How do I move an Amazon RDS DB instance from a public subnet to a private subnet within the same VPC?


I have an Amazon Relational Database Service (Amazon RDS) DB instance that's in a public subnet. I want to move my DB instance to a private subnet within the same virtual private cloud (VPC) and make the DB instance private.

Short description

Amazon RDS doesn't provide an option to change the subnet group of your DB instance within the same VPC. However, you can use the following workaround to move your DB instance from a public subnet to a private subnet. With this workaround, you don't create a new DB instance or use the snapshot-restore process, so you avoid the downtime that comes with creating a new instance and diverting traffic to it. Only the Multi-AZ failover time results in noticeable downtime.

Note: Use this workaround only for RDS DB instances. If your DB instance is part of an Amazon Aurora cluster, then use the clone option. Or, follow this resolution but don't turn off Multi-AZ. Instead, delete and recreate the readers.

Resolution

Turn off Multi-AZ deployments and public accessibility on your DB instance

Important: If you already set your DB instance to Single-AZ with the Public accessibility parameter set to No, then skip this step.

To turn off Multi-AZ deployments for your DB instance, complete the following steps:

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Databases. Then, select your DB instance.
  3. Choose Modify.
  4. From the Modify DB Instance page, for Multi-AZ deployment and Public accessibility, choose No.
  5. Choose Continue, and then review the summary of modifications.
  6. Choose Apply immediately or Apply during the next scheduled maintenance window.
    Note: If you choose Apply immediately, then downtime can occur because the modification causes your DB to reboot.
  7. Review your changes. If correct, then choose Modify DB Instance to save.

Discover the IP address of your DB instance

After your DB instance returns to the Available state, run dig on the DB instance's endpoint to find the instance's IP address:

dig rds_endpoint

Note: Replace rds_endpoint with your DB instance's endpoint.

Example output:

db-RDS-instance.xxxxxxxx.us-east-1.rds.amazonaws.com. 5 IN A 172.39.5.213

From the private IP address, you can find the subnet that your primary instance uses.

Example subnets:

  • subnet 1: 172.39.5.0/24
  • subnet 2: 172.39.4.0/24

Because the IP address is under 172.39.5.0/24, the instance is in subnet 1.

Remove the public subnets and add private subnets on your DB instance

Add all the private subnets in the subnet group. Also, delete all public subnets from the subnet group, except for the one that your primary instance uses. In the previous example, delete everything except subnet 1 because the DB instance uses this subnet.

Complete the following steps:

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Subnet groups. Then, choose the subnet group that's associated with your DB instance.
  3. Choose Edit.
  4. From the Add subnets section, select the Availability Zone and private subnets.
  5. Select the public subnets to delete, and then choose Remove.
  6. Choose Save.
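To make the two previous steps concrete, here is an added example (not part of the AWS article) that takes a dig answer line in the shape of the one shown above, works out which subnet the primary instance is in, and computes the first subnet-group edit: add every private subnet, remove every public subnet except the primary's. The subnet IDs, CIDRs and the public/private flag are constructed sample data; in practice you would build that list from the VPC's route tables and the DB subnet group's subnet IDs.

```python
import ipaddress
import re

# Constructed sample input in the same shape as the article's dig example output.
DIG_OUTPUT = "db-RDS-instance.xxxxxxxx.us-east-1.rds.amazonaws.com. 5 IN A 172.39.5.213"

# Hypothetical subnet group contents (assumption): id, CIDR, and whether the
# subnet is public, i.e. its route table sends 0.0.0.0/0 to an internet gateway.
SUBNET_GROUP = [
    {"id": "subnet-public-1", "cidr": "172.39.5.0/24", "public": True},
    {"id": "subnet-public-2", "cidr": "172.39.4.0/24", "public": True},
]
# Hypothetical private subnets in the same VPC that should be added to the group.
PRIVATE_SUBNETS_IN_VPC = [
    {"id": "subnet-private-1", "cidr": "172.39.10.0/24", "public": False},
    {"id": "subnet-private-2", "cidr": "172.39.11.0/24", "public": False},
]

def primary_ip_from_dig(dig_line):
    """Extract the A-record address from a dig answer line."""
    m = re.search(r"\sIN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", dig_line)
    if not m:
        raise ValueError("no A record found in dig output")
    return ipaddress.ip_address(m.group(1))

def primary_subnet(ip, subnets):
    """Return the subnet whose CIDR contains the primary instance's IP."""
    for s in subnets:
        if ip in ipaddress.ip_network(s["cidr"]):
            return s
    raise LookupError(f"{ip} is not inside any subnet of the group")

def plan_subnet_group_edit(dig_line, group, private_subnets):
    """First subnet-group edit: add all private subnets, remove every public
    subnet except the one the primary instance currently uses."""
    ip = primary_ip_from_dig(dig_line)
    keep = primary_subnet(ip, group)
    present = {s["id"] for s in group}
    remove = [s["id"] for s in group if s["public"] and s["id"] != keep["id"]]
    add = [s["id"] for s in private_subnets if s["id"] not in present]
    return {"primary_ip": str(ip), "keep": keep["id"], "add": add, "remove": remove}

def only_private(group):
    """Final check for the last step of the procedure: no public subnet remains."""
    return all(not s["public"] for s in group)
```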

Turn on Multi-AZ on your DB instance

To turn on the Multi-AZ deployment for your DB instance, modify your instance settings. The new secondary instance launches in one of the remaining private subnets.

Reboot your DB instance with failover and turn off Multi-AZ deployment

When your DB instance fails over, the secondary instance becomes the primary instance. As a result, your new primary instance uses the private IP address. After you reboot your DB instance with failover, remove the new secondary instance that's now in the public subnet. To remove the secondary instance, set Multi-AZ deployment to No to turn off Multi-AZ.

Remove the public subnet

Complete the following steps:

  1. Remove the remaining public subnet from the subnet group.
    Note: Remove the subnets from the subnet group in Amazon RDS. You don't need to delete any subnets from the VPC.
  2. Check that there are only private subnets in the subnet group.
  3. If your DB instance was previously in a Multi-AZ deployment, then turn on Multi-AZ deployment again.

Related information

Multi-AZ DB cluster deployments for Amazon RDS

How do I use an Amazon EC2 instance as a bastion host to connect to a private Amazon RDS DB instance from a local machine?

4 Comments

My subnet groups page in the console does not have an "EDIT" button. Why?

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

@RCA You need to click the EDIT button on the subnet group list page instead of on the individual subnet page, i.e. the definition of an individual subnet.

replied a year ago

After moving to a private subnet, do you have any suggestions on how to allow a client to access RDS DB instance from outside?

replied 3 months ago