Learning AWS - DVA - Day 11: Amazon Aurora - RDS Security - RDS Proxy

holehuy

Le Huy Ho

Posted on October 21, 2024

Learning AWS - DVA - Day 11: Amazon Aurora - RDS Security - RDS Proxy

Overview

  • Aurora is a proprietary technology from AWS (not open sourced)

  • Postgres and MySQL are both supported as Aurora DB (that mean your drives will work as if Aurora was a Postgres or MySQL database)

  • Aurora is "AWS cloud optimized" and claims 5x performance improvement over MySQL on RDS, over 3x performance of Postgres on RDS

  • Aurora storage automatically grows in increments of 10GB, up to 128TB

  • Aurora can have up to 15 read replicas and replication process is faster than MySQL (sub 10ms replica lag)

  • Failover in Aurora is instantaneous. It is HA native

  • Aurora costs more than RDS (20%) - but more efficient


Feature of Aurora

  • Automatic fail-over

  • Backup and Recovery

  • Automatic patching with Zero Downtime

  • Advanced Monitoring

  • Routine maintenance

  • Backtrack: restore data any point time without using backups


RDS & Aurora Security

  • At-rest encryption:

    • Database master and replicas encryption using AWS KMS - much be define at launch time.
    • If the master NOT encrypted, the replicas CAN NOT be encrypted
    • To encrypt an un-encrypted database, go through DB snapshot & restore as encrypted
  • In-flight encryption: TLS-ready by default, use AWS TLS root certificates client-side

  • IAM Authentication: IAM role to connection to your database (instead of username/password)

  • Security Group: Control network access to your RDS/Aurora DB

  • No SSH available except RDS custom

  • Audit Logs can be enabled and sent to CloudWatch Logs for long retention


Amazon RDS Proxy

  • Fully managed database proxy for RDS

  • Allow apps to pool and share DB connections established with the database

  • Improving database efficiency by reduce the stress on database resource (eg. CPU, RAM) and minimize open connections (and timeouts)

  • Serverless, auto scaling, highly availability (multi-AZ)

  • Reduce RDS and Aurora failover time by up 66%

  • Support RDS and Aurora

  • No code changes required for most apps

  • Enforce IAM Authentication for DB, and securely store credentials in AWS Secrets Manager

  • RDS Proxy never publicly accessible (must be access from VPC)

AWS RDS Proxy

πŸ’– πŸ’ͺ πŸ™… 🚩
holehuy
Le Huy Ho

Posted on October 21, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related