RDS/Aurora/ElastiCache Flashcards
What is AWS RDS? What does it support?
Relational Database Service that uses SQL.
Runs on EC2 instances so you must choose instance type
Usually for OLTP (Online Transaction Processing)
Supports: "MO' SPAM" MySQL PostgreSQL Maria Oracle SQL Server Aurora
Why would I use RDS instead of running my own database on EC2?
RDS is managed: • provisions/patches the OS and DB engine • automated backups and point-in-time restore • monitoring dashboards • read replicas • Multi-AZ for DR • maintenance windows for upgrades • scaling vertical & horizontal • storage backed by EBS (gp2/gp3 or io1/io2)
Can NOT SSH into instances.
Describe an RDS backup
- Automatically enabled.
- Daily full backup during the backup window (you choose when; this is distinct from the maintenance window)
- Transaction logs backed up every 5 minutes
- you can restore to any point in time, from the oldest retained backup up to the latest restorable time (about 5 min ago)
- 7 days retention (up to 35 days)
Describe an RDS snapshot
- manually triggered by user
- retention as long as you want
- backs up the entire instance
- briefly suspends I/O on a Single-AZ instance (Multi-AZ takes the snapshot from the standby, except SQL Server, where I/O may still pause briefly)
What is RDS Auto Scaling?
RDS will automatically increase storage when you are running out of space. Limitations:
• free storage < 10% allocated storage (90% full)
• low-storage for at least 5 mins
• 6 hours since last modification
You have to set a Maximum Storage Threshold.
Great for unpredictable workloads
What is an RDS Read Replica? What are the characteristics?
A copy of your database for read-only.
- Up to 15 replicas per instance
- within AZ, across AZ, cross-region
- Async (eventually consistent)
- applications have to update the connection string to use read replicas.
What is the cost to move RDS data from one AZ to another?
Usually, there is a cost to move data across AZs, often waived for MANAGED services.
For RDS if it’s in the same region, then it’s free.
Cross-REGION has cost.
What is RDS Multi-AZ?
- RDS in AZ1 is replicated SYNChronously to a standby DB in AZ2 (a write is acknowledged only after it is applied on both).
- Only 1 DNS name, so if #1 fails there is automatic failover to #2. No need to change the connection string in your app.
- The standby is not used for reads or scaling; that is what read replicas are for.
For high availability / Disaster Recovery (DR).
Can you set up an RDS Read Replica as Multi-AZ for DR?
Yes.
How do you go from single AZ to Multi-AZ RDS?
Click “modify” on the db.
There is NO downtime.
Behind the scenes, it creates a snapshot of #1, copies to #2, then synchronizes between them.
My RDS database is not encrypted. How do I encrypt its replicas?
You cannot. Encryption has to be defined at launch. If the master is not encrypted, the replicas cannot be either. The read replica will always have the same encryption as the primary.
You can’t disable encryption for your db either.
How is at-rest encryption handled in RDS?
AWS KMS (AES-256). No performance impact.
For Oracle, SQLServer you can use Transparent Data Encryption (TDE) - may have performance impact.
How is in-flight encryption handled in RDS?
SSL/TLS, using the RDS CA certificate (clients should verify the server against the RDS CA bundle).
To enforce SSL:
• PostgreSQL: set rds.force_ssl=1 in the DB parameter group.
• MySQL: per user, GRANT USAGE ON *.* TO 'user'@'%' REQUIRE SSL; (on 5.7/8.0: ALTER USER 'user'@'%' REQUIRE SSL;), or set require_secure_transport=1 in the parameter group to enforce it for every connection.
I have an unencrypted RDS database. How do I encrypt it?
Create a snapshot. Copy the snapshot with encryption enabled (pick a KMS key). Restore a new DB instance from the encrypted copy. Migrate applications to the new DB. Delete the old DB.
The new instance will have a NEW ENDPOINT, so application connection strings must be updated.
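The procedure above as a script, added here as a worked example (it is not the flashcards' or AWS's own code). It drives the real boto3 RDS API, but the client is injected so the call sequence runs offline against a recording stand-in by default (pass --apply for a real client); the DB identifiers, KMS alias, subnet group and security group are constructed placeholders.

```python
"""Snapshot -> encrypted copy -> restore, as boto3 RDS calls (added example, not AWS code).

The RDS client is a parameter so the sequence can be run offline with DryRunRDS
(pass --apply to use a real boto3 client). All identifiers are placeholders.
"""
import sys
from dataclasses import dataclass


@dataclass
class MigrationPlan:
    source_id: str          # the unencrypted instance
    target_id: str          # new identifier: the restored instance gets a NEW endpoint
    kms_key_id: str         # KMS key (alias, ID or ARN) used for the snapshot copy
    db_subnet_group: str    # keep the new instance in the private DB subnets
    security_group_ids: list


def encrypt_via_snapshot(rds, plan: MigrationPlan) -> str:
    """Run the four API steps and return the new instance's endpoint address."""
    if plan.target_id == plan.source_id:
        raise ValueError("restore target needs a new identifier; the old DB stays up until cutover")
    plain, enc = f"{plan.source_id}-plain", f"{plan.source_id}-encrypted"

    # 1. Manual snapshot of the unencrypted instance (brief I/O pause on Single-AZ).
    rds.create_db_snapshot(DBInstanceIdentifier=plan.source_id, DBSnapshotIdentifier=plain)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain)

    # 2. Copy with a KMS key: this is the only place encryption can be switched on.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain, TargetDBSnapshotIdentifier=enc,
                         KmsKeyId=plan.kms_key_id, CopyTags=True)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc)

    # 3. Restore a new instance; it inherits encryption from the snapshot.
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=plan.target_id, DBSnapshotIdentifier=enc,
        DBSubnetGroupName=plan.db_subnet_group, VpcSecurityGroupIds=plan.security_group_ids,
        PubliclyAccessible=False)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=plan.target_id)

    # 4. Verify before cutover, then hand back the new endpoint for the app config change.
    inst = rds.describe_db_instances(DBInstanceIdentifier=plan.target_id)["DBInstances"][0]
    if not inst.get("StorageEncrypted"):
        raise RuntimeError("restored instance reports StorageEncrypted=False; do not cut over")
    return inst["Endpoint"]["Address"]


def retire_source(rds, plan: MigrationPlan) -> None:
    """Step 5, run only after applications use the new endpoint: keep a final snapshot."""
    rds.delete_db_instance(DBInstanceIdentifier=plan.source_id, SkipFinalSnapshot=False,
                           FinalDBSnapshotIdentifier=f"{plan.source_id}-final")


class DryRunRDS:
    """Records RDS calls instead of making them, so the procedure runs offline."""

    def __init__(self, storage_encrypted=True):
        self.calls = []
        self.storage_encrypted = storage_encrypted

    def wait(self, **kw):  # stands in for a boto3 waiter; nothing to wait for
        pass

    def __getattr__(self, api_name):
        def call(*args, **kw):
            self.calls.append((api_name, kw))
            if api_name == "get_waiter":
                return self
            if api_name == "describe_db_instances":
                return {"DBInstances": [{"StorageEncrypted": self.storage_encrypted, "Endpoint": {
                    "Address": f"{kw['DBInstanceIdentifier']}.c0ffee.us-east-1.rds.amazonaws.com",
                    "Port": 5432}}]}
            return {}
        return call


if __name__ == "__main__":
    plan = MigrationPlan("orders-db", "orders-db-enc", "alias/rds-data",
                         "private-db-subnets", ["sg-0123456789abcdef0"])
    if "--apply" in sys.argv:
        import boto3  # real client; needs AWS credentials and rds:* permissions
        client = boto3.client("rds")
    else:
        client = DryRunRDS()
    print("repoint applications to:", encrypt_via_snapshot(client, plan))
```

The StorageEncrypted check before returning the endpoint is the guard worth keeping: restoring from a snapshot copy made without KmsKeyId silently produces another unencrypted instance, and retire_source deletes the only copy of the old data path, so it is gated behind the cutover rather than run automatically.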
Describe RDS network security. Where do DBs live? How do you control access?
DBs should be deployed in PRIVATE subnets with "publicly accessible" turned off (a public endpoint is possible but rarely justified).
Access is controlled by security groups, i.e. security groups define which IP ranges or which other security groups can reach the DB port.
How do you handle Access Management in RDS?
- IAM policies control who can MANAGE the DB (through the RDS API, i.e. the RDS service)
- To log in to the DB, traditional username/password managed inside the DB.
- For MySQL/PostgreSQL you can use IAM Database Authentication to log in: no password, just an auth token obtained from the RDS service (valid 15 mins) and presented as the password.
- this is good for managing users centrally instead of in the db
- network in/out encrypted using SSL/TLS (IAM authentication requires an SSL/TLS connection)
- you can leverage IAM roles and EC2 instance profiles instead of static credentials
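What that 15-minute token actually is, shown as an added example (not the flashcards' or AWS's own code): a Signature Version 4 presigned request for the rds-db:connect action, reimplemented with the Python standard library to mirror what boto3's rds.generate_db_auth_token() produces. The host name is a placeholder and the access key pair is the AWS documentation example pair; the helper names are this example's own.

```python
"""An RDS IAM auth token is a SigV4 presigned "connect" request (added example, not AWS code).

Mirrors boto3's rds.generate_db_auth_token() so the 15-minute lifetime and the signed
DBUser/host fields are visible. Host and credentials below are placeholders.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

SERVICE = "rds-db"   # IAM service namespace of the rds-db:connect action
TOKEN_TTL = 900      # seconds; RDS accepts a token for 15 minutes after X-Amz-Date

DEMO_HOST = "mydb.cluster-xyz.us-east-1.rds.amazonaws.com"   # placeholder endpoint
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                       # AWS docs example key pair
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_query(params: dict) -> str:
    # SigV4 canonical query string: sorted by name, RFC 3986 encoded ('/' -> %2F)
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _signature(host_header: str, params: dict, secret_key: str, date: str, region: str) -> str:
    canonical_request = "\n".join([
        "GET", "/", _canonical_query(params),
        f"host:{host_header}\n",   # canonical headers block followed by its blank line
        "host",                    # signed headers
        _sha256_hex(b""),          # hash of the empty payload
    ])
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, SERVICE, "aws4_request"):   # derive the signing key
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key, now=None):
    """Return the string the application presents as the database password."""
    now = now or dt.datetime.now(dt.timezone.utc)
    date, amz_date = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    host_header = f"{host}:{port}"
    params = {
        "Action": "connect",                 # the only action this token authorises
        "DBUser": db_user,                   # must match the DB user created for IAM auth
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{date}/{region}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(host_header, params, secret_key, date, region)
    # As in boto3, the scheme is dropped: the token is "host:port/?<query>"
    return f"{host_header}/?{_canonical_query(params)}&X-Amz-Signature={sig}"


def _parse_token(token):
    parts = urlsplit("//" + token)
    return parts.netloc, dict(parse_qsl(parts.query, keep_blank_values=True))


def token_lifetime_seconds(token) -> int:
    return int(_parse_token(token)[1]["X-Amz-Expires"])


def token_expiry(token) -> dt.datetime:
    """UTC time after which RDS rejects the token (X-Amz-Date + X-Amz-Expires)."""
    _, p = _parse_token(token)
    issued = dt.datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(p["X-Amz-Expires"]))


def verify_db_auth_token(token, secret_key) -> bool:
    """Recompute the signature over the presented fields; False if DBUser, host or
    expiry were altered after signing (this is the check the RDS endpoint performs)."""
    host_header, params = _parse_token(token)
    presented = params.pop("X-Amz-Signature", "")
    _, date, region, *_ = params["X-Amz-Credential"].split("/")
    return hmac.compare_digest(presented, _signature(host_header, params, secret_key, date, region))


def demo_token():
    """Deterministic token for the placeholder host/credentials at a fixed time."""
    fixed = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)
    return generate_db_auth_token(DEMO_HOST, 5432, "app_ro", "us-east-1",
                                  DEMO_ACCESS_KEY, DEMO_SECRET_KEY, now=fixed)


if __name__ == "__main__":
    token = demo_token()
    print(token)
    print("valid until", token_expiry(token).isoformat())
```

The token goes in the password field of an ordinary SSL/TLS-protected connection (IAM authentication rejects plaintext connections, and the MySQL CLI additionally needs --enable-cleartext-plugin). The calling principal needs rds-db:connect on arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db_user>, and the DB user must be set up for IAM auth (MySQL: CREATE USER app_ro IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; PostgreSQL: GRANT rds_iam TO app_ro;). Because the signature covers DBUser and the host:port, a token minted for one user and instance cannot be replayed against another.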
When you create a read replica for RDS, what KMS key will it use?
If in the same Region as the primary then the SAME key.
Cross-Region: KMS keys are regional, so you must specify a KMS key in the destination Region when creating the replica.
Can you restore an unencrypted backup/snapshot to an encrypted DB instance?
No
What flavors does Amazon Aurora support?
PostgreSQL and MySQL
Why would you choose Aurora over RDS?
- Cloud-optimized: up to 5x MySQL and 3x PostgreSQL throughput on the same hardware
- Storage grows automatically in 10 GB increments up to 128 TiB per cluster volume
- up to 15 Aurora Replicas (either engine) with very low replication lag; a single writer
- Fast failover (typically under 30 seconds), very high availability
- costs ~20% more than RDS but is more efficient
- Supports cross-Region replication (Aurora Global Database)
- "Backtrack" rewinds the cluster in time without using backups (MySQL-compatible only)
How does Aurora maintain high availability?
- 6 copies of your data across 3 AZs (4 of 6 needed for writes, 3 of 6 for reads)
- self-healing with peer-to-peer replication; bad blocks are repaired from the other copies
- storage striped across 100s of volumes
- continuous backup to S3
• Aurora Global Database: cross-Region clusters with read scaling and failover (MySQL- and PostgreSQL-compatible)
How does Aurora work?
• master and replicas have shared storage volume that auto-expands
- Has write endpoint always pointing to master.
- endpoint auto directs to new master in DR.
• reader endpoint connects to all replicas. With autoscaling no need to update endpoints in applications. Handles load balancing.
How does Aurora security compare to RDS security?
It’s the same model: KMS encryption at rest, SSL/TLS in flight, security groups for network access, IAM for management, and IAM Database Authentication for the MySQL- and PostgreSQL-compatible engines.
What is an Aurora custom endpoint?
A custom endpoint routes connections to a chosen subset of instances (e.g. the larger, more powerful replicas, reserved for analytics queries).
Once you use custom endpoints you typically stop using the generic reader endpoint and define several custom endpoints instead.