[ RDS : Relational Database Service ]
AWS 에서 관리되는 SQL DB service
- It's a managed DB service for DB use SQL as a query language.
- It allows you to create databases in the cloud that are managed by AWS
MySQL, MariaDB, Aurora(AWS), Oracle...
# Advantage over using RDS versus deploying DB on EC2
DB를 EC2에서 직접 띄우지 않고 RDS를 사용했을 때의 이점
failover를 위한 replica 설정, 읽기 성능 향상을 위한 read replica 설정, 백업 및 특정 시점으로 복원 가능
RDS is a managed service
- Automated provisioning((대비)실시간으로 자원 할당하여 사용), OS patching
- Continuous backups and restore to specific timestamp (Point in Time Restore)
- Monitoring dashboards
- Read replicas for improved read performance
- Multi AZ setup for DR (Disaster Recovery)
- Maintenance windows for upgrades
- Scaling capability (vertical and horizontal)
- Storage backed by EBS (GP2 or IO1)
* But you can't SSH into your instances
# RDS Backups
자동 백업이 가능. Snapshot 사용 가능
1) Backups are automatically enabled in RDS
2) Automated backups :
- Daily full backup of the database (during the maintenance window)
- Transaction logs are backed-up by RDS every 5 minutes
=> ability to restore to any point in time (from oldest backup to 5 minutes ago)
- 7 days retention(보유) (can be increased to 35 days)
3) DB Snapshots :
- Manually triggered by the user
- Retention of backup for as long as you want
[ RDS - Read Replicas for read scalability ]
5개 까지 사용 가능, AZ/Region 상관없이 사용 가능, replica 가 master 가 될 수 있음
Async 비동기 방식
- Up to 5 Read Replicas
- Within AZ, Cross AZ or Cross Region
- Replication is Async, so reads are eventually consistent
- Replicas can be promoted to their own DB
- Applications must update the connection string to leverage(사용) read replicas
* Multi AZ keeps the same connection string regardless of which database is up. Read Replicas imply we need to reference them individually in our application as each read replica will have its own DNS name
Multi AZ 는 커넥션 스트링을 항상 같게 유지하지만 Read Replicas는 각각 자신만의 DNS 를 가지게 되므로 Read Replicas 에 대한 커넥션 스트링 앱에서 바꿔야함
# Read Replicas Use cases
분석 프로그램을 돌리기 위해 RDS read replica 를 생성하여 read replica 을 바라보게 설정.
원래의 app 엔 영향을 미치지 않음.
1) You have a production database that is taking on normal load
2) You want to run a reporting application to run some analytics
3) You create a Read Replica to run the new workload there
4) The production application is unaffected
5) Read replicas are used for SELECT only kind of state ments (NOT I/U/D)

# Read Replicas Network Cost
동일한 AZ내의 Replicas 에선 사용요금이 발생하지 않음.
In AWS there's a network cost when data goes from one AZ to another
To reduce the cost, you can have your Read Replicas in the same AZ (Free)
# RDS Multi AZ (Disaster Recovery)
싱크 복제
읽거나 쓰기 용도가 아닌 백업용도 (스케일링 용도 아님)
모든 데이터가 복제 slave 에도 쓰이게 됨.
마스터가 죽으면 slave가 마스터가 되어 failover.
복수개의 AZ 에서 세팅될 수 있음
- Sync replication
- One DNS name - automatic app failover to standby
- Increase availability
- Failover in case of loss of AZ, loss of network, instance or storage failure
- No manual intervention(끼어듬) in apps
- Not used for scaling
* The Read Replicas be setup as Multi AZ for Disaster Recovery(DR)***

[ RDS Security : 1. Encryption ]
RDS 보안 : 암호화
1. At rest encryption
KMS 를 사용하여 암호화 가능
런칭시 암호화 정의되어있어야함.
마스터가 암호화되어있지 않을 경우 Read Replica 또한 암호화 될 수 없음
- Possibility to encrypt the master & read replicas with AWS KMS - AES-256 encryption
- Encryption has to be defined at launch time
- If the master is not encrypted, the read replicas cannot be encrypted
- TDE(Transparent Data Encryption) available for Oracle and MS SQL Server
2. In flight encryption
- SSL certificates to encrypt data to RDS in flight
- Provide SSL options with trust certificate when connecting to database
- To enforce SSL:
-- PostgreSQL : rds.force_ssl=1 in the AWS RDS Console (Parameter Groups)
-- MySQL : GRANT USAGE ON *.* TO 'mysqluser'@'%' REQUIRE SSL; (Within the DB)
# RDS Encryption Operations
Encrypting RDS backups
- Snapshots of un-encrypted RDS databases are un-encrypted
- Snapshots of encrypted RDS databases are encrypted
- Can copy a snapshot into an encrypted one
To encrypt an un-encrypted RDS database :
1) Create a snapshot of the un-encrypted database
2) Copy the snapshot and enable encryption for the snapshot
3) Restore the database from the encrypted snapshot
4) Migrate applications to the new database, and delete the old database
: unencrypted DB => snapshot => copy snapshot as encrypted => create DB from snapshot
[ RDS Security : 2. Network & IAM ]
Network Security
- RDS databases are usually deployed within a private subnet, not in a public one
- RDS security works by leveraging security groups (the same concept as for EC2 instances) - it controls which IP/security group can communicate with RDS
Access Management
- IAM policies help control who can manage AWS RDS (through the RDS API)
- Traditional Username and Password can be used to login into the database
- IAM-based authentication can be used to login into RDS MySQL & PostgreSQL
# RDS - IAM Authentication
- IAM database authentication works with MySQL and PostgreSQL
- You don't need a password, just an authentication token obtained through IAM & RDS API calls
- Auth token has a lifetime of 15 minutes
* Benefits :
- Network in/out must be encrypted using SSL
- IAM to centrally manage users instead of DB
- Can leverage IAM Roles and EC2 Instance profiles for easy integration

참고:
'infra & cloud > AWS' 카테고리의 다른 글
| [AWS] 4-3. ElastiCache, Redis, MemCached (0) | 2021.03.23 | 
|---|---|
| [AWS] 4-2. Aurora (0) | 2021.03.23 | 
| [AWS] 3-2. EBS Snapshots, EFS, Instance Storage (0) | 2021.03.20 | 
| [AWS] 3-1. EBS (0) | 2021.03.19 | 
| [AWS] 2-3. ASG (0) | 2021.03.18 |