# Chapter 21: Amazon RDS - Relational Database Service

Managed Relational Databases

## 21.1 Overview

Amazon RDS (Relational Database Service) is a managed service that makes it easier to set up, operate, and scale a relational database in the cloud.
RDS Overview:

- Managed Database: backup, patching, scaling
- Multiple Engines: MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, Aurora
- High Availability: Multi-AZ, failover, replicas

## 21.2 Supported Database Engines

| Engine | Version Support | Use Case |
|---|---|---|
| MySQL | 5.7, 8.0 | Web apps, CMS |
| PostgreSQL | 12-16 | Enterprise apps |
| Oracle | 12c, 19c, 21c | Enterprise |
| SQL Server | 2016-2022 | Windows apps |
| MariaDB | 10.2-10.11 | MySQL compatible |
| Aurora | MySQL/PostgreSQL | Cloud-native |
## 21.3 RDS Architecture

### Single-AZ Deployment

A single RDS primary instance runs in one Availability Zone (AZ A). The database engine writes to one EBS volume in that same AZ, so the loss of the AZ means the loss of the instance.

Use case: development, non-critical workloads.

### Multi-AZ Deployment

- AZ A: RDS primary instance (active) with its EBS volume (primary)
- AZ B: RDS standby instance (passive) with its EBS volume (replica)
- Synchronous replication from the primary volume to the standby volume

Features:

- Synchronous replication
- Automatic failover
- Single DNS endpoint
- 99.95% availability SLA

### Multi-AZ DB Cluster

One writer, two readers:

- AZ A: writer instance
- AZ B: reader instance
- AZ C: reader instance
- All three instances attach to a shared storage volume (the cluster volume)

Features:

- One writer, up to two readers
- Shared storage volume
- Faster failover (typically 35 seconds)
- Read scalability

## 21.4 Read Replicas

Same-Region Read Replica:

- AZ A: primary instance
- AZ B: read replica 1
- AZ C: read replica 2
- Asynchronous replication from the primary to the replicas

Cross-Region Read Replica:

- us-east-1: primary instance
- eu-west-1: read replica
- Cross-region replication from the primary to the replica

Features:

- Asynchronous replication
- Read scaling
- Can be promoted to primary
- Up to 5 read replicas per primary
- Cross-region for DR
## 21.5 RDS Storage

### Storage Types

General Purpose SSD (gp2/gp3)

- Features: cost-effective SSD; 3 IOPS per GB (gp2); up to 16,000 IOPS (gp3); burst capability
- Use case: development, medium workloads

Provisioned IOPS SSD (io1/io2)

- Features: highest performance; up to 80,000 IOPS; predictable latency
- Use case: production databases, I/O-intensive workloads

Magnetic (Standard) - Legacy

- Features: lowest cost; limited performance
- Use case: small databases, rarely accessed data

### Storage Autoscaling

How it works:

1. Enable storage autoscaling
2. Set the maximum storage threshold
3. RDS monitors storage usage
4. Storage is increased automatically when the trigger condition is reached

Triggers:

- Free storage < 10% of allocated
- Or within 5 minutes of reaching the threshold

Scaling:

- Increases in 5 GB increments
- No downtime
## 21.6 RDS Security

### Network Security

VPC Configuration

- DB Subnet Group: one private subnet per AZ (Subnet 1 in AZ-a, Subnet 2 in AZ-b, Subnet 3 in AZ-c)
- Security Group, inbound: TCP 3306 (MySQL) from the application security group; TCP 5432 (PostgreSQL) from the application security group
- Security Group, outbound: none required (security groups are stateful, so replies to inbound connections need no outbound rule)

Public vs Private:

- Public access: not recommended for production; use for development only
- Private only: recommended for production; access via VPC, VPN, or Direct Connect

### Encryption

Encryption at Rest

- Features: AES-256 encryption; AWS KMS integration; encrypts storage, logs, and backups; must be enabled at creation
- Limitations: cannot encrypt an existing unencrypted DB; must create a new encrypted DB and migrate

Encryption in Transit

- Features: SSL/TLS connections; enforce via parameter group (`rds.force_ssl = 1`)
- Connection:

```sh
mysql -h mydb.xxxx.rds.amazonaws.com \
  --ssl-ca=rds-ca-2019-root.pem \
  --ssl-mode=REQUIRED
```

Note that `--ssl-mode=REQUIRED` only forces an encrypted channel; the CA bundle passed with `--ssl-ca` is checked against the server certificate only with `--ssl-mode=VERIFY_CA` or `VERIFY_IDENTITY`.
## 21.7 RDS Backups

### Automated Backups

Features:

- Enabled by default
- Retention: 1-35 days
- Point-in-time recovery (PITR)
- Transaction logs backed up every 5 minutes

Backup Window:

- Default: random 30-minute window
- Can be customized
- Brief I/O suspension (Single-AZ)

Point-in-Time Recovery

Timeline: one full backup followed by transaction log backups every 5 minutes up to now:

```text
|----|----|----|----|----|----|----|----|
^    ^    ^    ^    ^    ^    ^    ^    ^
Full Log  Log  Log  Log  Log  Log  Log  Now
Backup
```

Recovery:

- Select any point in the retention period
- Creates a new DB instance

### Manual Snapshots

Features:

- Manually triggered
- Retained until explicitly deleted
- No expiration
- Can be shared with other accounts
- Can be copied to other regions

Use Cases:

- Pre-change backups
- Long-term retention
- Cross-region disaster recovery

Snapshot Copy

- Source region: manual snapshot; destination region: snapshot copy (encrypted)
- Features: cross-region copy; can re-encrypt with a different key; for disaster recovery
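As an added example (not part of the original chapter), a Python posture check that applies the settings from 21.6 and 21.7 to records shaped like the boto3 `describe_db_instances()` response; the two instance records are constructed, and the TLS check accepts either the `rds.force_ssl` parameter named above or `require_secure_transport`.

```python
from typing import Dict, List

# Added example. Field names follow the boto3 describe_db_instances() response;
# both records below are constructed, not taken from a real account.
WEAK_INSTANCE: Dict = {                  # development-style instance
    "DBInstanceIdentifier": "dev-db",
    "PubliclyAccessible": True,
    "StorageEncrypted": False,
    "MultiAZ": False,
    "BackupRetentionPeriod": 0,          # 0 disables automated backups
    "DeletionProtection": False,
    "EnabledCloudwatchLogsExports": ["error"],
}
HARDENED_INSTANCE: Dict = {              # matches the Terraform settings in 21.8
    "DBInstanceIdentifier": "main-db",
    "PubliclyAccessible": False,
    "StorageEncrypted": True,
    "MultiAZ": True,
    "BackupRetentionPeriod": 30,
    "DeletionProtection": True,
    "EnabledCloudwatchLogsExports": ["error", "general", "slowquery"],
}

# Parameter-group entries that force TLS: rds.force_ssl (PostgreSQL, SQL Server)
# or require_secure_transport (MySQL, MariaDB).
TLS_PARAMS = {"rds.force_ssl", "require_secure_transport"}


def audit_db_instance(inst: Dict, min_retention_days: int = 7) -> List[str]:
    """Return finding codes for one instance record; an empty list means compliant."""
    findings: List[str] = []
    if inst.get("PubliclyAccessible"):
        findings.append("publicly_accessible")          # 21.6: private only in production
    if not inst.get("StorageEncrypted"):
        findings.append("storage_not_encrypted")        # 21.6: cannot be enabled in place
    # Read replicas carry their source identifier; Multi-AZ is expected on primaries only.
    if not inst.get("MultiAZ") and not inst.get("ReadReplicaSourceDBInstanceIdentifier"):
        findings.append("single_az")
    retention = int(inst.get("BackupRetentionPeriod", 0))
    if retention == 0:
        findings.append("automated_backups_disabled")   # 21.7: no point-in-time recovery
    elif retention < min_retention_days:
        findings.append("backup_retention_too_short")
    if not inst.get("DeletionProtection"):
        findings.append("deletion_protection_off")
    if "error" not in inst.get("EnabledCloudwatchLogsExports", []):
        findings.append("error_log_export_off")
    return findings


def tls_enforced(parameters: List[Dict]) -> bool:
    """True if a describe_db_parameters() list sets a TLS-forcing parameter to 1 or ON."""
    for p in parameters:
        if p.get("ParameterName") in TLS_PARAMS:
            return str(p.get("ParameterValue", "0")).upper() in {"1", "ON"}
    return False
```

With boto3, pass each element of `rds.describe_db_instances()["DBInstances"]` to `audit_db_instance`, and the `Parameters` list from `rds.describe_db_parameters(DBParameterGroupName=...)` to `tls_enforced`.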
## 21.8 Practical Configuration

### RDS with Terraform
```hcl
# ============================================================
# DB Subnet Group
# ============================================================
resource "aws_db_subnet_group" "main" {
  name       = "main-subnet-group"
  subnet_ids = var.private_subnet_ids   # private subnets only, one per AZ

  tags = {
    Name = "main-db-subnet-group"
  }
}

# ============================================================
# RDS Parameter Group
# ============================================================
resource "aws_db_parameter_group" "main" {
  name   = "main-params"
  family = "mysql8.0"

  parameter {
    name  = "character_set_server"
    value = "utf8mb4"
  }

  parameter {
    name  = "character_set_client"
    value = "utf8mb4"
  }

  parameter {
    name  = "max_connections"
    value = "500"
  }

  parameter {
    name  = "slow_query_log"
    value = "1"
  }

  tags = {
    Name = "main-parameter-group"
  }
}

# ============================================================
# RDS Instance (Multi-AZ)
# ============================================================
resource "aws_db_instance" "main" {
  identifier = "main-db"

  # Engine
  engine         = "mysql"
  engine_version = "8.0"
  instance_class = "db.m6g.large"

  # Storage
  allocated_storage     = 100
  max_allocated_storage = 500   # Storage autoscaling ceiling
  storage_type          = "gp3"
  storage_encrypted     = true
  kms_key_id            = aws_kms_key.rds.arn

  # Database
  db_name  = "appdb"
  username = "admin"
  password = var.db_password   # sensitive variable, never a literal in code

  # Network
  db_subnet_group_name   = aws_db_subnet_group.main.name
  vpc_security_group_ids = [aws_security_group.rds.id]
  publicly_accessible    = false

  # High Availability
  # availability_zone must not be set together with multi_az = true;
  # RDS places primary and standby in two AZs of the subnet group.
  multi_az = true

  # Parameter Group
  parameter_group_name = aws_db_parameter_group.main.name

  # Backup
  backup_retention_period   = 30
  backup_window             = "03:00-04:00"
  skip_final_snapshot       = false
  final_snapshot_identifier = "main-db-final"

  # Maintenance (must not overlap the backup window)
  maintenance_window = "Mon:04:00-Mon:05:00"

  # Performance Insights
  performance_insights_enabled    = true
  performance_insights_kms_key_id = aws_kms_key.rds.arn

  # Deletion protection
  deletion_protection = true

  # Monitoring ("slowquery" is the MySQL log type name, not "slow_query")
  enabled_cloudwatch_logs_exports = ["error", "general", "slowquery"]
  monitoring_interval             = 60
  monitoring_role_arn             = aws_iam_role.rds_monitoring.arn

  tags = {
    Name = "main-db"
  }
}

# ============================================================
# Read Replica
# ============================================================
resource "aws_db_instance" "read_replica" {
  identifier = "main-db-replica"

  # Source (same region: reference the source by identifier)
  replicate_source_db = aws_db_instance.main.identifier

  # Instance class (can differ from primary)
  instance_class = "db.m6g.large"

  # Network
  vpc_security_group_ids = [aws_security_group.rds.id]

  # Storage: a same-region replica inherits encryption and the KMS key
  # from its source, so kms_key_id must not be specified here.
  storage_encrypted = true

  # Performance Insights
  performance_insights_enabled = true

  tags = {
    Name = "main-db-replica"
  }
}

# Cross-Region Read Replica
resource "aws_db_instance" "cross_region_replica" {
  provider = aws.dr_region

  identifier = "main-db-dr-replica"

  # Source (cross-region replication requires the source ARN)
  replicate_source_db = aws_db_instance.main.arn

  instance_class = "db.m6g.large"

  # Network: subnet group and security group in the DR region's VPC
  # (aws_db_subnet_group.dr is assumed to be defined in that region)
  db_subnet_group_name   = aws_db_subnet_group.dr.name
  vpc_security_group_ids = [aws_security_group.rds_dr.id]

  # Encryption: a cross-region replica of an encrypted source needs a KMS key
  # in the destination region (aws_kms_key.rds_dr is assumed to exist there)
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds_dr.arn

  tags = {
    Name = "main-db-dr-replica"
  }
}

# ============================================================
# Security Group
# ============================================================
resource "aws_security_group" "rds" {
  name        = "rds-sg"
  description = "Security group for RDS"
  vpc_id      = var.vpc_id

  ingress {
    description     = "MySQL from application"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]   # app-tier SG, not a CIDR
  }

  # No egress block: the database needs no outbound connections (see
  # Network Security above), and security groups are stateful, so replies
  # to the application's connections are allowed without one.

  tags = {
    Name = "rds-sg"
  }
}

# ============================================================
# IAM Role for Enhanced Monitoring
# ============================================================
resource "aws_iam_role" "rds_monitoring" {
  name = "rds-monitoring-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "monitoring.rds.amazonaws.com"
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "rds_monitoring" {
  role       = aws_iam_role.rds_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

# ============================================================
# Aurora MySQL Cluster (one writer, two readers)
# Note: this provisions an Aurora cluster, not the RDS Multi-AZ DB cluster
# of 21.3; that one uses engine = "mysql" and is created without separate
# aws_rds_cluster_instance resources.
# ============================================================
resource "aws_rds_cluster" "main" {
  cluster_identifier = "main-cluster"

  engine         = "aurora-mysql"
  engine_version = "8.0.mysql_aurora.3.02.0"

  database_name   = "appdb"
  master_username = "admin"
  master_password = var.db_password

  # Network
  db_subnet_group_name   = aws_db_subnet_group.main.name
  vpc_security_group_ids = [aws_security_group.rds.id]

  # Encryption
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn

  # Backup
  backup_retention_period = 30
  preferred_backup_window = "03:00-04:00"

  # Cluster settings
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "main-cluster-final"

  tags = {
    Name = "main-cluster"
  }
}

# Cluster Instances (Aurora elects the writer itself; "writer" and "reader"
# here are resource labels, not a fixed role assignment)
resource "aws_rds_cluster_instance" "writer" {
  identifier         = "main-cluster-writer"
  cluster_identifier = aws_rds_cluster.main.id
  instance_class     = "db.r6g.large"
  engine             = aws_rds_cluster.main.engine
  engine_version     = aws_rds_cluster.main.engine_version

  performance_insights_enabled = true

  tags = {
    Name = "main-cluster-writer"
  }
}

resource "aws_rds_cluster_instance" "reader" {
  count = 2

  identifier         = "main-cluster-reader-${count.index + 1}"
  cluster_identifier = aws_rds_cluster.main.id
  instance_class     = "db.r6g.large"
  engine             = aws_rds_cluster.main.engine
  engine_version     = aws_rds_cluster.main.engine_version

  performance_insights_enabled = true

  tags = {
    Name = "main-cluster-reader-${count.index + 1}"
  }
}
```
## 21.9 Exam Tips

- Multi-AZ: Synchronous replication, automatic failover, single endpoint
- Read Replicas: Asynchronous, up to 5 per DB, read scaling
- Cross-Region: Read replica for DR, can be promoted
- Storage Types: gp3 (general), io1/io2 (high IOPS)
- Storage Autoscaling: Automatic increase, no downtime
- Encryption: At rest (KMS), in transit (SSL), must enable at creation
- Backups: Automated (1-35 days), Manual (no expiration)
- PITR: Point-in-time recovery, 5-minute granularity
- Parameter Groups: Engine configuration, custom settings
- Maintenance Window: Patching, minor version upgrades
Last Updated: February 2026