SSL replication between Aurora clusters

0

A customer is trying to figure out how to make encrypted replication between Aurora clusters in different regions. We have documentation for such a use case here - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Replication.MySQL.html - but it's not very clear. It suggests generating keys using openssl on the source instance and importing them, but how is that going to work if the destination cluster uses our own CA to issue the public key? If the source keys are self-generated and the destination cluster uses a different CA, how are they going to trust each other?

AWS
asked 5 years ago, 580 views
1 Answer
0
Accepted Answer

At this time, you cannot establish TLS encrypted binlog replication between two Aurora clusters when you set up binlog replication manually between the clusters. The link you provided outlines the process if you plan to replicate between on-premises (or EC2-based) MySQL and Aurora, where you have full access to the master OS and file system.

However, if you use our managed Cross-Region Read Replica capability in Aurora, then we will encrypt the binlog traffic across regions using an underlying tunnel managed by the service. Is there a reason the customer can't use cross-region read replicas?

AWS
EXPERT
answered 5 years ago
