--- title: "Ingest data from Amazon RDS" description: "How to stream data from Amazon RDS for MySQL to Materialize" menu: main: parent: "mysql" name: "Amazon RDS" identifier: "mysql-amazon-rds" --- This page shows you how to stream data from [Amazon RDS for MySQL](https://aws.amazon.com/rds/mysql/) to Materialize using the [MySQL source](/sql/create-source/mysql). {{< tip >}} {{< guided-tour-blurb-for-ingest-data >}} {{< /tip >}} ## Before you begin {{% mysql-direct/before-you-begin %}} ## A. Configure Amazon RDS ### 1. Enable GTID-based binlog replication Before creating a source in Materialize, you **must** configure Amazon RDS for GTID-based binlog replication. For guidance on enabling GTID-based binlog replication in RDS, see the [Amazon RDS for MySQL documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mysql-replication-gtid.html). 1. [Enable automated backups in your RDS instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.Enabling) by setting the backup retention period to a value greater than `0` to enable binary logging. 1. [Create a custom RDS parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithDBInstanceParamGroups.html#USER_WorkingWithParamGroups.Creating). - Set **Parameter group family** to your MySQL version. - Set **Type** to **DB Parameter Group**. 1. Edit the new parameter group to set the configuration parameters to the following values: | Configuration parameter | Value | Details | |----------------------------------|-------|---------| | `log_bin_use_v1_row_events` | `ON` | AWS Management Console equivalent to MySQL's `log_bin` configuration parameter. | | `binlog_format` | `ROW` | This configuration is [deprecated as of MySQL 8.0.34](https://dev.mysql.com/doc/refman/8.0/en/replication-options-binary-log.html#sysvar_binlog_format). Newer versions of MySQL default to row-based logging. | | `binlog_row_image` | `FULL`| | | `gtid-mode` | `ON` | AWS Management Console equivalent to MySQL's `gtid_mode` configuration parameter. | | `enforce_gtid_consistency` | `ON` | | | `replica_preserve_commit_order` | `ON` | Only required when connecting Materialize to a read-replica for replication, rather than the primary server. | 1. [Associate the RDS parameter group to your database](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithDBInstanceParamGroups.html#USER_WorkingWithParamGroups.Associating). Use the **Apply Immediately** option. The database must be rebooted in order for the parameter group association to take effect. Keep in mind that rebooting the RDS instance can affect database performance. Do not move on to the next step until the database **Status** is **Available** in the RDS Console. 1. In addition to the step above, you **must** also ensure that [binlog retention](/sql/create-source/mysql/#binlog-retention) is set to a reasonable value. To check the current value of the [`binlog retention hours`](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mysql-stored-proc-configuring.html#mysql_rds_set_configuration-usage-notes.binlog-retention-hours) configuration parameter, connect to your RDS instance and run: ```mysql CALL mysql.rds_show_configuration; ``` If the value returned is `NULL`, or less than `168` (i.e. 7 days), run: ```mysql CALL mysql.rds_set_configuration('binlog retention hours', 168); ``` Although 7 days is a reasonable retention period, we recommend using the default MySQL retention period (30 days) in order to not compromise Materialize’s ability to resume replication in case of failures or restarts. 1. To validate that all configuration parameters are set to the expected values after the above configuration changes, run: ```mysql -- Validate "binlog retention hours" configuration parameter CALL mysql.rds_show_configuration; ``` ```mysql -- Validate parameter group configuration parameters SHOW VARIABLES WHERE variable_name IN ( 'log_bin', 'binlog_format', 'binlog_row_image', 'gtid_mode', 'enforce_gtid_consistency', 'replica_preserve_commit_order' ); ``` ### 2. Create a user for replication {{% mysql-direct/create-a-user-for-replication %}} ## B. (Optional) Configure network security {{< note >}} If you are prototyping and your RDS instance is publicly accessible, **you can skip this step**. For production scenarios, we recommend configuring one of the network security options below. {{< /note >}} There are various ways to configure your database's network to allow Materialize to connect: - **Allow Materialize IPs:** If your database is