[AWS] Relational Database Service (RDS)

RDS is a “Database as a Service (DBaaS)” for OLTP (OnLine Transaction Processing). RDS is a managed Relational Database Service in AWS. The main purpose of RDS is to lower TCO (Total Cost of Ownership).

Databases

Relational Database Management Systems (RDBMS)

• RDBMS is used when the data, which needs to be managed, has formal and fixed relationships.
• Every table has a schema that defines a fixed layout.
• There are fixed relations between tables based on keys.
• RDBMs conform to the ACID system: Atomicity, Consistency, Isolation, and Durability.
• Oracle, MySQL, or SQL Server

Key/Value DB

• Data is stored as key-value pair: super fast query and easy scale-up.
• DynamoDB

Document DB

• Data is stored as structured documents (key-value pairs). 
• It is very useful for content management, such as blogs.
• MongoDB

Column DB

• Data is stored in columns (attribute sets) rather than in rows. 
• Warehousing and Analytics.
• Redshift 

Graph DB

• Dynamic relationships. Data is stored as nodes and the relationships between nodes.
• Amazon Neptune

---

RDS (Relational Database Service) Features

• RDS provides a fully functional database without the admin overhead. AWS provisions the infrastructure and handles common administrative tasks such as automated backups.
• RDS runs on virtual machines, and you cannot log in to the host. (Patching is AWS’s responsibility.)
• You can access RDS instances through endpoints.

• RSD is charged based on instance size and running hours, provisioned storage, IOPS (for IOPS SSD (io1)), Data transferred out, and backups/snapshots.

• An RDS database endpoint is represented as a domain name, hostname, or CNAME and is used to communicate with the primary instance. It is highly recommended to use the DNS Name to connect to a DB Instance as the underlying IP address can change (e.g., during failover).
• RDS can only run one primary instance at a time. If it is reaching its writing capacity, you need to scale the instance vertically.

Supported Database Engines

• Commercial Engines
  • Orale
  • MS SQL Server

• Open Source Engines
  • MySQL
  • MariaDB
  • PostgreSQL

• Cloud-Native Engines
  • Aurora

---

Terminologies

Database Instance

• A basic building block to host Amazon RDS
• An isolated environment that can host multiple user-created databases

Database Instance Class

• Determines the CUP and Memory Capacity similar to the EC2 Instance Type
• ex) db.m4.large

Primary Host

• a node within a DB instance
• handles the read/write traffic

Read Replica

• A node that handles read queries
• Reduces the traffic burden from the primary host

Secondary (Standby) Host

• a node within a DB instance, which is synchronized with the primary host but does not handle traffic

---

Provisioning/Configuring RDS

Provisioning

Create Subnet groups -> Select VPN, AZs, and subnets

1. Create database: Db Engine, Edition, Version
2. Select templates: Dev, Production, or Free
3. Configure settings: Instance Identifier (RDS name not a DB name), Admin user, password
4. Choose instance class
5. Choose storage (General Purpose SSD, Provisioned IOPS SSD)
6. Choose Single-AZ or Multi-AZ
7. Configure connectivity: VPN, Subnet groups, Security Groups
8. Setup additional Configuration: DB name, Encryption, Monitoring

• Database Identifier
  • Identifies the database instance
  • Unique in your account across the region
• Database name and port
  • The name of the database and TCP/IP port that will be created
• Database Parameter Group
  • A group of parameters that define the configuration of the DB instance
• Database Option Group
  • Optional functionality you can enable on the DB instance
• Encryption
  • Encryption at rest of your data
• Enhanced Monitoring
  • You can see the CPU usages of processes or threads
• Backups
  • Backup retention period: 0~35 days (7 days default)
  • Backup window: daily time range when automated backups occur
• Maintenance
  • Enable automatic minor version upgrade
  • Major version upgrades need to be done manually due to application compatibility issues.

Configuration

• Database Engine and Version
• License Model
  • Oracle: On-Demand Licence vs. BYO Licence
• Database Instance Class
  • T2/T3 Family: Bustable Instance & Moderate Network Performace
  • M3/M4 Family -> General Purpose & High Network Performance
  • R3/R4 Family -> Memory Optimized & High Network Performance
• DB Subnet groups and Multi-AZ Deployment
  • Primary and Standby in different AZs -> Achieve High Availability
• Storage Type and Size
  • Aurora uses a proprietary storage system. Other RDS engines use AWS EBS volumes.
  • General Purpose SSD Storage (GP2)
  • Provisioned IOPS Storage (IO1) for I/O intensive workload

Default ports

• MySQL/Aurora/MariaDB: 3306
• SQL Server: 1433
• PostgreSQL: 5432
• Oracle: 1521

---

RDS Pricing

• Instance Hours: based on region, instance type, database engine, and license
• Database Storage: EBS vs. Aurora, storage type and size
• Backup Storage: Size of backups (free up to 100% of database storage)
• Data Transfer: Outgoing traffic only + Copying data region to region

---

RDS – Shared Responsibility

• AWS is in charge of deploying the virtual infrastructure, patching OS and DB software, and backing up databases regularly.
• A customer is responsible for deploying the schema and setting up non-admin user accounts.

