RDS Flashcards

1
Q

RDS allows you to

A

create databases in the cloud that are managed by AWS

  1. Postgres
  2. MySQL
  3. MariaDB
  4. Oracle
  5. Microsoft SQL Server
  6. Aurora (AWS proprietary)
2
Q

Advantages of using RDS versus deploying a DB on EC2

A
  1. automated provisioning
  2. OS patches
  3. continuous backups and restore to a specific timestamp (point-in-time restore)
  4. monitoring dashboards
  5. read replicas for improved read performance
  6. multi AZ setup for disaster recovery
  7. maintenance windows for upgrades
  8. scaling capability (vertical and horizontal)
  9. storage backed by EBS (GP2 or IO1)
3
Q

what you can’t do with RDS as opposed to deploying DB on EC2

A

you can’t SSH into your instances

4
Q

RDS Backups

A
  1. are automatically enabled in RDS
  2. Automated backups and / or DB Snapshots

5
Q

RDS Automated backups

A
  1. daily full backup for the database - during the maintenance window configured by user
  2. transaction logs are backed up by RDS every 5 minutes
  3. therefore you can restore to any point in time (from oldest backup to 5 mins ago)
  4. 7 days retention (can be increased to 35)
6
Q

DB snapshots

A
  1. are manually triggered by user
  2. retention of backup for as long as you want

7
Q

if you want to speed up reads from your RDS DB instance

A

You can reduce the load on your primary DB instance by routing read queries from your applications to the read replica.

You can elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.

8
Q

RDS Read Replicas how many

A

up to 5 read replicas

9
Q

RDS Read Replicas and AZ

A

can be

  1. within AZ
  2. cross AZ
  3. cross Region
10
Q

Replication is

A

ASYNC, so reads are eventually consistent

11
Q

Replica Lag

A

Each Read Replica publishes a Replica Lag metric in Amazon CloudWatch to allow you to see how far it has fallen behind the source DB Instance.

12
Q

how to deal with eventual consistency

A

DO NOT send SELECT queries to a read slave if the data needs to be immediately available.

You should structure your application such that all real-time requests hit your master, and all other requests hit one of your read slaves.

For things where you don’t need real-time results, you can fool the user quite well using something like AJAX requests or websockets (websockets is going to make your application a lot more resource friendly as you won’t be hammering your backend servers with multiple AJAX requests).

13
Q

why would you promote a replica to stand-alone DB?

A

You can use read replica promotion as a data recovery scheme if the primary DB instance fails.

But be aware of the ramifications and limitations of asynchronous replication.

14
Q

To promote a replica for data recovery

A
  1. create a read replica and then monitor the primary DB instance for failures.

In the event of a failure, do the following:

  1. Promote the read replica.
  2. Direct database traffic to the promoted DB instance.
  3. Create a replacement read replica with the promoted DB instance as its source.
15
Q

Replica traffic

A

The primary DB instance is the only copy of the database that can accept both read/write traffic; the read replica can only accept read-only traffic.

16
Q

use case for RDS read replica

A

you have a production database taking on a normal load

you want a reporting application to run some analytics

In order to avoid extra load on the main database, you create a read replica and run this new workload on it

17
Q

Network costs

A

if your main database is in one AZ and your replica is in another, there will be a network cost for the ASYNC replication of the data, because whenever data is transferred between AZs there is always a price to pay

So to reduce the costs we can place both the main DB and the replica in one AZ, then we are not charged for the transfer

18
Q

RDS Multi AZ purpose

A

disaster recovery in cases of

  1. loss of AZ
  2. loss of network
  3. instance or storage failure

increase availability

but NOT for scalability

19
Q

RDS Multi AZ one DNS name

A

we have a synchronous replica in another AZ. Automatic failover: App is automatically recovered from failure by redirecting traffic to the standby replica.

no manual intervention necessary

20
Q

RDS Multi AZ and replicas

A

read replicas can be set up as Multi AZ for Disaster Recovery

21
Q

2 types of RDS encryption

A
  1. at rest encryption
  2. in-flight encryption

22
Q

at rest encryption

A

you can use AWS KMS customer master key (CMK) which is AES-256 encryption (symmetric block)

has to be configured at launch time

You don’t need to modify your database client applications to use encryption. Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.

23
Q

at rest encryption - if master not encrypted

A

read replicas cannot be encrypted

24
Q

TDE

A

Transparent Data Encryption is available for Oracle and SQL Server

using TDE and encryption at rest simultaneously might slightly affect the performance of your database. You must manage different keys for each encryption method.

25
Q

in-flight encryption

A

SSL certificates to encrypt data to RDS in flight

provide SSL options with trust certificate when connecting to database

26
Q

in-flight encryption - to enforce SSL for PostgreSQL

A

in AWS RDS console set

rds.force_ssl = 1

27
Q

in-flight encryption - to enforce SSL for MySQL

A

within DB

GRANT USAGE ON *.* TO 'user'@'%' REQUIRE SSL;

28
Q

KMS (Key management service)

A

To manage the customer master keys (CMKs) used for encrypting and decrypting your Amazon RDS resources

AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using AWS KMS, you can create CMKs and define the policies that control how these CMKs can be used. AWS KMS supports CloudTrail, so you can audit CMK usage to verify that CMKs are being used appropriately. You can use your CMKs with Amazon RDS and supported AWS services such as Amazon S3, Amazon EBS, and Amazon Redshift.

