How do I use Amazon RDS Proxy to connect to my Amazon RDS for MySQL DB instance or Aurora MySQL-Compatible DB cluster?

3 minute read

I want to use Amazon RDS Proxy to connect to my Amazon Relational Database Service (Amazon RDS) for MySQL DB instance. Or, I want to use Amazon RDS Proxy to connect to my Amazon Aurora MySQL-Compatible Edition DB cluster.

Resolution

Before you begin, your Amazon RDS Proxy must be in the same virtual private cloud (VPC) as the database. You can make the database publicly accessible, but the proxy can't be publicly accessible.

1. Create database credentials in AWS Secrets Manager.
Note: When you create the secret, use the same username and password as your database.

2. (Optional) Create an AWS Identity and Access Management (IAM) policy and an IAM role.
Note: Amazon RDS Proxy automatically creates an IAM role in step 3. Follow step 2 to create your own IAM role.

3. Create an Amazon RDS Proxy.

4. To check that the proxy endpoint is reachable, run the following command:

nc -zv <proxy_endpoint> 3306

Example output:

nc -z test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com 3306
Connection to test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com 3306 port [tcp/mysql] succeeded!

Note: Run the preceding command only on an Amazon Elastic Compute Cloud (Amazon EC2) machine that's in the same VPC as the Amazon RDS Proxy. The command fails from a local machine, because the proxy isn't publicly accessible.

5. To use the Amazon RDS Proxy to connect to the RDS DB instance, run the following command:

mysql -h <proxy_end_point> -u username -p

Example output:

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2946664484
Server version: 5.7.28-log
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> 

Or, use the Amazon RDS Proxy with an SSL/TLS connection to connect to the DB instance:

1. (Optional) When you create the Amazon RDS Proxy, turn on Require Transport Layer Security. You can also modify an existing Amazon RDS Proxy.
Note: When you change the parameter to Required, connections must use SSL/TLS. The Amazon RDS Proxy rejects plaintext connections. If you don't change the parameter, then the Amazon RDS Proxy can connect to the DB instance with or without SSL/TLS.

2. Download the Amazon Root CA 1 trust store .pem file from Amazon Trust Services:

wget https://www.amazontrust.com/repository/AmazonRootCA1.pem

3. Use SSL to connect to the DB instance:

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin --ssl-mode=REQUIRED --ssl-ca=AmazonRootCA1.pem -p

Or, to also verify the proxy's certificate against the CA file and check that its host name matches, run the following command to use SSL/TLS to connect to the DB instance:

mysql -h test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com -u admin --ssl-mode=VERIFY_IDENTITY --ssl-ca=AmazonRootCA1.pem -p

Note: The Amazon RDS Proxy uses wildcard certificates. If you use the MySQL client to connect with the SSL/TLS VERIFY_IDENTITY mode, then you must use the MySQL 8.0-compatible mysql command.

After you connect, the DB instance returns the following output:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12659040
Server version: 5.7.28-log
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
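As an added example that is not part of the original article or of AWS's own tooling, the following POSIX shell script wraps the reachability check from step 4 and the TLS-enforced mysql connection from the SSL/TLS steps above. It assumes nc and the mysql client are on PATH and that it runs on an EC2 instance in the proxy's VPC. It refuses ssl-mode values that allow a plaintext fallback, refuses VERIFY_IDENTITY when the installed client predates MySQL 8.0 (the wildcard-certificate caveat noted above), and checks that the CA file exists. The function names and the placeholder endpoint are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the article or from AWS. Wraps the nc
# reachability check and the TLS-enforced mysql connection shown above.
# Assumptions: nc and the mysql client are on PATH, and the script runs on
# an EC2 instance in the proxy's VPC (the proxy is never publicly reachable).
# Function names and the placeholder endpoint below are constructed here.

# Accept only client --ssl-mode values that force TLS. PREFERRED (the mysql
# client default) and DISABLED let the client fall back to plaintext whenever
# the proxy does not require TLS.
require_tls_mode() {
    case "$1" in
        REQUIRED|VERIFY_CA|VERIFY_IDENTITY) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the client major version from `mysql --version` output.
# 8.0 clients print "Ver 8.0.x ...", 5.7 clients print "Ver 14.14 Distrib 5.7.x",
# and the MariaDB client (different TLS flags) yields nothing here.
mysql_major_version() {
    case "$1" in
        *MariaDB*) ;;
        *Distrib*) printf '%s\n' "$1" | sed -n 's/.*Distrib \([0-9][0-9]*\)\..*/\1/p' ;;
        *)         printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9][0-9]*\)\..*/\1/p' ;;
    esac
}

# VERIFY_IDENTITY must match the proxy's wildcard certificate, which only the
# MySQL 8.0 client does (see the note above).
client_supports_verify_identity() {
    major=$(mysql_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge 8 ]
}

# Build the mysql argument string, refusing weak modes and a missing CA file.
# $1 proxy endpoint, $2 user, $3 ssl-mode, $4 CA bundle path
build_mysql_args() {
    require_tls_mode "$3" || { echo "refusing ssl-mode $3: allows plaintext" >&2; return 1; }
    [ -s "$4" ] || { echo "CA file missing or empty: $4" >&2; return 1; }
    printf '%s\n' "-h $1 -u $2 --ssl-mode=$3 --ssl-ca=$4 -p"
}

# Step 4: TCP reachability of the proxy endpoint (nc -zv, as in the article).
check_proxy_port() {
    nc -zv "$1" "${2:-3306}"
}

# Step 5 with TLS: connect through the proxy, defaulting to VERIFY_IDENTITY
# and the Amazon Root CA 1 file downloaded in the article.
connect_via_proxy() {
    endpoint=$1; user=$2; mode=${3:-VERIFY_IDENTITY}; ca=${4:-AmazonRootCA1.pem}
    if [ "$mode" = VERIFY_IDENTITY ] && \
       ! client_supports_verify_identity "$(mysql --version 2>/dev/null)"; then
        echo "VERIFY_IDENTITY needs the MySQL 8.0 client (proxy cert is a wildcard)" >&2
        return 1
    fi
    args=$(build_mysql_args "$endpoint" "$user" "$mode" "$ca") || return 1
    # shellcheck disable=SC2086  # splitting the argument string is intended
    mysql $args
}

# Usage (constructed placeholder endpoint; set RDS_PROXY_DEMO=1 to actually run):
if [ "${RDS_PROXY_DEMO:-0}" = 1 ]; then
    check_proxy_port test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com 3306 &&
    connect_via_proxy test-proxy.proxy-xxxxxxxxxxxxx.eu-west-1.rds.amazonaws.com admin
fi
```

The mode check matters because the proxy only rejects plaintext when Require Transport Layer Security is turned on; with the default proxy setting, a client left at PREFERRED negotiates TLS opportunistically and silently drops to plaintext if it can't, so the client side should pin REQUIRED or stronger regardless of the proxy setting.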

Related information

Troubleshooting for Amazon RDS Proxy

Using Amazon RDS Proxy

2 Comments

Why not use --ssl-ca=global-bundle.pem instead of --ssl-ca=AmazonRootCA1.pem?

replied 5 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 4 days ago