8.3.1 Source Configuration When Using an Egress PrivateLink

If you are replicating from a database running in your AWS account using an Egress PrivateLink, configure your replication source and its surrounding network infrastructure with the following steps.
These are the prerequisites for this task:
  • Access to your AWS account through the AWS Console.
  • A MySQL source database (for example, a MySQL Community database inside your Amazon AWS tenancy), with ALL the configurations specified in Source Configuration.
  • Knowledge of the following information regarding your source database:
    • The VPC it is in
    • Its AWS Availability Zone IDs
    • Hostname and port of the source's primary endpoint
    • IP address of the source's primary endpoint. To find it, run the following command on any system that can resolve the source's private IP address (Amazon RDS and Aurora hostnames can be resolved from any Internet-connected machine):
      nslookup <source instance hostname>
Do the following to configure your source and its surrounding network infrastructure:
  1. Create and configure a Target Group:
    • Go to AWS Console > EC2 > Target Groups (also reachable from the console's navigation pane under Load Balancing), and select Create target group.
    • Under Basic configuration
      • Select IP addresses
      • Add a Target group name
      • For Protocol: Port, select TCP for protocol, and enter the port number of your source.
      • Under VPC, select the VPC in which the source is located. Targets in this VPC are the ones the Target Group can include.
    • Under Health checks
      • Select TCP for Health check protocol
      • Under Advanced health check settings, select Override, and enter any port number other than the port for your source (e.g., 40000). This is to prevent a loss of connection on the PrivateLink.
    • Click Next, to go to the Register targets page
    • Go to Step 2 on the Register targets page and enter the IP addresses for your source (see the prerequisites above).
    • Under Ports, make sure the port number for the source is correct.
    • Click Include as pending below, then click Create target group.
  2. Create and configure a Network Load Balancer:
    • Navigate to the AWS Console > EC2 > Load Balancers, and click Create load balancer. The Compare and select load balancer type page opens.
    • Under Load balancer types, select Network Load Balancer by clicking the Create button under its description. The Create Network Load Balancer page opens.
    • Enter a Load balancer name.
    • For Scheme, select Internal.
    • Under Network mapping:
      • Make sure the source's VPC is selected.
      • For Mappings, select the Availability Zone IDs for your source.

        Note: Instead of the Availability Zone names, use the Availability Zone IDs when you make your selections.

        Note: Your target DB System in HeatWave on AWS must be in one of the Availability Zones you select here. See the discussion on Availability Zone selection in Creating a DB System.

      • For each of the Availability Zone IDs you selected, pick a private Subnet
    • Under Security Groups, click Create a new security group. On the Create security group page that opens, configure the following, then click Create security group:
      • Security group name: Give a group name.
      • Description: Give a description.
      • For VPC, select the source's VPC.
      • For Inbound rules and Outbound rules, keep the default configurations.
    • Go back to the Create Network Load Balancer page and, under Security Groups, select the security group you just created and deselect any other security groups.
    • Under Listeners and routing, set the listener Port to the port the source is on, set Default action to Forward to, and select the target group you created in Step 1 above.
    • Click Create load balancer. The load balancer is created.
    • In AWS Console > EC2 > Load Balancers, select the load balancer you just created. Its configuration page opens.
    • Scroll down and select the Security tab. Make sure Enforce inbound rules on PrivateLink traffic is Off. If it is not, click Edit and then deselect it.
  3. Allow your source instance to receive traffic from your Network Load Balancer (the following steps use a MySQL instance on AWS RDS as an example):
    • Go to AWS Console > RDS > Databases and open your instance. Under Connectivity and security > Security, click the security group associated with the database instance. The Security Groups page opens.
    • Check the security group, and then select Edit inbound rules under Actions. The Edit inbound rules page opens.
    • Click Add rule and add a new rule with the following specifications:
      • Choose Custom TCP for Type.
      • For Source, choose Custom, then search for and select the security group created in Step 2 above for the Network Load Balancer.
      • Enter the source instance's port number for Port Range.
      • Provide an optional Description.
    • Click Save rules.
  4. Create and configure an endpoint service:
    • Navigate to AWS Console > VPC > Endpoint services, and click Create endpoint service. The Create endpoint service page opens.
    • Configure your endpoint service with the following information:
      • Load balancer type: Select Network.
      • Under Available load balancers, select the load balancer you created in Step 2 above.
      • Under Additional settings:
        • Select Acceptance required
        • Select IPv4 for Supported IP address types
        • Ensure Enable private DNS names is NOT selected.
    • Click Create. Note the Service name under Details of the VPC endpoint service you created. You will need it to configure your Egress PrivateLink.
    • Navigate to AWS Console > VPC > Endpoint services, choose the endpoint service you just created, and then under Actions choose Allow principals. The Allow principals page opens.
    • Under Principals to add, add the ARN of the HeatWave on AWS account:
      arn:aws:iam::612981981079:root
    • Click Allow principals.
You are now ready to create an Egress PrivateLink. See Creating a PrivateLink for instructions.
After an Egress PrivateLink is created, you need to return to the Endpoint Service page to explicitly accept the connection.
  • Navigate to AWS Console > VPC > Endpoint services and choose the endpoint service you created in Step 4 above.
  • On the Endpoint connections tab, choose the Endpoint ID that matches the Endpoint ID of your Egress PrivateLink (see PrivateLink Details page for the information). Do not accept connections from any unknown Endpoint IDs.
  • Under Actions choose Accept endpoint connection request.
  • In the Accept endpoint connection request dialog box that opens, type "accept" in the accept field, and click Accept.
The State of the Endpoint ID becomes Available after some time, and the endpoint connection is now established.
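The console procedure above (Steps 1 to 4) and the connection-acceptance procedure that follows it can also be expressed with the AWS CLI. The script below is an added example, not part of the HeatWave on AWS documentation: it prints the CLI equivalent of each console step as a plan that you review before piping it to a shell, so every security-relevant choice (internal scheme, health check on a port other than the source port, "Enforce inbound rules on PrivateLink traffic" off, acceptance required, no private DNS name, only the HeatWave on AWS account as an allowed principal, and acceptance of only the expected endpoint ID) is visible on one screen. All resource identifiers (the VPC, subnets, security groups, the source IP, and the resource names hw-source-tg, hw-source-nlb, hw-source-nlb-sg) are constructed placeholders, except the HeatWave on AWS principal ARN, which is the one given in Step 4; the CLI flag names are the standard elbv2 and ec2 ones.

```shell
#!/bin/sh
# Added example (not from the HeatWave on AWS documentation): prints the AWS CLI
# equivalent of the console steps as a reviewable plan.
#   sh privatelink-source-plan.sh            # print the plan and review it
#   sh privatelink-source-plan.sh | sh       # apply it (the plan starts with set -e)
# Every identifier below is a constructed placeholder except HEATWAVE_PRINCIPAL.

SOURCE_VPC="vpc-0abc1234567890def"          # constructed: the VPC the source is in
SOURCE_IP="10.0.1.25"                       # constructed: nslookup result for the source endpoint
SOURCE_PORT="3306"
SOURCE_DB_SG="sg-0db0000000000000a"         # constructed: security group on the RDS instance
SUBNETS="subnet-0aaa000000000000a subnet-0bbb000000000000b"  # constructed: one private subnet per AZ ID
HEATWAVE_PRINCIPAL="arn:aws:iam::612981981079:root"          # from Step 4 of the page

# Step 1: IP-type target group; health check overridden to a port other than the source's.
target_group_cmd() {  # NAME PORT VPC HC_PORT
  printf 'TG_ARN=$(aws elbv2 create-target-group --name %s --target-type ip --protocol TCP --port %s --vpc-id %s --health-check-protocol TCP --health-check-port %s --query "TargetGroups[0].TargetGroupArn" --output text)\n' "$1" "$2" "$3" "$4"
}
register_target_cmd() {  # IP PORT
  printf 'aws elbv2 register-targets --target-group-arn "$TG_ARN" --targets Id=%s,Port=%s\n' "$1" "$2"
}

# Step 2: dedicated security group, internal NLB, listener forwarding to the target
# group, and "Enforce inbound rules on PrivateLink traffic" turned off.
nlb_sg_cmd() {  # NAME VPC
  printf 'NLB_SG=$(aws ec2 create-security-group --group-name %s --description "NLB for HeatWave egress PrivateLink" --vpc-id %s --query GroupId --output text)\n' "$1" "$2"
}
nlb_cmd() {  # NAME "SUBNET SUBNET ..."
  printf 'NLB_ARN=$(aws elbv2 create-load-balancer --name %s --type network --scheme internal --subnets %s --security-groups "$NLB_SG" --query "LoadBalancers[0].LoadBalancerArn" --output text)\n' "$1" "$2"
}
nlb_privatelink_cmd() {
  printf 'aws elbv2 set-security-groups --load-balancer-arn "$NLB_ARN" --security-groups "$NLB_SG" --enforce-security-group-inbound-rules-on-private-link-traffic off\n'
}
listener_cmd() {  # PORT
  printf 'aws elbv2 create-listener --load-balancer-arn "$NLB_ARN" --protocol TCP --port %s --default-actions Type=forward,TargetGroupArn="$TG_ARN"\n' "$1"
}

# Step 3: allow only the NLB's security group to reach the source port.
db_ingress_cmd() {  # DB_SG PORT
  printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s --source-group "$NLB_SG"\n' "$1" "$2"
}

# Step 4: endpoint service with acceptance required, IPv4 only, no private DNS name
# (the flag is simply not passed), then the HeatWave on AWS account as allowed principal.
endpoint_service_cmd() {
  printf 'SVC_ID=$(aws ec2 create-vpc-endpoint-service-configuration --network-load-balancer-arns "$NLB_ARN" --acceptance-required --supported-ip-address-types ipv4 --query ServiceConfiguration.ServiceId --output text)\n'
  printf 'aws ec2 describe-vpc-endpoint-service-configurations --service-ids "$SVC_ID" --query "ServiceConfigurations[0].ServiceName" --output text\n'
}
allow_principal_cmd() {  # PRINCIPAL_ARN
  printf 'aws ec2 modify-vpc-endpoint-service-permissions --service-id "$SVC_ID" --add-allowed-principals %s\n' "$1"
}

# After the Egress PrivateLink exists: accept only the endpoint ID shown on the
# PrivateLink Details page; any other pending connection is left untouched.
accept_connection_cmd() {  # EXPECTED_VPCE_ID
  printf 'PENDING=$(aws ec2 describe-vpc-endpoint-connections --filters Name=service-id,Values="$SVC_ID" Name=vpc-endpoint-state,Values=pendingAcceptance --query "VpcEndpointConnections[].VpcEndpointId" --output text)\n'
  printf 'case " $PENDING " in *"%s"*) aws ec2 accept-vpc-endpoint-connections --service-id "$SVC_ID" --vpc-endpoint-ids %s ;; *) echo "expected %s is not pending (pending: $PENDING)" >&2; exit 1 ;; esac\n' "$1" "$1" "$1"
}

plan() {
  echo 'set -e'
  target_group_cmd hw-source-tg "$SOURCE_PORT" "$SOURCE_VPC" 40000
  register_target_cmd "$SOURCE_IP" "$SOURCE_PORT"
  nlb_sg_cmd hw-source-nlb-sg "$SOURCE_VPC"
  nlb_cmd hw-source-nlb "$SUBNETS"
  nlb_privatelink_cmd
  listener_cmd "$SOURCE_PORT"
  db_ingress_cmd "$SOURCE_DB_SG" "$SOURCE_PORT"
  endpoint_service_cmd
  allow_principal_cmd "$HEATWAVE_PRINCIPAL"
  echo '# Uncomment and run after the Egress PrivateLink has been created, with the ID from its Details page:'
  accept_connection_cmd vpce-EXPECTED-ID-FROM-PRIVATELINK-DETAILS | sed 's/^/# /'
}

plan
```

The acceptance step is emitted commented out because it can only succeed once the Egress PrivateLink exists; it lists the connections in the pendingAcceptance state for the service and accepts the expected endpoint ID only if it is among them, which is the CLI form of "Do not accept connections from any unknown Endpoint IDs".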