Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: Amazon VPC for Use with an Amazon RDS DB Instance  (Read 8635 times)

0 Members and 1 Guest are viewing this topic.

Vineesh K P

  • Guest
Amazon VPC for Use with an Amazon RDS DB Instance
« on: November 03, 2018, 06:09:06 pm »
Hello All,

In this article, we will be looking on how to set up Amazon VPC for using with an Amazon RDS DB instance.

It is a common scenario that an Amazon RDS DB instance in an Amazon VPC, that shares data with a web server that is running in the same VPC. In this tutorial you create the VPC for this scenario.


The diagram given below shows this scenario.

Because your Amazon RDS DB instance only needs to be available to your web server, and not to the public Internet, you create a VPC with both public and private subnets. The web server is hosted in the public subnet, so that it can reach the public Internet. The Amazon RDS DB instance is hosted in a private subnet. The web server is able to connect to the Amazon RDS DB instance because it is hosted within the same VPC, but the Amazon RDS DB instance is not available to the public Internet, providing greater security.

Step One - Create a VPC with Private and Public Subnets

Use the following procedure to create a VPC with both public and private subnets.

To create a VPC and subnets


  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • In the top-right corner of the AWS Management Console, choose the region to create your VPC in. This example uses the US West (Oregon) region.
  • In the upper-left corner, choose VPC Dashboard. To begin creating a VPC, choose Start VPC Wizard.
  • On the Step 1: Select a VPC Configuration page, choose VPC with Public and Private Subnets, and then choose Select.c
  • On the Step 2: VPC with Public and Private Subnets page, set these values:
Code: [Select]
IPv4 CIDR block: 10.0.0.0/16
IPv6 CIDR block: No IPv6 CIDR Block
VPC name: tutorial-vpc
Public subnet's IPv4 CIDR: 10.0.0.0/24
Availability Zone: us-west-2a
Public subnet name: Tutorial public
Private subnet's IPv4 CIDR: 10.0.1.0/24
Availability Zone: us-west-2a
Private subnet name: Tutorial Private 1
Instance type: t2.small
Important : If you do not see the Instance type box in the console, click Use a NAT instance instead. This link is on the right.
Key pair name: No key pair
Service endpoints: Skip this field.
Enable DNS hostnames: Yes
Hardware tenancy: Default

When you're finished, choose Create VPC.

Step Two - Create Additional Subnets

You must have either two private subnets or two public subnets available to create an Amazon RDS DB subnet group for an RDS DB instance to use in a VPC. Because the RDS DB instance for this tutorial is private, add a second private subnet to the VPC.

To create an additional subnet


  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • To add the second private subnet to your VPC, choose VPC Dashboard, choose Subnets, and then choose Create Subnet.
  • On the Create Subnet page, set these values:
    Name tag: Tutorial private 2

    VPC: Choose the VPC that you created in the previous step, for example: vpc-identifier (10.0.0.0/16) | tutorial-vpc

    Availability Zone: us-west-2b

    Note : Choose an Availability Zone that is different from the one that you chose for the first private subnet.

    IPv4 CIDR block: 10.0.2.0/24
  • When you're finished, choose Yes, Create.
  • To ensure that the second private subnet that you created uses the same route table as the first private subnet, choose VPC Dashboard, choose Subnets, and then choose the first private subnet that you created for the VPC, Tutorial private 1.
  • Below the list of subnets, choose the Route Table tab, and note the value for Route Table—for example: rtb-98b613fd.
  • In the list of subnets, deselect the first private subnet.
  • In the list of subnets, choose the second private subnet Tutorial private 2, and choose the Route Table tab.
  • If the current route table is not the same as the route table for the first private subnet, choose Edit. For Change to, choose the route table that you noted earlier—for example: rtb-98b613fd.
  • To save your selection, choose Save.

Step Three - Create a VPC Security Group for a Public Web Server

Next you create a security group for public access. To connect to public instances in your VPC, you add inbound rules to your VPC security group that allow traffic to connect from the internet.

