Hi, thanks for the answer!
According to this page, https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Replication.MySQL.html, Aurora does support native binlog replication, although apparently it does not use it for read replicas. Would it be possible to promote a read replica to a new cluster and enable MySQL binlog replication between the original cluster and the new one? Then I could redirect traffic to the new one once the replica lag is zero, minimizing the downtime.
From the documentation: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html
- You can't convert an unencrypted DB cluster to an encrypted one. However, you can restore an unencrypted snapshot to an encrypted Aurora DB cluster. To do this, specify a KMS key when you restore from the unencrypted snapshot.
- You can't create an encrypted Aurora Replica from an unencrypted Aurora DB cluster.
So the process could be something similar to the below:
- Schedule some down time for the application
- Stop all traffic to the database
- Create a final snapshot from the current unencrypted cluster
- Import that snapshot into a new encrypted cluster
- Bring up your application now pointing to the new cluster
Also note that Aurora does not use bin log replication - the replication is done on the storage layer and not within MySQL.
An alternative process to the one I mentioned above, to minimize downtime by creating a new encrypted cluster and replicating data to it before cutting over.
We are mostly following the guidance here: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Replication.MySQL.html
- Enable binary logging on the unencrypted Aurora cluster (note this requires a reboot as we are changing the cluster parameter group)
- Enable binary log retention on the unencrypted cluster. You do this by setting a configuration, as Aurora does not allow you access to the underlying logs
- Create a snapshot of the unencrypted database. This is a fairly straightforward process with the console or the AWS CLI
- Create a new encrypted cluster from the snapshot. The key step here is to make sure you have a KMS key and you use that KMS key id when restoring the snapshot (https://docs.aws.amazon.com/cli/latest/reference/rds/restore-db-cluster-from-snapshot.html shows the --kms-key-id parameter to use)
- Create a replication user on the unencrypted cluster
- Enable replication on the encrypted cluster
- Continue to replicate until ready to migrate
- When ready to migrate, stop all traffic to the unencrypted cluster
- Monitor replication to ensure it's complete to the encrypted cluster
- Stop replication (on both the encrypted cluster and the unencrypted cluster)
- Do some sanity checks, maybe shut down the unencrypted cluster cleanly
- Migrate the application to the new encrypted cluster
Please make sure you accept the answer if it helps!
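The replication-based procedure above, scripted end to end as an added example (not code from the thread, from AWS or from the linked documentation): AWS CLI calls for the snapshot and KMS-encrypted restore, and Aurora MySQL's `mysql.rds_*` stored procedures for retention, the external master and the cutover. Cluster ids, hostnames, the KMS alias, the replication account and its source CIDR are assumed; the mysql admin login comes from `~/.my.cnf` and `REPL_PASSWORD` from the environment, so no secret is passed on a command line.

```shell
#!/bin/sh
# Added example (not from the thread or AWS): the binlog-replication migration driven with
# the AWS CLI and Aurora's replication stored procedures. Identifiers below are assumed;
# mysql admin credentials come from ~/.my.cnf, REPL_PASSWORD from the environment.
set -eu
SRC_CLUSTER="legacy-unencrypted"; DST_CLUSTER="app-encrypted"    # assumed cluster ids
KMS_KEY_ID="alias/aurora-at-rest"; SNAPSHOT_ID="$SRC_CLUSTER-pre-encrypt"  # assumed key
SRC_HOST="$SRC_CLUSTER.cluster-EXAMPLE.us-east-1.rds.amazonaws.com"   # placeholder
DST_HOST="$DST_CLUSTER.cluster-EXAMPLE.us-east-1.rds.amazonaws.com"   # placeholder
REPL_USER="repl"; REPL_FROM="10.0.%"      # least privilege: only the replica's subnet

# Turn the restore event "Binlog position from crash recovery is <file> <pos>" into
# "<file> <pos>"; prints nothing if the message carries no coordinates.
parse_binlog_position() {
  printf '%s\n' "$1" | sed -n 's/.*crash recovery is \([^ ]*\) \([0-9][0-9]*\).*/\1 \2/p'
}

# Source side. binlog_format=ROW is set in the cluster parameter group beforehand (the
# writer reboots for it); retention must outlast the snapshot/restore/start window.
prepare_source() {
  mysql -h "$SRC_HOST" <<SQL
CALL mysql.rds_set_configuration('binlog retention hours', 144);
CREATE USER '$REPL_USER'@'$REPL_FROM' IDENTIFIED BY '${REPL_PASSWORD:?export REPL_PASSWORD}';
GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO '$REPL_USER'@'$REPL_FROM';
SQL
}

# --kms-key-id on the restore is what makes the new cluster encrypted at rest.
snapshot_and_restore_encrypted() {
  aws rds create-db-cluster-snapshot --db-cluster-identifier "$SRC_CLUSTER" --db-cluster-snapshot-identifier "$SNAPSHOT_ID"
  aws rds wait db-cluster-snapshot-available --db-cluster-snapshot-identifier "$SNAPSHOT_ID"
  aws rds restore-db-cluster-from-snapshot --db-cluster-identifier "$DST_CLUSTER" --snapshot-identifier "$SNAPSHOT_ID" --engine aurora-mysql --kms-key-id "$KMS_KEY_ID"
  aws rds create-db-instance --db-instance-identifier "$DST_CLUSTER-1" --db-cluster-identifier "$DST_CLUSTER" --engine aurora-mysql --db-instance-class db.r6g.large
  aws rds wait db-instance-available --db-instance-identifier "$DST_CLUSTER-1"
}

# Replica side, from the snapshot's coordinates ($1 = file, $2 = position). The final 1
# (ssl_encryption) assumes the source CA was loaded via mysql.rds_import_binlog_ssl_material.
start_replication() {
  mysql -h "$DST_HOST" <<SQL
CALL mysql.rds_set_external_master('$SRC_HOST', 3306, '$REPL_USER', '${REPL_PASSWORD:?}', '$1', $2, 1);
CALL mysql.rds_start_replication;
SQL
}

# Run only after application traffic to the source is stopped: wait for zero lag, then detach.
cutover_when_caught_up() {
  until [ "$(mysql -h "$DST_HOST" -e 'SHOW SLAVE STATUS\G' | awk '/Seconds_Behind_Master/ {print $2}')" = 0 ]; do sleep 5; done
  mysql -h "$DST_HOST" -e 'CALL mysql.rds_stop_replication; CALL mysql.rds_reset_external_master;'
}

if [ "${1:-}" = run ]; then   # the coordinates are assumed to arrive as a db-cluster event
  prepare_source; snapshot_and_restore_encrypted
  set -- $(parse_binlog_position "$(aws rds describe-events --source-identifier "$DST_CLUSTER" --source-type db-cluster --duration 1440 --output text --query 'Events[?contains(Message, `crash recovery`)].Message | [-1]')")
  start_replication "$1" "$2"; cutover_when_caught_up
fi
```

Invoke as `sh migrate.sh run`; sourcing it without the argument only defines the functions, which is what lets the coordinate parser be checked offline.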
Can you replicate bin-logs from an Aurora unencrypted cluster to a new Aurora encrypted cluster? Yes: see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Replication.MySQL.html as it has more details than I can cover here.
Alternative: consider AWS Data Migration Service: https://aws.amazon.com/dms/ (I know this better than replication). Even though DMS is intended for migrations between different database engines, it should work for the same database engine with different clusters. I would create a new cluster, migrate data via DMS in parallel, and then cut over.