---

Scaling

Vertical Scaling

• Scale compute (CPU) or memory
  • New host is attached to existing volumes – Small downtime
  • Multi-AZ: You can scale the Secondary host first to minimize the downtime.
• Scale Storage (EBS Volumes)
  • No downtime

Horizontal Scaling

• Scale with Read Replicas
  • No downtime

---

RDS Security

RDS Security is built with layers: Network Isolation, Access control, Encryption at rest, SSL for database connectivity.

Network Isolation

By putting an RDS instance in a VPC, you can take advantage of VPC security features. In general, you put an RDS instance in a private subnet.

• A DB Subnet Group is a collection of subnets that are designated for RDS DB Instances in a VPC.
• RDS uses a DB Subnet Group and specified AZ to select a subnet and an IP address within that subnet.
• User actions on RDS resources can be controlled by IAM policies.

Network access to an RDS instance is controlled by a Security Group (SG) associated with the RDS instance. By default, access to a DB instance is disabled. Three types of security groups are used for RDS.

• A VPC security group controls access to DB instances inside VPC.
  • When you add a rule to a group, you need to specify the protocol (TCP) and a port number.
• A DB security group controls access to EC2-Classic DB instances that are not in a VPC.
  • Each DB security group rule enables a specific source to access a DB instance. When you add a rule to a group, you do not need to specify the destination port number or protocol.
• An EC2-Classic security group controls access to an EC2-Classic instance.

Access control

For MySQL and PostgreSQL, you can enable IAM DB Authentication. With DB Authentication, you are using a temporary authentication token (, which has a lifetime of 15 minutes) instead of a password. There is no need to store user credentials in the database.

• With DB authentication, IAM manages access to the DB resources. Also, for applications running on EC2 instances, you can use instance profile credentials to access databases instead of a password.

Encryption at rest

• Encryption is done at the volume level with no cost
• Using AWK KMS (AES-256 Encryption)
• If the primary is encrypted, all nodes (secondary, read replica, and backups) need to be encrypted.
• Cannot unencrypt once you encrypt
• Two Tier Encryption
  • Master key is created by you, but each instance uses its own data key. Data keys are encrypted with a master key. Each instance is encrypted with a data key.

SSL connectivity

• Preventing traffic sniffing

---

RDS Encryption at Rest

All RDS engines support encryption at rest using the AWS Key Management Service (KMS).

When an instance is encrypted, the following items will be encrypted.

• Data in the underlying storage
• Automated backups
• Manual Snapshots
• Read Replicas

You can add encryption to an unencrypted DB instance:

1. Create a DB snapshot
2. Create a copy of that snapshot and specifying a KMS encryption key
3. Restore an encrypted DB instance from the encrypted snapshot

---

Import Data into RDS instances

There are DB Engine specific tool.

• MySQL: mysqldump or mysqlimport utilities
• PostgreSQL: pg_dump
• Oracle: Data Pump, import/export, or SQL Loader
• SQL Server: Import/Export wizard, full backup files (.bak files) or Bulk Copy Program (BCP)

AWS Database Migration Service (DMS) is an integrated service, which is easy and secure.

---

Maintenance Window and Maintenance Events

The Amazon RDS maintenance window controls when DB instance modifications, database engine version upgrades, and software patching occurs.

• Some maintenance events require DB instances offline:
  • Scale DB Instances
  • DB Engine upgrade and patching
• You can specify a preferred weekly maintenance window. (30 mins by default)
• Multi-AZ deployment can reduce the impact of a maintenance event.

---

Enhanced Monitoring for RDS

Enhanced Monitoring provides deeper visibility into the health of RDS instances.

• CloudWatch gathers metrics about CPU utilization from the hypervisor for a DB instance, and Enhanced Monitoring gathers its metrics from an agent on the instance.

• You need to enable the option, and you can see the graphic data in the console.
• Metrics that can be monitored in Enhanced Monitoring:
  • OS metrics: OS processes, RDS processes, and RDS child processes/threads
  • For each process, you are getting RES (actual physical memory), CPU%, and MEM%.
• The metrics can be delivered to CloudWatch Logs (for 30 days) can be analyzed.