Prepare source database

To set up PrivateLink for a database hosted on AWS RDS or AWS Aurora:

1. Create an RDS Proxy that will route requests to your database (MySQL and SQL Server only).
2. Create a network load balancer that will route incoming requests to the RDS proxy (or directly to the database for PostgreSQL).
3. Create an endpoint service through AWS PrivateLink.

Create RDS proxy

In the AWS Management Console, use the Services menu to locate and select Database > Aurora and RDS. Create an RDS proxy that can access your database.

The Proxy's IAM role must have the following permissions to access the database using the credentials secret and encryption key:

• secretsmanager:GetSecretValue
• secretsmanager:DescribeSecret
• kms:Decrypt

You can set the proxy's IAM role during creation in the Authentication section.

Create network load balancer

In the AWS Management Console, use the Services menu to locate and select Compute > EC2. Create a network load balancer with the following settings:

1. In Basic configuration:

   • Scheme: Select Internal.
   • Load balancer IP address type: Select IPv4.

2. In Network mapping, select the VPC and availability zone associated with your source database.

3. In Security groups, select the security group associated with your source database, or another security group that allows traffic from PrivateLink and allows traffic to the database.

4. In Listeners and routing:

   1. Select Create target group to create a target group with the following settings:

      1. In Specify group details:

         • Target type: Select IP Addresses.
         • Protocol : Port: Select TCP, and then enter the port number where your database is exposed.
         • The IP address type and VPC should be selected already and match the VPC you selected earlier.

      2. In Register targets, enter the static IP address of your RDS proxy (for MySQL and SQL Server) or your database (for PostgreSQL), enter the port, and select Include as pending below. Then, select Create target group to create your target group. Return to Listeners and routing in the Network Load Balancer setup.

         For MySQL and SQL Server: To get the static IP address of your RDS Proxy, run the following command on an EC2 instance in the same VPC as the Proxy:

         $ nslookup <proxy-endpoint>
         

         Replace <proxy-endpoint> with the endpoint of your RDS proxy.

         For PostgreSQL: To get the static IP address of your database, run the following command on an EC2 instance in the same VPC as the database:

         $ nslookup <database-endpoint>
         

         Replace <database-endpoint> with the endpoint of your RDS or Aurora PostgreSQL database.

   2. Set the following Listener properties:
      • Protocol: Select TCP.
      • Port: Enter your source database's port.
      • Default action: Select the target group you created in the previous step.

5. Review the network load balancer settings, and then select Create load balancer to continue.

6. After the network load balancer is active, select Security.

   If you selected the same security group as your source database, you must not enforce security group rules on PrivateLink traffic. Select Edit and then deselect Enforce inbound rules on PrivateLink traffic, and then select Save changes.

7. Select the security group ID to open the Security group settings.

8. Select Edit inbound rules, then Add rule to add a rule with the following settings:

   • Type: Select HTTP.
   • Source: Select Anywhere - IPv4. Select Save rules to save your changes.

Create endpoint service

In the AWS Management Console, use the Services menu to locate and select Networking & Content Delivery > VPC. There, select PrivateLink and Lattice > Endpoint services. Create an endpoint service with the following settings:

1. In Available load balancers, select the network load balancer you created.
2. In Additional settings, choose the following settings:
   • Require acceptance for endpoint: Select Acceptance required.
   • Supported IP address types: Select IPv4.
3. Select Create to create the endpoint service.

After you create the endpoint service, you need to add Redis Cloud as an Allowed Principal on your endpoint service VPC permissions.

1. In the Redis Cloud Console, copy the Amazon Resource Name (ARN) provided in the Setup connectivity section.
2. Return to the endpoint service list on the Amazon VPC console. Select the endpoint service you just created.
3. Navigate to Allow principals tab.
4. Add the Redis Cloud ARN you copied and choose Allow principals.
5. Save the service name for later.

For more details on AWS PrivateLink, see Share your services through AWS PrivateLink.

In the AWS Management Console, use the Services menu to locate and select Security, Identity, and Compliance > Secrets Manager. Create a secret of type Other type of secret with the following settings:

• Key/value pairs: Select Plaintext and enter the server certificate.

• Encryption key: Select the encryption key you created earlier.

• Resource permissions: Add the following permissions to your secret to allow the Redis data pipeline to access your secret. Replace <AWS ACCOUNT ID> with the AWS account ID for the Redis Cloud cluster that you saved earlier.

