[AWS] Relational Database Service (RDS)

RDS is a “Database as a Service (DBaaS)” for OLTP (OnLine Transaction Processing). RDS is a managed Relational Database Service in AWS. The main purpose of RDS is to lower TCO (Total Cost of Ownership).


Relational Database Management Systems (RDBMS)

  • RDBMS is used when the data, which needs to be managed, has formal and fixed relationships.
  • Every table has a schema that defines a fixed layout.
  • There are fixed relations between tables based on keys.
  • RDBMs conform to the ACID system: Atomicity, Consistency, Isolation, and Durability.
  • Oracle, MySQL, or SQL Server

Key/Value DB

  • Data is stored as key-value pair: super fast query and easy scale-up.
  • DynamoDB

Document DB

  • Data is stored as structured documents (key-value pairs). 
  • It is very useful for content management, such as blogs.
  • MongoDB

Column DB

  • Data is stored in columns (attribute sets) rather than in rows. 
  • Warehousing and Analytics.
  • Redshift 

Graph DB

  • Dynamic relationships. Data is stored as nodes and the relationships between nodes.
  • Amazon Neptune

RDS (Relational Database Service) Features

  • RDS provides a fully functional database without the admin overhead. AWS provisions the infrastructure and handles common administrative tasks such as automated backups.
  • RDS runs on virtual machines, and you cannot log in to the host. (Patching is AWS’s responsibility.)
  • You can access RDS instances through endpoints.
  • RSD is charged based on instance size and running hours, provisioned storage, IOPS (for IOPS SSD (io1)), Data transferred out, and backups/snapshots.
  • An RDS database endpoint is represented as a domain name, hostname, or CNAME and is used to communicate with the primary instance. It is highly recommended to use the DNS Name to connect to a DB Instance as the underlying IP address can change (e.g., during failover).
  • RDS can only run one primary instance at a time. If it is reaching its writing capacity, you need to scale the instance vertically.

Supported Database Engines

  • Commercial Engines
    • Orale
    • MS SQL Server
  • Open Source Engines
    • MySQL
    • MariaDB
    • PostgreSQL
  • Cloud-Native Engines
    • Aurora


Database Instance

  • A basic building block to host Amazon RDS
  • An isolated environment that can host multiple user-created databases

Database Instance Class

  • Determines the CUP and Memory Capacity similar to the EC2 Instance Type
  • ex) db.m4.large

Primary Host

  • a node within a DB instance
  • handles the read/write traffic

Read Replica

  • A node that handles read queries
  • Reduces the traffic burden from the primary host

Secondary (Standby) Host

  • a node within a DB instance, which is synchronized with the primary host but does not handle traffic

Provisioning/Configuring RDS


Create Subnet groups -> Select VPN, AZs, and subnets

  1. Create database: Db Engine, Edition, Version
  2. Select templates: Dev, Production, or Free
  3. Configure settings: Instance Identifier (RDS name not a DB name), Admin user, password
  4. Choose instance class
  5. Choose storage (General Purpose SSD, Provisioned IOPS SSD)
  6. Choose Single-AZ or Multi-AZ
  7. Configure connectivity: VPN, Subnet groups, Security Groups
  8. Setup additional Configuration: DB name, Encryption, Monitoring
  • Database Identifier
    • Identifies the database instance
    • Unique in your account across the region
  • Database name and port
    • The name of the database and TCP/IP port that will be created
  • Database Parameter Group
    • A group of parameters that define the configuration of the DB instance
  • Database Option Group
    • Optional functionality you can enable on the DB instance
  • Encryption
    • Encryption at rest of your data
  • Enhanced Monitoring
    • You can see the CPU usages of processes or threads
  • Backups
    • Backup retention period: 0~35 days (7 days default)
    • Backup window: daily time range when automated backups occur
  • Maintenance
    • Enable automatic minor version upgrade
    • Major version upgrades need to be done manually due to application compatibility issues.


  • Database Engine and Version
  • License Model
    • Oracle: On-Demand Licence vs. BYO Licence
  • Database Instance Class
    • T2/T3 Family: Bustable Instance & Moderate Network Performace
    • M3/M4 Family -> General Purpose & High Network Performance
    • R3/R4 Family -> Memory Optimized & High Network Performance
  • DB Subnet groups and Multi-AZ Deployment
    • Primary and Standby in different AZs -> Achieve High Availability
  • Storage Type and Size
    • Aurora uses a proprietary storage system. Other RDS engines use AWS EBS volumes.
    • General Purpose SSD Storage (GP2)
    • Provisioned IOPS Storage (IO1) for I/O intensive workload

Default ports

  • MySQL/Aurora/MariaDB: 3306
  • SQL Server: 1433
  • PostgreSQL: 5432
  • Oracle: 1521

RDS Pricing

  • Instance Hours: based on region, instance type, database engine, and license
  • Database Storage: EBS vs. Aurora, storage type and size
  • Backup Storage: Size of backups (free up to 100% of database storage)
  • Data Transfer: Outgoing traffic only + Copying data region to region

RDS – Shared Responsibility

  • AWS is in charge of deploying the virtual infrastructure, patching OS and DB software, and backing up databases regularly.
  • A customer is responsible for deploying the schema and setting up non-admin user accounts.


