Creating a proxy for Amazon Aurora

Engine family

The database network protocol the proxy recognizes when it interprets network traffic to and from the database.

Proxy identifier

A name that is unique within your AWS account ID and current AWS Region.

Idle client connection timeout

The proxy closes a client connection if it remains idle for a set period. By default, this is 1,800 seconds (30 minutes). A connection is idle when the application doesn’t submit a new request within the specified time after completing the previous request. The proxy keeps the underlying database connection open and returns it to the connection pool, making it available for new client connections.

To proactively remove stale connections, reduce the idle client connection timeout. To minimize connection costs during workload spikes, increase the timeout.

Database

The Aurora DB cluster to access through this proxy. The list only includes DB instances and clusters with compatible database engines, engine versions, and other settings. If the list is empty, create a new DB instance or cluster that's compatible with RDS Proxy. To do so, follow the procedure in Creating an Amazon Aurora DB cluster. Then, try creating the proxy again.

Connection pool maximum connections

A value between 1 and 100 that defines the percentage of the max_connections limit that RDS Proxy can use. If you only intend to use one proxy with this DB instance or cluster, set this value to 100. For more information about how RDS Proxy uses this setting, see MaxConnectionsPercent.

Session pinning filters

Prevents RDS Proxy from pinning certain detected session states, which bypasses default safety measures for multiplexing connections. Currently, PostgreSQL doesn't support this setting, and the only available option is EXCLUDE_VARIABLE_SETS. Enabling it might cause session variables from one connection to affect others, leading to errors or correctness issues if queries rely on session variables set outside the current transaction. Use this option only after confirming that your applications can safely share database connections.

The following patterns are considered safe:

For more information, see Avoiding pinning an RDS Proxy.

Connection borrow timeout

If you expect the proxy to use all available database connections, set the wait time before it returns a timeout error. You can specify up to five minutes. This setting applies only when the proxy has reached the maximum number of connections and all are in use.

Initialization query

Add or modify an initialization query by specifying one or more SQL statements for the proxy to run when it opens a new database connection. This setting is typically used with SET statements to ensure consistent connection settings. Make sure the query is valid, and use commas to separate multiple variables within a SET statement. For example:

SET variable1=value1, variable2=value2

For multiple statements, separate them with semicolons.

AWS Identity and Access Management (IAM) role

An IAM role with permission to access the Secrets Manager secrets, which represent the credentials for database user accounts that the proxy can use. Alternatively, you can create a new IAM role from the AWS Management Console.

Secrets Manager secrets

Choose at least one Secrets Manager secret that contains database user credentials that allow the proxy to access the Aurora DB cluster.

Client authentication type

The type of authentication the proxy uses for connections from clients. Your choice applies to all Secrets Manager secrets that you associate with this proxy. If you need to specify a different client authentication type for each secret, create your proxy by using the AWS CLI or the API instead.

IAM authentication

Whether to require or disallow IAM authentication for connections to your proxy. Your choice applies to all Secrets Manager secrets that you associate with this proxy. If you need to specify a different IAM authentication for each secret, create your proxy by using the AWS CLI or the API instead.

Require Transport Layer Security

Enforces TLS/SSL for all client connections. The proxy uses the same encryption setting for its connection to the underlying database, whether the client connection is encrypted or unencrypted.

Subnets

This field is prepopulated with all subnets associated with your VPC. You can remove any subnets not needed for the proxy, but you must leave at least two subnets.

VPC security group

Choose an existing VPC security group or create a new one from the AWS Management Console. Configure the inbound rules to allow your applications to access the proxy and the outbound rules to permit traffic from your database targets.

Note

The security group must allow connections from the proxy to the database. It serves both for ingress from your applications to the proxy and egress from the proxy to the database. For example, if you use the same security group for both the database and the proxy, make sure that resources within that security group can communicate with each other.

When you use a shared VPC, avoid using the default security group for the VPC or one associated with another account. Instead, select a security group that belongs to your account. If none exists, create one. For more information, see Work with shared VPCs.

RDS deploys a proxy across multiple Availability Zones to ensure high availability. To enable cross-AZ communication, the network access control list (ACL) for your proxy subnet must allow egress on the engine port and ingress on all ports. For more information about network ACLs, see Control traffic to subnets using network ACLs. If the network ACLs for your proxy and target are identical, you must add a TCP protocol ingress rule where the Source is set to the VPC CIDR. You must also add an engine-port-specific TCP protocol egress rule where the Destination is set to the VPC CIDR.

Activate enhanced logging

Enable this setting to troubleshoot proxy compatibility or performance issues. When enabled, RDS Proxy logs detailed performance information to help you debug SQL behavior or proxy connection performance and scalability.

Only enable this setting for debugging and ensure proper security measures are in place to protect sensitive information in the logs. To minimize overhead, RDS Proxy automatically disables this setting 24 hours after activation. Use it temporarily to troubleshoot specific issues.
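The settings above map one-to-one onto the RDS API that the CLI and SDKs call, and several of the page's constraints (at least two subnets, at least one secret, a connection pool percentage between 1 and 100, a borrow timeout of at most five minutes, no session pinning filters for PostgreSQL, per-secret IAM settings only outside the console) are easy to get wrong when scripting the creation. The following is an added example, not code from this page or from AWS: it builds and validates the request bodies for the three boto3 calls involved (create_db_proxy, register_db_proxy_targets, modify_db_proxy_target_group) using those parameter names, and only sends them when a boto3 client is supplied. Every ARN, subnet ID, security group ID, cluster identifier and proxy name below is a constructed placeholder.

```python
"""Build and validate RDS Proxy creation inputs for an Aurora cluster (added example).

Parameter names follow the boto3 RDS client. All resource identifiers here are
constructed placeholders; replace them with your own before calling AWS.
"""
import json

# Limits stated in the field descriptions on this page.
MAX_BORROW_TIMEOUT_SECONDS = 300      # "up to five minutes"
DEFAULT_IDLE_TIMEOUT_SECONDS = 1800   # console default (30 minutes)
MIN_SUBNETS = 2
PINNING_FILTERS = {"EXCLUDE_VARIABLE_SETS"}
ENGINE_FAMILIES = {"MYSQL", "POSTGRESQL"}


def build_auth_entries(secret_arns, iam_auth="DISABLED", client_auth_type=None, per_secret_iam=None):
    """One Auth entry per Secrets Manager secret.

    The console applies a single IAM setting and client auth type to every secret;
    per-secret overrides (per_secret_iam) are only possible through the CLI or API.
    """
    if not secret_arns:
        raise ValueError("choose at least one Secrets Manager secret")
    per_secret_iam = per_secret_iam or {}
    entries = []
    for arn in secret_arns:
        entry = {"AuthScheme": "SECRETS", "SecretArn": arn,
                 "IAMAuth": per_secret_iam.get(arn, iam_auth)}
        if client_auth_type:
            entry["ClientPasswordAuthType"] = client_auth_type
        entries.append(entry)
    return entries


def build_create_proxy_request(name, engine_family, role_arn, subnet_ids, security_group_ids,
                               auth, require_tls=True,
                               idle_client_timeout=DEFAULT_IDLE_TIMEOUT_SECONDS,
                               debug_logging=False):
    """Request body for create_db_proxy, checked against the page's constraints."""
    if engine_family not in ENGINE_FAMILIES:
        raise ValueError(f"engine family must be one of {sorted(ENGINE_FAMILIES)}")
    if len(subnet_ids) < MIN_SUBNETS:
        raise ValueError(f"a proxy needs at least {MIN_SUBNETS} subnets")
    if idle_client_timeout < 1:
        raise ValueError("idle client timeout must be a positive number of seconds")
    return {
        "DBProxyName": name,
        "EngineFamily": engine_family,
        "Auth": auth,
        "RoleArn": role_arn,             # role that may read the secrets above
        "VpcSubnetIds": list(subnet_ids),
        "VpcSecurityGroupIds": list(security_group_ids),
        "RequireTLS": require_tls,       # "Require Transport Layer Security"
        "IdleClientTimeout": idle_client_timeout,
        "DebugLogging": debug_logging,   # "Activate enhanced logging"; auto-disabled after 24 h
    }


def build_pool_config(engine_family, max_connections_percent=100, borrow_timeout=120,
                      session_pinning_filters=(), init_query=None):
    """ConnectionPoolConfig for modify_db_proxy_target_group."""
    if not 1 <= max_connections_percent <= 100:
        raise ValueError("MaxConnectionsPercent must be between 1 and 100")
    if not 0 <= borrow_timeout <= MAX_BORROW_TIMEOUT_SECONDS:
        raise ValueError(f"ConnectionBorrowTimeout must be at most {MAX_BORROW_TIMEOUT_SECONDS} s")
    filters = set(session_pinning_filters)
    if filters - PINNING_FILTERS:
        raise ValueError(f"unknown session pinning filter(s): {sorted(filters - PINNING_FILTERS)}")
    if filters and engine_family == "POSTGRESQL":
        raise ValueError("session pinning filters are not supported for PostgreSQL")
    config = {"MaxConnectionsPercent": max_connections_percent,
              "ConnectionBorrowTimeout": borrow_timeout}
    if filters:
        config["SessionPinningFilters"] = sorted(filters)
    if init_query:
        config["InitQuery"] = init_query   # e.g. "SET variable1=value1, variable2=value2"
    return config


def create_proxy(rds, request, cluster_id, pool_config):
    """Send the three calls in order; `rds` is a boto3 RDS client (not created here)."""
    rds.create_db_proxy(**request)
    rds.register_db_proxy_targets(DBProxyName=request["DBProxyName"], TargetGroupName="default",
                                  DBClusterIdentifiers=[cluster_id])
    rds.modify_db_proxy_target_group(DBProxyName=request["DBProxyName"], TargetGroupName="default",
                                     ConnectionPoolConfig=pool_config)


if __name__ == "__main__":
    # Constructed placeholders: two secrets, the second one requiring IAM authentication.
    secrets = ["arn:aws:secretsmanager:us-east-1:123456789012:secret:app-rw-PLACEHOLDER",
               "arn:aws:secretsmanager:us-east-1:123456789012:secret:app-ro-PLACEHOLDER"]
    auth = build_auth_entries(secrets, per_secret_iam={secrets[1]: "REQUIRED"})
    request = build_create_proxy_request(
        "example-aurora-proxy", "MYSQL", "arn:aws:iam::123456789012:role/rds-proxy-secrets-PLACEHOLDER",
        ["subnet-0aaa0000PLACEHOLDER", "subnet-0bbb0000PLACEHOLDER"], ["sg-0ccc0000PLACEHOLDER"], auth)
    pool = build_pool_config("MYSQL", borrow_timeout=60, session_pinning_filters=["EXCLUDE_VARIABLE_SETS"],
                             init_query="SET time_zone='+00:00', sql_mode='STRICT_ALL_TABLES'")
    print(json.dumps({"create_db_proxy": request, "ConnectionPoolConfig": pool}, indent=2))
    # To actually create it: create_proxy(boto3.client("rds"), request, "example-cluster", pool)
```

Run as-is the script only prints the validated request bodies; pass a real boto3 client to create_proxy to execute them. The TLS requirement is on by default in build_create_proxy_request because the proxy mirrors the client's encryption setting towards the database, so an unencrypted client side means an unencrypted database side as well.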