29
Q

For an Amazon RDS encrypted DB instance, all

A

logs, backups, and snapshots are encrypted.

30
Q

Once you have created an encrypted DB instance,

A

you can’t change the CMK used by that DB instance.

31
Q

If Amazon RDS loses access to the CMK for a DB instance

A

then the encrypted DB instance goes into a terminal state. In this case, you can only restore the DB instance from a backup. We strongly recommend that you always enable backups for encrypted DB instances to guard against the loss of encrypted data in your databases.

32
Q

Snapshots of un-encrypted RDS databases

A

are un-encrypted

33
Q

snapshots of encrypted RDS databases

A

are encrypted

34
Q

to encrypt an un-encrypted RDS database

A
  1. create a snapshot of the un-encrypted database
  2. copy the snapshot and enable encryption for the snapshot
  3. restore the database from the encrypted snapshot
  4. migrate applications to the new database
  5. delete the old database
35
Q

RDS Security

A
  1. Network Security
  2. Access Management

36
Q

RDS Network Security

A
  1. RDS databases are usually deployed within a private subnet, not in a public one
  2. Security groups (same concept as EC2) control which IPs can communicate with RDS, so it’s our responsibility to check the inbound rules in the DB’s security group (ports, IP, SG)
37
Q

RDS Access Management

A
  1. IAM policies help control who can manage AWS RDS through RDS API
  2. Username and password can be used to log in to the DB
  3. IAM-based authentication can be used to log in to RDS MySQL and PostgreSQL
38
Q

IAM database authentication works with

A

MySQL and PostgreSQL

you don’t need a password, just an authentication token with a lifetime of 15 minutes

39
Q

IAM database authentication - how does it work

A
  1. We have our EC2 security group and EC2 instance. The instance has an IAM role and thanks to it the instance is able to issue an API call to the RDS service to get back an authentication token
  2. On the other end, we have the MySQL RDS database in the RDS security group
  3. The EC2 instance passes the token when connecting to the database and makes sure the connection is encrypted
40
Q

IAM database authentication benefits

A
  1. Network in/out must be encrypted using SSL
  2. IAM manages users centrally instead of managing users from within the database (central authorization)
  3. you can leverage IAM roles and EC2 instance profiles for easy integration
41
Q

AWS responsibility regarding your RDS instance

A
  1. no SSH access
  2. no manual DB patching necessary
  3. no manual OS patching
  4. no way to audit the underlying instance
42
Q

My company would like to have a MySQL database internally that is going to be available even in case of a disaster in the AWS Cloud. I should set up

A

Multi AZ

43
Q

Our RDS database struggles to keep up with the demand of the users from our website. Our million users mostly read news, and we don’t post news very often. Which solution is NOT adapted to this problem?

A

RDS Multi AZ

ElastiCache and RDS Read Replicas do indeed help with scaling reads.

44
Q

We have set up read replicas on our RDS database, but our users are complaining that upon updating their social media posts, they do not see the update right away

A

Read Replicas have asynchronous replication and therefore it is likely our users will only observe eventual consistency

45
Q

Which RDS Classic (not Aurora) feature does not require us to change our SQL connection string?

A

Multi AZ keeps the same connection string regardless of which database is up. Read Replicas imply we need to reference them individually in our application as each read replica will have its own DNS name

46
Q

You want to ensure your Redis cluster will always be available

A

enable multi AZ

47
Q

Your application functions on an ASG behind an ALB. Users have to constantly log back in and you’d rather not enable stickiness on your ALB as you fear it will overload some servers. What should you do?

A

Storing session data in ElastiCache is a common pattern for ensuring different instances can retrieve your user’s state if needed.

48
Q

One analytics application is currently performing its queries against your main production database. These queries slow down the database which impacts the main user experience. What should you do to improve the situation?

A

Read Replicas will help as our analytics application can now perform queries against it, and these queries won’t impact the main production database.

49
Q

You would like to ensure you have a database available in another region if a disaster happens to your main region. Which database do you recommend?

A

Aurora Global Databases allow you to have cross region replication

50
Q

Your company has a production Node.js application that is using RDS MySQL 5.6 as its data backend. A new application programmed in Java will perform some heavy analytics workload to create a dashboard, on a regular hourly basis. You want the final solution to minimize costs and have minimal disruption on the production application. What should you do?

A

this will minimize cost because the data won’t have to move across AZ

51
Q

You would like to create a disaster recovery strategy for your RDS PostgreSQL database so that in case of a regional outage, a database can be quickly made available for Read and Write workload in another region. The DR database must be highly available. What do you recommend?

A

create a Read Replica in a different region and enable multi-AZ on the main database

52
Q

You are managing a PostgreSQL database and for security reasons, you would like to ensure users are authenticated using short-lived credentials. What do you suggest doing?

A

Use PostgreSQL for RDS and authenticate using a token obtained through the RDS service

In this case, IAM is leveraged to obtain the RDS service token, so this is the IAM authentication use case.

53
Q

An application is running in production, using an Aurora database as its backend. Your development team would like to run a version of the application in a scaled-down application, but still, be able to perform some heavy workload on a need-basis. Most of the time, the application will be unused. Your CIO has tasked you with helping the team while minimizing costs. What do you suggest?

A

Aurora Serverless