© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Toby Knight – Manager, Solutions Architecture
April 2016
Deep Dive: Amazon RDS
Agenda
RDS overview
Security
High availability
Performance
Data migration
Aurora
Pricing
Questions
RDS Overview
Amazon RDS
Cost-efficient and scalable
Managed service
Six database engines
Amazon RDS
Easy to set up, operate, and scale a relational database
Automatically patches the database software and backs up your database
Ability to scale the compute resources or storage capacity associated with your relational database instance via a single API call
Choice of database engines
MySQL
MariaDB
PostgreSQL
Amazon Aurora
Microsoft SQL Server
Oracle DB
Use cases
Transactional systems
Systems of record
eCommerce, CRM, Finance, HR, Assets, etc.
Existing SQL-based workloads
Almost any relational dataset
Airbnb chose Amazon RDS
“AWS is the easy answer for any Internet business that wants to scale to the next level.”
Nathan Blecharczyk, Co-founder & CTO of Airbnb
Airbnb is a community marketplace that allows property owners and travelers to connect with each other for the purpose of renting unique vacation spaces around the world.
Airbnb chose Amazon RDS because it simplifies much of the time-consuming administrative tasks typically associated with databases.
Create MySQL DB instance via CLI
aws rds create-db-instance \
--db-name demo \
--db-instance-identifier tobyRDSdemo1 \
--db-instance-class db.t2.micro \
--engine MySQL --master-username admin \
--master-user-password myPassword123 \
--no-multi-az \
--storage-type gp2 \
--allocated-storage 10
Demo: Create DB instance via Management Console
Flipboard relies on Amazon RDS
“We were able to go from concept to delivered product in about six months with just a handful of engineers.”
Greg Scallan, Chief Architect, Flipboard
Flipboard is an online magazine with millions of users and billions of “flips” per month
Uses Amazon RDS and its Multi-AZ capabilities to store mission-critical user data
Security
RDS Security
VPC
Security groups
Encryption of data at rest
SSL-encrypted client connections
Identity and Access Management
CloudTrail for audit
RDS and VPC
Select your own IP address range
Create subnets and configure routing and access control lists
Essential functionality of Amazon RDS is the same in a VPC: Amazon RDS manages backups, software patching, automatic failure detection and recovery
No additional cost to run your DB instance in a VPC
RDS, VPC and Security Groups
Diagram: a VPC spanning Availability Zone 1 and Availability Zone 2, each with its own VPC subnet. Web app servers in an Auto Scaling group sit behind an Elastic Load Balancer, reached through the Route 53 hosted zone www.example.com. An RDS Multi-AZ DB instance spans both zones. The web app servers and the DB instance each sit behind their own security group, which is what controls which tier can reach the database port.
Data encryption
RDS encrypted instances are available for all DB engines
AES-256 encryption
No need to modify the client application
Achieve compliance with data-at-rest encryption
Manage keys using AWS Key Management Service (KMS)
All logs, backups and snapshots are encrypted
Create RDS encrypted instance via console
Create RDS encrypted instance via CLI
aws rds create-db-instance \
--db-name demo \
--db-instance-identifier tobykrdsdemo5 \
--db-instance-class db.m4.large \
--engine MySQL \
--master-username admin \
--master-user-password myPassword123 \
--multi-az \
--storage-type gp2 \
--allocated-storage 10 \
--storage-encrypted \
--kms-key-id e43f6d83-6497-47fd-9edc-ceeb89af0ac3
SSL encryption for client connections
All RDS DB engines support SSL encryption
RDS creates and installs an SSL certificate when the instance is provisioned
The SSL certificate uses the DB instance endpoint as its Common Name, so a client that verifies the certificate cannot be redirected to a spoofed server
You can use the GRANT statement to require SSL connections for specific user accounts
SSL encryption for client connections
The CA certificate bundle used to verify the server is available at: http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
To encrypt the connection using the mysql client (and verify the server certificate against that bundle):
mysql -h instance.cxyz123.rds-eu-west-1.amazonaws.com \
  --ssl-ca=[full path]/rds-combined-ca-bundle.pem \
  --ssl-verify-server-cert
Identity and Access Management
RDS resources include:
DB instance
DB cluster
DB snapshot
DB cluster snapshot
[…]
Types of policies:
Identity-based policies (IAM policies)
Resource-based policies
Identity and Access Management
Use IAM to create role-based access control (RBAC)
Separation of duties
Principle of least privilege
Consider security within the RDBMS as well
CloudTrail for audit
Turn on CloudTrail in your AWS account
Configure delivery to CloudWatch Logs
Configure SNS notifications for specific API activities
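"Specific API activities" is the part worth making concrete: most RDS calls are routine, and the ones to notify on are those that change recoverability or exposure. The following is an added example, not part of the deck and not a CloudTrail feature: a triage function that reads CloudTrail records and reports `DeleteDBInstance` without a final snapshot, `ModifyDBInstance` that sets the backup retention period to 0 or makes the instance publicly accessible, and the other delete/restore calls by name. The records are constructed in the shape of the CloudTrail event schema (`eventSource`, `eventName`, `userIdentity`, `requestParameters`, with request parameter names in CloudTrail's lower-camel-case form); the set of sensitive events and the alert format are this example's own.

```python
"""Triage CloudTrail records for RDS API activity that merits a notification.

Added example: the records are constructed samples that follow the CloudTrail
event schema; the SENSITIVE_EVENTS set and the alert layout are assumptions.
"""
import json

# Constructed sample trail: one routine read, one routine change, two changes
# that weaken recoverability, and one non-RDS record to show the filter.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-04-12T09:14:05Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances",
     "userIdentity": {"type": "IAMUser", "userName": "toby"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventTime": "2016-04-12T09:18:30Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"type": "IAMUser", "userName": "toby"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"dBInstanceIdentifier": "mysqldemo1",
                           "dBInstanceClass": "db.m4.large"}},
    {"eventTime": "2016-04-12T09:20:41Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"type": "IAMUser", "userName": "toby"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"dBInstanceIdentifier": "mysqldemo1",
                           "backupRetentionPeriod": 0}},
    {"eventTime": "2016-04-12T09:22:13Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBInstance",
     "userIdentity": {"type": "IAMUser", "userName": "toby"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"dBInstanceIdentifier": "mysqldemo1",
                           "skipFinalSnapshot": True}},
    {"eventTime": "2016-04-12T09:25:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"type": "IAMUser", "userName": "toby"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
]})

# RDS calls that change availability or recoverability. A starting point,
# not an exhaustive list.
SENSITIVE_EVENTS = {"DeleteDBInstance", "DeleteDBSnapshot", "DeleteDBCluster",
                    "ModifyDBInstance", "RestoreDBInstanceFromDBSnapshot"}


def _reason(name, params):
    """Return why the call is alert-worthy, or None for a routine call."""
    if name == "ModifyDBInstance":
        if params.get("backupRetentionPeriod") == 0:
            return "automated backups disabled"
        if params.get("publiclyAccessible") is True:
            return "instance made publicly accessible"
        return None  # instance class changes and the like are routine
    if name == "DeleteDBInstance" and params.get("skipFinalSnapshot"):
        return "instance deleted without a final snapshot"
    return name  # other sensitive calls are reported by name


def triage_rds_events(trail_json):
    """Return a list of alert dicts (time, user, source_ip, db, reason)."""
    alerts = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "rds.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in SENSITIVE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        reason = _reason(name, params)
        if reason is None:
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "user": rec.get("userIdentity", {}).get("userName"),
            "source_ip": rec.get("sourceIPAddress"),
            "db": params.get("dBInstanceIdentifier"),
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage_rds_events(SAMPLE_TRAIL):
        print(alert)
```

The same selection logic maps directly onto a CloudWatch Logs metric filter once CloudTrail is delivered there, which is where the SNS notification from the slide would be wired up.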
High availability
High availability
Backup and restore
Multi-AZ deployment
Read replicas
Cross-region snapshot copy
Monitoring
Scheduled backup via console
Scheduled backup via CLI
aws rds modify-db-instance \
--db-instance-identifier mysqldemo1 \
--backup-retention-period 30 \
--preferred-backup-window 02:00-03:00 \
--apply-immediately
Disable scheduled backups via CLI (a retention period of 0 turns automated backups off)
aws rds modify-db-instance \
--db-instance-identifier mysqldemo1 \
--backup-retention-period 0 \
--apply-immediately
Manual backup via console
Manual RDS instance snapshot via CLI
aws rds create-db-snapshot \
--db-snapshot-identifier myDbSnap \
--db-instance-identifier mysqldemo1
Multi-AZ deployment
Diagram: a DB instance reachable at mydb1.abc45345.eu-west-1.rds.amazonaws.com:3306, with the primary in Availability Zone 1 and the standby in Availability Zone 2, each in its own VPC subnet behind a security group. Synchronous physical replication keeps the standby current. The slides that follow step through a failover, and the endpoint shown is the same on every one of them.
RDS Read replicas
Provide enhanced performance and durability
Scale out beyond a single DB instance
Ideal for read-heavy DB workloads
Create up to 5 replicas per master
Increase aggregate read throughput
Read replicas can be promoted
Available in MySQL, PostgreSQL, MariaDB and Aurora
Diagram: read replicas spread across Availability Zones, including second-tier replicas.
Cross region snapshot copy
Monitoring RDS
Use CloudWatch to monitor the health of the DB instance
Subscribe to RDS events, e.g. a change to a DB instance or DB snapshot
View, download and watch DB log files using the RDS console
Use CloudTrail to monitor RDS actions on your AWS account
CloudWatch for RDS
RDS metrics are available with all DB engines
RDS sends metrics for each DB instance every minute
Detailed monitoring is enabled by default
For DB-specific metrics (e.g. MySQL insert queries/second) you need to monitor the DB engine itself
CloudWatch for RDS
Monitoring RDS – Datadog
Performance
Performance
Use the right AWS service for the workload!
DB fundamental resources: CPU, memory, disk, network
Instance type and size
Disk type: Provisioned IOPS (P-IOPS), General Purpose SSD (GP SSD), Magnetic
SQL data types – VARCHAR(8000) anyone?
Indexes and performance tuning
Read replicas
Data migration
AWS Database Migration Service
Includes a schema conversion tool
Convert Oracle PL/SQL and SQL Server T-SQL to Amazon Aurora / MySQL
Set up a data replication task in under 10 minutes
One-off or continuous replication
Target an RDS or EC2-based database
Supported sources/targets include: Oracle, SQL Server, MySQL, Amazon Aurora and PostgreSQL
Database Migration Service
Aurora
Amazon Aurora
Fast and cost-effective
Enterprise performance and features
5x the throughput of MySQL
Compatible with MySQL 5.6
Multi-AZ deployments
Storage auto-scaling
Fault-tolerant, self-healing storage
No need to replay DB redo logs for crash recovery
Isolates the DB cache from the DB process
Create Aurora DB cluster
aws rds create-db-cluster \
--db-cluster-identifier tobykrdsdemo2 \
--engine aurora \
--master-username admin \
--master-user-password loft2016demo1 \
--vpc-security-group-ids sg-13bf4974
Pricing
RDS Pricing Example
Item                                    Description                       Price ($/month)
1 x Production DB instance (On-Demand)  MySQL, db.m4.xlarge, Multi-AZ     565.11
Provisioned IOPS storage                200 GB, 1000 Provisioned IOPS     275.20
Backups                                 200 GB additional                  19.00
Data transfer out                       2 GB                                0.09
Free tier discount                                                         -1.99
Total                                                                     $857.41
Pricing example uses eu-west-1 region. For latest pricing go to http://aws.amazon.com/rds/pricing/
Thank you!
Toby Knight
Manager, Solutions Architecture
Amazon Web Services