In this blog, we will learn how to set up RDS Proxy to manage database connections for our applications.

You can check out the related RDS articles:

Create RDS Instance using AWS Console.

Promote Read Replica to Standalone DB Instance.

Create read replica from RDS DB Instance.

What is RDS Proxy?

  • Amazon RDS Proxy is a fully managed, highly available database proxy for RDS instances that makes applications more secure, scalable and resilient to database failures.
  • Applications that open many connections to a database can exhaust its CPU and memory.
  • With RDS Proxy, applications pool and share established database connections, which improves database efficiency and application scalability.

Benefits of RDS Proxy

  • RDS Proxy reduces failover times for Aurora and RDS DB instances by 66%.
  • Database access can be controlled through integration with AWS Secrets Manager and IAM roles.
  • Pooling and sharing DB connections improves application scaling.
  • Increased application availability.

Supported Databases

RDS Proxy is available for the following databases.

  • Aurora MySQL.
  • RDS MySQL 5.6 and 5.7
  • Aurora DB Cluster
  • PostgreSQL DB instance

Services Involved

  • AWS Secrets Manager
  • IAM (Identity and Access Management)
  • RDS (Relational Database Services)

Create Database Credentials in AWS Secrets Manager

  • AWS Secrets Manager protects access to applications and services, and lets us easily rotate, manage and retrieve DB credentials, API keys and other secrets.
  • First we need to create a secret in Secrets Manager to store the DB credentials.
  • We should use the same username and password that we provided when we launched the RDS instance.
  • In Secrets Manager, we create a secret with username and password fields. This is how RDS Proxy authenticates to the database instance as that user.

To create a secret for the database connection, log in to the AWS Secrets Manager console.

Then click Store a new secret.

Here we specify the type of secret. Since we are storing credentials for RDS, choose Credentials for RDS database.

Then provide the actual database username and password.

We are using the default AWS KMS key to encrypt the secrets stored in AWS Secrets Manager.

Then choose the database instance from the list. Secrets Manager retrieves the connection details by querying the chosen database.

Then click Next.

Provide a name for the secret and add a short description.

Optionally, add tags for the secret and then click Next.

We can optionally configure automatic rotation of the secret.

We can set a rotation interval for each secret we create.

Then click Next. On the review page, based on the secret configuration, sample code for various runtimes shows how to use the secret in your applications.

Click Store.

We have successfully stored the database credentials in Secrets Manager.

Creating IAM Role

Next we need to create an IAM role with the permissions RDS Proxy needs to read the secret from AWS Secrets Manager.

For this we need the ARN of the secret we created earlier.

Go to the AWS Secrets Manager console and select the secret; the Secret ARN is shown there. Make a note of it.

To create an IAM role, log in to the IAM console and choose Policies from the left navigation pane.

Click Create policy.

Click JSON and replace the existing content with the following.

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "secretsmanager:GetRandomPassword",
                 "secretsmanager:CreateSecret",
                 "secretsmanager:ListSecrets"
             ],
             "Resource": "*"
         },
         {
             "Sid": "VisualEditor1",
             "Effect": "Allow",
             "Action": "secretsmanager:*",
             "Resource": [
                   "your_secret_ARN"
             ]
         }
     ]
}

Replace your_secret_ARN with the actual ARN of the secret.

Click Review policy, provide a name for the policy and then click Create.

Now we have to create a role and attach the policy to it.

To create the role, choose Roles from the left pane.

Click Create role, choose RDS as the AWS service and then click RDS – Add Role to Database.

Then search for the policy we created and select it, provide a name for the role and click Create role.
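The console-generated policy above grants more than the proxy actually uses, and the trust relationship created by "RDS – Add Role to Database" is worth pinning to your own account. The following is an added example, not code from the original post: it builds a least-privilege permissions policy (only secretsmanager:GetSecretValue on the named secret and kms:Decrypt on its key, restricted to calls made via Secrets Manager) and a trust policy that lets rds.amazonaws.com assume the role only on behalf of proxies in your account, then runs a small wildcard check over both the post's policy and the tightened one. The account id, region and ARNs are constructed placeholders, and find_broad_statements is a helper written for this example.

```python
"""Least-privilege IAM policy documents for the RDS Proxy role.

Added example, not code from the original post. The ARNs, account id and region
are constructed placeholders. The proxy needs secretsmanager:GetSecretValue on
the secret and kms:Decrypt on the key that encrypts it; the trust policy
conditions (aws:SourceAccount / aws:SourceArn) are the usual guard against a
service principal being used as a confused deputy.
"""
import json

# Constructed placeholders, not real resources.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:rds-proxy-demo-AbCdEf"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555"


def build_secret_access_policy(secret_arns, kms_key_arn, region):
    """Permissions policy: read only the listed secrets; decrypt only when Secrets Manager asks."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GetProxySecrets",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": list(secret_arns),
            },
            {
                "Sid": "DecryptProxySecrets",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}
                },
            },
        ],
    }


def build_trust_policy(account_id, region):
    """Trust policy: only the RDS service, acting for a proxy in this account, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "rds.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": f"arn:aws:rds:{region}:{account_id}:db-proxy:*"},
                },
            }
        ],
    }


def find_broad_statements(policy):
    """Return the Sid (or index) of each Allow statement using a wildcard action or resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a.endswith("*") for a in actions) or any(r == "*" for r in resources):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


# The console-generated policy from the post, reproduced only so the check can run over it
# (the second statement's action is the visual editor's "secretsmanager:*").
POST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["secretsmanager:GetRandomPassword", "secretsmanager:CreateSecret",
                    "secretsmanager:ListSecrets"],
         "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "secretsmanager:*", "Resource": [SECRET_ARN]},
    ],
}

if __name__ == "__main__":
    tight = build_secret_access_policy([SECRET_ARN], KMS_KEY_ARN, REGION)
    print(json.dumps(tight, indent=2))
    print(json.dumps(build_trust_policy(ACCOUNT_ID, REGION), indent=2))
    print("wildcard statements in the post's policy:", find_broad_statements(POST_POLICY))
    print("wildcard statements in the tightened policy:", find_broad_statements(tight))
```

Paste the first document into the JSON editor when creating the policy and the second as the role's trust relationship (the console fills in a plain rds.amazonaws.com trust; editing it to add the conditions is a separate step). If your secret uses the default AWS managed key aws/secretsmanager rather than a customer managed key, the kms:Decrypt statement is not needed.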

Creating RDS Proxy

We now have the secret and the required permissions for RDS Proxy.

To create an RDS proxy, log in to the RDS console.

In the left navigation pane, choose Proxies.

Click Create proxy.

Provide a name for the proxy and then choose the DB engine you're running.

If you're using a MySQL RDS instance, choose MYSQL; for a PostgreSQL RDS instance, choose POSTGRESQL.

Enable Require Transport Layer Security if you want the proxy to enforce SSL/TLS for all client connections.

Idle client connection timeout is the time a client connection can be idle before the proxy closes it.

The default is 30 minutes.

For Target group configuration:

Choose one RDS instance or Aurora cluster to access through this proxy.

For this, we must already have an RDS instance or Aurora cluster with a compatible DB engine, engine version and other settings. For example, I have created an Aurora MySQL instance.

Connection pool maximum connections is the percentage of the database's max_connections value that the proxy can use for its connections.

If you are using only one proxy, set the percentage to 100.

Under Connectivity, select the secret we created in AWS Secrets Manager.

For IAM authentication, select the IAM role created earlier.

For Subnets, a minimum of 2 subnets from different Availability Zones is required.

If you wish to enable enhanced logging for the proxy, enable it; the logs are published to CloudWatch Logs.

Then click Create proxy.

Once the proxy is created, we can check its configuration.

Click the name of the proxy you created. You can find the proxy endpoint there. Make a note of it; we are going to use it in the next step.

Connecting to Databases Using RDS Proxy

You connect to an RDS DB instance or Aurora DB cluster through a proxy in much the same way as you connect directly to the database.

The main difference is that you specify the proxy endpoint instead of the instance or cluster endpoint.

Once the proxy endpoint is ready, check whether the endpoint is reachable:

nc -zv proxy-endpoint 3306

It will respond as shown below.

Connect to the RDS instance using the RDS proxy:

mysql -h proxy-end-point -u username -p

We have connected to the RDS instance through the RDS proxy.

Conclusion

We have learnt to manage database connections using RDS Proxy. Any connections to the target RDS instance will be proxied and managed by RDS Proxy.

Hope you find it helpful. Please check out my other publications.
