# Network prerequisites for Aurora MySQL database activity streams
<a name="DBActivityStreams.Prereqs"></a>

In the following section, you can find how to configure your virtual private cloud (VPC) for use with database activity streams.

**Note**  
Aurora MySQL network prerequisites are applicable to the following engine versions:  
Aurora MySQL version 2, up to 2.11.3
Aurora MySQL version 2.12.0
Aurora MySQL version 3, up to 3.04.2

**Topics**
+ [Prerequisites for Amazon KMS endpoints](#DBActivityStreams.Prereqs.KMS)
+ [Prerequisites for public availability](#DBActivityStreams.Prereqs.Public)
+ [Prerequisites for private availability](#DBActivityStreams.Prereqs.Private)

## Prerequisites for Amazon KMS endpoints
<a name="DBActivityStreams.Prereqs.KMS"></a>

Instances in an Aurora MySQL cluster that use activity streams must be able to access Amazon KMS endpoints. Make sure this requirement is satisfied before enabling database activity streams for your Aurora MySQL cluster. If the Aurora cluster is publicly available, this requirement is satisfied automatically.

**Important**  
If the Aurora MySQL DB cluster can't access the Amazon KMS endpoint, the activity stream stops. In that case, Aurora notifies you about this issue using RDS Events. 

## Prerequisites for public availability
<a name="DBActivityStreams.Prereqs.Public"></a>

For an Aurora DB cluster to be public, it must meet the following requirements:
+ **Publicly Accessible** is **Yes** in the Amazon Web Services Management Console cluster details page.
+ The DB cluster is in an Amazon VPC public subnet. For more information about publicly accessible DB instances, see [Working with a DB cluster in a VPC](USER_VPC.WorkingWithRDSInstanceinaVPC.md). For more information about public Amazon VPC subnets, see [Your VPC and Subnets](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Subnets.html).

## Prerequisites for private availability
<a name="DBActivityStreams.Prereqs.Private"></a>

If your Aurora DB cluster is in a VPC public subnet and isn't publicly accessible, it's private. To keep your cluster private and use it with database activity streams, you have the following options:
+ Configure Network Address Translation (NAT) in your VPC. For more information, see [NAT Gateways](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-nat-gateway.html).
+ Create an Amazon KMS endpoint in your VPC. This option is recommended because it's easier to configure.

**To create an Amazon KMS endpoint in your VPC**

1. Open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Choose **Create Endpoint**.

   The **Create Endpoint** page appears.

1. Do the following:
   + In **Service category**, choose **Amazon services**.
   + In **Service Name**, choose **com.amazonaws.{{region}}.kms**, where {{region}} is the Amazon Web Services Region where your cluster is located.
   + For **VPC**, choose the VPC where your cluster is located.

1. Choose **Create Endpoint**.

For more information about configuring VPC endpoints, see [VPC Endpoints](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-endpoints.html).