{
    "Version" : "2012-10-17",
    "Statement" : [ {
        "Sid" : "RedisDataIntegrationRoleAccess",
        "Effect" : "Allow",
        "Principal" : "*",
        "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ],
        "Resource" : "*",
        "Condition" : {
            "StringLike" : {
                "aws:PrincipalArn" : "arn:aws:iam::<AWS ACCOUNT ID>:role/redis-data-pipeline-secrets-role"
            }
        }
    } ]
}

After you store this secret, you can view and copy the Amazon Resource Name (ARN) of your secret on the secret details page. Save the secret ARN to use when you define your source database.

In the AWS Management Console, use the Services menu to locate and select Security, Identity, and Compliance > Secrets Manager. Create a secret of type Other type of secret with the following settings:

• Key/value pairs: Select Plaintext and enter the client certificate.

• Encryption key: Select the encryption key you created earlier.

• Resource permissions: Add the following permissions to your secret to allow the Redis data pipeline to access your secret. Replace <AWS ACCOUNT ID> with the AWS account ID for the Redis Cloud cluster that you saved earlier.

{
    "Version" : "2012-10-17",
    "Statement" : [ {
        "Sid" : "RedisDataIntegrationRoleAccess",
        "Effect" : "Allow",
        "Principal" : "*",
        "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ],
        "Resource" : "*",
        "Condition" : {
            "StringLike" : {
                "aws:PrincipalArn" : "arn:aws:iam::<AWS ACCOUNT ID>:role/redis-data-pipeline-secrets-role"
            }
        }
    } ]
}

After you store this secret, you can view and copy the Amazon Resource Name (ARN) of your secret on the secret details page. Save the secret ARN to use when you define your source database.

Use the AWS CLI create-secret command or the AWS CreateSecret API endpoint to create a binary secret containing the client key.

For example, using the AWS CLI, run the following command:

aws secretsmanager create-secret \
    --name <secret-name> \
    --secret-binary fileb://<path-to-client-key> \
    --kms-key-id <encryption-key-arn> 

Where:

• <secret-name> - Name of the secret
• <path-to-client-key> - Path to the client key file
• <encryption-key-arn> - ARN of the encryption key you created earlier

After you create the secret, you need to add permissions to allow the data pipeline to access it.

In the AWS Management Console, use the Services menu to locate and select Security, Identity, and Compliance > Secrets Manager. Select the private key secret you just created and then select Edit permissions.

Add the following permissions to your secret. Replace <AWS ACCOUNT ID> with the AWS account ID for the Redis Cloud cluster that you saved earlier.

{
    "Version" : "2012-10-17",
    "Statement" : [ {
        "Sid" : "RedisDataIntegrationRoleAccess",
        "Effect" : "Allow",
        "Principal" : "*",
        "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ],
        "Resource" : "*",
        "Condition" : {
            "StringLike" : {
                "aws:PrincipalArn" : "arn:aws:iam::<AWS ACCOUNT ID>:role/redis-data-pipeline-secrets-role"
            }
        }
    } ]
}

After you store this secret, you can view and copy the Amazon Resource Name (ARN) of your secret on the secret details page. Save the secret ARN to use when you define your source database.

In the AWS Management Console, use the Services menu to locate and select Security, Identity, and Compliance > Secrets Manager. Create a secret of type Other type of secret with the following settings:

• Key/value pairs: Select Plaintext and enter the client key passphrase.

• Encryption key: Select the encryption key you created earlier.

• Resource permissions: Add the following permissions to your secret to allow the Redis data pipeline to access your secret. Replace <AWS ACCOUNT ID> with the AWS account ID for the Redis Cloud cluster that you saved earlier.

{
    "Version" : "2012-10-17",
    "Statement" : [ {
        "Sid" : "RedisDataIntegrationRoleAccess",
        "Effect" : "Allow",
        "Principal" : "*",
        "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ],
        "Resource" : "*",
        "Condition" : {
            "StringLike" : {
                "aws:PrincipalArn" : "arn:aws:iam::<AWS ACCOUNT ID>:role/redis-data-pipeline-secrets-role"
            }
        }
    } ]
}

After you store this secret, you can view and copy the Amazon Resource Name (ARN) of your secret on the secret details page. Save the secret ARN to use when you define your source database.