[ Databases in AWS : RDS(Relational Database Service) ]

1. Managed PostgreSQL / MySQL / Oracle / SQL Server

2. Must provision an EC2 instance & EBS Volume type and size

3. Support for Read Replicas and Multi AZ

4. Security through IAM, Security Groups, KMS, SSL in transit

5. Backup / Snapshop / Point in time restore feature

6. Managed and Scheduled maintenance

7. Monitoring through CloudWatch

8. Use case : Store relational datasets (RDBMS/OLTP), perform SQL queries, transactional I/U/D

※ OLTP : On-line Transactional Processing

 

[ RDS for Solutions Architect ]

1. Operations : small downtime when failover happens, when maintenance happens, scaling in read replicas/ec2 instance/restore EBS implies manual intervention, application changes

2. Security : AWS responsible for OS security, we are responsible for setting up KMS, security groups, IAM policies, authorizing users in DB, using SSL

3. Reliability : Multi AZ feature, failover in case of failures

4. Performance : depends on EC2 instance type, EBS volume type, ability to add Read Replicas. Storage auto-scaling & manual scaling of instances

5. Cost : Pay per hour based on provisioned EC2 and EBS

 

 

반응형

[ RDS : Relational Database Service ]

AWS 에서 관리되는 SQL DB service

- It's a managed DB service for DB use SQL as a query language.

- It allows you to create databases in the cloud that are managed by AWS  

  MySQL, MariaDB, Aurora(AWS), Oracle...

 

# Advantage over using RDS versus deploying DB on EC2

DB를 EC2에서 직접 띄우지 않고 RDS를 사용했을 때의 이점

failover를 위한 replica 설정, 읽기 성능 향상을 위한 read replica 설정, 백업 및 특정 시점으로 복원 가능

RDS is a managed service

- Automated provisioning((대비)실시간으로 자원 할당하여 사용), OS patching

- Continuous backups and restore to specific timestamp (Point in Time Restore)

- Monitoring dashboards

- Read replicas for improved read performance

- Multi AZ setup for DR (Disaster Recovery)

- Maintenance windows for upgrades

- Scaling capability (vertical and horizontal)

- Storage backed by EBS (GP2 or IO1)

* But you can't SSH into your instances

 

# RDS Backups

자동 백업이 가능. Snapshot 사용 가능

1) Backups are automatically enabled in RDS

2) Automated backups :

  - Daily full backup of the database (during the maintenance window)

  - Transaction logs are backed-up by RDS every 5 minutes

     => ability to restore to any point in time (from oldest backup to 5 minutes ago) 

  - 7 days retention(보유) (can be increased to 35 days)

3) DB Snapshots :

- Manually triggered by the user

- Retention of backup for as long as you want

 

 

[ RDS - Read Replicas for read scalability ]

5개 까지 사용 가능, AZ/Region 상관없이 사용 가능, replica 가 master 가 될 수 있음

Async 비동기 방식

- Up to 5 Read Replicas

- Within AZ, Cross AZ or Cross Region

- Replication is Async, so reads are eventually consistent

- Replicas can be promoted to their own DB

- Applications must update the connection string to leverage(사용) read replicas

* Multi AZ keeps the same connection string regardless of which database is up. Read Replicas imply we need to reference them individually in our application as each read replica will have its own DNS name

Multi AZ 는 커넥션 스트링을 항상 같게 유지하지만 Read Replicas는 각각 자신만의 DNS 를 가지게 되므로 Read Replicas 에 대한 커넥션 스트링 앱에서 바꿔야함

 

# Read Replicas Use cases

분석 프로그램을 돌리기 위해 RDS read replica 를 생성하여 read replica 을 바라보게 설정.

원래의 app 엔 영향을 미치지 않음.

