Rds Proxy Connection

Amazon RDS Proxy Connection Management

Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon RDS that provides improved scalability, resilience, and security.

Overview

RDS Proxy is available for Aurora with MySQL compatibility, Aurora with PostgreSQL compatibility, RDS for MariaDB, RDS for MySQL, RDS for PostgreSQL, and RDS for SQL Server. You don’t need to provision or manage any additional infrastructure to start using RDS Proxy.

Key Benefits

More Scalable

Connection Pooling: Pools and shares database connections for improved application scaling. Allows applications to open many client connections while proxy manages smaller number of long-lived connections to database.

More Resilient

Reduced Failover Times: Reduces database failover times for Aurora and Amazon RDS databases by up to 66 percent for Amazon RDS Multi-AZ databases.

More Secure

Enhanced Authentication: Enforces IAM authentication and stores credentials in AWS Secrets Manager, eliminating passwords embedded in code.

Connection Pooling: Improved Scalability

Modern serverless architectures can have thousands of open connections from application to database server. Not all connections are always carrying out transactions.

How Connection Pooling Works

RDS Proxy Location: RDS Proxy sits between the application and database
Connection Detection: RDS Proxy detects gaps in operations and reuses connections to serve other application connections
Efficient Database Operations: Database receives fewer connections so it can work efficiently without exhausting memory and compute resources

When to Consider RDS Proxy

Seamless and Fast Failover: Improved Availability

RDS Proxy makes applications more resilient and transparent to database failures by bypassing DNS caches and automatically routing traffic to new database instances.

Failover Process

Failover Detection: RDS Proxy immediately detects failover events and preserves connections not actively carrying out transactions
Transaction Queuing: RDS Proxy queues transactions during failovers and accepts new connections
Automatic Routing: As soon as new instance is available, RDS Proxy passes any pending queued transactions

This process makes failovers more transparent for applications and reduces failover times significantly.

Streamlined Authentication: Improved Security

RDS Proxy enforces IAM authentication and integrates with AWS Secrets Manager to eliminate passwords embedded in code.

Authentication Flow

IAM Token Request: Application requests authentication token from IAM
Token Response: IAM returns authentication token to application container (e.g., Amazon ECS)
Database Request: Application sends database request to RDS Proxy with validated IAM token
Secret Retrieval: RDS Proxy calls Secrets Manager for mapped identity credentials
Database Connection: RDS Proxy connects to database instance using retrieved credentials

Benefits

Can delegate authentication to proxy while leaving existing authentication methods in place
Takes advantage of IAM authentication for AWS Lambda functions without managing database credentials in Lambda application code
Improves security by streamlining authentication processes

Backing Up Data in Amazon RDS

Amazon RDS provides two different options for backing up and restoring database instances.

Use Case: Restore database instance to specific point in time

Backup Frequency: Daily during backup window (transaction logs captured every 5 minutes)

Retention Period:

Default: 7 days
Configurable: Up to 35 days
Automatically deleted after retention period

Sharing: Cannot be shared (needs to be copied to manual snapshot first)

Process: Full daily snapshot + transaction logs applied for point-in-time recovery

Backup Storage

Automated backups and manual snapshots stored in S3 buckets owned and managed by Amazon RDS service
Can copy database snapshots and database cluster snapshots
After copying snapshot, copy becomes manual snapshot
Can copy within same AWS Region, across AWS Regions, and across AWS accounts

Cross-Region Backups

For added disaster recovery capability, you can configure Amazon RDS database instance to replicate snapshots and transaction logs to destination AWS Region.

Cross-Region Backup Process

Primary Storage: Snapshots and transaction logs from primary RDS database stored in S3 bucket controlled by Amazon RDS
Cross-Region Copy: When backup replication configured, RDS initiates cross-Region copy of all snapshots and transaction logs

Cross-Region Read Replicas

You can create read replica in different AWS Region from source DB instance for:

Disaster Recovery: Improve disaster recovery capabilities
Regional Scaling: Scale read operations into AWS Region closer to users
Migration: Easier migration from data center in one AWS Region to another

Encryption for Amazon RDS

Amazon RDS can encrypt RDS DB instances to provide additional layer of data protection.

Encryption Options

Data at Rest:

Uses AWS KMS keys for encryption
Encrypted data stored in underlying storage
All logs, backups, and snapshots encrypted
Authentication and decryption handled transparently with minimal performance impact

Data in Transit:

SSL certificate created and installed on DB instance when provisioned
Once encrypted connection established, data transferred between DB instance and application encrypted during transfer
Can require DB instance to accept only encrypted connections

Encrypting Unencrypted Database

Take snapshot of existing unencrypted database instance
Create copy of snapshot and enable encryption option
Restore encrypted snapshot to new database instance

After encryption, Amazon RDS handles authentication of access and decryption of data transparently with minimal impact on performance.