This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
• Amazon RDS overview (super quick)• Security• Customer story• Migrating to RDS• Metrics and monitoring• Scaling on RDS• Backups and snapshots• High availability
No infrastructure management
Scale up/downCost-effective
Instant provisioning
Application compatibility
Amazon Relational Database Service (Amazon RDS)
Amazon RDS engines
Commercial Open source Amazon Aurora
Amazon Aurora vs. MySQLFeature RDS Aurora RDS MySQL
Number of replicas Up to 15 Up to 5
Replication type Asynchronous (milliseconds) Asynchronous (seconds)
Replication performance impact on primary
Low High
Replica can act as failover target Yes (no data loss) Yes (potentially minutes of loss)
Storage Up to 64 TB, auto growth Up to 6 TB, specify storage limit
Automated failover Yes, to replica Yes, to standby
User-‐defined replication delay No Yes
Replica support for different data or schema vs. primary
No Yes
Cross-‐region replication No Yes
Data cache survives Yes No
Trade-offs with a managed service
Fully managed host and OS• No access to the database host operating system• Limited ability to modify configuration that is managed on the host operating system
• No functions that rely on configuration from the host OSFully managed storage
Amazon Virtual Private Cloud (Amazon VPC)Securely control network configuration
Availability Zone
AWS Region
10.1.0.0/16
10.1.1.0/24Manage connectivity
AWS Direct Connect
VPN Connection
VPC Peering
Internet Gateway
Routing Rules
Security groupsDatabase IP firewall protection
Protocol Port Range SourceTCP 3306 172.31.0.0/16
TCP 3306 “Applicationsecurity group”
Corporate address admins
Application tier
Compliance
Singapore MTCS
27001/900127017/27018
MySQL and Oracle• SOC 1, 2, and 3• ISO 27001/9001• ISO 27017/27018• PCI DSS• FedRamp• HIPAA BAA• UK government programs• Singapore MTCS
Compliance
SQL Server and PostgreSQL• SOC 1, 2, and 3• ISO 27001/9001• ISO 27017/27018• PCI DSS• UK government programs• Singapore MTCS
SSL
Available for all six engines
Using SSL to encrypt a connection to a DB instance
mysql -h myinstance.c9akciq32.rds-eu-west-1.amazonaws \--ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert.com
At-rest encryption
• DB instance storage• Automated backups• Read Replicas• Snapshots
• Available for all six engines• No additional cost• Support compliance requirements
AWS KMS — RDS standard encryption
Two-tiered key hierarchy using envelope encryption• Unique data key encrypts customer data• AWS KMS master keys encrypt data keys
Benefits:• Limits risk of compromised data key• Better performance for encrypting large data• Easier to manage small number of master keys than millions of data keys
• Centralized access and audit of key activity
Data Key 1
Amazon S3 Object
Amazon EBS Volume
Amazon Redshift Cluster
Data Key 2 Data Key 3 Data Key 4
CustomApplication
Customer MasterKey(s)
Enabling encryptionAWS Command Line Interface (AWS CLI)
• You can only encrypt on new database creation• Encryption cannot be removed• Master and Read Replica must be encrypted• Unencrypted snapshots cannot be restored to encrypted DB• Cannot restore MySQL to Aurora or Aurora to MySQL• Cannot copy snapshots or replicate DB across regions
IAM governed accessYou can use AWS Identity and Access Management (IAM) to control who can perform actions on RDS
Users and DBAApplications DBA and Ops
Your database RDS
Controlled with IAMControlled with database grants
NOTE: Aon does not provide or express an opinion or recommendation regarding any matter mentioned in this presentation.The recipient understands that neither Aon nor its employees makes or shall make any representation or warranty as to the accuracy or completeness of any information contained in this presentation. Aon shall not have any liability to the recipient or any other party resulting from the use of such information by the recipient or any other party.The information contained in this presentation may not be reproduced in any way or disseminated to any other party without the prior written consent of Aon.
Aon has endeavoured to ensure that this presentation is free of any virus or any other thing that would affect the recipient’s computer system. However, Aon cannot guarantee the security status of this presentation when accessed by the reader and shall not have any liability to the reader, recipient or any other party resulting from access to or use of the information contained herein.
Disclaimer
Migrating onto RDS
Historically, Migration = Cost, Time
Commercial data migration and replication software
Complex to setup and manage
Legacy schema objects, PL/SQL or T-SQL code
Application downtime
Database Migration – 2 Steps
Step 1: Schema Conversion Overview
ü Move data to the same or different database engine
ü Keep your apps running during the migration
ü Start your first migration in 10 minutes or less
ü Replicate within, to, or from Amazon EC2 or RDS
AWS Database Migration Service
Customerpremises
Application Users
AWS
Internet
VPN
Start a replication instanceConnect to source and target databaseSelect tables, schemas, or databases
Let the AWS Database Migration Service create tables, load data, and keep them in syncSwitch applications over to the target at your convenience
• Get Notified when events occur on your database instances
• 17 different event categories (availability, backup, configuration change, and so on)
• Uses Amazon Simple Notification Service (Amazon SNS)
Scaling on RDS
Scale out with Read Replicas
Relieve pressure on your master node for supporting reads and writes.
Bring data close to your customer’s applications in different regions
Promote a Read Replica to a master for faster recovery in the event of disaster
Replicas within and cross-region• MySQL, MariaDB,
PostgreSQL• Aurora
Engines Needing Other Tools• Oracle • Microsoft SQL Server
Creating and Prompting Read Replicas Read Replica creation and promotion are accessed from the Instance Actions button in the RDS console
Creating and Promoting Read Replicas
Creating and Promoting Read Replicas With CLI
Creating and Promoting Read Replicas With CLI
Scaling Up and Down
• Handle higher load or lower usage
• Control costs
Scaling Up and DownConsole
Backups and snapshots
RDS Backups
MySQL, PostgreSQL, MariaDB, Oracle, SQL Server• Scheduled daily backup of entire instance• Archive database change logs• Up to 35 day retention for backups• I/O suspension as backup is initiated (but not with multi-AZ deployment)• Multiple copies in each AZ where you have instances for a deployment
Aurora• Automatic, continuous, incremental backups• Point-in-time restore• No impact on database performance• 35 day retention
RDS Restore
• Restoring creates an entire new database instance• You define all the instance configuration just like a new instance
Snapshots
• Full copies of your Amazon RDS database that are different from your scheduled backups
• Backed by Amazon S3• Typical use cases
• Resolve production issues• Nonproduction environments• Point-in-time restore• Final copy before terminating a database• Disaster recovery• Cross-region copy• Copy between accounts