🔧 Learning AWS - DVA - Day 11: Amazon Aurora - RDS Security - RDS Proxy

Overview

• Aurora is a proprietary technology from AWS (not open sourced)

• Postgres and MySQL are both supported as Aurora DB (that mean your drives will work as if Aurora was a Postgres or MySQL database)

• Aurora is "AWS cloud optimized" and claims 5x performance improvement over MySQL on RDS, over 3x performance of Postgres on RDS

• Aurora storage automatically grows in increments of 10GB, up to 128TB

• Aurora can have up to 15 read replicas and replication process is faster than MySQL (sub 10ms replica lag)

• Failover in Aurora is instantaneous. It is HA native

• Aurora costs more than RDS (20%) - but more efficient

Feature of Aurora

• Automatic fail-over

• Backup and Recovery

• Automatic patching with Zero Downtime

• Advanced Monitoring

• Routine maintenance

• Backtrack: restore data any point time without using backups

RDS & Aurora Security

• At-rest encryption:

  • Database master and replicas encryption using AWS KMS - much be define at launch time.
  • If the master NOT encrypted, the replicas CAN NOT be encrypted
  • To encrypt an un-encrypted database, go through DB snapshot & restore as encrypted

• In-flight encryption: TLS-ready by default, use AWS TLS root certificates client-side

• IAM Authentication: IAM role to connection to your database (instead of username/password)

• Security Group: Control network access to your RDS/Aurora DB

• No SSH available except RDS custom

• Audit Logs can be enabled and sent to CloudWatch Logs for long retention

Amazon RDS Proxy

• Fully managed database proxy for RDS

• Allow apps to pool and share DB connections established with the database

• Improving database efficiency by reduce the stress on database resource (eg. CPU, RAM) and minimize open connections (and timeouts)

• Serverless, auto scaling, highly availability (multi-AZ)

• Reduce RDS and Aurora failover time by up 66%

• Support RDS and Aurora

• No code changes required for most apps

• Enforce IAM Authentication for DB, and securely store credentials in AWS Secrets Manager

• RDS Proxy never publicly accessible (must be access from VPC)