publicly accessible, you can configure your database's security group to allow connections from a set of static Materialize IP addresses. - **Use AWS PrivateLink**: If your database is running in a private network, you can use [AWS PrivateLink](/ingest-data/network-security/privatelink/) to connect Materialize to the database. For details, see [AWS PrivateLink](/ingest-data/network-security/privatelink/). - **Use an SSH tunnel:** If your database is running in a private network, you can use an SSH tunnel to connect Materialize to the database. {{< tabs >}} {{< tab "Allow Materialize IPs">}} 1. In the [SQL Shell](https://console.materialize.com/), or your preferred SQL client connected to Materialize, find the static egress IP addresses for the Materialize region you are running in: ```mzsql SELECT * FROM mz_egress_ips; ``` 1. In the RDS Console, [add an inbound rule to your RDS security group](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#adding-security-group-rule) for each IP address from the previous step. In each rule: - Set **Type** to **MySQL**. - Set **Source** to the IP address in CIDR notation. {{< /tab >}} {{< tab "Use AWS PrivateLink">}} [AWS PrivateLink](https://aws.amazon.com/privatelink/) lets you connect Materialize to your RDS instance without exposing traffic to the public internet. To use AWS PrivateLink, you create a network load balancer in the same VPC as your RDS instance and a VPC endpoint service that Materialize connects to. The VPC endpoint service then routes requests from Materialize to RDS via the network load balancer. {{< note >}} Materialize provides a Terraform module that automates the creation and configuration of AWS resources for a PrivateLink connection. For more details, see the [Terraform module repository](https://github.com/MaterializeInc/terraform-aws-rds-privatelink). {{}} 1. Get the IP address of your RDS instance. You'll need this address to register your RDS instance as the target for the network load balancer in the next step. To get the IP address of your RDS instance: 1. Select your database in the RDS Console. 1. Find your RDS endpoint under **Connectivity & security**. 1. Use the `dig` or `nslooklup` command to find the IP address that the endpoint resolves to: ```sh dig +short ``` 1. [Create a dedicated target group for your RDS instance](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html). - Choose the **IP addresses** type. - Set the protocol and port to **TCP** and **3306**. - Choose the same VPC as your RDS instance. - Use the IP address from the previous step to register your RDS instance as the target. **Warning:** The IP address of your RDS instance can change without notice. For this reason, it's best to set up automation to regularly check the IP of the instance and update your target group accordingly. You can use a lambda function to automate this process - see Materialize's [Terraform module for AWS PrivateLink](https://github.com/MaterializeInc/terraform-aws-rds-privatelink/blob/main/lambda_function.py) for an example. Another approach is to [configure an EC2 instance as an RDS router](https://aws.amazon.com/blogs/database/how-to-use-amazon-rds-and-amazon-aurora-with-a-static-ip-address/) for your network load balancer. 1. [Create a network load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html). - For **Network mapping**, choose the same VPC as your RDS instance and select all of the availability zones and subnets that you RDS instance is in. - For **Listeners and routing**, set the protocol and port to **TCP** and **3306** and select the target group you created in the previous step. 1. In the security group of your RDS instance, [allow traffic from the network load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html). If [client IP preservation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-preservation) is disabled, the easiest approach is to add an inbound rule with the VPC CIDR of the network load balancer. If you don't want to grant access to the entire VPC CIDR, you can add inbound rules for the private IP addresses of the load balancer subnets. - To find the VPC CIDR, go to your network load balancer and look under **Network mapping**. - To find the private IP addresses of the load balancer subnets, go to **Network Interfaces**, search for the name of the network load balancer, and look on the **Details** tab for each matching network interface. 