In this blog, we will learn how to set up RDS Proxy to manage database connections between applications and RDS.

You can check out related RDS articles:

Create RDS Instance using AWS Console.

Promote Read Replica to Standalone DB Instance.

Create read replica from RDS DB Instance.

What is RDS Proxy?

  • Amazon RDS Proxy is a fully managed, highly available database proxy for RDS instances that makes applications more secure, scalable and resilient to database failures.
  • Applications that open many connections to the database can exhaust its CPU and memory.
  • With RDS Proxy, applications pool and share established database connections, which improves database efficiency and application scalability.

Benefits of RDS Proxy

  • RDS Proxy reduces failover times for Aurora and RDS DB instances by 66%.
  • Database access can be controlled through integration with AWS Secrets Manager and IAM roles.
  • Pool and share DB connections for improved application scaling
  • Increased application availability

Supported Databases

Amazon RDS Proxy is available for the following databases.

  • Aurora MySQL
  • RDS MySQL 5.6 and 5.7
  • Aurora DB cluster
  • PostgreSQL DB instance

Services Involved

  • AWS Secrets Manager
  • IAM (Identity and Access Management)
  • RDS (Relational Database Service)

Create Database Credentials in AWS Secrets Manager

  • AWS Secrets Manager helps protect access to applications and services; it also lets us easily rotate, manage and retrieve DB credentials, API keys and other secrets.
  • First we need to create a secret in Secrets Manager to store the DB credentials.
  • We should use the same username and password that we provided when we launched the RDS instance.
  • In Secrets Manager, we create a secret with username and password fields. With these, the RDS proxy is able to connect to the database instance as that user.

To create a secret for the database connection, log in to the AWS Secrets Manager console and click Store a new secret.

Here we specify the type of secret we are going to store. Since we are storing credentials for RDS, choose Credentials for RDS database.

Then provide the actual database username and password.

We use the default AWS KMS key to encrypt the secrets stored in AWS Secrets Manager.

Then choose the database instance from the list. Secrets Manager retrieves the connection details for the database from the chosen instance.

Then click Next.

Provide a Name for the Secret and add a short description.

Optionally, add tags for the secret and then click Next.

We can optionally configure automatic rotation of the secret and set a rotation interval for each secret we create.

Then click Next. On the review page, based on the secret's configuration, we are given sample code for various runtimes showing how to use the secret in our applications.

Then click Store.

We have successfully stored the database and its credentials in Secrets Manager.

Creating IAM Role

Next we need to create an IAM role with the permissions the RDS proxy needs to read the secret from AWS Secrets Manager.

For this we need the ARN of the secret we created earlier.

Go to the AWS Secrets Manager console, select the secret, find the Secret ARN there and make a note of it.

To create the IAM role, log in to the IAM console and, from the left navigation pane, choose Policies.

Then click Create policy.

Click JSON and replace the existing content with the contents below.

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "secretsmanager:GetRandomPassword",
                 "secretsmanager:CreateSecret",
                 "secretsmanager:ListSecrets"
             ],
             "Resource": "*"
         },
         {
             "Sid": "VisualEditor1",
             "Effect": "Allow",
             "Action": "secretsmanager:*",
             "Resource": [
                   "your_secret_ARN"
             ]
         }
     ]
}

your_secret_ARN: replace with the actual secret ARN. Note that this policy grants more than the proxy uses: a proxy only needs secretsmanager:GetSecretValue on its secret, plus kms:Decrypt on the KMS key that encrypts it, so consider trimming the first statement and the secretsmanager:* grant once the setup works.

Click Review policy, provide a name for the policy and then click Create.

Now we have to create a role and attach the policy to it.

To create the role, choose Roles from the left pane.

Click Create role, choose RDS as the AWS service and then choose RDS – Add Role to Database.

Then search for the policy we created, select it, provide a name for the role and click Create role.
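As an added example (not code from the original post), the following Python script renders the policy described above next to a least-privilege alternative modelled on the one in the AWS RDS Proxy documentation, plus the trust policy that lets the RDS service assume the role, and runs a small check that flags wildcard actions, a resource of "*", and actions the proxy never uses. The secret ARN, KMS key ARN and region are placeholders to replace with your own; the post's second statement is written here as secretsmanager:* (the asterisk is easy to lose when pasting).

```python
"""Compare the post's RDS Proxy policy with a least-privilege one and flag
over-broad grants.  Added example, not from the original post."""
import json

# Constructed placeholders: substitute the real ARNs and region.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:rds-proxy-creds-AbCdEf"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
REGION = "us-east-1"

# The only actions an RDS Proxy needs: read the secret, and decrypt it via KMS.
PROXY_NEEDED_ACTIONS = {"secretsmanager:GetSecretValue", "kms:Decrypt"}

# The policy from the post (VisualEditor1's action is "secretsmanager:*").
POST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:CreateSecret",
                "secretsmanager:ListSecrets",
            ],
            "Resource": "*",
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": [SECRET_ARN],
        },
    ],
}

# Trust policy the role needs so that the RDS service can assume it.
PROXY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "rds.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def least_privilege_policy(secret_arns, kms_key_arn, region):
    """Permissions policy limited to reading the listed secrets; the kms:Decrypt
    grant is restricted to calls made through Secrets Manager in that region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadProxySecrets",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": list(secret_arns),
            },
            {
                "Sid": "DecryptProxySecrets",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"
                    }
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def broad_grants(policy):
    """Return (Sid, reason) pairs for every Allow statement that grants a
    wildcard action, a wildcard resource, or an action the proxy does not need."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append((sid, f"wildcard action {action}"))
            elif action not in PROXY_NEEDED_ACTIONS:
                findings.append((sid, f"action not needed by the proxy: {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "resource '*'"))
    return findings


if __name__ == "__main__":
    tightened = least_privilege_policy([SECRET_ARN], KMS_KEY_ARN, REGION)
    for name, policy in (("post", POST_POLICY), ("least-privilege", tightened)):
        print(f"{name}: {len(broad_grants(policy))} finding(s)")
        for sid, reason in broad_grants(policy):
            print(f"  {sid}: {reason}")
    # Paste this into the IAM console's JSON editor in place of the post's policy.
    print(json.dumps(tightened, indent=2))
```

Running the script reports five findings for the post's policy (three unneeded actions and a "*" resource in the first statement, a wildcard action in the second) and none for the tightened one; the kms:ViaService condition keeps the decrypt grant usable only through Secrets Manager.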

Creating RDS Proxy

We now have the secret and the required permissions for the RDS proxy.

To create the RDS proxy, log in to the RDS console and, in the left navigation pane, choose Proxies.

Then click Create proxy.

Provide a name for the proxy and then choose the DB engine you're running: MySQL for a MySQL RDS instance, or PostgreSQL for a PostgreSQL RDS instance.

Enable Require Transport Layer Security if you want the proxy to enforce SSL/TLS for all client connections.

Idle client connection timeout is the time a client connection can remain idle before the proxy closes it.

The default connection timeout is 30 minutes.

For Target group configuration, choose one RDS instance or Aurora cluster to access through this proxy.

For this we must already have an RDS instance or Aurora cluster with a compatible DB engine, engine version and other settings. For example, I have created an Aurora MySQL instance.

Connection pool maximum connections is the percentage of the max_connections value that the RDS proxy can use for its connections.

If you are using only one proxy instance, set the percentage to 100.

Under Connectivity, select the secret we created in AWS Secrets Manager.

For IAM authentication, select the IAM role created earlier.

For Subnets, a minimum of 2 subnets from different Availability Zones is required.

If you wish to enable enhanced logging for the RDS proxy, enable it; the logs are published to CloudWatch Logs.

Then click Create proxy.

Once the proxy is created, we can check its configuration.

Click the name of the proxy you created; you can find the proxy endpoint there. Make a note of it, as we will use it in the next step.

Connecting to Databases Using RDS Proxy

You connect to an RDS DB instance or Aurora DB cluster through a proxy in much the same way as you connect directly to the database.

The main difference is that you specify the proxy endpoint instead of the instance or cluster endpoint.

Once the proxy endpoint is ready, check whether the endpoint is reachable:

nc -zv proxy-endpoint 3306

If the port is open, nc reports that the connection succeeded.

Connect to the RDS instance through the RDS proxy:

mysql -h proxy-endpoint -u username -p

We are now connected to the RDS instance through the RDS proxy.
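As an added example (not from the original post), this Python script does what the two commands above do, but the way an application would: it checks that the proxy port is reachable, reads the secret created earlier from Secrets Manager, replaces the instance hostname stored in the secret with the proxy endpoint, and requires a verified TLS connection on the client side regardless of the proxy's own TLS setting. The proxy endpoint, secret name, region and sample secret JSON are constructed placeholders; boto3 and PyMySQL are assumed to be installed for the live run, while the parsing and reachability helpers run without them.

```python
"""Connect to RDS through an RDS Proxy endpoint with credentials read from
Secrets Manager, requiring TLS on the client side too.  Added example, not
from the original post; endpoint, secret id and region are placeholders."""
import json
import socket
import ssl

# Constructed placeholders: substitute your proxy endpoint, secret and region.
PROXY_ENDPOINT = "my-proxy.proxy-xxxxxxxxxxxx.us-east-1.rds.amazonaws.com"
SECRET_ID = "rds-proxy-creds"
REGION = "us-east-1"

# Constructed sample with the fields a "Credentials for RDS database" secret
# carries; note that "host" is the DB instance endpoint, not the proxy.
SAMPLE_SECRET_STRING = json.dumps({
    "username": "admin",
    "password": "example-only",
    "engine": "mysql",
    "host": "mydb.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com",
    "port": 3306,
    "dbname": "appdb",
})


def tcp_reachable(host, port, timeout=3.0):
    """Equivalent of `nc -zv host port`: True if a TCP connection succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_kwargs_from_secret(secret_string, proxy_endpoint, cafile=None):
    """Build pymysql.connect() arguments from the secret JSON.  The secret's
    'host' is replaced by the proxy endpoint so traffic goes through the proxy,
    and an SSL context with certificate and hostname checking is attached so
    the client refuses plaintext even if 'Require TLS' is off on the proxy.
    RDS Proxy presents a certificate from a public CA (per the AWS docs), so
    the system trust store is enough unless you pass a specific cafile."""
    secret = json.loads(secret_string)
    if secret.get("engine") != "mysql":
        raise ValueError(f"expected a MySQL secret, got engine={secret.get('engine')!r}")
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    return {
        "host": proxy_endpoint,
        "port": int(secret.get("port", 3306)),
        "user": secret["username"],
        "password": secret["password"],
        "database": secret.get("dbname"),
        "ssl": ctx,
    }


def fetch_secret_string(secret_id, region):
    """Read the secret from Secrets Manager (needs AWS credentials and boto3)."""
    import boto3  # imported here so the pure helpers above work without it
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def connect_via_proxy(secret_string, proxy_endpoint, cafile=None):
    """Open the connection through the proxy (needs PyMySQL installed)."""
    import pymysql  # imported here for the same reason as boto3 above
    return pymysql.connect(**connect_kwargs_from_secret(secret_string, proxy_endpoint, cafile))


if __name__ == "__main__":
    if not tcp_reachable(PROXY_ENDPOINT, 3306):
        raise SystemExit(f"{PROXY_ENDPOINT}:3306 not reachable; check subnets and security groups")
    conn = connect_via_proxy(fetch_secret_string(SECRET_ID, REGION), PROXY_ENDPOINT)
    with conn.cursor() as cur:
        cur.execute("SELECT CURRENT_USER(), VERSION()")
        print(cur.fetchone())
    conn.close()
```

The host override is the point to remember: the secret that Secrets Manager wrote for the RDS database records the instance endpoint, and an application that connects to whatever the secret says will quietly bypass the proxy.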

Conclusion

We have learnt to manage database connections using RDS Proxy. Any connection to the target RDS instance is now proxied and managed by the RDS proxy.

Hope you find it helpful. Please check out my other publications.