Vertical Scaling

  • Scale compute (CPU) or memory
    • New host is attached to existing volumes – Small downtime
    • Multi-AZ: You can scale the Secondary host first to minimize the downtime.
  • Scale Storage (EBS Volumes)
    • No downtime

Horizontal Scaling

  • Scale with Read Replicas
    • No downtime

RDS Security

RDS Security is built with layers: Network Isolation, Access control, Encryption at rest, SSL for database connectivity.

Network Isolation

By putting an RDS instance in a VPC, you can take advantage of VPC security features. In general, you put an RDS instance in a private subnet.

  • A DB Subnet Group is a collection of subnets that are designated for RDS DB Instances in a VPC.
  • RDS uses a DB Subnet Group and specified AZ to select a subnet and an IP address within that subnet.
  • User actions on RDS resources can be controlled by IAM policies.

Network access to an RDS instance is controlled by a Security Group (SG) associated with the RDS instance. By default, access to a DB instance is disabled. Three types of security groups are used for RDS.

  • A VPC security group controls access to DB instances inside VPC.
    • When you add a rule to a group, you need to specify the protocol (TCP) and a port number.
  • A DB security group controls access to EC2-Classic DB instances that are not in a VPC.
    • Each DB security group rule enables a specific source to access a DB instance. When you add a rule to a group, you do not need to specify the destination port number or protocol.
  • An EC2-Classic security group controls access to an EC2-Classic instance.

Access control

For MySQL and PostgreSQL, you can enable IAM DB Authentication. With DB Authentication, you are using a temporary authentication token (, which has a lifetime of 15 minutes) instead of a password. There is no need to store user credentials in the database.

  • With DB authentication, IAM manages access to the DB resources. Also, for applications running on EC2 instances, you can use instance profile credentials to access databases instead of a password.

Encryption at rest

  • Encryption is done at the volume level with no cost
  • Using AWK KMS (AES-256 Encryption)
  • If the primary is encrypted, all nodes (secondary, read replica, and backups) need to be encrypted.
  • Cannot unencrypt once you encrypt
  • Two Tier Encryption
    • Master key is created by you, but each instance uses its own data key. Data keys are encrypted with a master key. Each instance is encrypted with a data key.

SSL connectivity

  • Preventing traffic sniffing

RDS Encryption at Rest

All RDS engines support encryption at rest using the AWS Key Management Service (KMS).

When an instance is encrypted, the following items will be encrypted.

  • Data in the underlying storage
  • Automated backups
  • Manual Snapshots
  • Read Replicas

You can add encryption to an unencrypted DB instance:

  1. Create a DB snapshot
  2. Create a copy of that snapshot and specifying a KMS encryption key
  3. Restore an encrypted DB instance from the encrypted snapshot

Import Data into RDS instances

There are DB Engine specific tool.

  • MySQL: mysqldump or mysqlimport utilities
  • PostgreSQL: pg_dump
  • Oracle: Data Pump, import/export, or SQL Loader
  • SQL Server: Import/Export wizard, full backup files (.bak files) or Bulk Copy Program (BCP)

AWS Database Migration Service (DMS) is an integrated service, which is easy and secure.

Maintenance Window and Maintenance Events

The Amazon RDS maintenance window controls when DB instance modifications, database engine version upgrades, and software patching occurs.

  • Some maintenance events require DB instances offline:
    • Scale DB Instances
    • DB Engine upgrade and patching
  • You can specify a preferred weekly maintenance window. (30 mins by default)
  • Multi-AZ deployment can reduce the impact of a maintenance event.

Enhanced Monitoring for RDS

Enhanced Monitoring provides deeper visibility into the health of RDS instances.

  • CloudWatch gathers metrics about CPU utilization from the hypervisor for a DB instance, and Enhanced Monitoring gathers its metrics from an agent on the instance.
  • You need to enable the option, and you can see the graphic data in the console.
  • Metrics that can be monitored in Enhanced Monitoring:
    • OS metrics: OS processes, RDS processes, and RDS child processes/threads
    • For each process, you are getting RES (actual physical memory), CPU%, and MEM%.
  • The metrics can be delivered to CloudWatch Logs (for 30 days) can be analyzed.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s