Creating a read replica in a different Amazon Web Services Region
With Amazon RDS, you can create a read replica in a different Amazon Web Services Region from the source DB instance.

You create a read replica in a different Amazon Web Services Region to do the following:
- Improve your disaster recovery capabilities.
- Scale read operations into an Amazon Web Services Region closer to your users.
- Make it easier to migrate from a data center in one Amazon Web Services Region to a data center in another Amazon Web Services Region.
Creating a read replica in a different Amazon Web Services Region from the source instance is similar to creating a replica in the same Amazon Web Services Region. You can use the Amazon Web Services Management Console, run the create-db-instance-read-replica command, or call the CreateDBInstanceReadReplica API operation.
Note
To create an encrypted read replica in a different Amazon Web Services Region from the source DB instance, the source DB instance must be encrypted.
Region and version availability
Feature availability and support varies across specific versions of each database engine, and across Amazon Web Services Regions. For more information on version and Region availability with cross-Region replication, see Supported Regions and DB engines for cross-Region read replicas in Amazon RDS.
Creating a cross-Region read replica
The following procedures show how to create a read replica from a source MariaDB, Microsoft SQL Server, MySQL, Oracle, or PostgreSQL DB instance in a different Amazon Web Services Region.
You can create a read replica across Amazon Web Services Regions using the Amazon Web Services Management Console.
To create a read replica across Amazon Web Services Regions with the console
- Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.
- In the navigation pane, choose Databases.
- Choose the MariaDB, Microsoft SQL Server, MySQL, Oracle, or PostgreSQL DB instance that you want to use as the source for a read replica.
- For Actions, choose Create read replica.
- For DB instance identifier, enter a name for the read replica.
- Choose the Destination Region.
- Choose the instance specifications that you want to use. We recommend that you use the same or larger DB instance class and storage type for the read replica.
- To create an encrypted read replica in another Amazon Web Services Region:
  - Choose Enable encryption.
  - For Amazon KMS key, choose the Amazon KMS key identifier of the KMS key in the destination Amazon Web Services Region.
  Note
  To create an encrypted read replica, the source DB instance must be encrypted. To learn more about encrypting the source DB instance, see Encrypting Amazon RDS resources.
- Choose other options, such as storage autoscaling.
- Choose Create read replica.
To create a read replica from a source MySQL, Microsoft SQL Server, MariaDB, Oracle, or PostgreSQL DB instance in a different Amazon Web Services Region, you can use the create-db-instance-read-replica command. In this case, you use create-db-instance-read-replica from the Amazon Web Services Region where you want the read replica (destination Region) and specify the Amazon Resource Name (ARN) for the source DB instance. An ARN uniquely identifies a resource created in Amazon Web Services.
For example, if your source DB instance is in the US East (N. Virginia) Region, the ARN looks similar to this example:
arn:aws-cn:rds:us-east-1:123456789012:db:mydbinstance
For information about ARNs, see Amazon Resource Names (ARNs) in Amazon RDS.
To create a read replica in a different Amazon Web Services Region from the source DB instance, you can use the Amazon CLI create-db-instance-read-replica command from the destination Amazon Web Services Region. The following parameters are required for creating a read replica in another Amazon Web Services Region:
- --region – The destination Amazon Web Services Region where the read replica is created.
- --source-db-instance-identifier – The DB instance identifier for the source DB instance. This identifier must be in the ARN format for the source Amazon Web Services Region.
- --db-instance-identifier – The identifier for the read replica in the destination Amazon Web Services Region.
Example of a cross-Region read replica
The following code creates a read replica in the US West (Oregon) Region from a source DB instance in the US East (N. Virginia) Region.
For Linux, macOS, or Unix:
aws rds create-db-instance-read-replica \
    --db-instance-identifier myreadreplica \
    --region us-west-2 \
    --source-db-instance-identifier arn:aws-cn:rds:us-east-1:123456789012:db:mydbinstance
For Windows:
aws rds create-db-instance-read-replica ^
    --db-instance-identifier myreadreplica ^
    --region us-west-2 ^
    --source-db-instance-identifier arn:aws-cn:rds:us-east-1:123456789012:db:mydbinstance
The following parameter is also required for creating an encrypted read replica in another Amazon Web Services Region:
- --kms-key-id – The Amazon KMS key identifier of the KMS key to use to encrypt the read replica in the destination Amazon Web Services Region.
Example of an encrypted cross-Region read replica
The following code creates an encrypted read replica in the US West (Oregon) Region from a source DB instance in the US East (N. Virginia) Region.
For Linux, macOS, or Unix:
aws rds create-db-instance-read-replica \
    --db-instance-identifier myreadreplica \
    --region us-west-2 \
    --source-db-instance-identifier arn:aws-cn:rds:us-east-1:123456789012:db:mydbinstance \
    --kms-key-id my-us-west-2-key
For Windows:
aws rds create-db-instance-read-replica ^
    --db-instance-identifier myreadreplica ^
    --region us-west-2 ^
    --source-db-instance-identifier arn:aws-cn:rds:us-east-1:123456789012:db:mydbinstance ^
    --kms-key-id my-us-west-2-key
The --source-region option is required when you are creating an encrypted read replica between the China (Beijing) and China (Ningxia) Amazon Web Services Regions. For --source-region, specify the Amazon Web Services Region of the source DB instance.
If --source-region isn't specified, specify a --pre-signed-url value. A presigned URL is a URL that contains a Signature Version 4 signed request for the create-db-instance-read-replica command that's called in the source Amazon Web Services Region. To learn more about presigned URLs, see CreateDBInstanceReadReplica in the Amazon RDS API Reference.
To create a read replica from a source MySQL, Microsoft SQL Server, MariaDB, Oracle, or PostgreSQL DB instance in a different Amazon Web Services Region, you can call the Amazon RDS API operation CreateDBInstanceReadReplica. In this case, you call CreateDBInstanceReadReplica from the Amazon Web Services Region where you want the read replica (destination Region) and specify the Amazon Resource Name (ARN) for the source DB instance. An ARN uniquely identifies a resource created in Amazon Web Services.
To create an encrypted read replica in a different Amazon Web Services Region from the source DB instance, you can use the Amazon RDS API CreateDBInstanceReadReplica operation from the destination Amazon Web Services Region. To create an encrypted read replica in another Amazon Web Services Region, you must specify a value for PreSignedUrl. PreSignedUrl should contain a request for the CreateDBInstanceReadReplica operation to call in the source Amazon Web Services Region, that is, the Region that contains the source DB instance. To learn more about PreSignedUrl, see CreateDBInstanceReadReplica.
For example, if your source DB instance is in the US East (N. Virginia) Region, the ARN looks similar to the following.
arn:aws-cn:rds:us-east-1:123456789012:db:mydbinstance
For information about ARNs, see Amazon Resource Names (ARNs) in Amazon RDS.
Example
https://us-west-2.rds.amazonaws.com/
    ?Action=CreateDBInstanceReadReplica
    &KmsKeyId=my-us-east-1-key
    &PreSignedUrl=https%253A%252F%252Frds.us-west-2.amazonaws.com%252F
        %253FAction%253DCreateDBInstanceReadReplica
        %2526DestinationRegion%253Dus-east-1
        %2526KmsKeyId%253Dmy-us-east-1-key
        %2526SourceDBInstanceIdentifier%253Darn%25253Aaws%25253Ards%25253Aus-west-2%25253A123456789012%25253Adb%25253Amydbinstance
        %2526SignatureMethod%253DHmacSHA256
        %2526SignatureVersion%253D4
        %2526SourceDBInstanceIdentifier%253Darn%25253Aaws%25253Ards%25253Aus-west-2%25253A123456789012%25253Ainstance%25253Amydbinstance
        %2526Version%253D2014-10-31
        %2526X-Amz-Algorithm%253DAWS4-HMAC-SHA256
        %2526X-Amz-Credential%253DAKIADQKE4SARGYLE%252F20161117%252Fus-west-2%252Frds%252Faws4_request
        %2526X-Amz-Date%253D20161117T215409Z
        %2526X-Amz-Expires%253D3600
        %2526X-Amz-SignedHeaders%253Dcontent-type%253Bhost%253Buser-agent%253Bx-amz-content-sha256%253Bx-amz-date
        %2526X-Amz-Signature%253D255a0f17b4e717d3b67fad163c3ec26573b882c03a65523522cf890a67fca613
    &DBInstanceIdentifier=myreadreplica
    &SourceDBInstanceIdentifier=arn:aws-cn:rds:us-east-1:123456789012:db:mydbinstance
    &Version=2012-01-15
    &SignatureVersion=2
    &SignatureMethod=HmacSHA256
    &Timestamp=2012-01-20T22%3A06%3A23.624Z
    &AWSAccessKeyId=<Amazon Access Key ID>
    &Signature=<Signature>
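As an added illustration (not code from the AWS documentation or SDKs, which build PreSignedUrl for you), the following Python constructs the presigned URL that the CLI and API sections above describe: a Signature Version 4 signed request against the source Region's RDS endpoint that names the destination Region and KMS key, plus the check the source Region performs before honouring it. The credentials, account ID and names are constructed placeholders, and the simplified GET form with only the host header signed is an assumption of this example (the SDK may sign additional headers, as the example above shows).

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

SERVICE = "rds"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def _signature(params, host, secret_key):
    """SigV4 query-string signing of a body-less GET; returns (canonical query string, hex signature)."""
    _, date_stamp, region, _, _ = params["X-Amz-Credential"].split("/")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join(["GET", "/", canonical_qs, f"host:{host}\n", "host",
                                   hashlib.sha256(b"").hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, SERVICE, "aws4_request"):   # date -> region -> service -> terminator
        key = _hmac(key, part)
    return canonical_qs, hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

def presign_create_read_replica(access_key, secret_key, source_region, destination_region,
                                source_db_arn, kms_key_id, amz_date, expires=3600,
                                domain="amazonaws.com"):
    """Presigned URL against the *source* Region endpoint (domain is amazonaws.com.cn in China)."""
    host = f"{SERVICE}.{source_region}.{domain}"
    params = {
        "Action": "CreateDBInstanceReadReplica",
        "DestinationRegion": destination_region,  # signed, so the URL is bound to one destination
        "KmsKeyId": kms_key_id,                   # destination-Region KMS key, also signed
        "SourceDBInstanceIdentifier": source_db_arn,
        "Version": "2014-10-31",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{source_region}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,                   # basic ISO 8601 UTC, e.g. 20161117T215409Z
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs, signature = _signature(params, host, secret_key)
    return f"https://{host}/?{canonical_qs}&X-Amz-Signature={signature}"

def verify_presigned_url(url, secret_key, now):
    """What the source Region does before honouring the URL: enforce X-Amz-Expires, recompute the signature."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    fmt = "%Y%m%dT%H%M%SZ"
    deadline = dt.datetime.strptime(params["X-Amz-Date"], fmt) + dt.timedelta(seconds=int(params["X-Amz-Expires"]))
    if dt.datetime.strptime(now, fmt) > deadline:
        return False
    _, expected = _signature(params, parts.netloc, secret_key)
    return hmac.compare_digest(presented, expected)
```

The returned URL is what goes into the PreSignedUrl parameter (or the --pre-signed-url option) of the CreateDBInstanceReadReplica call made in the destination Region; because DestinationRegion and KmsKeyId are inside the signed query string, a URL captured for one destination cannot be reused for another.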
How Amazon RDS does cross-Region replication
Amazon RDS uses the following process to create a cross-Region read replica. Depending on the Amazon Web Services Regions involved and the amount of data in the databases, this process can take hours to complete. You can use this information to determine how far the process has proceeded when you create a cross-Region read replica:
- Amazon RDS begins configuring the source DB instance as a replication source and sets the status to modifying.
- Amazon RDS begins setting up the specified read replica in the destination Amazon Web Services Region and sets the status to creating.
- Amazon RDS creates an automated DB snapshot of the source DB instance in the source Amazon Web Services Region. The format of the DB snapshot name is rds:<InstanceID>-<timestamp>, where <InstanceID> is the identifier of the source instance, and <timestamp> is the date and time the copy started. For example, rds:mysourceinstance-2013-11-14-09-24 was created from the instance mysourceinstance at 2013-11-14-09-24. During the creation of an automated DB snapshot, the source DB instance status remains modifying, the read replica status remains creating, and the DB snapshot status is creating. The progress column of the DB snapshot page in the console reports how far the DB snapshot creation has progressed. When the DB snapshot is complete, the status of both the DB snapshot and source DB instance are set to available.
- Amazon RDS begins a cross-Region snapshot copy for the initial data transfer. The snapshot copy is listed as an automated snapshot in the destination Amazon Web Services Region with a status of creating. It has the same name as the source DB snapshot. The progress column of the DB snapshot display indicates how far the copy has progressed. When the copy is complete, the status of the DB snapshot copy is set to available.
- Amazon RDS then uses the copied DB snapshot for the initial data load on the read replica. During this phase, the read replica is in the list of DB instances in the destination, with a status of creating. When the load is complete, the read replica status is set to available, and the DB snapshot copy is deleted.
- When the read replica reaches the available status, Amazon RDS starts by replicating the changes made to the source instance since the start of the create read replica operation. During this phase, the replication lag time for the read replica is greater than 0.
For information about replication lag time, see Monitoring read replication.
Cross-Region replication considerations
All of the considerations for performing replication within an Amazon Web Services Region apply to cross-Region replication. The following extra considerations apply when replicating between Amazon Web Services Regions:
- A source DB instance can have cross-Region read replicas in multiple Amazon Web Services Regions. Because of the limit on the number of access control list (ACL) entries for the source VPC, RDS can't guarantee more than five cross-Region read replica DB instances.
- You can replicate between the GovCloud (US-East) and GovCloud (US-West) Regions, but not into or out of GovCloud (US).
- For the following RDS engines, you can create a cross-Region Amazon RDS read replica from a source Amazon RDS DB instance only when it isn't a read replica of another Amazon RDS DB instance:
  - RDS for SQL Server
  - RDS for Oracle
  - RDS for PostgreSQL versions lower than 14.1
  This limitation doesn't apply to DB instances running RDS for PostgreSQL version 14.1 and higher, RDS for MariaDB, and RDS for MySQL.
- You can expect to see a higher level of lag time for any read replica that is in a different Amazon Web Services Region than the source instance. This lag time comes from the longer network channels between regional data centers.
- For cross-Region read replicas, any of the create read replica commands that specify the --db-subnet-group-name parameter must specify a DB subnet group from the same VPC.
- In most cases, the read replica uses the default DB parameter group and DB option group for the specified DB engine. For the MySQL and Oracle DB engines, you can specify a custom parameter group for the read replica in the --db-parameter-group-name option of the Amazon CLI command create-db-instance-read-replica. You can't specify a custom parameter group when you use the Amazon Web Services Management Console.
- The read replica uses the default security group.
- For MariaDB, Microsoft SQL Server, MySQL, and Oracle DB instances, when the source DB instance for a cross-Region read replica is deleted, the read replica is promoted.
- For PostgreSQL DB instances, when the source DB instance for a cross-Region read replica is deleted, the replication status of the read replica is set to terminated. The read replica isn't promoted. You have to promote the read replica manually or delete it.
Requesting a cross-Region read replica
To communicate with the source Region to request the creation of a cross-Region read replica, the requester (IAM role or IAM user) must have access to the source DB instance and the source Region.
Certain conditions in the requester's IAM policy can cause the request to fail. The following examples assume that the source DB instance is in US East (Ohio) and the read replica is created in US East (N. Virginia). These examples show conditions in the requester's IAM policy that cause the request to fail:
- The requester's policy has a condition for aws:RequestedRegion.
  ...
  "Effect": "Allow",
  "Action": "rds:CreateDBInstanceReadReplica",
  "Resource": "*",
  "Condition": {
      "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
      }
  }
  The request fails because the policy doesn't allow access to the source Region. For a successful request, specify both the source and destination Regions.
  ...
  "Effect": "Allow",
  "Action": "rds:CreateDBInstanceReadReplica",
  "Resource": "*",
  "Condition": {
      "StringEquals": {
          "aws:RequestedRegion": [
              "us-east-1",
              "us-east-2"
          ]
      }
  }
- The requester's policy doesn't allow access to the source DB instance.
  ...
  "Effect": "Allow",
  "Action": "rds:CreateDBInstanceReadReplica",
  "Resource": "arn:aws-cn:rds:us-east-1:123456789012:db:myreadreplica"
  ...
  For a successful request, specify both the source instance and the replica.
  ...
  "Effect": "Allow",
  "Action": "rds:CreateDBInstanceReadReplica",
  "Resource": [
      "arn:aws-cn:rds:us-east-1:123456789012:db:myreadreplica",
      "arn:aws-cn:rds:us-east-2:123456789012:db:mydbinstance"
  ]
  ...
- The requester's policy denies aws:ViaAWSService.
  ...
  "Effect": "Allow",
  "Action": "rds:CreateDBInstanceReadReplica",
  "Resource": "*",
  "Condition": {
      "Bool": {"aws:ViaAWSService": "false"}
  }
  Communication with the source Region is made by RDS on the requester's behalf. For a successful request, don't deny calls made by Amazon services.
- The requester's policy has a condition for aws:SourceVpc or aws:SourceVpce. These requests might fail because when RDS makes the call to the remote Region, it isn't from the specified VPC or VPC endpoint.
If you need to use one of the previous conditions that would cause a request to fail, you can include a second statement with aws:CalledVia in your policy to make the request succeed. For example, you can use aws:CalledVia with aws:SourceVpce as shown here:
...
{
    "Effect": "Allow",
    "Action": "rds:CreateDBInstanceReadReplica",
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:SourceVpce": "vpce-1a2b3c4d"
        }
    }
},
{
    "Effect": "Allow",
    "Action": [
        "rds:CreateDBInstanceReadReplica"
    ],
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:CalledVia": [
                "rds.amazonaws.com"
            ]
        }
    }
}
For more information, see Policies and permissions in IAM in the IAM User Guide.
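The following added Python example (not AWS code) makes the failure modes above concrete: it models the two calls behind a cross-Region replica request, the requester's own call to the destination Region and the call RDS makes to the source Region on the requester's behalf, and evaluates the page's policies against both. The request contexts are constructed, only the three condition operators used above are modelled, and explicit Deny statements, resource policies and SCPs are left out, so this is a teaching approximation of IAM evaluation, not a replacement for the IAM policy simulator.

```python
ACTION = "rds:CreateDBInstanceReadReplica"
SOURCE_ARN = "arn:aws-cn:rds:us-east-2:123456789012:db:mydbinstance"   # source in US East (Ohio)
REPLICA_ARN = "arn:aws-cn:rds:us-east-1:123456789012:db:myreadreplica" # replica in US East (N. Virginia)

# Constructed request contexts for the two hops. Hop 1: the requester calls the destination
# Region through a VPC endpoint. Hop 2: RDS calls the source Region on the requester's behalf,
# so aws:ViaAWSService is true, aws:CalledVia names RDS, and no aws:SourceVpc/SourceVpce is set.
REQUESTER_HOP = {"resource": REPLICA_ARN, "aws:RequestedRegion": "us-east-1",
                 "aws:ViaAWSService": "false", "aws:SourceVpce": "vpce-1a2b3c4d"}
RDS_HOP = {"resource": SOURCE_ARN, "aws:RequestedRegion": "us-east-2",
           "aws:ViaAWSService": "true", "aws:CalledVia": ["rds.amazonaws.com"]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    """All operator blocks and keys must hold; a key absent from the request context fails."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "Bool", "ForAnyValue:StringEquals"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, wanted in pairs.items():
            if key not in ctx or not any(v in _as_list(wanted) for v in _as_list(ctx[key])):
                return False
    return True

def _statement_allows(stmt, ctx):
    return (stmt["Effect"] == "Allow"
            and ACTION in _as_list(stmt["Action"])
            and any(r in ("*", ctx["resource"]) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))

def cross_region_request_allowed(statements):
    """True only if some statement allows each hop (only Allow statements are modelled)."""
    return all(any(_statement_allows(s, hop) for s in statements) for hop in (REQUESTER_HOP, RDS_HOP))

def allow_statement(resource="*", condition=None):
    stmt = {"Effect": "Allow", "Action": ACTION, "Resource": resource}
    return {**stmt, "Condition": condition} if condition else stmt

# The failing policies from the text and their working counterparts.
REGION_ONLY = [allow_statement(condition={"StringEquals": {"aws:RequestedRegion": "us-east-1"}})]
BOTH_REGIONS = [allow_statement(condition={"StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-east-2"]}})]
REPLICA_ONLY = [allow_statement(resource=REPLICA_ARN)]
BOTH_RESOURCES = [allow_statement(resource=[REPLICA_ARN, SOURCE_ARN])]
NOT_VIA_SERVICE = [allow_statement(condition={"Bool": {"aws:ViaAWSService": "false"}})]
VPCE_ONLY = [allow_statement(condition={"ForAnyValue:StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}})]
VPCE_PLUS_CALLEDVIA = VPCE_ONLY + [
    allow_statement(condition={"ForAnyValue:StringEquals": {"aws:CalledVia": ["rds.amazonaws.com"]}})]
```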
Authorizing the read replica
After a cross-Region DB read replica creation request returns success, RDS starts the replica creation in the background. An authorization for RDS to access the source DB instance is created. This authorization links the source DB instance to the read replica, and allows RDS to copy only to the specified read replica.
The authorization is verified by RDS using the rds:CrossRegionCommunication permission in the service-linked IAM role. If the replica is authorized, RDS communicates with the source Region and completes the replica creation.
RDS doesn't have access to DB instances that weren't authorized previously by a CreateDBInstanceReadReplica request. The authorization is revoked when read replica creation completes.
RDS uses the service-linked role to verify the authorization in the source Region. If you delete the service-linked role during the replication creation process, the creation fails.
For more information, see Using service-linked roles in the IAM User Guide.
Using Amazon Security Token Service credentials
Session tokens from the global Amazon Security Token Service (Amazon STS) endpoint are valid only in Amazon Web Services Regions that are enabled by default (commercial Regions). If you use credentials from the AssumeRole API operation in Amazon STS, use the regional endpoint if the source Region is an opt-in Region. Otherwise, the request fails. This happens because your credentials must be valid in both Regions, which is true for opt-in Regions only when the regional Amazon STS endpoint is used.
To use the global endpoint, make sure that it's enabled for both Regions in the operations. Set the global endpoint to Valid in all Amazon Web Services Regions in the Amazon STS account settings.
The same rule applies to credentials in the presigned URL parameter.
For more information, see Managing Amazon STS in an Amazon Web Services Region in the IAM User Guide.
Cross-Region replication costs
The data transferred for cross-Region replication incurs Amazon RDS data transfer charges. These cross-Region replication actions generate charges for the data transferred out of the source Amazon Web Services Region:
-
When you create a read replica, Amazon RDS takes a snapshot of the source instance and transfers the snapshot to the read replica Amazon Web Services Region.
-
For each data modification made in the source databases, Amazon RDS transfers data from the source Amazon Web Services Region to the read replica Amazon Web Services Region.
For MySQL and MariaDB instances, you can reduce your data transfer costs by reducing the number of cross-Region read replicas that you create. For example, suppose that you have a source DB instance in one Amazon Web Services Region and want to have three read replicas in another Amazon Web Services Region. In this case, you create only one of the read replicas from the source DB instance. You create the other two replicas from the first read replica instead of the source DB instance.
For example, if you have source-instance-1 in one Amazon Web Services Region, you can do the following:
- Create read-replica-1 in the new Amazon Web Services Region, specifying source-instance-1 as the source.
- Create read-replica-2 from read-replica-1.
- Create read-replica-3 from read-replica-1.
In this example, you are only charged for the data transferred from source-instance-1 to read-replica-1. You aren't charged for the data transferred from read-replica-1 to the other two replicas because they are all in the same Amazon Web Services Region. If you create all three replicas directly from source-instance-1 in another Amazon Web Services Region, you are charged for the data transfers to all three replicas.