1. [Create a VPC endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). - For **Load balancer type**, choose **Network** and then select the network load balancer you created in the previous step. - After creating the VPC endpoint service, note its **Service name**. You'll use this service name when connecting Materialize later. **Remarks**: By disabling [Acceptance Required](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests), while still strictly managing who can view your endpoint via IAM, Materialze will be able to seamlessly recreate and migrate endpoints as we work to stabilize this feature. 1. Go back to the target group you created for the network load balancer and make sure that the [health checks](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html) are reporting the targets as healthy. {{< /tab >}} {{< tab "Use an SSH tunnel">}} To create an SSH tunnel from Materialize to your database, you launch an instance to serve as an SSH bastion host, configure the bastion host to allow traffic only from Materialize, and then configure your database's private network to allow traffic from the bastion host. {{< note >}} Materialize provides a Terraform module that automates the creation and configuration of resources for an SSH tunnel. For more details, see the [Terraform module repository](https://github.com/MaterializeInc/terraform-aws-ec2-ssh-bastion). {{}} 1. [Launch an EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/LaunchingAndUsingInstances.html) to serve as your SSH bastion host. - Make sure the instance is publicly accessible and in the same VPC as your RDS instance. - Add a key pair and note the username. You'll use this username when connecting Materialize to your bastion host. **Warning:** Auto-assigned public IP addresses can change in [certain cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses). For this reason, it's best to associate an [elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#ip-addressing-eips) to your bastion host. 1. Configure the SSH bastion host to allow traffic only from Materialize. 1. In the [SQL Shell](https://console.materialize.com/), or your preferred SQL client connected to Materialize, get the static egress IP addresses for the Materialize region you are running in: ```mzsql SELECT * FROM mz_egress_ips; ``` 1. For each static egress IP, [add an inbound rule](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) to your SSH bastion host's security group. In each rule: - Set **Type** to **MySQL**. - Set **Source** to the IP address in CIDR notation. 1. In the security group of your RDS instance, [add an inbound rule](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html) to allow traffic from the SSH bastion host. - Set **Type** to **All TCP**. - Set **Source** to **Custom** and select the bastion host's security group. {{< /tab >}} {{< /tabs >}} ## C. Ingest data in Materialize ### 1. (Optional) Create a cluster {{< note >}} If you are prototyping and already have a cluster to host your MySQL source (e.g. `quickstart`), **you can skip this step**. For production scenarios, we recommend separating your workloads into multiple clusters for [resource isolation](/sql/create-cluster/#resource-isolation). {{< /note >}} {{% mysql-direct/create-a-cluster %}} ### 2. Start ingesting data [//]: # "TODO(morsapaes) MySQL connections support multiple SSL modes. We should adapt to that, rather than just state SSL MODE REQUIRED." Now that you've configured your database network and created an ingestion cluster, you can connect Materialize to your MySQL database and start ingesting data. The exact steps depend on your networking configuration, so start by selecting the relevant option. {{< tabs >}} {{< tab "Allow Materialize IPs">}} {{% mysql-direct/ingesting-data/allow-materialize-ips %}} {{< /tab >}} {{< tab "Use AWS PrivateLink">}} {{% mysql-direct/ingesting-data/use-aws-privatelink %}} {{< /tab >}} {{< tab "Use an SSH tunnel">}} {{% mysql-direct/ingesting-data/use-ssh-tunnel %}} {{< /tab >}} {{< /tabs >}} [//]: # "TODO(morsapaes) Replace these Step 6. and 7. with guidance using the new progress metrics in mz_source_statistics + console monitoring, when available (also for PostgreSQL)." ### 3. Monitor the ingestion status {{% mysql-direct/check-the-ingestion-status %}} ### 4. Right-size the cluster {{% mysql-direct/right-size-the-cluster %}} ## D. Explore your data {{% mysql-direct/next-steps %}} ## Considerations {{% include-md file="shared-content/mysql-considerations.md" %}}