

# Creating and connecting to an Aurora PostgreSQL DB cluster
<a name="CHAP_GettingStartedAurora.CreatingConnecting.AuroraPostgreSQL"></a>

There are two ways to create an Aurora PostgreSQL cluster: full configuration and express configuration. The following sections describe each method.

**Topics**
+ [Create with full configuration](CHAP_GettingStartedAurora.AuroraPostgreSQL.FullConfig.md)
+ [Create with express configuration](CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.md)

# Create with full configuration
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.FullConfig"></a>

This tutorial creates an EC2 instance and an Aurora PostgreSQL DB cluster. The tutorial shows you how to access the DB cluster from the EC2 instance using a standard PostgreSQL client. As a best practice, this tutorial creates a private DB cluster in a virtual private cloud (VPC). In most cases, other resources in the same VPC, such as EC2 instances, can access the DB cluster, but resources outside of the VPC can't access it.

After you complete the tutorial, there is a public and private subnet in each Availability Zone in your VPC. In one Availability Zone, the EC2 instance is in the public subnet, and the DB instance is in the private subnet.

**Important**  
There's no charge for creating an AWS account. However, by completing this tutorial, you might incur costs for the AWS resources that you use. You can delete these resources after you complete the tutorial if they are no longer needed.

The following diagram shows the configuration when the tutorial is complete.

![\[EC2 instance and Aurora PostgreSQL DB cluster.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/getting-started-aurora-postgresql.png)


This tutorial allows you to create your resources by using one of the following methods:

1. Use the AWS Management Console ‐ [Step 1: Create an EC2 instance](#CHAP_GettingStarted.Creating.AuroraPostgreSQL.EC2) and [Step 2: Create an Aurora PostgreSQL DB cluster](#CHAP_GettingStarted.AuroraPostgreSQL.CreateDBCluster) 

1. Use CloudFormation to create the database instance and EC2 instance ‐ [(Optional) Create VPC, EC2 instance, and Aurora PostgreSQL cluster using CloudFormation](#CHAP_GettingStartedAurora.CFN.PostgreSQL) 

The first method uses **Easy create** to create a private Aurora PostgreSQL DB cluster with the AWS Management Console. Here, you specify only the DB engine type, DB instance size, and DB cluster identifier. **Easy create** uses the default settings for the other configuration options. 

When you use **Standard create** instead, you can specify more configuration options when you create a DB cluster. These options include settings for availability, security, backups, and maintenance. To create a public DB cluster, you must use **Standard create**. For information, see [Creating an Amazon Aurora DB cluster](Aurora.CreateInstance.md).

**Topics**
+ [Prerequisites](#CHAP_GettingStarted.Prerequisites.AuroraPostgreSQL)
+ [Step 1: Create an EC2 instance](#CHAP_GettingStarted.Creating.AuroraPostgreSQL.EC2)
+ [Step 2: Create an Aurora PostgreSQL DB cluster](#CHAP_GettingStarted.AuroraPostgreSQL.CreateDBCluster)
+ [(Optional) Create VPC, EC2 instance, and Aurora PostgreSQL cluster using CloudFormation](#CHAP_GettingStartedAurora.CFN.PostgreSQL)
+ [Step 3: Connect to an Aurora PostgreSQL DB cluster](#CHAP_GettingStartedAurora.AuroraPostgreSQL.Connect)
+ [Step 4: Delete the EC2 instance and DB cluster](#CHAP_GettingStartedAurora.Deleting.AuroraPostgreSQL)
+ [(Optional) Delete the EC2 instance and DB cluster created with CloudFormation](#CHAP_GettingStartedAurora.DeletingCFN.AuroraPostgreSQL)
+ [(Optional) Connect your DB cluster to a Lambda function](#CHAP_GettingStartedAurora.ComputeConnect.AuroraPostgreSQL)

## Prerequisites
<a name="CHAP_GettingStarted.Prerequisites.AuroraPostgreSQL"></a>

Before you begin, complete the steps in the following sections:
+ [Sign up for an AWS account](CHAP_SettingUp_Aurora.md#sign-up-for-aws)
+ [Create a user with administrative access](CHAP_SettingUp_Aurora.md#create-an-admin)

## Step 1: Create an EC2 instance
<a name="CHAP_GettingStarted.Creating.AuroraPostgreSQL.EC2"></a>

Create an Amazon EC2 instance that you will use to connect to your database.

**To create an EC2 instance**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the upper-right corner of the AWS Management Console, choose the AWS Region in which you want to create the EC2 instance.

1. Choose **EC2 Dashboard**, and then choose **Launch instance**, as shown in the following image.  
![\[EC2 Dashboard.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/Tutorial_WebServer_11.png)

   The **Launch an instance** page opens.

1. Choose the following settings on the **Launch an instance** page.

   1. Under **Name and tags**, for **Name**, enter **ec2-database-connect**.

   1. Under **Application and OS Images (Amazon Machine Image)**, choose **Amazon Linux**, and then choose the **Amazon Linux 2023 AMI**. Keep the default selections for the other choices.  
![\[Choose an Amazon Machine Image.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/Tutorial_WebServer_12.png)

   1. Under **Instance type**, choose **t2.micro**.

   1. Under **Key pair (login)**, choose a **Key pair name** to use an existing key pair. To create a new key pair for the Amazon EC2 instance, choose **Create new key pair** and then use the **Create key pair** window to create it.

      For more information about creating a new key pair, see [Create a key pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-key-pair) in the *Amazon EC2 User Guide*.

   1. For **Allow SSH traffic** in **Network settings**, choose the source of SSH connections to the EC2 instance. 

      You can choose **My IP** if the displayed IP address is correct for SSH connections. Otherwise, you can determine the IP address to use to connect to EC2 instances in your VPC using Secure Shell (SSH). To determine your public IP address, in a different browser window or tab, you can use the service at [https://checkip.amazonaws.com](https://checkip.amazonaws.com/). An example of an IP address is 192.0.2.1/32.

       In many cases, you might connect through an internet service provider (ISP) or from behind your firewall without a static IP address. If so, make sure to determine the range of IP addresses used by client computers.
**Warning**  
If you use `0.0.0.0/0` for SSH access, you make it possible for all IP addresses to access your public EC2 instances using SSH. This approach is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, authorize only a specific IP address or range of addresses to access your EC2 instances using SSH.

      The following image shows an example of the **Network settings** section.  
![\[Network settings for an EC2 instance.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/EC2_RDS_Connect_NtwkSettings.png)

   1. Leave the default values for the remaining sections.

   1. Review a summary of your EC2 instance configuration in the **Summary** panel, and when you're ready, choose **Launch instance**.

1. On the **Launch Status** page, note the identifier for your new EC2 instance, for example: `i-1234567890abcdef0`.  
![\[EC2 instance identifier on Launch Status page.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/getting-started-ec2-id.png)

1. Choose the EC2 instance identifier to open the list of EC2 instances, and then select your EC2 instance.

1. In the **Details** tab, note the following values, which you need when you connect using SSH:

   1. In **Instance summary**, note the value for **Public IPv4 DNS**.  
![\[EC2 public DNS name on Details tab of Instances page.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/easy-create-ec2-public-dns.png)

   1. In **Instance details**, note the value for **Key pair name**.  
![\[EC2 key pair name on Details tab of Instance page.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/easy-create-ec2-key-pair.png)

1. Wait until the **Instance state** for your EC2 instance has a status of **Running** before continuing.

## Step 2: Create an Aurora PostgreSQL DB cluster
<a name="CHAP_GettingStarted.AuroraPostgreSQL.CreateDBCluster"></a>

In this example, you use **Easy create** to create an Aurora PostgreSQL DB cluster with a db.t4g.large DB instance class.

**To create an Aurora PostgreSQL DB cluster with Easy create**

1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the upper-right corner of the Amazon RDS console, choose the AWS Region in which you want to create the DB cluster.

1. In the navigation pane, choose **Databases**.

1. Choose **Create database**, and make sure that **Easy create** is chosen.  
![\[Create database section: Easy create option selected.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/easy-create-option.png)

1. In **Configuration**, choose **Aurora (PostgreSQL Compatible)** for **Engine type**.

1. For **DB instance size**, choose **Dev/Test**.

1. For **DB cluster identifier**, enter **database-test1**.

   The **Create database** page should look similar to the following image.  
![\[Configuration section with selections.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/easy-create-aurora-postgresql.png)

1. For **Master username**, enter a name for the user, or keep the default name (**postgres**).

1. To use an automatically generated master password for the DB cluster, select **Auto generate a password**.

   To enter your master password, make sure **Auto generate a password** is cleared, and then enter the same password in **Master password** and **Confirm password**.

1. To set up a connection with the EC2 instance you created previously, open **Set up EC2 connection - *optional***.

   Select **Connect to an EC2 compute resource**. Choose the EC2 instance you created previously.  
![\[Set up EC2 connection option.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/EC2_RDS_Setup_Conn-EasyCreate.png)

1. Open **View default settings for Easy create**.  
![\[Easy create default settings.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/easy-create-view-default-settings-aurora-postgresql.png)

   You can examine the default settings used with **Easy create**. The **Editable after database is created** column shows which options you can change after you create the database.
   + If a setting has **No** in that column, and you want a different setting, you can use **Standard create** to create the DB cluster.
   + If a setting has **Yes** in that column, and you want a different setting, you can either use **Standard create** to create the DB cluster, or modify the DB cluster after you create it to change the setting.

1. Choose **Create database**.

   To view the master username and password for the DB cluster, choose **View credential details**.

   You can use the username and password that appears to connect to the DB cluster as the master user.
**Important**  
You can't view the master user password again. If you don't record it, you might have to change it.  
If you need to change the master user password after the DB cluster is available, you can modify the DB cluster to do so. For more information about modifying a DB cluster, see [Modifying an Amazon Aurora DB cluster](Aurora.Modifying.md).

1. In the **Databases** list, choose the name of the new Aurora PostgreSQL DB cluster to show its details.

   The writer instance has a status of **Creating** until the DB cluster is ready to use.  
![\[DB cluster details showing Region & AZ and Status.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/creating-status-aurora-postgresql.png)

   When the status of the writer instance changes to **Available**, you can connect to the DB cluster. Depending on the DB instance class and the amount of storage, it can take up to 20 minutes before the new DB cluster is available. 

## (Optional) Create VPC, EC2 instance, and Aurora PostgreSQL cluster using CloudFormation
<a name="CHAP_GettingStartedAurora.CFN.PostgreSQL"></a>

Instead of using the console to create your VPC, EC2 instance, and Aurora PostgreSQL DB cluster, you can use CloudFormation to provision AWS resources by treating infrastructure as code. To help you organize your AWS resources into smaller and more manageable units, you can use the CloudFormation nested stack functionality. For more information, see [ Creating a stack on the CloudFormation console](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) and [Working with nested stacks](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html). 

**Important**  
CloudFormation is free, but the resources that CloudFormation creates are live. You incur the standard usage fees for these resources until you terminate them. For more information, see [Amazon Aurora Pricing](https://aws.amazon.com/rds/aurora/pricing/).

To create your resources using the CloudFormation console, complete the following steps:
+ Step 1: Download the CloudFormation template
+ Step 2: Configure your resources using CloudFormation

### Download the CloudFormation template
<a name="CHAP_GettingStartedAurora.CFN.PostgreSQL.Step1"></a>

A CloudFormation template is a JSON or YAML text file that contains the configuration information about the resources you want to create in the stack. This template also creates a VPC and a bastion host for you along with the Aurora cluster.

To download the template file, open the following link, [Aurora PostgreSQL CloudFormation template](https://github.com/aws-ia/cfn-ps-amazon-aurora-postgresql/blob/main/templates/aurora_postgres-main.template.yaml).

On the GitHub page, click the *Download raw file* button to save the template YAML file.

### Configure your resources using CloudFormation
<a name="CHAP_GettingStartedAurora.CFN.PostgreSQL.Step2"></a>

**Note**  
Before starting this process, make sure you have a Key pair for an EC2 instance in your AWS account. For more information, see [Amazon EC2 key pairs and Linux instances](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/ec2-key-pairs.html).

When you use the CloudFormation template, you must select the correct parameters to make sure your resources are created properly. Follow the steps below:

1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. Choose **Create Stack**.

1. In the Specify template section, select **Upload a template file from your computer**, and then choose **Next**.

1. In the **Specify stack details** page, set the following parameters:

   1. Set **Stack name** to **AurPostgreSQLTestStack**.

   1. Under **Parameters**, set **Availability Zones** by selecting two availability zones.

   1. Under **Linux Bastion Host configuration**, for **Key Name**, select a key pair to log in to your EC2 instance.

   1. In **Linux Bastion Host configuration** settings, set the **Permitted IP range** to your IP address. To connect to EC2 instances in your VPC using Secure Shell (SSH), determine your public IP address using the service at [https://checkip.amazonaws.com](https://checkip.amazonaws.com). An example of an IP address is 192.0.2.1/32.
**Warning**  
If you use `0.0.0.0/0` for SSH access, you make it possible for all IP addresses to access your public EC2 instances using SSH. This approach is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, authorize only a specific IP address or range of addresses to access your EC2 instances using SSH.

   1. Under **Database General configuration**, set **Database instance class** to **db.t4g.large**.

   1. Set **Database name** to **database-test1**.

   1. For **Database master username**, enter a name for the master user.

   1. Set **Manage DB master user password with Secrets Manager** to `false` for this tutorial.

   1. For **Database password**, set a password of your choice. Remember this password for further steps in the tutorial.

   1. Set **Multi-AZ deployment** to `false`.

   1. Leave all other settings as the default values. Click **Next** to continue.

1. In the **Configure stack options** page, leave all the default options. Click **Next** to continue.

1. In the **Review stack** page, select **Submit** after checking the database and Linux bastion host options.

After the stack creation process completes, view the stacks with names *BastionStack* and *APGNS* to note the information you need to connect to the database. For more information, see [ Viewing CloudFormation stack data and resources on the AWS Management Console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html).
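
One way to check for the condition that both SSH warnings describe (in Step 1 and in the **Permitted IP range** setting above), as an added example that is not part of the original tutorial: it lists ingress rules with `aws ec2 describe-security-group-rules` and flags the ones that open SSH to every address. It goes slightly beyond the warning by also catching `::/0`, all-protocol rules, and port ranges that include 22; the function names and sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: find security group ingress rules that expose SSH (TCP 22)
# to every address, which is the condition the SSH warning describes.

# List ingress rules in the current Region as tab-separated rows:
#   group-id  rule-id  protocol  from-port  to-port  ipv4-cidr  ipv6-cidr
# With --output text, missing values are printed as "None".
list_ingress_rules() {
    aws ec2 describe-security-group-rules \
        --query 'SecurityGroupRules[?IsEgress==`false`].[GroupId,SecurityGroupRuleId,IpProtocol,FromPort,ToPort,CidrIpv4,CidrIpv6]' \
        --output text
}

# Read rows in the format above on stdin and print group-id, rule-id and
# source for every rule that allows SSH from 0.0.0.0/0 or ::/0.
# A rule covers SSH when it is TCP with a port range that includes 22,
# or when the protocol is -1 (all traffic).
flag_world_open_ssh() {
    awk -F '\t' '
        {
            proto = $3; from = $4 + 0; to = $5 + 0
            covers_ssh = (proto == "-1") || (proto == "tcp" && from <= 22 && to >= 22)
            world = ($6 == "0.0.0.0/0") ? $6 : (($7 == "::/0") ? $7 : "")
            if (covers_ssh && world != "") {
                printf "%s\t%s\t%s\n", $1, $2, world
            }
        }'
}

# Constructed sample rows (not real resources) covering the edge cases:
# a single-address rule, an open SSH rule, an IPv6 range that includes 22,
# an all-traffic rule, an open non-SSH port, and a rule whose source is
# another security group (no CIDR).
sample_rows() {
    printf 'sg-0aaa\tsgr-01\ttcp\t22\t22\t192.0.2.1/32\tNone\n'
    printf 'sg-0aaa\tsgr-02\ttcp\t22\t22\t0.0.0.0/0\tNone\n'
    printf 'sg-0bbb\tsgr-03\ttcp\t0\t1024\tNone\t::/0\n'
    printf 'sg-0bbb\tsgr-04\t-1\t-1\t-1\t0.0.0.0/0\tNone\n'
    printf 'sg-0ccc\tsgr-05\ttcp\t5432\t5432\t0.0.0.0/0\tNone\n'
    printf 'sg-0ccc\tsgr-06\ttcp\t22\t22\tNone\tNone\n'
}

# Offline demonstration:   sample_rows | flag_world_open_ssh
# Against your account:    list_ingress_rules | flag_world_open_ssh
```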

## Step 3: Connect to an Aurora PostgreSQL DB cluster
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.Connect"></a>

You can use any standard PostgreSQL client application to connect to the DB cluster. In this example, you connect to the Aurora PostgreSQL DB cluster using the psql command line client.

**To connect to the Aurora PostgreSQL DB cluster**

1. Find the endpoint (DNS name) and port number of the writer instance for your DB cluster. 

   1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

   1. In the upper-right corner of the Amazon RDS console, choose the AWS Region for the DB cluster.

   1. In the navigation pane, choose **Databases**.

   1. Choose the Aurora PostgreSQL DB cluster name to display its details. 

   1. On the **Connectivity & security** tab, copy the endpoint of the writer instance. Also, note the port number. You need both the endpoint and the port number to connect to the DB cluster.   
![\[Connectivity & security tab showing endpoint name.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/AuroraPostgreSQLLaunch01.png)

1. Connect to the EC2 instance that you created earlier by following the steps in [Connect to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html) in the *Amazon EC2 User Guide*.

   We recommend that you connect to your EC2 instance using SSH. If the SSH client utility is installed on Windows, Linux, or Mac, you can connect to the instance using the following command format:

   ```
   ssh -i location_of_pem_file ec2-user@ec2-instance-public-dns-name
   ```

   For example, assume that `ec2-database-connect-key-pair.pem` is stored in `/dir1` on Linux, and the public IPv4 DNS for your EC2 instance is `ec2-12-345-678-90.compute-1.amazonaws.com`. Your SSH command would look as follows:

   ```
   ssh -i /dir1/ec2-database-connect-key-pair.pem ec2-user@ec2-12-345-678-90.compute-1.amazonaws.com
   ```

1. Get the latest bug fixes and security updates by updating the software on your EC2 instance. To do so, use the following command.
**Note**  
The `-y` option installs the updates without asking for confirmation. To examine updates before installing, omit this option.

   ```
   sudo dnf update -y
   ```

1. Install the psql command line client from PostgreSQL on Amazon Linux 2023, using the following command:

   ```
   sudo dnf install postgresql15
   ```

1. Connect to the Aurora PostgreSQL DB cluster. For example, enter the following command. This action lets you connect to the Aurora PostgreSQL DB cluster using the psql client.

   Substitute the endpoint of the writer instance for `endpoint`. For `--dbname`, substitute the name of the database that you want to connect to for `postgres`. For `--username`, substitute the master username that you used for `postgres`. When prompted for a password, provide the master password that you used.

   ```
   psql --host=endpoint --port=5432 --dbname=postgres --username=postgres
   ```

   After you enter the password for the user, you should see output similar to the following.

   ```
   psql (14.3, server 14.6)
   SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
   Type "help" for help.
   
   postgres=>
   ```

   For more information about connecting to an Aurora PostgreSQL DB cluster, see [Connecting to an Amazon Aurora PostgreSQL DB cluster](Aurora.Connecting.md#Aurora.Connecting.AuroraPostgreSQL). If you can't connect to your DB cluster, see [Can't connect to Amazon RDS DB instance](CHAP_Troubleshooting.md#CHAP_Troubleshooting.Connecting).

   For security, it is a best practice to use encrypted connections. Only use an unencrypted PostgreSQL connection when the client and server are in the same VPC and the network is trusted. For information about using encrypted connections, see [Securing Aurora PostgreSQL data with SSL/TLS](AuroraPostgreSQL.Security.md#AuroraPostgreSQL.Security.SSL).

1. Run SQL commands.

   For example, the following SQL command shows the current date and time:

   ```
   SELECT CURRENT_TIMESTAMP;
   ```
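
The `psql` command in step 5 relies on the client's default `sslmode=prefer`, which encrypts when the server offers TLS but does not verify the server certificate. The following added example (not part of the original tutorial) connects to the Step 3 cluster with `sslmode=verify-full` and then reads the session's TLS state from `pg_stat_ssl`. The CA bundle URL, the local file path, and the function names are assumptions to adjust for your environment.

```sh
#!/bin/sh
# Added example: connect with certificate and host name verification
# (sslmode=verify-full) and confirm the TLS state of the session.

# Assumption: public URL of the combined RDS/Aurora CA bundle.
CA_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"

# True when the file is readable and holds at least one PEM certificate.
ca_bundle_ok() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Download the bundle to the given path if it is not already there,
# then sanity-check it.
fetch_ca_bundle() {
    [ -s "$1" ] || curl -sSf -o "$1" "$CA_URL" || return 1
    ca_bundle_ok "$1"
}

# Print a libpq connection string that refuses unverified servers.
# Arguments: endpoint port dbname username ca-bundle-path
build_conninfo() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid endpoint: $1" >&2; return 2 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) echo "invalid port: $2" >&2; return 2 ;;
    esac
    ca_bundle_ok "$5" || { echo "CA bundle missing or not PEM: $5" >&2; return 3; }
    printf "host=%s port=%s dbname=%s user=%s sslmode=verify-full sslrootcert='%s'\n" \
        "$1" "$2" "$3" "$4" "$5"
}

# Connect (psql prompts for the master password) and show the TLS
# parameters negotiated for this backend.
connect_verified() {
    conninfo=$(build_conninfo "$@") || return
    psql "$conninfo" -c \
        "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();"
}

# Usage on the EC2 instance ("endpoint" is the writer endpoint placeholder):
#   fetch_ca_bundle "$HOME/global-bundle.pem" &&
#   connect_verified endpoint 5432 postgres postgres "$HOME/global-bundle.pem"
```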

## Step 4: Delete the EC2 instance and DB cluster
<a name="CHAP_GettingStartedAurora.Deleting.AuroraPostgreSQL"></a>

After you connect to and explore the sample EC2 instance and DB cluster that you created, delete them so you're no longer charged for them.

If you used CloudFormation to create resources, skip this step and go to the next step.

**To delete the EC2 instance**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Instances**.

1. Select the EC2 instance, and choose **Instance state, Terminate instance**.

1. Choose **Terminate** when prompted for confirmation.

For more information about deleting an EC2 instance, see [Terminate your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html) in the *Amazon EC2 User Guide*.

**To delete a DB cluster**

1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. Choose **Databases** and then choose the DB instance associated with the DB cluster.

1. For **Actions**, choose **Delete**.

1. Choose **Delete**. 

   After all of the DB instances associated with a DB cluster are deleted, the DB cluster is deleted automatically.

## (Optional) Delete the EC2 instance and DB cluster created with CloudFormation
<a name="CHAP_GettingStartedAurora.DeletingCFN.AuroraPostgreSQL"></a>

If you used CloudFormation to create resources, delete the CloudFormation stack after you connect to and explore the sample EC2 instance and DB cluster, so you're no longer charged for them.

**To delete the CloudFormation resources**

1. Open the CloudFormation console.

1. On the **Stacks** page in the CloudFormation console, select the root stack (the stack without the name VPCStack, BastionStack or APGNS).

1. Choose **Delete**.

1. Select **Delete stack** when prompted for confirmation.

For more information about deleting a stack in CloudFormation, see [Deleting a stack on the CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) in the *AWS CloudFormation User Guide*.

## (Optional) Connect your DB cluster to a Lambda function
<a name="CHAP_GettingStartedAurora.ComputeConnect.AuroraPostgreSQL"></a>

You can also connect your Aurora PostgreSQL DB cluster to a Lambda serverless compute resource. Lambda functions allow you to run code without provisioning or managing infrastructure. A Lambda function also allows you to automatically respond to code execution requests at any scale, from a dozen events a day to hundreds per second. For more information, see [Automatically connecting a Lambda function and an Aurora DB cluster](lambda-rds-connect.md). 

# Create with express configuration
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig"></a>

You can create and connect to an Aurora PostgreSQL serverless database in seconds using express configuration, which provides a streamlined database creation experience with preconfigured defaults to help you get started easily and quickly.

In two clicks, you can have an Aurora cluster with a serverless instance ready to use in seconds. You can also use the AWS Command Line Interface (AWS CLI) or [AWS SDKs](https://docs.aws.amazon.com/sdkref/latest/guide/overview.html) with the parameter `--with-express-configuration` to create both a cluster and an instance within the cluster with a single API call, which makes it ready for running queries in seconds. You have the flexibility to modify most of the settings during database creation, and most other settings afterward. For more information about these settings, see [Express configuration settings](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Settings). Once the cluster is created, you have access to most of the features and benefits of Aurora, such as the ability to add readers for high availability and scalability, and automatic failover capabilities. Some options, such as specifying a customer managed encryption key, selecting specific engine versions, or associating the clusters with an Amazon Virtual Private Cloud (VPC), are only available when using the [Create with full configuration](CHAP_GettingStartedAurora.AuroraPostgreSQL.FullConfig.md) option. This creation experience for Aurora PostgreSQL is also available with the [AWS Free Tier](https://aws.amazon.com/rds/free/). 

**Topics**
+ [Prerequisites](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Prerequisites)
+ [Supported Regions](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.SupportedRegions)
+ [Internet access gateway](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.InternetAccessGateway)
+ [Creating a DB cluster with express configuration](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.CreatingDBCluster)
+ [Express configuration settings](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Settings)
+ [Connecting to clusters with express configuration](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Connecting)
+ [Restoring a cluster created through express configuration](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Restoring)
+ [Limitations](#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Limitations)

## Prerequisites
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Prerequisites"></a>

Before you can create an Aurora PostgreSQL DB cluster with express configuration, you must at minimum have the following permissions:
+ `ec2:DescribeAvailabilityZones`
+ `iam:CreateServiceLinkedRole`
+ `rds:CreateDBCluster`
+ `rds:CreateDBInstance`
+ `rds:EnableInternetAccessGateway`

## Supported Regions
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.SupportedRegions"></a>

You can create an Aurora PostgreSQL serverless cluster with express configuration in all AWS Regions except the AWS China, AWS GovCloud (US), Middle East (UAE), and Middle East (Bahrain) Regions.

## Internet access gateway
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.InternetAccessGateway"></a>

Aurora also provides an internet access gateway, enabled by default, to connect securely with the clusters created through express configuration. This feature is currently supported only for express configuration clusters. It supports the PostgreSQL wire protocol and enables you to connect through the internet from a wide range of tools and development platforms that may be running outside of your AWS infrastructure - no VPN or AWS Direct Connect required. The gateway is distributed across multiple Availability Zones, offering the same level of high availability as your Aurora cluster. It is a managed component of Aurora, so there are no software updates or patches that need to be applied by you.

The internet access gateway is integrated with AWS Identity and Access Management (IAM), allowing you to enforce identity-based permissions for authorized access and safeguard your data with ephemeral token-based access. When using the gateway, the required setup for the database administrator user, including granting the `rds_iam` role, is automatically managed for you.

## Creating a DB cluster with express configuration
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.CreatingDBCluster"></a>

You can create an Aurora PostgreSQL DB cluster with express configuration using the AWS Management Console, the AWS CLI, or the RDS API.

### Console
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.CreatingDBCluster.Console"></a>

**To create with express configuration using the console**

1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. In the upper-right corner of the AWS Management Console, choose the AWS Region in which you want to create the DB cluster.

1. In the navigation pane, choose **Databases**.

1. On the **Welcome to Aurora and RDS** page, locate the **Create with express configuration in seconds** section on the left side, and choose **Create**.  
![\[The Welcome to Aurora and RDS page showing the Create with express configuration section.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image1.png)

1. Review the pre-configured settings in the **Create with express configuration** dialog.  
![\[The Create with express configuration dialog showing pre-configured settings.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image2.png)

1. (Optional) Modify the DB cluster identifier or the capacity range as needed.

1. Choose **Create database**.

1. Your Aurora PostgreSQL Serverless database should be ready in seconds. A success banner confirms the creation, and the database status changes to "Available".  
![\[The database status showing Available after successful creation.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image3.png)

### CLI
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.CreatingDBCluster.CLI"></a>

You can use the AWS CLI to create an Aurora PostgreSQL cluster with express configuration.

For Linux or macOS:

```
aws rds create-db-cluster --db-cluster-identifier sample-express-cluster \
    --engine aurora-postgresql \
    --with-express-configuration
```

For Windows:

```
aws rds create-db-cluster --db-cluster-identifier sample-express-cluster ^
    --engine aurora-postgresql ^
    --with-express-configuration
```

The express configuration parameter creates a database cluster and an Aurora serverless instance, and sets up the internet access gateway and IAM authentication for the admin database user (default = postgres).

### API
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.CreatingDBCluster.API"></a>

You can use the relevant AWS SDK and call the CreateDBCluster operation to create a DB cluster and database instance with the express configuration.

## Express configuration settings
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Settings"></a>

The following table describes the settings for express configuration and indicates whether they can be modified after creation.


| Setting | Setting description | Default Setting and Limitations | 
| --- | --- | --- | 
| Auto minor version upgrade | This setting enables your Aurora DB cluster to receive preferred minor version upgrades to the DB engine automatically when they become available. For more information about engine updates for Aurora PostgreSQL, see [Database engine updates for Amazon Aurora PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.html). | Enabled by default. Can be changed after the create operation completes. | 
| AWS KMS key | [Clusters with express configuration are encrypted with AWS/RDS Service owned keys.](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html) | Enabled with AWS/RDS service owned key. Cannot be modified. | 
| Certificate authority | Clusters with express configuration are enabled with internet access gateway, which uses the AWS root certificates. For more information, see [ACM root CAs](https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html) | Not applicable for connecting through internet access gateway | 
| Cluster storage configuration | The storage type for the DB cluster: Aurora Standard or Aurora I/O-Optimized. For more information, see [Storage Configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html). | Aurora standard by default. Can be changed after the create operation completes. | 
| Copy tags to snapshots | Choose this option to copy any DB instance tags to a DB snapshot when you create a snapshot. For more information, see [Tagging Amazon Aurora and Amazon RDS resources](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html). | Disabled by default. Can be changed during creation or after the creation. | 
| Database authentication | Clusters with express configuration and internet access gateway only support IAM authentication. For more information, see [IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html). | Enabled with IAM Authentication by default. Cannot be modified. | 
| Database port | Clusters with express configuration and internet access gateway only support the default PostgreSQL port | Default value = 5432. Cannot be modified. | 
| DB cluster identifier | Enter a name for your DB cluster that is unique for your account in the AWS Region that you chose. This identifier is used in the cluster endpoint address for your DB cluster. For information on the cluster endpoint, see [Amazon Aurora endpoint connections](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.Endpoints.html). The DB cluster identifier has the following constraints: It must contain from 1 to 63 alphanumeric characters or hyphens. Its first character must be a letter. It cannot end with a hyphen or contain two consecutive hyphens. It must be unique for all DB clusters per AWS account, per AWS Region. | Required parameter. Can be changed during creation or after the creation. | 
| DB cluster parameter group | Clusters with express configuration use the Aurora default DB cluster parameter group. | Default parameter group. Can be changed after the create operation completes. | 
| DB instance class | Clusters with express configuration start with an Aurora Serverless instance. | Serverless v2 instance. Can be changed after the create operation completes. | 
| DB subnet group | Clusters with express configuration are not created within your VPC. Access is through the Aurora internet access gateway | No VPC associated. Cannot be set. | 
| Enable deletion protection | Choose Enable deletion protection to prevent your DB cluster from being deleted. If you create a production DB cluster with the console, deletion protection is enabled by default. | Disabled by default. Can be changed during or after the creation completes. | 
| Enable encryption | [Clusters with express configuration are encrypted with AWS/RDS Service owned keys.](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html) | Enabled with AWS/RDS service owned key. Cannot be modified. | 
| Enable Enhanced Monitoring | Choose Enable enhanced monitoring to enable gathering metrics in real time for the operating system that your DB cluster runs on. For more information, see [Monitoring OS metrics with Enhanced Monitoring](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Monitoring.OS.html). | Disabled by default. Can be changed after the create operation completes. | 
| Enable the RDS Data API | Choose Enable the RDS Data API to enable RDS Data API (Data API). Data API provides a secure HTTP endpoint for running SQL statements without managing connections. For more information, see [Using the Amazon RDS Data API](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html). | Disabled by default. Can be changed after the create operation completes. | 
| Engine type | Clusters with express configuration are only supported with Aurora PostgreSQL. | Required parameter. Supported value: "aurora-postgresql". Cannot be modified. | 
| Engine version | Clusters with express configuration use the default major and minor version. See [Aurora versions](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.VersionPolicy.Versioning.html), for details on default versions. | Default major and minor version. Engine version can be upgraded later. | 
| Failover priority | Choose a failover priority for the instance. If you don't choose a value, the default is tier-1. This priority determines the order in which Aurora Replicas are promoted when recovering from a primary instance failure. For more information, see [Fault tolerance for an Aurora DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraHighAvailability.html). | Default value = 1. Can be changed after the create operation completes. | 
| Initial database name | The name for your default database. If you don't provide a name for an Aurora PostgreSQL DB cluster, Amazon RDS creates a database named postgres. For Aurora PostgreSQL, the default database name has these constraints: It must contain 1–63 alphanumeric characters. It must begin with a letter. Subsequent characters can be letters, underscores, or digits (0–9). It can't be a word reserved by the database engine. To create additional databases, connect to the DB cluster and use the SQL command CREATE DATABASE. For more information about connecting to the DB cluster, see Connecting to an Amazon Aurora DB cluster with internet access gateway. | Default value = postgres. Can be changed during or after the creation completes. | 
| Log exports | In the Log exports section, choose the logs that you want to start publishing to Amazon CloudWatch Logs. For more information about publishing Aurora MySQL logs to CloudWatch Logs, see Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs. For more information about publishing Aurora PostgreSQL logs to CloudWatch Logs, see Publishing Aurora PostgreSQL logs to Amazon CloudWatch Logs. | Disabled by default. Can be changed during or after the creation. | 
| Maintenance window | Choose Select window and specify the weekly time range during which system maintenance can occur. Or choose No preference for Amazon RDS to assign a period randomly. | Default maintenance window varies by [Region](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html). Can be changed during or after the creation. | 
| Manage master credentials in AWS Secrets Manager | Clusters with express configuration and internet access gateway support IAM authentication only. This setting does not apply. | N/A | 
| Master password | Clusters with express configuration and internet access gateway support IAM authentication only. This setting does not apply. | N/A | 
| Master user authentication type | Clusters with express configuration automatically set the authentication type to IAM authentication. | Supported Value = iam-db-auth. Cannot be modified. | 
| Master username | Enter a name to use as the master username to log on to your DB cluster. For Aurora PostgreSQL, it must contain 1–63 alphanumeric characters. The first character must be a letter. The name can't be a word reserved by the database engine. You can't change the master username after the DB cluster is created. | Default value = postgres. Can be changed during or after the creation. | 
| Multi-AZ deployment | Clusters with express configuration are not associated with a VPC, and availability zones are automatically chosen for you. You can add read replicas after the database is created. | Availability zones are automatically chosen. The writer and reader instances are placed in different availability zones. | 
| Network type | Clusters with express configuration are not associated with a VPC. | Not Applicable | 
| Public access | Clusters with express configuration are created with the internet access gateway, which offers secure internet access with built-in integration with AWS Identity and Access Management and AWS Shield. | Not Applicable | 
| RDS Extended Support | Select Enable RDS Extended Support to allow supported major engine versions to continue running past the Aurora end of standard support date. When you create a DB cluster, Amazon Aurora defaults to RDS Extended Support. To prevent the creation of a new DB cluster after the Aurora end of standard support date and to avoid charges for RDS Extended Support, disable this setting. Your existing DB clusters won't incur charges until the RDS Extended Support pricing start date. For more information, see [Amazon RDS Extended Support with Amazon Aurora](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/extended-support.html). | Not supported | 
| RDS Proxy | RDS Proxy is not supported with clusters that are not associated with a VPC. For more information, see [Amazon RDS Proxy for Aurora](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html). | Not supported | 
| Retention period | Choose the length of time, from 1 to 35 days, that Aurora retains backup copies of the database. Backup copies can be used for point-in-time restores (PITR) of your database down to the second. | Default value = 1. Can be changed after the create operation completes. | 
| Backup window | A 30-minute window selected at random from an 8-hour block of time to take automatic backup of your database. | Uses the default parameter group. Can be changed later using parameter groups. | 
| Turn on DevOps Guru | DevOps Guru for RDS provides detailed analysis of performance anomalies. Performance Insights must be turned on. For more information, see [Setting up DevOps Guru for RDS](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/devops-guru-for-rds.html). | Disabled by default. Can be changed after the create operation completes. | 
| Turn on Performance Insights | Amazon RDS Performance Insights provides monitoring information for your database. For more information, see [Monitoring DB load with Performance Insights on Amazon Aurora](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_PerfInsights.html). | Disabled by default. Can be changed after the create operation completes. | 
| Virtual Private Cloud (VPC) | Clusters with express configuration are not associated with a VPC. | N/A | 
| VPC security group (firewall) | Clusters with express configuration are not associated with a VPC. | N/A | 
| Write forwarding | Enables you to forward writes sent on the reader endpoint to the writer node for processing. Enables achieving read-after-write consistency. For more information, see [Local write forwarding in Aurora PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-postgresql-write-forwarding.html). | Disabled by default. Can be changed after the create operation completes. | 

## Connecting to clusters with express configuration
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Connecting"></a>

Clusters created with express configuration are automatically set up with an internet access gateway, which provides public access to your database with IAM authentication. Ensure that the IAM identity you use to connect to the database has permissions to rds-db:connect to generate the authentication token needed to access the database. To learn more, see [IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html).

The following guide demonstrates how to use the various options in the "Connectivity & Security" tab in the AWS Management Console to connect to your database.

The RDS Console surfaces relevant information such as code snippets, endpoint details, and other connection details to help you connect to the database. It also offers a utility to generate a token and direct access through AWS CloudShell. Both the generate token utility and CloudShell connect using the master username you set up at the time of database creation.

### Using the Connectivity & security tab
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Connecting.ConnectivityTab"></a>

After your database is created, navigate to the Connectivity & security tab to access connection options. The Connect to database section provides three methods for connecting:

#### Code snippets
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Connecting.CodeSnippets"></a>

Use when connecting through SDK, APIs, or third-party tools. The console provides ready-to-use code snippets for your selected programming language. The snippets also dynamically reflect the authentication configuration for your database.

The following steps show connecting to your database cluster using the psql command line utility code snippet.

**Prerequisites**
+ You can connect to Aurora PostgreSQL DB clusters by using tools like psql, the PostgreSQL interactive terminal. To install psql and learn more about using the PostgreSQL interactive terminal, see psql in the PostgreSQL documentation.
+ You must have the latest version of the AWS CLI installed. To install or update the AWS CLI, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

**Connecting with psql**

**To connect with psql**

1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. Navigate to your database cluster from the Databases list tab.

1. Under the Connectivity & security tab, select the PSQL code snippet for your respective operating system (macOS, Linux, or Windows).

1. Copy the code shown in the connection steps modal.  
![\[The connection steps modal showing the PSQL code snippet.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image4.png)

1. Open a terminal on your local development environment / machine.

1. (Optional) If you have already configured the AWS CLI and credentials, you can skip this step. Otherwise, use the following command for a temporary login session.

   ```
   aws login
   ```

1. Paste the command you copied in step 4. You should see psql login and the “postgres =>” prompt, enabling you to run SQL commands.

#### CloudShell
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Connecting.CloudShell"></a>

The console provides an automated way to connect to your cluster using AWS CloudShell. The following guide shows the steps to connect using psql and CloudShell.

**Prerequisites**

None

**Using CloudShell and PSQL**

**To connect using CloudShell and PSQL**

1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. Navigate to your database cluster from the Databases list tab.

1. Under the Connectivity & security tab, select CloudShell.

1. Click Launch Cloudshell  
![\[The CloudShell launch button in the connectivity and security tab.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image5.png)

1. Click Run in the prompt window. The command is prepopulated with the relevant information to connect to your specific cluster.  
![\[The CloudShell prompt window with pre-populated connection command.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image6.png)

1. You should see psql login and the “postgres =>” prompt, enabling you to run SQL commands.  
![\[The psql login prompt in CloudShell showing successful connection.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image7.png)

Use for quick access to AWS CLI that launches directly from the AWS Management Console. CloudShell provides a browser-based shell environment with pre-authenticated AWS CLI access.

#### Endpoints with Get token utility
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Connecting.GetToken"></a>

If you are using tools that only support using username and password credentials, you can use the Get token utility to connect. In this case, you use the token generated by the utility in the password field. The token is generated for the master username that you set up at the time of creating the database. The token is valid for 15 minutes at a time. If the tool you are using terminates the connection, you would need to generate the token again.

The following steps show how to use the Get token utility to connect to your database cluster using pgAdmin.

**Prerequisites**
+ You can use the pgAdmin utility to connect to Aurora PostgreSQL DB clusters by using a UI interface. For more information, see the [Download](https://www.pgadmin.org/download/) page from the pgAdmin website.

**Connecting to pgAdmin**

**To connect using pgAdmin**

1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).

1. Navigate to your database cluster from the Databases list tab.

1. Under the Connectivity & security tab, select the “Endpoints” tab.  
![\[The Endpoints tab showing writer endpoint, port, and database details.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image8.png)

1. Copy the relevant information, including the writer endpoint, port, master username, and database name.

1. Generate and copy a new token (short lived password) from the Get token utility.  
![\[The Get token utility for generating an authentication token.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image9.png)

1. Open pgAdmin on your machine, and “Add a new server”. Enter the details in the Connection tab. Use the token in the password field.  
![\[The pgAdmin connection dialog with server details.\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/images/aurora-express-config-image10.png)

The connection panel displays: internet access gateway status (Enabled), IAM Authentication status (Enabled), and IAM authentication token option. Select your programming language from the dropdown and follow the connection steps to paste the code and run the commands.
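The `rds-db:connect` permission and the 15-minute token described above can also be handled from a terminal. The following is an added example, not taken from the AWS console snippets: the function names are hypothetical, the account ID, Region, and resource ID are constructed placeholders, and `sslrootcert=system` assumes libpq 16 or later and a gateway certificate that chains to a root in the system trust store.

```bash
#!/usr/bin/env bash
# Added example: scope rds-db:connect to one database user on one cluster,
# then log in with a short-lived IAM authentication token.

# Print an IAM policy allowing rds-db:connect for ONE user on ONE cluster.
# Args: region, 12-digit account ID, cluster resource ID (cluster-...), db user.
rds_connect_policy() {
    local region="$1" account="$2" resource_id="$3" db_user="$4"

    # Reject malformed account IDs.
    case "$account" in
        ""|*[!0-9]*) echo "account ID must be numeric" >&2; return 1 ;;
    esac
    [ "${#account}" -eq 12 ] || { echo "account ID must be 12 digits" >&2; return 1; }

    # The ARN takes the cluster *resource ID*, not the cluster identifier.
    case "$resource_id" in
        cluster-*) ;;
        *) echo "expected a cluster resource ID (cluster-...)" >&2; return 1 ;;
    esac

    # Refuse wildcards so the policy cannot silently cover other users or clusters.
    case "$region$resource_id$db_user" in
        *[*?]*) echo "wildcards are not allowed" >&2; return 1 ;;
    esac

    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:${region}:${account}:dbuser:${resource_id}/${db_user}"
    }
  ]
}
EOF
}

# Look up the resource ID needed for the policy ARN.
# Arg: DB cluster identifier (for example, sample-express-cluster).
cluster_resource_id() {
    aws rds describe-db-clusters --db-cluster-identifier "$1" \
        --query 'DBClusters[0].DbClusterResourceId' --output text
}

# Generate a token and open psql. The token goes to psql through PGPASSWORD for
# this one process, which keeps it out of the command line and shell history.
# Args: writer endpoint, region, [db user, default postgres], [db name, default postgres].
connect_with_token() {
    local host="$1" region="$2" db_user="${3:-postgres}" db_name="${4:-postgres}"
    local token
    token="$(aws rds generate-db-auth-token --hostname "$host" --port 5432 \
        --username "$db_user" --region "$region")" || return 1
    # Assumption: sslrootcert=system (libpq 16+) validates the gateway certificate.
    PGPASSWORD="$token" psql \
        "host=$host port=5432 dbname=$db_name user=$db_user sslmode=verify-full sslrootcert=system"
}

# Constructed placeholder values; replace them with your own before attaching the policy.
rds_connect_policy us-east-1 111122223333 cluster-EXAMPLERESOURCEID postgres
```

Because the token is only checked when the connection is opened, a client that reconnects after 15 minutes needs a fresh call to `connect_with_token`.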

## Restoring a cluster created through express configuration
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Restoring"></a>

The restore process for express configuration clusters follows the same workflow as standard clusters. You can restore from a manual snapshot using the [restore-db-cluster-from-snapshot](https://docs.aws.amazon.com/cli/latest/reference/rds/restore-db-cluster-from-snapshot.html) operation or restore to a specific point in time using the [restore-db-cluster-to-point-in-time](https://docs.aws.amazon.com/cli/latest/reference/rds/restore-db-cluster-to-point-in-time.html) operation. You can restore a cluster with express configuration to either a cluster with full configuration or a cluster with express configuration. If you want to restore to a cluster with express configuration, both restore operations require two additional parameters—VPCNetworkingEnabled must be set to false and InternetAccessGatewayEnabled must be set to true. If you're restoring a regular cluster that used master username and password authentication to an express configuration cluster, you'll need to modify the restored DB cluster to update MasterUserAuthenticationType to iam-db-auth.

## Limitations
<a name="CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Limitations"></a>

The following limitations apply to clusters created with express configuration and the internet access gateway that is enabled by default.
+ You can use express configuration with Aurora PostgreSQL only.
+ Clusters created with express configuration are encrypted with AWS/RDS service managed key. You cannot use a custom AWS KMS key to encrypt the database.
+ You cannot associate express clusters with an Amazon Virtual Private Cloud (VPC). When connecting from a machine that is inside a VPC to the database with the express cluster with internet access gateway enabled, ensure that the machine allows inbound and outbound traffic from the internet.
+ You cannot disable the internet access gateway for clusters created with express configuration.
+ You can only use RDS IAM authentication with the internet access gateway. See [IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html) for the list of limitations and recommendations. Features related to other forms of authentication, such as managed credentials in AWS Secrets Manager and Kerberos authentication, cannot be used with clusters that have internet access gateway enabled. You also cannot disable IAM authentication.
**Warning**  
If you disable the `rds_iam` role for the master username, you will lose access to new connections to the database. You can restore access by modifying the cluster and setting the `--master-user-authentication-type` to `iam-db-auth`. See [modify-db-cluster](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-cluster.html).
+ You cannot select a specific engine version with express configuration. Engine version can be upgraded but not downgraded.
+ Clusters with express configuration only support creating an Aurora Serverless v2 instance. You can modify the instance type or add instances after the database is created.
+ Clusters with express configuration only support the default parameter group. The parameter group can be updated after the database is created.
+ The following features are not supported with clusters created with express configuration as they are not associated with a VPC.
  + Aurora limitless database
  + Aurora global database
  + RDS Proxy
  + Aurora Zero-ETL integration
  + RDS Query Editor
  + Blue/Green Deployments
  + Database Activity Streams
  + Zero Downtime Patching
  + Babelfish
+ Data API can be enabled for a cluster with express configuration after creation using the ModifyDBCluster operation. However, it doesn't support authentication with master username/password. You must create new user credentials to access Data API.
+ Database Insights Advanced mode can be enabled on a cluster with express configuration after creation using the ModifyDBCluster operation.
+ Clusters with express configuration support IPv4 addresses only. IPv6 is not supported.
+ Clusters with express configuration do not support changing all settings at the time of create operations. For example, you can only choose Aurora standard storage when creating with express configuration. You can change the storage type after the cluster is created. See Express configuration settings for a list of all other settings and default values that apply with express configuration.
+ Clusters created through express configuration with internet access gateway enabled do not support configurable cipher suites. Although Amazon RDS for PostgreSQL allows you to configure the `ssl_ciphers` parameter to restrict allowed SSL cipher suites, this parameter is ignored on clusters with internet access gateway enabled, which use the default cipher suite configuration instead.