RDS - Relational Database Service - Coggle Diagram
RDS - Relational Database Service
Supported DBs
Postgres
MySQL
MariaDB
Oracle
Microsoft SQL Server
Aurora
Creates DBs in the cloud that are managed by AWS
Why RDS over DB on EC2?
Automated provisioning, OS patching
Continuous backups and restore to specific timestamp
Monitoring dashboards
Read replicas for improved read performance
Multi AZ setup for DR
Maintenance windows for upgrades
Scaling capability (vertical and horizontal)
Storage backed by EBS (gp2 or io1)
No SSH access to the underlying instance, however
RDS backups
Automatically enabled
Automated backups
Daily full backup (during maintenance window)
Transaction logs are backed up by RDS every 5 mins
Ability to restore to any point in time
7 days retention (can be increased to 35 days)
DB Snapshots
Manually triggered by the users
Retention of backup for as long as you want
Read Replicas
Scaling DB reads
Up to 5 Read Replicas
Within AZ, Cross AZ/Region
ASYNC replication - reads are eventually consistent
Replicas can be promoted to their own DB
Apps must update their connection string to use the read replicas
https://imgur.com/a/eHVOptW
Use cases
https://imgur.com/a/ZL3qFRA
Production DB taking normal load
You want to run reporting
Create read replica to run the new workload
Production app is not affected
Read replicas should only be used for SELECT statements (not INSERT, UPDATE, DELETE)
Network Cost
https://imgur.com/a/zXQnJwx
There is a cost associated with cross-AZ data transfer
To reduce cost, you can have your read replicas in the same AZ
Multi-AZ (Disaster Recovery)
https://imgur.com/a/hCOxjzv
SYNC replication
One DNS name - autofailover to standby
Increases availability
Failover in case of loss of AZ, network, instance or storage failure
No manual intervention in app
Not used for scaling
Read replicas can be set up as Multi AZ for DR
Security
Encryption
At rest
Encrypt master/read replicas using AWS KMS - AES-256 encryption
Should be defined at launch time
If master is not encrypted, read replicas cannot be encrypted
Transparent Data Encryption (TDE) is available for Oracle and SQL Server
In-flight
SSL certificates to encrypt data to RDS in flight
Provide SSL options with trust certificate when connecting to the database
To enforce SSL
PostgreSQL: rds.force_ssl = 1 in the AWS RDS console
MySQL: Within the DB: GRANT USAGE ON *.* TO 'mysqluser'@'%' REQUIRE SSL;
Operations
Encrypting RDS backups/DBs
Snapshots of unencrypted RDS are unencrypted
Copy unencrypted snapshot to an encrypted one
Can restore DB from encrypted backup
Point app to new DB and delete old unencrypted DB
Network
RDS should be deployed in a private subnet, not a public one
Leverages security groups - they control which IP/security group can communicate with RDS
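As an added example that is not part of the Coggle diagram, the following Python function audits a single RDS instance against the encryption-at-rest, snapshot, backup, Multi-AZ, SSL-enforcement, IAM-auth and network nodes above. The records are constructed to mirror the field names boto3 returns from describe_db_instances, describe_db_snapshots and describe_db_parameters (StorageEncrypted, PubliclyAccessible, MultiAZ, BackupRetentionPeriod, IAMDatabaseAuthenticationEnabled, Encrypted, rds.force_ssl); the instance name, snapshot names, security group id and KMS ARN are placeholders, and the function uses only the standard library so it runs offline. It covers the backup and Multi-AZ nodes as well as the security ones, so it goes slightly beyond the Security branch.

```python
"""Audit constructed RDS describe-* records against the RDS security notes.

Added example, not code from the diagram's author. INSTANCE, SNAPSHOTS and
PARAMETERS are constructed stand-ins for boto3 describe_db_instances,
describe_db_snapshots and describe_db_parameters output; no AWS call is made.
"""

# Constructed sample: an unencrypted, internet-reachable Postgres instance.
INSTANCE = {
    "DBInstanceIdentifier": "orders-prod",  # placeholder name
    "Engine": "postgres",
    "StorageEncrypted": False,
    "KmsKeyId": None,
    "PubliclyAccessible": True,
    "MultiAZ": False,
    "BackupRetentionPeriod": 7,            # days; 0 would mean backups disabled
    "IAMDatabaseAuthenticationEnabled": False,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-PLACEHOLDER", "Status": "active"}],
}

# Constructed snapshots: the automated one inherits the instance's lack of
# encryption; the manual one is the encrypted copy the Operations node describes.
SNAPSHOTS = [
    {"DBSnapshotIdentifier": "rds:orders-prod-2024-01-01-03-00",
     "DBInstanceIdentifier": "orders-prod", "SnapshotType": "automated", "Encrypted": False},
    {"DBSnapshotIdentifier": "orders-prod-encrypted-copy",
     "DBInstanceIdentifier": "orders-prod", "SnapshotType": "manual", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
]

# Constructed parameter group contents (only the parameter we care about).
PARAMETERS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]


def audit_instance(instance, snapshots, parameters):
    """Return (check, detail) pairs for every note on the page that is not met."""
    findings = []
    name = instance["DBInstanceIdentifier"]
    engine = instance["Engine"]
    params = {p["ParameterName"]: p["ParameterValue"] for p in parameters}

    # At-rest encryption can only be chosen at launch; the fix path is the
    # snapshot -> encrypted copy -> restore -> repoint sequence from the notes.
    if not instance.get("StorageEncrypted"):
        findings.append(("StorageEncrypted",
                         f"{name}: not encrypted at rest; copy a snapshot to an "
                         "encrypted one, restore, repoint the app, delete the old DB"))

    # A snapshot of an unencrypted DB is itself unencrypted.
    for snap in snapshots:
        if snap["DBInstanceIdentifier"] == name and not snap.get("Encrypted"):
            findings.append(("UnencryptedSnapshot",
                             f"{snap['DBSnapshotIdentifier']}: unencrypted snapshot"))

    if instance.get("PubliclyAccessible"):
        findings.append(("PubliclyAccessible",
                         f"{name}: publicly accessible; deploy in a private subnet"))

    if instance.get("BackupRetentionPeriod", 0) < 1:
        findings.append(("BackupRetentionPeriod",
                         f"{name}: automated backups disabled, no point-in-time restore"))

    if not instance.get("MultiAZ"):
        findings.append(("MultiAZ", f"{name}: no synchronous standby for failover"))

    # IAM DB auth is only offered for MySQL and PostgreSQL.
    if engine in ("mysql", "postgres") and not instance.get("IAMDatabaseAuthenticationEnabled"):
        findings.append(("IAMDatabaseAuthenticationEnabled",
                         f"{name}: IAM auth disabled; password login is the only path"))

    # In-flight enforcement: parameter group for PostgreSQL, per-user GRANT for MySQL.
    if engine == "postgres" and params.get("rds.force_ssl") != "1":
        findings.append(("rds.force_ssl",
                         f"{name}: rds.force_ssl={params.get('rds.force_ssl')!r}, SSL not forced"))
    if engine == "mysql":
        findings.append(("RequireSSL",
                         f"{name}: verify GRANT ... REQUIRE SSL inside the DB; "
                         "the RDS API does not expose per-user SSL requirements"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_instance(INSTANCE, SNAPSHOTS, PARAMETERS):
        print(f"[{check}] {detail}")
```

Running the audit on the constructed records reports six findings; flipping the instance to encrypted, private, Multi-AZ, IAM-enabled, with rds.force_ssl set to 1 and only encrypted snapshots, returns an empty list.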
Access management
IAM policies via RDS API control who can manage RDS
Traditional username/password can be used to log in to RDS
IAM based auth can be used to log in for just MySQL and PostgreSQL
No need for password, auth tokens can be obtained through IAM and RDS API calls
Token lasts 15 mins
Network in/out must be encrypted using SSL
IAM to manage users instead of DB
Can leverage IAM roles and EC2 instance profiles for easy integration