Configuring Amazon Aurora MySQL for Syncari Connector Access via NLB

Mike Jones

RDS Proxy + NLB (recommended for Aurora)

RDS Proxy sits in front of your Aurora cluster and provides a stable managed endpoint with connection pooling. It handles Aurora failovers transparently — the proxy absorbs the writer switch so Syncari sees an uninterrupted connection. This is the preferred pattern for Aurora. 

Prerequisites

  • A VPC with an internet gateway attached
  • A public subnet in this VPC for the NLB
  • One or more private subnets in the same VPC for the RDS Proxy (one per Availability Zone recommended)
  • An Aurora MySQL cluster running in the private subnet(s)
  • A security group for the NLB allowing inbound TCP on port 3306, restricted to Syncari's egress IP ranges
  • A security group on the Aurora cluster allowing inbound TCP on port 3306 from the private subnet CIDR(s) where RDS Proxy will be deployed
  • A security group for RDS Proxy allowing inbound TCP on port 3306 from the NLB's subnet CIDR, and outbound TCP on port 3306 to the Aurora cluster's security group
  • An AWS Secrets Manager secret containing the Aurora database username and password
  • An IAM role allowing RDS Proxy to read that Secrets Manager secret (AWS will offer to create this automatically during proxy setup)

Steps

  1. In the RDS Console, go to Proxies → Create proxy. Set the following:
    • Engine family: MySQL
    • Proxy identifier: a meaningful name
    • Database: select your Aurora cluster
    • Secrets Manager secret: select the secret containing your Aurora credentials
    • VPC: select the same VPC as your Aurora cluster
    • Subnets: select the private subnets
  2. Create the proxy and wait for it to reach Available status. This may take a few minutes.
  3. Copy the proxy’s endpoint hostname (e.g., myproxy.proxy-abc123.us-east-1.rds.amazonaws.com).
  4. Find the private IPs of the proxy’s ENIs. In the EC2 Console, go to Network Interfaces and filter by description containing RDSProxy. Note the private IP of each ENI — there is typically one per subnet the proxy was placed in.
  5. Create a target group: IP addresses type, TCP/3306, in the same VPC. Register each proxy ENI private IP from step 4. Click Include as pending below for each.
  6. Create the target group.
  7. Go to EC2 → Load Balancers → Create Load Balancer and select Network Load Balancer. Choose Internet-facing. Under Network mapping, select the VPC and public subnet from the prerequisites.
  8. Attach the security group that allows inbound TCP on port 3306 from Syncari's IP ranges. 
  9. Add a listener: protocol TCP, port 3306, forwarding to the target group created in step 6. 
  10. Review and create the NLB. 
  11. Set up IP synchronization for the proxy endpoint. While RDS Proxy ENI IPs are more stable than Aurora endpoint IPs, they can still change during proxy maintenance or scaling events. Deploy AWS's reference Lambda solution (search AWS docs or the AWS Solutions Library for "Hostname as Target for Network Load Balancers"), and configure it with the proxy endpoint hostname (from step 3) and the target group ARN from step 6. The Lambda runs on a schedule, resolves the hostname, and updates the target group's registered IPs automatically.
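Because the NLB in this setup is internet-facing, its security group is the only control keeping port 3306 off the open internet. The following check is an added example, not part of the original article or Syncari's tooling: it audits a security group (in the shape returned by the EC2 DescribeSecurityGroups API) and reports any ingress rule that exposes port 3306 to a source outside an allowlist. The allowlist CIDRs and the sample group are constructed placeholders; substitute Syncari's published egress ranges.

```python
import ipaddress

DB_PORT = 3306
# Placeholder allowlist (documentation ranges), NOT Syncari's real egress CIDRs.
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.16/28"]

# Constructed sample in the shape of one DescribeSecurityGroups entry.
SAMPLE_NLB_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # A wide port range still covers 3306 and must be checked too.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "198.51.100.20/32"},
                      {"CidrIp": "198.51.100.0/24"}]},
    ],
}

def _covers_port(perm, port):
    """True if this ingress rule admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port fields
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_ingress(security_group, allowed_cidrs, port=DB_PORT):
    """Return (group_id, cidr) for each source on `port` outside the allowlist."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in security_group.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # A source passes only if it sits entirely inside an allowed range.
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append((security_group["GroupId"], cidr))
    return findings

if __name__ == "__main__":
    for group_id, cidr in audit_ingress(SAMPLE_NLB_SG, ALLOWED_CIDRS):
        print(f"{group_id}: port {DB_PORT} reachable from {cidr}")
```

In a live account, the same function can be fed each entry of the SecurityGroups list returned by boto3's describe_security_groups call for the NLB's security group.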

     

Configuring the Syncari MySQL Synapse

Use the NLB’s DNS name as the Host, port 3306, and the credentials stored in your Secrets Manager secret. Reference the MySQL Setup article for the Synapse configuration steps.
