DynamoDB Accelerator (DAX) Cluster Multi-AZ
Overview
This check verifies that your Amazon DynamoDB Accelerator (DAX) cluster has nodes distributed across multiple Availability Zones (AZs). DAX is an in-memory cache that sits in front of DynamoDB to accelerate read performance. Deploying nodes across multiple AZs ensures your cache remains available even if one AZ experiences an outage.
Risk
If your DAX cluster runs in a single Availability Zone, you face these risks:
- Complete cache unavailability if that AZ has an outage
- Application latency spikes as requests fall back to DynamoDB
- Potential request throttling from sudden load increases on DynamoDB
- Timeout cascades in read-heavy workloads that depend on DAX performance
Remediation Steps
Prerequisites
- AWS account access with permissions to modify DAX clusters
- Your DAX subnet group must include subnets from at least 2 different AZs
AWS Console Method
- Sign in to the AWS Console and navigate to DynamoDB
- In the left sidebar, expand DAX and click Subnet groups
- Verify your subnet group includes subnets from at least 2 different Availability Zones
- If not, create a new subnet group or modify the existing one to include multi-AZ subnets
- Go to DAX > Clusters and select your cluster
- Click Modify
- Under Cluster size, set the number of nodes to 3 or more (recommended for production)
- Select at least 2 different Availability Zones for node placement
- Click Modify cluster
- Wait for the cluster status to return to Available
AWS CLI (optional)
Check current cluster configuration:
aws dax describe-clusters \
--cluster-names my-dax-cluster \
--region us-east-1 \
--query 'Clusters[0].{Name:ClusterName,Nodes:TotalNodes,AZs:Nodes[].AvailabilityZone}'
Add nodes to distribute across multiple AZs:
aws dax increase-replication-factor \
--cluster-name my-dax-cluster \
--new-replication-factor 3 \
--availability-zones us-east-1a us-east-1b us-east-1c \
--region us-east-1
Parameters:
- --cluster-name: Name of your existing DAX cluster
- --new-replication-factor: Total number of nodes (must be greater than current)
- --availability-zones: List of AZs to place the new nodes (specify multiple)
Monitor the modification:
aws dax describe-clusters \
--cluster-names my-dax-cluster \
--region us-east-1 \
--query 'Clusters[0].Status'
Wait until the status changes from modifying to available.
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: DAX Cluster with Multi-AZ deployment

Parameters:
  ClusterName:
    Type: String
    Description: Name of the DAX cluster
    Default: my-dax-cluster
  NodeType:
    Type: String
    Description: The compute and memory capacity of the nodes
    Default: dax.r5.large
  SubnetGroupName:
    Type: String
    Description: Name of the subnet group for DAX cluster
  IAMRoleArn:
    Type: String
    Description: ARN of the IAM role for DAX cluster
  AvailabilityZone1:
    Type: AWS::EC2::AvailabilityZone::Name
    Description: First availability zone
  AvailabilityZone2:
    Type: AWS::EC2::AvailabilityZone::Name
    Description: Second availability zone
  AvailabilityZone3:
    Type: AWS::EC2::AvailabilityZone::Name
    Description: Third availability zone

Resources:
  DAXCluster:
    Type: AWS::DAX::Cluster
    Properties:
      ClusterName: !Ref ClusterName
      Description: DAX cluster with multi-AZ deployment
      IAMRoleARN: !Ref IAMRoleArn
      NodeType: !Ref NodeType
      ReplicationFactor: 3
      SubnetGroupName: !Ref SubnetGroupName
      AvailabilityZones:
        - !Ref AvailabilityZone1
        - !Ref AvailabilityZone2
        - !Ref AvailabilityZone3
      SSESpecification:
        SSEEnabled: true

Outputs:
  ClusterArn:
    Description: ARN of the DAX cluster
    Value: !GetAtt DAXCluster.Arn
  ClusterEndpoint:
    Description: Endpoint of the DAX cluster
    Value: !GetAtt DAXCluster.ClusterDiscoveryEndpoint
Key configuration points:
- ReplicationFactor: 3 ensures 3 nodes for high availability
- AvailabilityZones list must contain zones from your subnet group
- SSESpecification.SSEEnabled: true enables encryption at rest (recommended)
Terraform (optional)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_name" {
  description = "Name of the DAX cluster"
  type        = string
  default     = "my-dax-cluster"
}

variable "node_type" {
  description = "The compute and memory capacity of the nodes"
  type        = string
  default     = "dax.r5.large"
}

variable "subnet_ids" {
  description = "List of subnet IDs for the DAX subnet group (must span multiple AZs)"
  type        = list(string)
}

variable "iam_role_arn" {
  description = "ARN of the IAM role for DAX cluster"
  type        = string
}

variable "availability_zones" {
  description = "List of availability zones for DAX nodes (minimum 2 for multi-AZ)"
  type        = list(string)
  default     = ["us-east-1a", "us-east-1b", "us-east-1c"]
}

resource "aws_dax_subnet_group" "main" {
  name        = "${var.cluster_name}-subnet-group"
  description = "Subnet group for DAX cluster spanning multiple AZs"
  subnet_ids  = var.subnet_ids
}

resource "aws_dax_cluster" "main" {
  cluster_name       = var.cluster_name
  iam_role_arn       = var.iam_role_arn
  node_type          = var.node_type
  replication_factor = 3
  subnet_group_name  = aws_dax_subnet_group.main.name
  availability_zones = var.availability_zones

  server_side_encryption {
    enabled = true
  }

  tags = {
    Name        = var.cluster_name
    Environment = "production"
  }
}

output "cluster_arn" {
  description = "ARN of the DAX cluster"
  value       = aws_dax_cluster.main.arn
}

output "cluster_endpoint" {
  description = "Endpoint of the DAX cluster"
  value       = aws_dax_cluster.main.cluster_address
}

output "configuration_endpoint" {
  description = "Configuration endpoint for DAX clients"
  value       = aws_dax_cluster.main.configuration_endpoint
}
Key configuration points:
- replication_factor = 3 creates 3 nodes for high availability
- availability_zones must list at least 2 distinct AZs
- Subnet group must include subnets spanning those AZs
- server_side_encryption enables encryption at rest
Verification
After making changes, verify your cluster is properly configured:
- In the AWS Console, go to DynamoDB > DAX > Clusters
- Select your cluster and review the Nodes section
- Confirm nodes are distributed across at least 2 different Availability Zones
- Re-run the Prowler check to confirm remediation
CLI verification commands
# List all nodes and their AZs
aws dax describe-clusters \
--cluster-names my-dax-cluster \
--region us-east-1 \
--query 'Clusters[0].Nodes[].{NodeId:NodeId,AZ:AvailabilityZone,Status:NodeStatus}' \
--output table
# Run Prowler to verify the fix
prowler aws --checks dynamodb_accelerator_cluster_multi_az
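The same multi-AZ test can be scripted over saved describe-clusters output, for example to audit many clusters at once. The Python below is an added example, not Prowler's implementation or code from the original page; the cluster names, node IDs and the rule that only nodes reporting "available" count toward AZ coverage are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `aws dax describe-clusters` output.
SAMPLE = json.loads("""
{"Clusters": [
 {"ClusterName": "orders-cache", "Nodes": [
   {"NodeId": "orders-cache-a", "AvailabilityZone": "us-east-1a", "NodeStatus": "available"},
   {"NodeId": "orders-cache-b", "AvailabilityZone": "us-east-1b", "NodeStatus": "available"},
   {"NodeId": "orders-cache-c", "AvailabilityZone": "us-east-1c", "NodeStatus": "available"}]},
 {"ClusterName": "session-cache", "Nodes": [
   {"NodeId": "session-cache-a", "AvailabilityZone": "us-east-1a", "NodeStatus": "available"},
   {"NodeId": "session-cache-b", "AvailabilityZone": "us-east-1a", "NodeStatus": "available"},
   {"NodeId": "session-cache-c", "AvailabilityZone": "us-east-1a", "NodeStatus": "available"}]},
 {"ClusterName": "report-cache", "Nodes": [
   {"NodeId": "report-cache-a", "AvailabilityZone": "us-east-1a", "NodeStatus": "available"},
   {"NodeId": "report-cache-b", "AvailabilityZone": "us-east-1b", "NodeStatus": "creating"}]}
]}
""")


def evaluate_cluster(cluster, min_azs=2):
    """Classify one cluster entry by how many AZs hold serving nodes."""
    nodes = cluster.get("Nodes", [])
    # Assumption: only nodes reporting "available" count, because a node that
    # is still being created in a second AZ cannot absorb an AZ outage yet.
    serving = {n["AvailabilityZone"] for n in nodes
               if n.get("NodeStatus") == "available" and n.get("AvailabilityZone")}
    pending = {n["AvailabilityZone"] for n in nodes
               if n.get("NodeStatus") != "available" and n.get("AvailabilityZone")}
    return {
        "cluster": cluster.get("ClusterName", "<unnamed>"),
        "status": "PASS" if len(serving) >= min_azs else "FAIL",
        "serving_azs": sorted(serving),
        "pending_azs": sorted(pending - serving),
        "node_count": len(nodes),
    }


def audit(response, min_azs=2):
    """Evaluate every cluster in a DescribeClusters-shaped response."""
    return [evaluate_cluster(c, min_azs) for c in response.get("Clusters", [])]


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(json.dumps(finding))
```

The session-cache entry shows why the node count alone is not enough: three nodes placed in one AZ still fail the check.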
Additional Resources
- Amazon DAX Cluster Management
- DAX Concepts
- AWS DAX CloudFormation Reference
- Terraform aws_dax_cluster Resource
Notes
- Cost consideration: Adding nodes increases costs. Each node is billed separately based on the node type.
- Minimum for production: AWS recommends at least 3 nodes across 3 AZs for production workloads.
- Subnet group requirement: Your subnet group must already contain subnets in multiple AZs before you can deploy multi-AZ nodes.
- No downtime: Adding nodes to an existing cluster does not cause downtime; the cluster remains available during modification.
- Node types: Ensure your chosen node type is available in all selected Availability Zones.