How do I connect to my Amazon RDS MySQL DB instance or Aurora MySQL DB cluster using Amazon RDS Proxy?

Reading time: 4 minutes

How do I connect to my Amazon Relational Database Service (Amazon RDS) DB instance or Amazon Aurora DB cluster that's running MySQL by using Amazon RDS Proxy?

Short description

You can use Amazon RDS Proxy to pool and manage your application's database connections. For the list of engines that RDS Proxy supports, see Managing connections with Amazon RDS Proxy.

Resolution

Before you begin, note that your Amazon RDS Proxy must be in the same VPC as the database. Although you can make the database itself publicly accessible, the proxy can't be publicly accessible, so clients must reach the proxy endpoint from inside the VPC or from a network connected to it (for example, through VPN or VPC peering).

1.    Create database credentials in AWS Secrets Manager.
Note: The user name and password stored in the secret must match an existing user on the database. The proxy uses these credentials to authenticate to the database on behalf of your clients, so a mismatch causes connections through the proxy to fail.

2.    Create an AWS Identity and Access Management (IAM) policy and an IAM role.
Note: This step is optional. Amazon RDS Proxy can create an IAM role automatically in step 3. Follow this step only if you want to create and scope your own IAM role (the role must allow the proxy to read the secret from Secrets Manager).

3.    Create an Amazon RDS Proxy.

4.    Check that the proxy endpoint is reachable:

nc -zv <proxy_endpoint> 3306

This command returns an output similar to the following:

nc -zv test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com 3306
Connection to test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com 3306 port [tcp/mysql] succeeded!

Note: Because the proxy isn't publicly accessible, run this check from an EC2 instance in the same VPC as the RDS Proxy (or from a network connected to that VPC). From a local machine outside the VPC, the connection attempt fails even though the proxy is healthy. If the check fails from inside the VPC, verify that the proxy's security group allows inbound TCP 3306 from the client.

5.    Connect to the RDS DB instance using the Amazon RDS Proxy:

mysql -h <proxy_endpoint> -u username -p

This command returns an output similar to the following:

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2946664484
Server version: 5.7.28-log
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> 

Or, you can connect to the RDS DB instance through Amazon RDS Proxy over a TLS (SSL) connection by following these steps:

1.    Optionally, enable Require Transport Layer Security when you create the Amazon RDS Proxy. You can also modify an existing RDS Proxy to enable this option.
Note: This setting governs connections from clients to the proxy. With the setting enabled, every client connection must use TLS, and any plaintext connection attempt is rejected. If the setting isn't enabled, then clients can connect to the proxy either with or without TLS, so a misconfigured client silently falls back to plaintext.

2.    Download the Amazon Root CA 1 trust store .pem file from Amazon Trust Services:

wget https://www.amazontrust.com/repository/AmazonRootCA1.pem

3.    Connect using TLS. In REQUIRED mode the client encrypts the session but does not verify the server certificate, even when --ssl-ca is supplied, so a host that intercepts the connection can still present its own certificate:

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin --ssl-mode=REQUIRED --ssl-ca=AmazonRootCA1.pem -p

To also verify that the proxy's certificate chains to the Amazon root CA and that its name matches the endpoint you connected to, use VERIFY_IDENTITY instead (VERIFY_CA checks the chain only, without the hostname check):

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin --ssl-mode=VERIFY_IDENTITY --ssl-ca=AmazonRootCA1.pem -p

Note: Because Amazon RDS Proxy uses wildcard certificates, you must use a MySQL 8.0-compatible mysql client if you connect with SSL mode VERIFY_IDENTITY. Older clients, such as the 5.7 client, do not match wildcard names and fail the hostname check.

When you connect, the following output is returned. To confirm that the session is actually encrypted, run \s in the client and check the SSL line, or run SHOW STATUS LIKE 'Ssl_cipher'; and check that the value is not empty.

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12659040
Server version: 5.7.28-log
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Related information

Troubleshooting for RDS Proxy

AWS OFFICIAL
Updated 3 years ago