whether the running instances in the Aurora cluster are publicly accessible:
1. Sign in to the Amazon RDS console.
2. In the navigation pane, choose Databases, and then select the Aurora DB instance in the Aurora cluster that you want to modify.
3. Choose Modify.
4. On the Modify DB instance page, under Connectivity, expand the Additional configuration section. Set Public access to Yes or No.
5. Choose Continue, and check the summary of modifications.
6. To apply the changes immediately, select Apply immediately. Changing this setting on an existing DB instance in the cluster affects its network connectivity.
Note: You can't give an Amazon Aurora Serverless DB cluster a public IP address. You can access an Aurora Serverless DB cluster only from within a virtual private cloud (VPC). For more information, see Using Amazon Aurora Serverless v1.
How to create a VPC for use with Amazon Aurora
Modify a DB instance in a DB cluster