Amazon RDS is a service which provides database connectivity through the Internet. RDS makes it very simple and easy to set-up a relational database in the cloud.
Instead of concentrating on database features, you can concentrate more on the application to provide high availability, security, and compatibility. RDS is a fully managed RDBMS service.
Amazon RDS stands for Relational Database Service
It’s a managed DB service for DB use SQL as a query language.
RDS is a managed service:
- Automated provisioning, OS patching
- Continuous backups and restore to specific timestamp (Point in Time Restore)!
- Monitoring dashboards
- Read replicas for improved read performance
- Multi AZ setup for DR (Disaster Recovery)
- Maintenance windows for upgrades
- Scaling capability (vertical and horizontal)
- Storage backed by EBS (gp2 or io1)
BUT you can’t SSH into your instances.
Benefits of Amazon RDS:
- Reduced Administration Burden: Using RDS, you can easily deploy the database from project conception to production.
There is no need to install any database software and provide the infrastructure. AWS automatically installs the latest software patches to the RDS instance which you have launched.
- Cost-effective: You just pay for what you use, and nothing more. No upfront payment is needed, just the monthly usage payment.
- Security: Using AWS Key Management Service (KMS), you can create encryption keys for maintaining security and authorized access for your database.
- High Availability and Durability: The automated recovery feature of RDS enables point-in-time recovery for your database instance. Multi-AZs provide high availability and durability across the globe.
- Scalability: It just takes a few minutes to scale your infrastructure up or down, and you can scale up to a maximum of 32 vCPUs and 244 GiB.
- Free Tier: AWS gives you a free tier usage of Amazon RDS for 750 hours/month for 12 months.
There are six database engines which RDS provides, and they are:
Microsoft SQL Server
Backups are automatically enabled in RDS
- Daily full backup of the database (during the maintenance window)
- Transaction logs are backed-up by RDS every 5 minutes
- ability to restore to any point in time (from oldest backup to 5 minutes ago)
- 7 days retention (can be increased to 35 days)
- Manually triggered by the user
- Retention of backup for as long as you want
Amazon RDS Read Replicas for read scalability:
Up to 5 Read Replicas
Within AZ, Cross AZ or Cross Region
Replication is ASYNC, so reads are eventually consistent
Replicas can be promoted to their own DB
Applications must update the connection string to leverage read replicas
Read replicas are used for SELECT (=read) only kind of statements (not INSERT, UPDATE, DELETE)
RDS Read Replicas – Network Cost:
In AWS there’s a network cost when data goes from one AZ to another
To reduce the cost, you can have your Read Replicas in the same AZ
RDS Multi AZ (Disaster Recovery):
- SYNC replication
- One DNS name – automatic app failover to standby
- Increase availability
- Failover in case of loss of AZ, loss of network, instance or storage failure
- No manual intervention in apps
- Not used for scaling
RDS Security – Encryption
At rest encryption:
Possibility to encrypt the master & read replicas with AWS KMS – AES-256 encryption
Encryption has to be defined at launch time
If the master is not encrypted, the read replicas cannot be encrypted
Transparent Data Encryption (TDE) available for Oracle and SQL Server
SSL certificates to encrypt data to RDS in flight
Provide SSL options with trust certificate when connecting to database
Encrypting RDS backups:
- Snapshots of un-encrypted RDS databases are un-encrypted
- Snapshots of encrypted RDS databases are encrypted
- Can copy a snapshot into an encrypted one
To encrypt an un-encrypted RDS database:
- Create a snapshot of the un-encrypted database
- Copy the snapshot and enable encryption for the snapshot
- Restore the database from the encrypted snapshot
- Migrate applications to the new database, and delete the old database
Network Security of RDS:
- RDS databases are usually deployed within a private subnet, not in a public one
- RDS security works by leveraging security groups
Access Management of RDS:
IAM policies help control who can manage AWS RDS (through the RDS API)
Traditional Username and Password can be used to login into the database
IAM-based authentication can be used to login into RDS MySQL & PostgreSQL
IAM database authentication works with MySQL and PostgreSQL
Auth token has a lifetime of 15 minutes
- Network in/out must be encrypted using SSL
- IAM to centrally manage users instead of DB
- Can leverage IAM Roles and EC2 Instance profiles for easy integration