[AWS] Relational Database Service (RDS)

RDS is a “Database as a Service (DBaaS)” for OLTP (OnLine Transaction Processing).


Relational Database Management Systems (RDBMS)

  • An RDBMS is used when the data to be managed has formal, fixed relationships.
  • Every table has a schema that defines a fixed layout.
  • There are fixed relations between tables based on keys.
  • RDBMSs conform to the ACID properties: Atomicity, Consistency, Isolation, and Durability.
  • Examples: Oracle, MySQL, SQL Server

Key/Value DB

  • Data is stored as key-value pairs: very fast queries and easy scale-up.
  • DynamoDB

Document DB

  • Data is stored as structured documents (key-value pairs).
  • It is very useful for content management, such as blogs.
  • MongoDB

Column DB

  • Data is stored in columns (attribute sets) rather than in rows.
  • Used for warehousing and analytics.
  • Redshift

Graph DB

  • Dynamic relationships. Data is stored as nodes and the relationships between nodes.
  • Amazon Neptune

RDS (Relational Database Service) Features

  • RDS provides a fully functional database without the admin overhead. AWS provisions the infrastructure and handles common administrative tasks such as automated backups.
  • RDS runs on virtual machines, and you cannot log in to the host. (Patching is AWS’s responsibility.)
  • You can access RDS instances through endpoints.
  • Supported Engines are Aurora, MySQL, MariaDB, PostgreSQL, Oracle, and MS SQL Server.
  • RDS is charged based on instance size and running hours, provisioned storage, IOPS (for Provisioned IOPS SSD (io1)), data transferred out, and backups/snapshots.
  • An RDS database endpoint is represented as a domain name, hostname, or CNAME and is used to communicate with the primary instance. It is highly recommended to use the DNS name to connect to a DB instance, because the underlying IP address can change (e.g., during failover).
  • RDS runs only one primary (writer) instance at a time. If it is reaching its write capacity, you need to scale the instance vertically.

Provisioning/Configuring RDS

Create a DB subnet group -> select the VPC, AZs, and subnets

  1. Create database: DB engine, edition, version
  2. Select a template: Dev, Production, or Free
  3. Configure settings: instance identifier (the RDS instance name, not a DB name), admin user, password
  4. Choose the instance size
  5. Choose storage (General Purpose SSD, Provisioned IOPS SSD)
  6. Choose Single-AZ or Multi-AZ
  7. Configure connectivity: VPC, DB subnet group, security groups
  8. Set up additional configuration: DB name, encryption, monitoring

Default ports

  • MySQL/Aurora/MariaDB: 3306
  • SQL Server: 1433
  • PostgreSQL: 5432
  • Oracle: 1521

RDS – Shared Responsibility

  • AWS is in charge of deploying the virtual infrastructure, patching OS and DB software, and backing up databases regularly.
  • The customer is responsible for deploying the schema and setting up non-admin user accounts.

RDS Security

By putting an RDS instance in a VPC, you can take advantage of VPC security features. In general, you put an RDS instance in a private subnet.

  • A DB Subnet Group is a collection of subnets that are designated for RDS DB Instances in a VPC.
  • RDS uses a DB Subnet Group and specified AZ to select a subnet and an IP address within that subnet.
  • User actions on RDS resources can be controlled by IAM policies.

Network access to an RDS instance is controlled by a Security Group (SG) associated with the RDS instance. By default, access to a DB instance is disabled. Three types of security groups are used for RDS.

  • A VPC security group controls access to DB instances inside a VPC.
    • When you add a rule to a group, you need to specify the protocol (TCP) and a port number.
  • A DB security group controls access to EC2-Classic DB instances that are not in a VPC.
    • Each DB security group rule enables a specific source to access a DB instance. When you add a rule to a group, you do not need to specify the destination port number or protocol.
  • An EC2-Classic security group controls access to an EC2-Classic instance.

For MySQL and PostgreSQL, you can enable IAM DB authentication. With IAM DB authentication, you use a temporary authentication token (which has a lifetime of 15 minutes) instead of a password, so there is no need to store user credentials in the database.

  • With IAM DB authentication, IAM manages access to the DB resources. Also, for applications running on EC2 instances, you can use instance profile credentials to access databases instead of a password.
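To make the 15-minute token concrete, here is an added example (not code from the original post or from AWS) that re-implements what an SDK's generate_db_auth_token call produces: the token is a SigV4 presigned request for the rds-db service, so its lifetime is fixed by the signed X-Amz-Expires=900 parameter and the only secret involved is the caller's IAM credential. The host name, user and credentials in example_token() are constructed placeholders.

```python
import datetime
import hashlib
import hmac
import urllib.parse
# Hypothetical re-implementation (not the SDK's code) of what generate_db_auth_token
# produces: a SigV4 presigned request for rds-db:connect with a 900 s (15 min) expiry.
_SERVICE = "rds-db"
_EMPTY_PAYLOAD = hashlib.sha256(b"").hexdigest()  # GET with no body

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _q(s: str) -> str:  # SigV4 URI encoding of a query key or value
    return urllib.parse.quote(s, safe="-_.~")

def build_auth_token(host, port, db_user, region, access_key, secret_key,
                     session_token=None, now=None, expires=900):
    """Return '<host>:<port>/?Action=connect&DBUser=...' with SigV4 query params."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date}/{region}/{_SERVICE}/aws4_request"
    params = {"Action": "connect", "DBUser": db_user,
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires),  # the 15-minute lifetime noted above
              "X-Amz-SignedHeaders": "host"}
    if session_token:  # instance-profile (STS) credentials carry a session token
        params["X-Amz-Security-Token"] = session_token
    query = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", "/", query, f"host:{host}:{port}", "", "host", _EMPTY_PAYLOAD])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, _SERVICE, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"

def token_expiry(token: str) -> datetime.datetime:
    """When a token stops being accepted: X-Amz-Date plus X-Amz-Expires seconds."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit("https://" + token).query)
    issued = datetime.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return issued.replace(tzinfo=datetime.timezone.utc) + datetime.timedelta(seconds=int(qs["X-Amz-Expires"][0]))

def example_token() -> str:  # constructed (fake) credentials at a fixed instant
    fixed = datetime.datetime(2024, 1, 1, 12, 0, tzinfo=datetime.timezone.utc)
    return build_auth_token("db.example.internal", 3306, "app_user", "us-east-1",
                            "AKIAEXAMPLE", "example-secret", now=fixed)
```

The token is passed as the password to the database client over TLS; because it embeds the issue time and expiry, a leaked token is useless after fifteen minutes, unlike a stored password.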

RDS Encryption at Rest

All RDS engines support encryption at rest using the AWS Key Management Service (KMS).

When an instance is encrypted, the following items are encrypted as well:

  • Data in the underlying storage
  • Automated backups
  • Manual Snapshots
  • Read Replicas

You can add encryption to an unencrypted DB instance:

  1. Create a DB snapshot
  2. Create a copy of that snapshot, specifying a KMS encryption key
  3. Restore an encrypted DB instance from the encrypted snapshot
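An added audit example (not from the original post) that applies the checks from the RDS Security and RDS Encryption at Rest sections above to instance and security-group descriptions. The dict shapes mirror the RDS DescribeDBInstances and EC2 DescribeSecurityGroups API responses (the field names are the real API names); the two instances and two security groups are constructed sample data.

```python
# Constructed sample data in the shape of DescribeDBInstances / DescribeSecurityGroups.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
     "Endpoint": {"Address": "legacy.example.rds.amazonaws.com", "Port": 3306},
     "PubliclyAccessible": True, "StorageEncrypted": False,
     "IAMDatabaseAuthenticationEnabled": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open", "Status": "active"}]},
    {"DBInstanceIdentifier": "prod-postgres", "Engine": "postgres",
     "Endpoint": {"Address": "prod.example.rds.amazonaws.com", "Port": 5432},
     "PubliclyAccessible": False, "StorageEncrypted": True,
     "IAMDatabaseAuthenticationEnabled": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-app-only", "Status": "active"}]},
]
SECURITY_GROUPS = {  # keyed by GroupId
    "sg-open": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    "sg-app-only": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                       "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-tier"}]}]},
}
IAM_AUTH_ENGINES = {"mysql", "postgres"}  # engines the post names for IAM DB authentication

def open_to_world(sg: dict, port: int) -> bool:
    """True if an ingress rule covering `port` admits 0.0.0.0/0 or ::/0."""
    for perm in sg.get("IpPermissions", []):
        all_ports = perm.get("IpProtocol") == "-1"  # "-1" means every protocol and port
        if not (all_ports or perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
        if any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])):
            return True
    return False

def audit_instance(db: dict, security_groups: dict) -> list:
    """Return human-readable findings; an empty list means the instance passes."""
    findings, port = [], db["Endpoint"]["Port"]
    if db.get("PubliclyAccessible"):
        findings.append("endpoint is publicly accessible; keep RDS in a private subnet")
    if not db.get("StorageEncrypted"):
        findings.append("storage, backups and snapshots are not KMS-encrypted")
    if db["Engine"] in IAM_AUTH_ENGINES and not db.get("IAMDatabaseAuthenticationEnabled"):
        findings.append("IAM DB authentication disabled; passwords live in the database")
    for sg in db.get("VpcSecurityGroups", []):
        gid = sg["VpcSecurityGroupId"]
        if open_to_world(security_groups.get(gid, {}), port):
            findings.append(f"{gid} allows TCP {port} from any address")
    return findings

def audit_all(instances: list, security_groups: dict) -> dict:
    return {db["DBInstanceIdentifier"]: audit_instance(db, security_groups) for db in instances}
```

In a real account the two inputs come from the describe_db_instances and describe_security_groups API calls; the unencrypted finding is the one fixed by the snapshot, copy-with-KMS-key and restore steps listed above.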

Import Data into RDS instances

There are DB engine specific tools.

  • MySQL: mysqldump or mysqlimport utilities
  • PostgreSQL: pg_dump
  • Oracle: Data Pump, import/export, or SQL Loader
  • SQL Server: Import/Export Wizard, full backup files (.bak files), or Bulk Copy Program (BCP)

AWS Database Migration Service (DMS) is an integrated service that makes migration easy and secure.

Maintenance Window and Maintenance Events

The Amazon RDS maintenance window controls when DB instance modifications, database engine version upgrades, and software patching occur.

  • Some maintenance events require the DB instance to be taken offline:
    • Scaling DB instances
    • DB engine upgrades and patching
  • You can specify a preferred weekly maintenance window (30 minutes by default).
  • Multi-AZ deployment can reduce the impact of a maintenance event.

Enhanced Monitoring for RDS

Enhanced Monitoring provides deeper visibility into the health of RDS instances.

  • CloudWatch gathers metrics about CPU utilization from the hypervisor for a DB instance, and Enhanced Monitoring gathers its metrics from an agent on the instance.
  • You need to enable the option; you can then view the graphs in the console.
  • Metrics that can be monitored with Enhanced Monitoring:
    • OS metrics: OS processes, RDS processes, and RDS child processes/threads
    • For each process, you get RES (actual physical memory), CPU%, and MEM%.
  • The metrics are delivered to CloudWatch Logs (retained for 30 days by default), where they can be analyzed.
