Amazon Relational Database Service
User Guide (API Version 2012-04-23)

Amazon RDS and Amazon Virtual Private Cloud (VPC)

Important

You should have an understanding of how Amazon VPC works before reading this section. Please refer to the Amazon Virtual Private Cloud documentation for detailed information about Amazon VPC.

Amazon Virtual Private Cloud enables you to create a virtual network in the AWS cloud. With a Virtual Private Cloud (VPC), you can define a virtual network that closely resembles a traditional data center. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of routing and access control lists.

The basic functionality of Amazon RDS is the same when using Amazon VPC; Amazon RDS manages backups, software patching, automatic failure detection and recovery whether your DB Instances are deployed inside or outside a VPC.

Note

Multi-AZ deployments are not supported for DB Instances running in a VPC.

Amazon RDS DB Instances deployed outside a VPC are assigned an external IP address (to which the Endpoint/DNS Name resolves) that provides connectivity from EC2 or the Internet. In Amazon VPC, Amazon RDS DB instances have only a private IP address within a subnet that you define, and a random IP address from that subnet is chosen and assigned to the DNS name of the DB Instance.

Prerequisites

Following are the prerequisites for creating a DB Instance within a VPC:

  • You need to have a VPC set up with at least one subnet created in every Availability Zone in the Region you want to deploy your DB Instance.

  • You need to have a DB Subnet Group defined for your VPC.

  • You need to have a DB Security Group defined for your VPC (or you can use the default provided).

  • You should allocate adequately large CIDR blocks to each of your subnets so that there are spare IP addresses for Amazon RDS to use during maintenance activities, including failover and compute scaling.

When creating a DB Instance in VPC, you will need to create or select a DB Subnet Group. Amazon RDS uses that DB Subnet Group and your preferred Availability Zone to select a subnet and an IP address within that subnet to associate with your DB Instance.

DB Subnet Groups

A DB Subnet Group for a VPC is a collection of subnets (typically private) that you may want to designate for your backend RDS DB Instances. Each DB Subnet Group should have at least one subnet for every Availability Zone in a given Region. When creating a DB Instance in VPC, you will need to select a DB Subnet Group. Amazon RDS uses that DB Subnet Group and your preferred Availability Zone to select a subnet and an IP address within that subnet to associate with your DB Instance.

You must specify a subnet for every Availability Zone while defining a DB Subnet Group. In case the primary DB Instance of a Multi-AZ deployment fails, Amazon RDS can promote the corresponding standby and subsequently create a new standby using an IP address of the subnet in one of the other Availability Zones.

While creating a DB Instance in a VPC, Amazon RDS associates an Elastic Network Interface to your DB Instance using the IP address selected from your DB Subnet Group. However, we strongly recommend you use the DNS Name to connect to your DB Instance as the underlying IP address can change during failover.
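The prerequisites above amount to two checks on a DB Subnet Group: one subnet per Availability Zone in the Region, and enough spare addresses in each subnet for Amazon RDS to use during failover and scaling. The following script is an added example, not part of the Amazon RDS documentation; the subnet records are constructed (shaped like EC2 DescribeSubnets output), and the eight-address headroom is an assumed threshold, not an AWS-published figure.

```python
import ipaddress

# Constructed sample, shaped like the subnets returned by EC2 DescribeSubnets (not real data).
REGION_AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]
DB_SUBNET_GROUP = [
    {"SubnetId": "subnet-aaaa0001", "AvailabilityZone": "us-east-1a",
     "CidrBlock": "10.0.1.0/24", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-aaaa0002", "AvailabilityZone": "us-east-1b",
     "CidrBlock": "10.0.2.0/28", "AvailableIpAddressCount": 3},
]

# AWS reserves 5 addresses in every VPC subnet (the first four and the last one).
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr):
    """Addresses a subnet can actually hand out once AWS's reserved ones are removed."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def check_db_subnet_group(subnets, region_azs, min_spare=8):
    """Return (problem, subject) pairs; an empty list means the group meets the prerequisites.

    min_spare is an assumed headroom: addresses Amazon RDS can take for maintenance,
    failover and compute scaling without the subnet running dry.
    """
    problems = []
    covered = {s["AvailabilityZone"] for s in subnets}
    for az in region_azs:
        if az not in covered:  # RDS needs one subnet in every Availability Zone
            problems.append(("missing_az", az))
    for s in subnets:
        if usable_addresses(s["CidrBlock"]) < min_spare:  # CIDR block itself is too small
            problems.append(("cidr_too_small", s["SubnetId"]))
        elif s["AvailableIpAddressCount"] < min_spare:  # large enough, but nearly exhausted
            problems.append(("low_free_addresses", s["SubnetId"]))
    return problems


if __name__ == "__main__":
    for kind, subject in check_db_subnet_group(DB_SUBNET_GROUP, REGION_AZS):
        print(f"{kind}: {subject}")
```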

Levels of Privacy

When you create a VPC, you can configure it based on the level of privacy you want. In the most private scenario, you can attach only a virtual private gateway, and create an IPsec tunnel between your VPC and home network. In this scenario, your EC2 instances have no direct exposure to the Internet.

You can configure your VPC to be somewhere in between, with both a virtual private gateway and an Internet gateway. Here, some instances could receive Internet traffic (e.g., web servers), whereas others could remain unexposed (e.g., database servers). This is a common scenario for running a multi-tier web application in the AWS cloud.

These different scenarios are discussed in more detail in the Amazon VPC documentation.

Routing and Security

You can configure routing in your VPC to control where traffic flows (e.g., to the Internet gateway, virtual private gateway, etc.). With an Internet gateway, your VPC has direct access to other AWS products such as Amazon Simple Storage Service (Amazon S3). If you choose to have only a virtual private gateway with a connection to your home network, you can route your Internet-bound traffic over the VPN and control its egress with your security policies and corporate firewall. In the latter case, you incur additional bandwidth charges when accessing AWS products over the Internet.

You can use DB Security Groups, network ACLs, and VPC Security Groups to help secure the instances in your VPC. Security groups act like a firewall at the instance level, whereas network ACLs are an additional layer of security that act at the subnet level.

Note

If you associate a VPC to a DB Security Group, all the access rules within that DB Security Group should be either from VPC Security Groups or IP ranges. EC2 Security Groups and VPC Security Groups are not interchangeable.

DB Instances deployed within an Amazon VPC can be accessed by Amazon EC2 Instances deployed in the same VPC. If these EC2 Instances are deployed in a public subnet with associated Elastic IPs, you can access the EC2 Instances via the internet.
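The guidance above (security groups as an instance-level firewall, DB Security Group rules sourced only from VPC Security Groups or IP ranges, database servers unexposed to the Internet) can be turned into a simple audit of a database tier's ingress rules. This is an added example, not part of the Amazon RDS documentation; the group below is constructed in the shape of EC2 DescribeSecurityGroups output, and the /8 breadth threshold and the MySQL port are assumptions for the sample.

```python
import ipaddress

DB_PORT = 3306  # assumed: the sample database is MySQL on its default port

# Constructed sample, shaped like EC2 DescribeSecurityGroups output (not a real group).
DB_SECURITY_GROUP = {
    "GroupId": "sg-0db00001", "VpcId": "vpc-0abc0001",
    "IpPermissions": [
        # rule 0, fine: database port only from the application tier's VPC security group
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-0app0001", "VpcId": "vpc-0abc0001"}],
         "IpRanges": []},
        # rule 1, bad: database port reachable from the whole Internet
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # rule 2, bad: a non-database port admitted on the database tier
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}


def audit_db_security_group(sg, db_port=DB_PORT, min_prefixlen=8):
    """Return (rule_index, finding) pairs for ingress rules that stray from the guidance."""
    findings = []
    for i, perm in enumerate(sg["IpPermissions"]):
        all_traffic = perm["IpProtocol"] == "-1"  # "-1" means every protocol and port
        if all_traffic or perm.get("FromPort") != db_port or perm.get("ToPort") != db_port:
            findings.append((i, "rule admits traffic beyond the database port"))
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen < min_prefixlen:  # /0 .. /7 is effectively "the Internet"
                findings.append((i, f"CIDR {rng['CidrIp']} is far too broad for a database tier"))
        for pair in perm.get("UserIdGroupPairs", []):
            # a pair without VpcId is taken to be in this VPC; anything else is a foreign group
            if pair.get("VpcId", sg["VpcId"]) != sg["VpcId"]:
                findings.append((i, f"group {pair['GroupId']} is not a security group in this VPC"))
    return findings


if __name__ == "__main__":
    for rule, finding in audit_db_security_group(DB_SECURITY_GROUP):
        print(f"rule {rule}: {finding}")
```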

Note

We strongly recommend you use the DNS Name to connect to your DB Instance as the underlying IP address can change during failovers.

DB Instances deployed within a VPC can be accessed from the Internet or from EC2 Instances outside the VPC via bastion hosts that you can launch in your public subnet or via VPN. You will need to set up a public subnet with an EC2 instance that acts as an SSH bastion. This public subnet must have an Internet gateway and routing rules that allow traffic to be directed via the SSH host, which must then forward requests to the private IP address of your RDS DB Instance. You can also set up a VPN Gateway that extends your corporate network into your VPC and allows access to the RDS DB Instance in that VPC.

Important

Please refer to the Amazon Virtual Private Cloud documentation for detailed information about Amazon VPC.

For more information on using Amazon RDS with Amazon Virtual Private Cloud, go to Using Amazon RDS with Amazon Virtual Private Cloud (VPC).

Amazon VPC Documentation

Amazon VPC has its own set of documentation to describe how to create and use your VPC. The following table gives links to the Amazon VPC guides.

Description: How to get started using Amazon VPC
Documentation: Amazon Virtual Private Cloud Getting Started Guide

Description: How to use Amazon VPC through the AWS Management Console
Documentation: Amazon Virtual Private Cloud User Guide

Description: Complete descriptions of all the Amazon VPC commands
Documentation: Amazon Elastic Compute Cloud Command Line Reference (the Amazon VPC commands are part of the Amazon EC2 reference)

Description: Complete descriptions of the Amazon VPC API actions, data types, and errors
Documentation: Amazon Elastic Compute Cloud API Reference (the Amazon VPC API actions are part of the Amazon EC2 reference)

Description: Information for the network administrator who needs to configure the gateway at your end of an optional IPsec VPN connection
Documentation: Amazon Virtual Private Cloud Network Administrator Guide