1) You have a production database that is taking on normal load

2) You want to run a reporting application to run some analytics

3) You create a Read Replica to run the new workload there

4) The production application is unaffected

5) Read replicas are used for SELECT only kind of state ments (NOT I/U/D)

 

# Read Replicas Network Cost

동일한 AZ내의 Replicas 에선 사용요금이 발생하지 않음.

In AWS there's a network cost when data goes from one AZ to another

To reduce the cost, you can have your Read Replicas in the same AZ (Free)

 

 

# RDS Multi AZ (Disaster Recovery)

싱크 복제

읽거나 쓰기 용도가 아닌 백업용도 (스케일링 용도 아님)

모든 데이터가 복제 slave 에도 쓰이게 됨.

마스터가 죽으면 slave가 마스터가 되어 failover.

복수개의 AZ 에서 세팅될 수 있음

- Sync replication

- One DNS name - automatic app failover to standby

- Increase availability

- Failover in case of loss of AZ, loss of network, instance or storage failure

- No manual intervention(끼어듬) in apps

- Not used for scaling

* The Read Replicas be setup as Multi AZ for Disaster Recovery(DR)***

 

[ RDS Security : 1. Encryption ]

RDS 보안 : 암호화

1. At rest encryption

KMS 를 사용하여 암호화 가능

런칭시 암호화 정의되어있어야함.

마스터가 암호화되어있지 않을 경우 Read Replica 또한 암호화 될 수 없음

- Possibility to encrypt the master & read replicas with AWS KMS - AES-256 encryption

- Encryption has to be defined at launch time

- If the master is not encrypted, the read replicas cannot be encrypted

- TDE(Transparent Data Encryption) available for Oracle and MS SQL Server

 

2. In flight encryption

- SSL certificates to encrypt data to RDS in flight

- Provide SSL options with trust certificate when connecting to database

- To enforce SSL:

  -- PostgreSQL : rds.force_ssl=1 in the AWS RDS Console (Parameter Groups)

  -- MySQL : GRANT USAGE ON *.* TO 'mysqluser'@'%' REQUIRE SSL; (Within the DB)

 

# RDS Encryption Operations

Encrypting RDS backups

- Snapshots of un-encrypted RDS databases are un-encrypted

- Snapshots of encrypted RDS databases are encrypted

- Can copy a snapshot into an encrypted one

 

To encrypt an un-encrypted RDS database :

1) Create a snapshot of the un-encrypted database

2) Copy the snapshot and enable encryption for the snapshot

3) Restore the database from the encrypted snapshot

4) Migrate applications to the new database, and delete the old database

: unencrypted DB => snapshot => copy snapshot as encrypted => create DB from snapshot

 

[ RDS Security : 2. Network & IAM ]

Network Security

- RDS databases are usually deployed within a private subnet, not in a public one

- RDS security works by leveraging security groups (the same concept as for EC2 instances) - it controls which IP/security group can communicate with RDS

 

Access Management

- IAM policies help control who can manage AWS RDS (through the RDS API)

- Traditional Username and Password can be used to login into the database

- IAM-based authentication can be used to login into RDS MySQL & PostgreSQL

 

# RDS - IAM Authentication

- IAM database authentication works with MySQL and PostgreSQL

- You don't need a password, just an authentication token obtained through IAM & RDS API calls

- Auth token has a lifetime of 15 minutes

* Benefits :

  - Network in/out must be encrypted using SSL

  - IAM to centrally manage users instead of DB

  - Can leverage IAM Roles and EC2 Instance profiles for easy integration

 

참고:

https://wbluke.tistory.com/58

 

반응형

'infra & cloud > AWS' 카테고리의 다른 글

[AWS] 4-3. ElastiCache, Redis, MemCached  (0) 2021.03.23
[AWS] 4-2. Aurora  (0) 2021.03.23
[AWS] 3-2. EBS Snapshots, EFS, Instance Storage  (0) 2021.03.20
[AWS] 3-1. EBS  (0) 2021.03.19
[AWS] 2-3. ASG  (0) 2021.03.18

+ Recent posts