To create a VPC security group


  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • Choose VPC Dashboard, choose Security Groups, and then choose Create Security Group.
  • On the Create Security Group page, set these values:
    Name tag: tutorial-securitygroup

    Group name: tutorial-securitygroup

    Description: Tutorial Security Group

    VPC: Choose the VPC that you created earlier, for example: vpc-identifier (10.0.0.0/16) | tutorial-vpc
  • To create the security group, choose Yes, Create.

To add inbound rules to the security group

  • Determine the IP address that you will use to connect to instances in your VPC. To determine your public IP address, you can use the service at https://checkip.amazonaws.com. An example of an IP address is 203.0.113.25/32.

    If you are connecting through an Internet service provider (ISP) or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers.

    Warning : If you use 0.0.0.0/0, you enable all IP addresses to access your public instances. This approach is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, you'll authorize only a specific IP address or range of addresses to access your instances.
  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • Choose VPC Dashboard, choose Security Groups, and then choose the tutorial-securitygroup security group that you created in the previous procedure.
  • Choose the Inbound Rules tab, and then choose Edit.
  • Set the following values for your new inbound rule to allow Secure Shell (SSH) access to your EC2 instance. If you do this, you can connect to your EC2 instance to install the web server and other utilities, and to upload content for your web server.

    Type: SSH (22)

    Source: The IP address or range from Step 1, for example: 203.0.113.25/32.
  • Choose Add another rule.
  • Set the following values for your new inbound rule to allow HTTP access to your web server.

    Type: HTTP (80)

    Source: 0.0.0.0/0.
  • To save your settings, choose Save.

Step Four - Create a VPC Security Group for a Private Amazon RDS DB Instance

To keep your Amazon RDS DB instance private, create a second security group for private access. To connect to private instances in your VPC, you add inbound rules to your VPC security group that allow traffic from your web server only.

To create a VPC security group


  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • Choose VPC Dashboard, choose Security Groups, and then choose Create Security Group.
  • On the Create Security Group page, set these values:

    Name tag: tutorial-db-securitygroup

    Group name: tutorial-db-securitygroup

    Description: Tutorial DB Instance Security Group

    VPC: Choose the VPC that you created earlier, for example: vpc-identifier (10.0.0.0/16) | tutorial-vpc
  • To create the security group, choose Yes, Create.

To add inbound rules to the security group

  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • Choose VPC Dashboard, choose Security Groups, and then choose the tutorial-db-securitygroup security group that you created in the previous procedure.
  • Choose the Inbound Rules tab, and then choose Edit.
  • Set the following values for your new inbound rule to allow MySQL traffic on port 3306 from your EC2 instance. If you do this, you can connect from your web server to your DB instance to store and retrieve data from your web application to your database.

    Type: MySQL/Aurora (3306)

    Source: The identifier of the tutorial-securitygroup security group that you created previously in this tutorial, for example: sg-9edd5cfb.
  • To save your settings, choose Save.

Step Five - Create a DB Subnet Group

A DB subnet group is a collection of subnets that you create in a VPC and that you then designate for your DB instances. A DB subnet group allows you to specify a particular VPC when creating DB instances.

To create a DB subnet group


  • Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
  • In the navigation pane, choose Subnet groups.
  • Choose Create DB Subnet Group.
  • On the Create DB subnet group page, set these values in Subnet group details:

    Name: tutorial-db-subnet-group

    Description: Tutorial DB Subnet Group

    VPC: tutorial-vpc (vpc-identifier)
  • In the Add subnets section, click the Add all the subnets related to this VPC link.
  • Choose Create.

Your new DB subnet group appears in the DB subnet groups list on the RDS console. You can click the DB subnet group to see details, including all of the subnets associated with the group, in the details pane at the bottom of the window.
« Last Edit: November 03, 2018, 11:49:00 pm by Vineesh K P »