Deep Dive: Amazon RDS

Post on 16-Apr-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Toby Knight – Manager, Solutions Architecture

April 2016

Deep Dive: Amazon RDS

Agenda

RDS overview
Security
High availability
Performance
Data migration
Aurora
Pricing
Questions

RDS Overview

Amazon RDS
Cost-efficient and scalable
Managed service
Six database engines

Amazon RDS
Easy to set up, operate, and scale a relational database
Automatically patches the database software and backs up your database
Ability to scale the compute resources or storage capacity associated with your relational database instance via a single API call

Choice of database engines
MariaDB
Amazon Aurora
Microsoft SQL Server
Oracle DB

Use cases

Transactional systems
Systems of record
eCommerce, CRM, Finance, HR, Assets, etc.
Existing SQL-based workloads
Almost any relational datasets

Airbnb chose Amazon RDS

“AWS is the easy answer for any Internet business that wants to scale to the next level.”

Nathan Blecharczyk, Co-founder & CTO of Airbnb

Airbnb is a community marketplace that allows property owners and travelers to connect with each other for the purpose of renting unique vacation spaces around the world.

Airbnb chose Amazon RDS because it simplifies much of the time-consuming administrative tasks typically associated with databases.

Create MySQL DB instance via CLI

aws rds create-db-instance \
    --db-name demo \
    --db-instance-identifier tobyRDSdemo1 \
    --db-instance-class db.t2.micro \
    --engine MySQL \
    --master-username admin \
    --master-user-password myPassword123 \
    --no-multi-az \
    --storage-type gp2 \
    --allocated-storage 10

Demo: Create DB Instance via Management Console

Flipboard relies on Amazon RDS

“We were able to go from concept to delivered product in about six months with just a handful of engineers.”

Greg Scallan, Chief Architect, Flipboard

Flipboard is an online magazine with millions of users and billions of “flips” per month

Uses Amazon RDS and its Multi-AZ capabilities to store mission critical user data

Security

RDS Security

VPC
Security groups
Encryption of data at rest
SSL encrypted client connection
Identity and Access Management
CloudTrail for audit

RDS and VPC

Select your own IP address range
Create subnets and configure routing and access control lists
Essential functionality of Amazon RDS is the same in a VPC: Amazon RDS manages backups, software patching, automatic failure detection and recovery
No additional cost to run your DB instance in a VPC

RDS, VPC and Security Groups

[Diagram: a Route 53 hosted zone for www.example.com in front of an Elastic Load Balancer; web app servers in an Auto Scaling group, one VPC subnet in Availability Zone 1 and one in Availability Zone 2, each tier behind its own security group; an RDS Multi-AZ DB instance spanning both zones, behind a security group that only the app tier's security group is allowed to reach]
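The diagram's point is that the database's security group should admit the app tier's security group on the DB port and nothing else. The following is an added example (not code from the deck or from AWS) that audits a DB security group's ingress rules in the IpPermissions shape returned by EC2's DescribeSecurityGroups API; the group ids and CIDR ranges are constructed sample data.

```python
"""Audit a DB security group's ingress rules for over-broad access to the DB port."""
import ipaddress

DB_PORT = 3306  # MySQL port used throughout the deck

# Constructed sample: the app tier's security group id (assumed value)
APP_TIER_SG = "sg-0app0tier00000001"

# Constructed sample DB security group in DescribeSecurityGroups shape
SAMPLE_DB_SG = {
    "GroupId": "sg-0db000000000000001",
    "IpPermissions": [
        {   # good: only the app tier's security group may reach 3306
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_TIER_SG}],
        },
        {   # bad: 3306 open to the whole Internet
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [],
        },
        {   # bad: all traffic from a /8, which also covers the DB port
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": [],
        },
    ],
}


def rule_covers_port(rule, port):
    """True if the rule's protocol/port range includes `port` (protocol -1 = all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_db_security_group(sg, port=DB_PORT, allowed_source_sgs=()):
    """Return (severity, message) findings for ingress rules that expose `port` too broadly.

    Only security-group sources listed in `allowed_source_sgs` are acceptable.
    Address-range sources are always flagged: 0.0.0.0/0 or ::/0 as critical,
    any other CIDR as a warning, since the DB tier should be reached through
    a security group reference rather than an address range.
    """
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") not in allowed_source_sgs:
                findings.append(("warning", f"port {port} open to unexpected security group {pair.get('GroupId')}"))
        for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(("critical", f"port {port} open to the Internet ({cidr})"))
            else:
                findings.append(("warning", f"port {port} open to address range {cidr}; prefer a security group reference"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_db_security_group(SAMPLE_DB_SG, allowed_source_sgs={APP_TIER_SG}):
        print(f"[{severity}] {message}")
```

Run against real output, feed each entry of `SecurityGroups` from `aws ec2 describe-security-groups` to `audit_db_security_group` with the app tier's group id in `allowed_source_sgs`; an empty list means the group matches the diagram.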

Data encryption

RDS encrypted instances are available for all DB engines
AES-256 encryption
No need to modify the client application
Achieve compliance with data at rest encryption
Manage keys using AWS Key Management Service (KMS)
All logs, backups and snapshots are encrypted

Create RDS encrypted instance via console

Create RDS encrypted instance via CLI

aws rds create-db-instance \
    --db-name demo \
    --db-instance-identifier tobykrdsdemo5 \
    --db-instance-class db.m4.large \
    --engine MySQL \
    --master-username admin \
    --master-user-password myPassword123 \
    --multi-az \
    --storage-type gp2 \
    --allocated-storage 10 \
    --storage-encrypted \
    --kms-key-id e43f6d83-6497-47fd-9edc-ceeb89af0ac3

SSL encryption for client connections

All RDS DB engines support SSL encryption
RDS creates and installs an SSL certificate when the instance is provisioned
The SSL certificate uses the DB instance endpoint as its Common Name, to prevent spoofing attacks
You can use the GRANT statement to require SSL connections for specific user accounts

SSL encryption for client connections

The RDS CA certificate bundle (public key) is available at: http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

To encrypt the connection using the mysql client:

mysql -h instance.cxyz123.rds-eu-west-1.amazonaws.com \
    --ssl-ca=[full path]rds-combined-ca-bundle.pem \
    --ssl-verify-server-cert
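`--ssl-ca` makes the client reject certificates not issued by the RDS CA, and `--ssl-verify-server-cert` additionally checks that the certificate's name is the endpoint being connected to, which is why the certificate carries the endpoint as its Common Name. The following added example (not the mysql client's or OpenSSL's code) is a self-contained model of that name check in the usual RFC 6125 style (exact match, or a wildcard covering exactly one leftmost label); the endpoint names are modelled on the deck's, and the `cert` dict stands in for what a client sees after the handshake.

```python
"""Model of the server-name check behind --ssl-verify-server-cert."""


def endpoint_matches_cert_name(endpoint, cert_name):
    """Return True if `cert_name` (a CN or DNS SAN entry) is valid for `endpoint`.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    only honoured in the leftmost label and matches exactly one label, so
    '*.abc45345.eu-west-1.rds.amazonaws.com' covers 'mydb1.abc45345...' but
    '*.eu-west-1.rds.amazonaws.com' does not.
    """
    host = endpoint.lower().rstrip(".")
    name = cert_name.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name
    suffix = name[1:]                       # ".abc45345.eu-west-1.rds.amazonaws.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def verify_server_cert(endpoint, cert, ca_trusted):
    """Combine the two checks --ssl-ca and --ssl-verify-server-cert add.

    `cert` is a constructed dict with 'subject_cn' and optional 'san_dns'
    (list); `ca_trusted` is the result of chain validation against
    rds-combined-ca-bundle.pem, assumed to have been decided elsewhere.
    Returns (ok, reason).
    """
    if not ca_trusted:
        return False, "certificate chain not issued by the trusted RDS CA"
    names = cert.get("san_dns") or [cert["subject_cn"]]
    if any(endpoint_matches_cert_name(endpoint, n) for n in names):
        return True, "certificate name matches endpoint"
    return False, f"certificate is for {names}, not for {endpoint}"


if __name__ == "__main__":
    ep = "mydb1.abc45345.eu-west-1.rds.amazonaws.com"
    print(verify_server_cert(ep, {"subject_cn": ep}, ca_trusted=True))
    # a valid RDS certificate for a different instance is rejected by the name check
    print(verify_server_cert(ep, {"subject_cn": "otherdb.abc45345.eu-west-1.rds.amazonaws.com"}, ca_trusted=True))
```

The second call in the usage block is the case `--ssl-ca` alone does not catch: a certificate that chains to the RDS CA but was issued for another instance passes chain validation and fails only on the name check.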

Identity and Access Management

RDS resources include:
DB instance
DB cluster
DB snapshot
DB cluster snapshot
[…]

Types of policies:
Identity-based policies (IAM policies)
Resource-based policies

Identity and Access Management

Use IAM to create role-based access control (RBAC)
Separation of duties
Principle of least privilege
Consider security within the RDBMS
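To make "least privilege" concrete for RDS, the following added example (not from the deck or from AWS) models how an identity-based policy is evaluated against RDS API calls: explicit Deny wins, then any matching Allow, otherwise the default is Deny. It is a deliberately reduced model (no conditions, no resource-based policies, no service control policies). The policy document is constructed; the account id and region in the ARNs are placeholders, and the instance identifier echoes the deck's `mysqldemo1`.

```python
"""Reduced model of IAM policy evaluation for RDS actions (least privilege, explicit deny)."""
import fnmatch

# Constructed least-privilege policy for an operator who may inspect instances
# and snapshot one production instance, but never delete an instance.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["rds:CreateDBSnapshot"],
         "Resource": "arn:aws:rds:eu-west-1:111122223333:db:mysqldemo1"},
        {"Effect": "Deny", "Action": "rds:DeleteDBInstance", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """True if the statement applies to the request.

    Action names are matched case-insensitively, resource ARNs case-sensitively,
    both with IAM's '*' and '?' wildcards (fnmatchcase keeps '[' literal-free
    ARNs safe and avoids the OS-dependent case folding of fnmatch.fnmatch).
    """
    action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every Allow
        decision = "Allow"
    return decision


def explain(policy, action, resource):
    """List the statements that matched, for reviewing why a call was allowed."""
    return [s for s in policy["Statement"] if statement_matches(s, action, resource)]


if __name__ == "__main__":
    arn = "arn:aws:rds:eu-west-1:111122223333:db:mysqldemo1"
    for act in ("rds:DescribeDBInstances", "rds:CreateDBSnapshot", "rds:DeleteDBInstance", "rds:ModifyDBInstance"):
        print(f"{act:28} on mysqldemo1 -> {evaluate(OPERATOR_POLICY, act, arn)}")
```

The separation-of-duties point on the slide falls out of the same model: a second policy for a backup role would carry the `rds:CreateDBSnapshot` Allow, and the operator policy would not, so no single identity both changes the instance and controls its backups.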

CloudTrail for audit

Turn on CloudTrail on your AWS account
Configure delivery to CloudWatch Logs
Configure SNS notifications for specific API activities
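The "specific API activities" worth a notification are the RDS calls that weaken a control covered elsewhere in this deck: disabling automated backups, making an instance publicly accessible, deleting an instance without a final snapshot, creating an unencrypted instance. The following added example (not from the deck or from AWS) runs such detection rules over CloudTrail records; it also serves the later Monitoring slide's "use CloudTrail to monitor RDS actions". The records are constructed samples whose shape follows CloudTrail's RDS events (eventSource, eventName, requestParameters with camelCase keys such as dBInstanceIdentifier); the account id and user ARNs are placeholders.

```python
"""Detection rules over constructed RDS CloudTrail records."""
import json

# Constructed sample trail, abbreviated to the fields the rules read
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-04-20T09:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/operator"},
     "requestParameters": {"dBInstanceIdentifier": "mysqldemo1", "dBSnapshotIdentifier": "myDbSnap"}},
    {"eventTime": "2016-04-20T09:05:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/operator"},
     "requestParameters": {"dBInstanceIdentifier": "mysqldemo1", "backupRetentionPeriod": 0, "applyImmediately": True}},
    {"eventTime": "2016-04-20T09:06:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"dBInstanceIdentifier": "mysqldemo1", "publiclyAccessible": True}},
    {"eventTime": "2016-04-20T09:07:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"dBInstanceIdentifier": "mysqldemo1", "skipFinalSnapshot": True}},
    {"eventTime": "2016-04-20T09:08:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/developer"},
     "requestParameters": {"dBInstanceIdentifier": "tobyRDSdemo1", "storageEncrypted": False, "multiAZ": False}},
]})


def _param(record, key, default=None):
    """Read one requestParameters field; absent keys return `default`."""
    return (record.get("requestParameters") or {}).get(key, default)


# (rule name, severity, control from the deck it protects, predicate over one record)
RULES = [
    ("rds-backups-disabled", "high", "Backup and restore",
     lambda r: r["eventName"] == "ModifyDBInstance" and _param(r, "backupRetentionPeriod") == 0),
    ("rds-made-publicly-accessible", "high", "VPC / security groups",
     lambda r: r["eventName"] in ("ModifyDBInstance", "CreateDBInstance") and _param(r, "publiclyAccessible") is True),
    ("rds-deleted-without-final-snapshot", "critical", "Backup and restore",
     lambda r: r["eventName"] == "DeleteDBInstance" and _param(r, "skipFinalSnapshot") is True),
    ("rds-unencrypted-instance-created", "medium", "Encryption of data at rest",
     lambda r: r["eventName"] == "CreateDBInstance" and _param(r, "storageEncrypted") is False),
]


def scan_trail(trail_json):
    """Run every rule over each RDS record; findings come back in record order."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "rds.amazonaws.com":
            continue  # the rules only know RDS events
        for name, severity, control, predicate in RULES:
            if predicate(rec):
                findings.append({
                    "rule": name, "severity": severity, "control": control,
                    "time": rec["eventTime"], "actor": rec["userIdentity"]["arn"],
                    "instance": _param(rec, "dBInstanceIdentifier"),
                })
    return findings


if __name__ == "__main__":
    for f in scan_trail(SAMPLE_TRAIL):
        print(f"{f['time']} [{f['severity']}] {f['rule']} by {f['actor']} on {f['instance']} (control: {f['control']})")
```

Wired into the pipeline the slide describes, the same predicates become CloudWatch Logs metric filters on the CloudTrail log group, with an alarm per rule publishing to the SNS topic.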

High availability

High availability

Backup and restore
Multi-AZ deployment
Read replicas
Cross region snapshot copy
Monitoring

Scheduled backup via console

Scheduled backup via CLI

aws rds modify-db-instance \
    --db-instance-identifier mysqldemo1 \
    --backup-retention-period 30 \
    --preferred-backup-window 02:00-03:00 \
    --apply-immediately

Scheduled backup via CLI

aws rds modify-db-instance \
    --db-instance-identifier mysqldemo1 \
    --backup-retention-period 0 \
    --apply-immediately
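A retention period of 0, as in the second call, switches automated backups off for the instance. The following added example (not from the deck or from AWS) is a configuration audit over `aws rds describe-db-instances` output that checks that setting together with the controls from the encryption slides above (StorageEncrypted, KmsKeyId), Multi-AZ and public accessibility. The two instances are constructed samples: one modelled on the deck's encrypted Multi-AZ instance with 30-day retention, one on its first single-AZ demo instance; the KMS key ARN and the 7-day baseline are placeholders.

```python
"""Configuration audit over DescribeDBInstances output (constructed sample data)."""

SAMPLE_DESCRIBE = {"DBInstances": [
    {   # modelled on the deck's encrypted Multi-AZ instance with 30-day retention
        "DBInstanceIdentifier": "tobykrdsdemo5", "Engine": "mysql",
        "StorageEncrypted": True,
        "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID",
        "MultiAZ": True, "BackupRetentionPeriod": 30, "PubliclyAccessible": False,
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db000000000000001", "Status": "active"}],
    },
    {   # modelled on the deck's first demo instance: single-AZ, unencrypted, backups off
        "DBInstanceIdentifier": "tobyRDSdemo1", "Engine": "mysql",
        "StorageEncrypted": False, "KmsKeyId": None,
        "MultiAZ": False, "BackupRetentionPeriod": 0, "PubliclyAccessible": True,
        "VpcSecurityGroups": [],
    },
]}

MIN_RETENTION_DAYS = 7  # assumed organisational baseline; the deck's example uses 30


def audit_instance(db, min_retention_days=MIN_RETENTION_DAYS):
    """Return (identifier, findings) for one DBInstance record; no findings means compliant."""
    findings = []
    if not db.get("StorageEncrypted"):
        # RDS only lets you choose encryption at creation; an existing instance is fixed
        # by restoring from an encrypted copy of its snapshot
        findings.append("storage is not encrypted at rest (chosen at creation; fix via encrypted snapshot copy and restore)")
    elif not db.get("KmsKeyId"):
        findings.append("encrypted but no KMS key id reported")
    retention = db.get("BackupRetentionPeriod", 0)
    if retention == 0:
        findings.append("automated backups are disabled (BackupRetentionPeriod 0)")
    elif retention < min_retention_days:
        findings.append(f"backup retention {retention}d is below baseline {min_retention_days}d")
    if not db.get("MultiAZ"):
        findings.append("single-AZ: no synchronous standby for failover")
    if db.get("PubliclyAccessible"):
        findings.append("PubliclyAccessible is true: endpoint resolves to a public address")
    if not db.get("VpcSecurityGroups"):
        findings.append("no VPC security group attached")
    return db["DBInstanceIdentifier"], findings


def audit_all(describe_output, **kw):
    """Map each instance identifier to its findings."""
    return dict(audit_instance(db, **kw) for db in describe_output["DBInstances"])


if __name__ == "__main__":
    for ident, findings in audit_all(SAMPLE_DESCRIBE).items():
        print(ident, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The output of `aws rds describe-db-instances` is already in this shape, so the JSON it prints can be passed to `audit_all` unchanged.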

Manual backup via console

Manual RDS instance snapshot via CLI

aws rds create-db-snapshot \
    --db-snapshot-identifier myDbSnap \
    --db-instance-identifier mysqldemo1

Multi-AZ deployment

[Diagram: Availability Zone 1 and Availability Zone 2, each with its own VPC subnet, behind one security group; clients keep using the single endpoint mydb1.abc45345.eu-west-1.rds.amazonaws.com:3306; synchronous physical replication between the two zones]


RDS Read replicas

Provide enhanced performance and durability
Scale out beyond a single DB instance
Ideal for read-heavy DB workloads
Create up to 5 replicas per master
Increase aggregate read throughput
Read replicas can be promoted
Available in MySQL, PostgreSQL, MariaDB and Aurora

Second-Tier Replicas

[Diagram: second-tier read replicas, spread across Availability Zones]

Cross region snapshot copy

Monitoring RDS

Use CloudWatch to monitor the health of the DB instance
Subscribe to RDS events, e.g. a change to a DB instance or DB snapshot
View, download and watch DB log files using the RDS console
Use CloudTrail to monitor RDS actions on your AWS account

CloudWatch for RDS

RDS metrics are available with all DB engines
RDS sends metrics for each DB instance every minute
Detailed monitoring enabled by default
For DB specific metrics (e.g. MySQL – insert queries/second) you need to monitor the DB engine itself

CloudWatch for RDS

Monitoring RDS – Datadog

Performance

Performance

Use the right AWS service for the workload!
DB fundamental resources: CPU, memory, disk, network
Instance type and size
Disk type: P-IOPS, GP SSD, Magnetic
SQL data types – VARCHAR(8000) anyone?
Indexes and performance tuning
Read replicas

Data migration

AWS Database Migration Service

Includes schema conversion tool
Convert Oracle PL/SQL, SQL Server T-SQL to Amazon Aurora / MySQL
Set up a data replication task in < 10 minutes
One-off or continuous replication
Target RDS or EC2 based database
Supported sources/targets include: Oracle, SQL Server, MySQL, Amazon Aurora and PostgreSQL

Database Migration Service

Aurora

Amazon Aurora

Fast and cost effective
Enterprise performance and features
5x throughput of MySQL
Compatible with MySQL 5.6
Multi-AZ deployments
Storage auto-scaling
Fault tolerant, self healing storage
No need to replay DB redo logs for crash recovery
Isolates DB cache from DB process

Create Aurora DB cluster

aws rds create-db-cluster \
    --db-cluster-identifier tobykrdsdemo2 \
    --engine aurora \
    --master-username admin \
    --master-user-password loft2016demo1 \
    --vpc-security-group-ids sg-13bf4974

Pricing

RDS Pricing Example

Item                                    Description                      Price ($/month)
1 x Production DB instance (On Demand)  MySQL, db.m4.xlarge, Multi-AZ           565.11
Provisioned IOPS storage                200 GB, 1000 Provisioned IOPS           275.20
Backups                                 200 GB additional                        19.00
Data transfer out                       2 GB                                      0.09
Free tier discount                                                               -1.99
Total                                                                          $857.41

Pricing example uses the eu-west-1 region. For latest pricing go to http://aws.amazon.com/rds/pricing/

Thank you!

Toby Knight, Manager, Solutions Architecture, Amazon Web Services
