How to move AWS RDS Aurora Postgres cluster into Private Subnet

Oleksandr Hanhaliuk
2 min read · Jun 14, 2024

Background

The idea for this article came to me after I hadn’t found any solution on the Internet.

You might put your Aurora Postgres RDS cluster into a public subnet by mistake, or simply because you never thought it would end up in production. Later, you realise you need a more secure environment, and the database has to move into private subnets.

You might refer me to this article. However, it works only for RDS databases that support Multi-AZ deployment. The article provides more details.

For databases that don’t support Multi-AZ deployment, you need to perform some manual operations to prevent data loss.

Implementation

I. Prepare a maintenance window for your applications. The database cluster can be unavailable for approximately 1 hour.

II. Create a new subnet group with private subnets: RDS → Subnet groups → Create

III. Create a cluster snapshot: RDS → Select cluster → Create snapshot

IV. Restore the snapshot to a new instance and cluster under a temporary name

  1. Go to snapshots.
  2. Choose the snapshot from Step III and click “Restore snapshot.”
  3. Select the same settings as your original cluster has.
  4. Select the subnet group created in Step II (with private subnets).
  5. Choose Public access → No.
  6. Write a new temporary name in DB snapshot ID, which you will later change to the original name of your cluster.

V. Rename the old cluster and instance to a random name

At this point, your application might fail to connect to the cluster.

VI. Rename the new cluster and instance from the snapshot to your old original cluster name

  1. Select cluster → modify → write your cluster original name → apply immediately.
  2. Select instance → modify → write your cluster original name → apply immediately.

At this point you are all set. If you have an RDS Proxy, you need to switch it to the new cluster. All your applications should already work, because the new cluster has the same name as the old one and therefore the same endpoint.
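Steps II to VI can also be scripted with the AWS CLI. The script below is an added example, not the author's own; every identifier, the security group and the instance class are placeholders, and it assumes a cluster with a single instance. Any other settings of the original cluster still have to be copied as in step IV.3.

```shell
# Added example: steps II-VI as AWS CLI calls. Every identifier is a placeholder.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them.
OLD=${OLD:-mydb}; OLD_INST=${OLD_INST:-mydb-instance-1}   # original names
TMP=${TMP:-mydb-private-tmp}                              # temporary name (step IV)
SNAP=${SNAP:-mydb-pre-move}; GROUP=${GROUP:-mydb-private-subnets}
SUBNETS=${SUBNETS:-"subnet-aaaa1111 subnet-bbbb2222"}     # private subnet IDs
SG=${SG:-sg-cccc3333}; CLASS=${CLASS:-db.r6g.large}       # copy from the original

rds() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "aws rds $*"; else aws rds "$@"; fi; }

# Rename a cluster or instance, then poll until the new identifier resolves:
# renames are asynchronous and the old name is not free until they finish.
rename() {
  rds "modify-db-$1" "--db-$1-identifier" "$2" "--new-db-$1-identifier" "$3" --apply-immediately
  [ "${DRY_RUN:-1}" = 1 ] && return 0
  until aws rds "describe-db-${1}s" "--db-$1-identifier" "$3" >/dev/null 2>&1; do sleep 10; done
}

migrate() (
  set -e
  # II. Subnet group that contains only private subnets ($SUBNETS is split on spaces)
  rds create-db-subnet-group --db-subnet-group-name "$GROUP" \
    --db-subnet-group-description "private subnets for $OLD" --subnet-ids $SUBNETS
  # III. Snapshot the cluster and wait until the snapshot is available
  rds create-db-cluster-snapshot --db-cluster-identifier "$OLD" \
    --db-cluster-snapshot-identifier "$SNAP"
  rds wait db-cluster-snapshot-available --db-cluster-snapshot-identifier "$SNAP"
  # IV. Restore under the temporary name into the private subnet group. The CLI
  # restore creates the cluster only, so the instance is created separately.
  rds restore-db-cluster-from-snapshot --db-cluster-identifier "$TMP" \
    --snapshot-identifier "$SNAP" --engine aurora-postgresql \
    --db-subnet-group-name "$GROUP" --vpc-security-group-ids "$SG"
  rds create-db-instance --db-instance-identifier "$TMP-1" --db-cluster-identifier "$TMP" \
    --engine aurora-postgresql --db-instance-class "$CLASS" --no-publicly-accessible
  rds wait db-instance-available --db-instance-identifier "$TMP-1"
  # V. Move the old cluster and instance out of the way
  rename cluster "$OLD" "$OLD-old"
  rename instance "$OLD_INST" "$OLD_INST-old"
  # VI. Give the restored cluster and instance the original names
  rename cluster "$TMP" "$OLD"
  rename instance "$TMP-1" "$OLD_INST"
)

migrate
```

Run it once with the default `DRY_RUN=1` to review the printed plan, then with `DRY_RUN=0` inside the maintenance window from step I.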

Cleaning up resources

  1. Delete old instances.
  2. Disable cluster deletion protection.
  3. Delete old clusters (1 min).
  4. Delete old subnet groups.
  5. Delete snapshots (optionally).

Summary

Moving an AWS RDS Aurora Postgres cluster into a private subnet can be a bit tricky, especially for databases that don’t support Multi-AZ deployments. But by carefully following the steps outlined, you can ensure a smooth transition with minimal downtime.

The key steps are preparing a maintenance window, properly creating and restoring snapshots, and ensuring your application reconnects without issues.

This process not only secures your database by moving it to a private subnet but also improves your overall security. While it might feel a bit overwhelming, the payoff is a safer and better-controlled database environment. Happy migrating!
