Services or capabilities described in this page might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China Regions. Only “Region Availability” and “Feature Availability and Implementation Differences” sections for specific services (in each case exclusive of content referenced via hyperlink) in Getting Started with Amazon Web Services in China Regions form part of the Documentation under the agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China (Beijing) Region or Amazon Web Services China (Ningxia) Region (the “Agreement”). Any other content contained in the Getting Started pages does not form any part of the Agreement.

Amazon Relational Database Service Documentation

Amazon Relational Database Service (Amazon RDS) enables you to set up, operate, and scale a relational database in the cloud. It provides resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It helps free you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need. 

Amazon RDS is available on several database instance types - optimized for memory, performance or I/O - and provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. You can use the Amazon Database Migration Service to migrate or replicate your existing databases to Amazon RDS.

Amazon RDS Features

Amazon RDS is a managed relational database service that provides you six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL. This means that the code, applications, and tools you already use today with your existing databases can be used with Amazon RDS. Amazon RDS is designed to handle routine database tasks such as provisioning, patching, backup, recovery, failure detection, and repair.

Amazon RDS is designed to make it easier to use replication to enhance availability and reliability for production workloads. Using the Multi-AZ deployment option, you can run mission-critical workloads with high availability and built-in automated fail-over from your primary database to a synchronously replicated secondary database. Using Read Replicas, you can scale out beyond the capacity of a single database deployment for read-heavy database workloads.

Lower administrative burden

Usability

You can use the Amazon Management Console, the Amazon RDS Command Line Interface, or simple API calls to access the capabilities of a production-ready relational database in minutes.

Amazon RDS database instances are pre-configured with parameters and settings appropriate for the engine and class you have selected. You can launch a database instance and connect your application within minutes. DB Parameter Groups provide granular control and fine-tuning of your database.

Automatic software patching

Amazon RDS is designed to make sure that the relational database software powering your deployment stays up-to-date with the latest patches. You can exert optional control over when and if your database instance is patched.

Best practice recommendations

Amazon RDS is designed to provide best practice guidance by analyzing configuration and usage metrics from your database instances. Recommendations cover areas such as database engine versions, storage, instance types, and networking. You can browse the available recommendations and perform a recommended action immediately, schedule it for your next maintenance window, or dismiss it entirely.

Performance

General Purpose (SSD) Storage

Amazon RDS General Purpose Storage is an SSD-backed storage option that is designed to deliver a consistent baseline of 3 IOPS per provisioned GB and provides the ability to burst above the baseline. This storage type is suitable for a broad range of database workloads.

Provisioned IOPS (SSD) Storage

Amazon RDS Provisioned IOPS Storage is an SSD-backed storage option that is designed to deliver fast, predictable, and consistent I/O performance. You specify an IOPS rate when creating a database instance, and Amazon RDS provisions that IOPS rate for the lifetime of the database instance. This storage type is optimized for I/O-intensive transactional (OLTP) database workloads. You can provision the number of IOPS per database instance, although your actual realized IOPS may vary based on your database workload, instance type, and database engine choice.

Scalability

Push-button compute scaling

You can scale the compute and memory resources powering your deployment up or down, up to a maximum of 32 vCPUs and 244 GiB of RAM. 

Easy storage scaling

As your storage requirements grow, you can also provision additional storage. The Amazon Aurora engine will automatically grow the size of your database volume as your database storage needs grow, up to a maximum of 64 TB or a maximum you define. The MySQL, MariaDB, Oracle, and PostgreSQL engines allow you to scale up to 64 TB of storage and SQL Server supports up to 16 TB. Storage scaling is designed to be on-the-fly with zero downtime.

Read Replicas

Read Replicas are designed to make it easier to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas are available in Amazon RDS for MySQL, MariaDB, PostgreSQL, and Oracle as well as Amazon Aurora.

Availability and durability

Automated backups

The automated backup feature of Amazon RDS enables point-in-time recovery for your database instance. Amazon RDS will backup your database and transaction logs and store both for a user-specified retention period. This allows you to restore your database instance to any second during your retention period, up to the last five minutes. Your automatic backup retention period can be configured to up to thirty-five days.

Database snapshots

Database snapshots are user-initiated backups of your instance stored in Amazon S3 that are kept until you explicitly delete them. You can create a new instance from a database snapshot whenever you desire.

Multi-AZ deployments

Amazon RDS Multi-AZ deployments are designed to provide enhanced availability and durability for database instances, making them a natural fit for production database workloads. When you provision a Multi-AZ database instance, Amazon RDS synchronously replicates your data to a standby instance in a different Availability Zone (AZ).

Automatic host replacement

Amazon RDS is designed to automatically replace the compute instance powering your deployment in the event of a hardware failure.

Security

Encryption at rest and in transit

Amazon RDS allows you to encrypt your databases using keys you manage through Amazon Key Management Service (KMS). On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.

Amazon RDS supports Transparent Data Encryption in SQL Server and Oracle. Transparent Data Encryption in Oracle is integrated with Amazon CloudHSM, which is designed to allow you to securely generate, store, and manage your cryptographic keys in single-tenant Hardware Security Module (HSM) appliances within the Amazon Web Services cloud.

Amazon RDS supports the use of SSL to secure data in transit.

Network isolation

Amazon Web Services recommends that you run your database instances in Amazon VPC, which allows you to isolate your database in your own virtual network and connect to your on-premises IT infrastructure using industry-standard encrypted IPsec VPNs. You can configure firewall settings and control network access to your database instances.

Resource-level permissions

Amazon RDS is integrated with Amazon Identity and Access Management (IAM) and is designed to provide you the ability to control the actions that your Amazon IAM users and groups can take on specific Amazon RDS resources, from database instances through snapshots, parameter groups, and option groups. You can also tag your Amazon RDS resources and control the actions that your IAM users and groups can take on groups of resources that have the same tag and associated value. For example, you can configure your IAM rules to ensure developers are able to modify "Development" database instances, but only Database Administrators can make changes to "Production" database instances.

Manageability

Monitoring and metrics

Amazon RDS provides Amazon CloudWatch metrics for your database instances. You can use the RDS Management Console to view key operational metrics, including compute/memory/storage capacity utilization, I/O activity, and instance connections. Amazon RDS also provides Enhanced Monitoring, which provides access to CPU, memory, file system, and disk I/O metrics, and Performance Insights, a tool that helps you detect performance problems.

Event notifications

Amazon RDS can notify you via email or SMS text message of database events through Amazon SNS. You can use the Amazon Management Console or the Amazon RDS APIs to subscribe to the different database events associated with your database instances.

Configuration governance

Amazon RDS integrates with Amazon Config and is designed to support compliance and enhance security by recording and auditing changes to the configuration of your DB instance including parameter groups, subnet groups, snapshots, security groups and event subscriptions.

Amazon RDS Security

Amazon RDS is a managed relational database service that provides you familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.  

Amazon RDS and Amazon Aurora provide a set of features to ensure that your data is securely stored and accessed. Run your database in Amazon Virtual Private Cloud (VPC) for network-level isolation. Use security groups to control what IP addresses or Amazon EC2 instances can connect to your databases. This built-in firewall is designed to prevent any database access except through rules you specify.
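The paragraph above describes security groups as the firewall in front of a DB instance. The following added example (not RDS code, and not from this page) audits a security group's ingress rules for a given engine's port: it flags rules open to the whole Internet, rules from address ranges outside a trusted set, and treats references to another security group (the application tier) as the preferred form. The rule dictionaries are constructed in the shape of the `IpPermissions` entries returned by `aws ec2 describe-security-groups`; the addresses and group ids are made up.

```python
"""Audit security group ingress rules guarding an RDS instance.
Added example, not RDS code. Sample rules are constructed in the
shape of EC2 IpPermissions entries; all addresses are invented."""
import ipaddress

# Default listener ports per engine family (the port is configurable per instance).
DB_PORTS = {"mysql": 3306, "mariadb": 3306, "postgres": 5432,
            "sqlserver": 1433, "oracle": 1521}


def covers_port(perm, port):
    """True if an ingress permission includes `port` (TCP or all protocols)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols / all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _classify(cidr, port, trusted):
    """Return a (severity, message) finding for one CIDR, or None if trusted."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                 # 0.0.0.0/0 or ::/0
        return ("CRITICAL", f"port {port} open to the Internet via {cidr}")
    if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
        return ("WARN", f"port {port} reachable from untrusted range {cidr}")
    return None


def audit_ingress(engine, ip_permissions, trusted_cidrs):
    """Findings for every ingress rule that reaches the engine's port.
    Source-security-group references (UserIdGroupPairs) raise nothing:
    access then follows the application instances, not their addresses."""
    port = DB_PORTS[engine]
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for perm in ip_permissions:
        if not covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []):
            f = _classify(r["CidrIp"], port, trusted)
            if f:
                findings.append(f)
        for r in perm.get("Ipv6Ranges", []):
            f = _classify(r["CidrIpv6"], port, trusted)
            if f:
                findings.append(f)
    return findings


# Constructed sample: one rule open to the world, one from the VPC,
# one from an unknown range, one for SSH (ignored), one from a source group.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "203.0.113.0/24"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app0tier0"}]},
]

if __name__ == "__main__":
    for severity, msg in audit_ingress("mysql", SAMPLE_RULES, ["10.0.0.0/8"]):
        print(severity, msg)
```

The trusted set should be the VPC CIDRs and VPN ranges you actually route database traffic from; anything else reaching the port is worth a ticket even when it is not 0.0.0.0/0.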

Use Amazon Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage RDS resources. Use the security features of your database engine to control who can log in to the databases, just as you do if the database was on your local network. You can also map database users to IAM roles for federated access.

Use Secure Socket Layer / Transport Layer Security (SSL/TLS) connections to encrypt data in transit. Encrypt your database storage and backups at rest using Amazon Key Management Service (KMS). Monitor database activity and integrate with partner database security applications with Database Activity Streams.

Encryption of Data at Rest

Amazon RDS is designed to encrypt your databases using keys you manage with the Amazon Key Management Service (KMS). On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots. RDS encryption uses the AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance.

Amazon RDS also supports Transparent Data Encryption (TDE) for SQL Server (SQL Server Enterprise Edition) and Oracle (Oracle Advanced Security option in Oracle Enterprise Edition). With TDE, the database server automatically encrypts data before it is written to storage and automatically decrypts data when it is read from storage. Transparent Data Encryption in Oracle is integrated with Amazon CloudHSM, which helps you to securely generate, store, and manage your cryptographic keys in single-tenant Hardware Security Module (HSM) appliances within the Amazon Web Services cloud.

Best practice recommendations

Amazon RDS is designed to provide best practice guidance by analyzing configuration and usage metrics from your database instances. Recommendations cover areas such as security, encryption, IAM and VPC. You can browse the available recommendations and perform a recommended action immediately, schedule it for your next maintenance window, or dismiss it entirely.

Encryption of Data in Transit

Encrypt communications between your application and your DB Instance using SSL/TLS. Amazon RDS is designed to create an SSL certificate and install the certificate on the DB instance when the instance is provisioned. For MySQL, you launch the mysql client using the --ssl_ca parameter to reference the public key in order to encrypt connections. For SQL Server, download the public key and import the certificate into your Windows operating system. RDS for Oracle uses Oracle native network encryption with a DB instance. You add the native network encryption option to an option group and associate that option group with the DB instance. Once an encrypted connection is established, the service is designed so that data transferred between the DB Instance and your application will be encrypted during transfer. You can also require your DB instance to only accept encrypted connections.
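The last sentence above says an instance can be required to accept only encrypted connections; that requirement lives in the DB parameter group, not in the client. The following added example (not RDS code) checks a set of parameter groups for it. The parameter names are the engine parameters RDS exposes for this purpose: require_secure_transport for MySQL and MariaDB, and rds.force_ssl for PostgreSQL and SQL Server; RDS for Oracle enforces encryption through the native network encryption option group mentioned above, so it is reported as not covered. The parameter listings are constructed in the shape of `aws rds describe-db-parameters` output and are not real data.

```python
"""Check whether DB parameter groups force TLS-only client connections.
Added example, not RDS code. Sample parameter listings are constructed."""

# engine family -> parameter that rejects unencrypted sessions when enabled
TLS_ENFORCEMENT = {
    "mysql": "require_secure_transport",
    "mariadb": "require_secure_transport",
    "postgres": "rds.force_ssl",
    "sqlserver": "rds.force_ssl",
}

TRUTHY = {"1", "on", "true"}


def tls_required(engine, parameters):
    """Return (enforced, reason). `engine` is an RDS engine name such as
    "mysql", "postgres" or "sqlserver-ee"; `parameters` is the Parameters
    list of a describe-db-parameters response for the group."""
    family = engine.split("-")[0]          # "sqlserver-ee" -> "sqlserver"
    if family not in TLS_ENFORCEMENT:
        return False, f"engine {engine} not covered by this check"
    name = TLS_ENFORCEMENT[family]
    for p in parameters:
        if p.get("ParameterName") == name:
            value = str(p.get("ParameterValue") or "").strip().lower()
            if value in TRUTHY:
                return True, f"{name}={value}"
            return False, f"{name}={value or '<unset>'}"
    # Not set in this group: the engine default applies, which differs by
    # engine and version, so treat it as unverified rather than safe.
    return False, f"{name} not set in this group; engine default applies and must be verified"


def audit(parameter_groups):
    """parameter_groups: {group_name: (engine, parameters)}.
    Returns the names of groups that do not provably enforce TLS."""
    return [name for name, (engine, params) in parameter_groups.items()
            if not tls_required(engine, params)[0]]


# Constructed sample data in the shape of describe-db-parameters output.
SAMPLE_GROUPS = {
    "orders-mysql80": ("mysql", [
        {"ParameterName": "max_connections", "ParameterValue": "500", "Source": "user"},
        {"ParameterName": "require_secure_transport", "ParameterValue": "1", "Source": "user"},
    ]),
    "reports-pg15": ("postgres", [
        {"ParameterName": "rds.force_ssl", "ParameterValue": "0", "Source": "user"},
    ]),
    "legacy-mariadb": ("mariadb", [
        {"ParameterName": "max_connections", "ParameterValue": "150", "Source": "engine-default"},
    ]),
    "crm-sqlserver": ("sqlserver-se", [
        {"ParameterName": "rds.force_ssl", "ParameterValue": "1", "Source": "user"},
    ]),
}

if __name__ == "__main__":
    for name, (engine, params) in SAMPLE_GROUPS.items():
        print(name, tls_required(engine, params))
    print("accepting plaintext or unverified:", audit(SAMPLE_GROUPS))
```

Enforcing the parameter is only half of the control: clients must also verify the server certificate against the RDS certificate bundle (the --ssl_ca step for MySQL above), otherwise an encrypted but unauthenticated session is still possible.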

Access Control

Amazon RDS is integrated with Amazon Identity and Access Management (IAM) and provides you the ability to control the actions that your Amazon IAM users and groups can take on specific resources (e.g., DB Instances, DB Snapshots, DB Parameter Groups, DB Event Subscriptions, DB Option Groups). In addition, you can tag your resources and control the actions that your IAM users and groups can take on groups of resources that have the same tag (and tag value). For example, you can configure your IAM rules to ensure developers are able to modify "Development" database instances, but only Database Administrators can make changes to "Production" database instances.

When you first create a DB Instance within Amazon RDS, you will create a master user account, which is used only within the context of Amazon RDS to control access to your DB Instance(s). The master user account is a native database user account that allows you to log on to your DB Instance with all database privileges. You can specify the master user name and password you want associated with each DB Instance when you create the DB Instance. Once you have created your DB Instance, you can connect to the database using the master user credentials. Subsequently, you can create additional user accounts so that you can restrict who can access your DB Instance.
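Both the "Resource-level permissions" passage earlier and the Access Control passage above describe the same tag-based control: developers may modify "Development" instances, only DBAs may touch "Production". The following added example (not RDS or IAM code, and not from this page) writes those two policies out and runs a deliberately small local simulation of how IAM evaluates them, so the effect of the tag condition can be checked before the policy is deployed. The condition key rds:db-tag/<TagKey> is the RDS condition key that matches a DB instance's tags; the aws-cn partition is the one used in the China Regions; the account id, region and instance names in the ARNs are constructed. The simulator models only explicit Deny over Allow, action and resource wildcards, and the StringEquals operator on tag keys; it is not a substitute for IAM's own policy simulator.

```python
"""Tag-scoped IAM policies for RDS and a minimal local evaluator.
Added example, not RDS or IAM code. ARNs and names are constructed."""
import json
from fnmatch import fnmatchcase

DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ModifyOnlyDevelopmentInstances",
            "Effect": "Allow",
            "Action": ["rds:ModifyDBInstance", "rds:RebootDBInstance"],
            "Resource": "arn:aws-cn:rds:*:*:db:*",
            # Matches only instances tagged Environment=Development.
            "Condition": {"StringEquals": {"rds:db-tag/Environment": "Development"}},
        },
        {"Sid": "DescribeEverything", "Effect": "Allow",
         "Action": "rds:Describe*", "Resource": "*"},
    ],
}

DBA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ModifyDevelopmentAndProduction",
            "Effect": "Allow",
            "Action": ["rds:ModifyDBInstance", "rds:RebootDBInstance"],
            "Resource": "arn:aws-cn:rds:*:*:db:*",
            "Condition": {"StringEquals": {
                "rds:db-tag/Environment": ["Development", "Production"]}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, tags):
    """Only StringEquals on rds:db-tag/<Key> is modelled: every key must
    match (AND); a list of values means any of them (OR)."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, wanted in clauses.items():
            prefix = "rds:db-tag/"
            if not key.startswith(prefix):
                raise NotImplementedError(f"condition key {key} not modelled")
            tag_value = tags.get(key[len(prefix):])
            if tag_value is None or tag_value not in _as_list(wanted):
                return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags):
    """Simplified IAM decision: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    dev = "arn:aws-cn:rds:cn-north-1:123456789012:db:orders-dev"    # constructed
    prod = "arn:aws-cn:rds:cn-north-1:123456789012:db:orders-prod"  # constructed
    print(is_allowed(DEVELOPER_POLICY, "rds:ModifyDBInstance", dev, {"Environment": "Development"}))
    print(is_allowed(DEVELOPER_POLICY, "rds:ModifyDBInstance", prod, {"Environment": "Production"}))
    print(is_allowed(DBA_POLICY, "rds:ModifyDBInstance", prod, {"Environment": "Production"}))
    print(json.dumps(DEVELOPER_POLICY, indent=2))
```

Note that an untagged instance matches neither policy's condition, so tagging discipline (and a policy on who may change the Environment tag) is what makes the separation hold.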

Network Isolation and Database Firewall

Using Amazon Virtual Private Cloud (VPC), you can isolate your DB Instances in your own virtual network, and connect to your existing IT infrastructure using encrypted IPsec VPN.

Amazon VPC is designed to enable you to isolate your DB Instances by specifying the IP range you wish to use, and connect to your existing IT infrastructure through industry-standard encrypted IPsec VPN. Running Amazon RDS in a VPC enables you to have a DB instance within a private subnet. You can also set up a virtual private gateway that extends your corporate network into your VPC, and allows access to the RDS DB instance in that VPC. DB Instances deployed within an Amazon VPC can be accessed from the Internet or from Amazon EC2 Instances outside the VPC via VPN or bastion hosts that you can launch in your public subnet. To use a bastion host, you will need to set up a public subnet with an EC2 instance that acts as an SSH bastion. This public subnet must have an Internet gateway and routing rules that allow traffic to be directed via the SSH host, which must then forward requests to the private IP address of your Amazon RDS DB instance. DB Security Groups can be used to help secure DB Instances within an Amazon VPC. In addition, network traffic entering and exiting each subnet can be allowed or denied via network ACLs. All network traffic entering or exiting your Amazon VPC via your IPsec VPN connection can be inspected by your on-premises security infrastructure, including network firewalls and intrusion detection systems.

Database Activity Streams

Beyond external security threats, managed databases need to provide protection against insider risks from database administrators (DBAs). Database Activity Streams, currently supported for Amazon Aurora and Amazon RDS for Oracle, is designed to provide a real-time data stream of the database activity in your relational database. When integrated with third-party database activity monitoring tools, you can monitor and audit database activity to provide safeguards for your database and meet compliance and regulatory requirements.

Database Activity Streams is designed to protect your database from internal threats by implementing a protection model that controls DBA access to the database activity stream. Thus the collection, transmission, storage, and subsequent processing of the database activity stream is beyond the access of the DBAs that manage the database.

The stream is pushed to an Amazon Kinesis data stream that is created on behalf of your database. From Kinesis Data Firehose, the database activity stream can then be consumed by Amazon CloudWatch or by partner applications for compliance management. These partner applications can use the database activity stream information to generate alerts and provide auditing of all activity on your Amazon Aurora database.
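The three paragraphs above describe the stream as the input to alerting that DBAs cannot tamper with; what a consumer does with it is the interesting part. The following added example (not RDS code and not any partner product) runs simple detection rules over one decrypted stream payload: a privilege change, a DBA session from an unexpected host, and a DBA reading a regulated table. Real records arrive in Kinesis encrypted under a KMS data key, and decryption is outside this example. The field names (dbUserName, remoteHost, command, objectName, commandText, logTime, type) follow the shape of a decrypted Aurora PostgreSQL activity event; that shape, the user and host lists, and every event in the sample are assumptions or constructed data, not text from this page.

```python
"""Detection rules over decrypted Database Activity Stream events.
Added example, not RDS or partner-tool code. Event shape is assumed to be
that of a decrypted Aurora PostgreSQL activity event; all data is constructed."""
import json

# Constructed policy inputs for the rules.
DBA_USERS = {"dba_li"}
ALLOWED_DBA_HOSTS = {"10.0.1.15"}                     # constructed bastion address
SENSITIVE_TABLES = {"customers", "card_tokens"}
PRIVILEGE_COMMANDS = {"GRANT", "REVOKE", "CREATE ROLE", "ALTER ROLE", "DROP ROLE"}

# One decrypted payload: a heartbeat, a normal application query, a DBA
# changing a role from the bastion, and a DBA dumping a sensitive table
# from an address outside the allowed set.
SAMPLE_STREAM = json.dumps({
    "type": "DatabaseActivityMonitoringRecords",
    "databaseActivityEventList": [
        {"type": "heartbeat", "logTime": "2024-05-01 08:00:00.000000+00"},
        {"type": "record", "logTime": "2024-05-01 08:00:03.100000+00",
         "dbUserName": "app_orders", "remoteHost": "10.0.2.40",
         "command": "SELECT", "objectName": "orders",
         "commandText": "SELECT id, total FROM orders WHERE id = $1"},
        {"type": "record", "logTime": "2024-05-01 08:01:10.200000+00",
         "dbUserName": "dba_li", "remoteHost": "10.0.1.15",
         "command": "ALTER ROLE", "objectName": "",
         "commandText": "ALTER ROLE app_orders SET statement_timeout = '5s'"},
        {"type": "record", "logTime": "2024-05-01 08:02:44.900000+00",
         "dbUserName": "dba_li", "remoteHost": "203.0.113.9",
         "command": "SELECT", "objectName": "card_tokens",
         "commandText": "SELECT * FROM card_tokens"},
    ],
})


def analyse_activity(stream_json):
    """Return findings (rule, user, host, logTime) for one decrypted payload.
    Heartbeats are skipped; rules are independent, so one event can raise
    several findings."""
    payload = json.loads(stream_json)
    findings = []
    for ev in payload.get("databaseActivityEventList", []):
        if ev.get("type") != "record":
            continue
        user, host = ev.get("dbUserName", ""), ev.get("remoteHost", "")
        base = {"user": user, "host": host, "logTime": ev.get("logTime")}
        if ev.get("command") in PRIVILEGE_COMMANDS:
            findings.append({"rule": "privilege-change", **base})
        if user in DBA_USERS and host not in ALLOWED_DBA_HOSTS:
            findings.append({"rule": "dba-unexpected-host", **base})
        if user in DBA_USERS and ev.get("objectName") in SENSITIVE_TABLES:
            findings.append({"rule": "dba-read-sensitive-table", **base})
    return findings


if __name__ == "__main__":
    for f in analyse_activity(SAMPLE_STREAM):
        print(f["logTime"], f["rule"], f["user"], f["host"])
```

The point of running these rules outside the database, on the stream, is the one the text makes: the DBA whose actions are being audited has no way to edit or disable the record of them.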

Performance Insights

Amazon RDS Performance Insights is a database performance tuning and monitoring feature that helps you assess the load on your database, and determine when and where to take action. Performance Insights is designed to allow non-experts to detect performance problems with an easy-to-understand dashboard that visualizes database load.
 
Performance Insights is designed to use lightweight data collection methods that don’t impact the performance of your applications, and makes it easier to see which SQL statements are causing the load, and why. It requires no configuration or maintenance, and is currently available for Amazon Aurora (PostgreSQL- and MySQL-compatible editions), Amazon RDS for PostgreSQL, MySQL, MariaDB, SQL Server and Oracle.

The Amazon Web Services API and SDK help to integrate Performance Insights into on-premises and third-party monitoring tools. If you need longer-term retention, you can choose to pay for up to two years of performance history retention.
 
To get started: just log into the Amazon RDS Management Console, and enable Performance Insights when creating or modifying an instance of a supported RDS engine. Then go to the Performance Insights dashboard to start monitoring performance.

Benefits

Usability

Performance Insights is designed for both IT generalists and database experts. Instead of displaying multiple graphs that require manual correlation, it provides a simple interface that aggregates all core performance information into one chart. 

When the load is high, you can identify the type of bottleneck such as high CPU consumption, lock waits or I/O latency, and see which SQL statements are creating the bottleneck.

Powerful

Performance Insights is designed to help you monitor multiple database performance metrics without having to analyze numerous complex graphs. All the metrics are aggregated into one dashboard.

Whether your database performance problem is due to database configuration or application design issues, you can quickly identify the bottleneck and see which SQL statements are contributing to it.

Automated

Performance Insights is designed to require no configuration or maintenance. You simply enable it on your RDS instance, and access it with one click in the RDS Management Console.

Performance Insights is designed to automatically collect all the necessary performance metrics and manages the resources needed to monitor your databases. Other than a lightweight data collection mechanism, all resources used for monitoring are separate from your database instance.

What Can You Monitor with Performance Insights?

Production Applications

Detect performance problems in production as soon as they happen. Performance Insights is designed to show what’s causing the load on the database, so you can take corrective action by tuning your SQL statements or increasing your system resources.

Development and Test Databases

Discover the impact of your SQL queries before going into production. Use Performance Insights to monitor your CPU consumption, and then determine the right instance size for your database, and whether your SQL statements should be tuned for better performance.

Database Migrations

Migrating your database to the cloud, or to a new Amazon instance type? Performance Insights is designed to monitor your CPU consumption, and then you can determine the right instance size for your database, and whether your SQL statements should be tuned for better performance.

Amazon RDS Proxy

Amazon RDS Proxy is a managed, highly available database proxy for Amazon Relational Database Service (RDS) that is designed to make applications more scalable, more resilient to database failures, and more secure.

Many applications, including those built on modern serverless architectures, can have a large number of open connections to the database server, and may open and close database connections at a high rate, exhausting database memory and compute resources. Amazon RDS Proxy allows applications to pool and share connections established with the database, improving database efficiency and application scalability. With RDS Proxy, failover times for Aurora and RDS databases are reduced and database credentials, authentication, and access can be managed through integration with Amazon Secrets Manager and Amazon Identity and Access Management (IAM).

Benefits

Improved application performance

Your Amazon RDS Proxy instance maintains a pool of established connections to your RDS database instances, reducing the stress on database compute and memory resources that typically occurs when new connections are established. RDS Proxy also shares infrequently used database connections, so that fewer connections access the RDS database. This connection pooling enables your database to efficiently support a large number and frequency of application connections so that your application can scale without compromising performance.

Increase application availability

RDS Proxy helps minimize application disruption from outages affecting the availability of your database, by automatically connecting to a new database instance while preserving application connections. When failovers occur, RDS Proxy is designed to route requests directly to the new database instance.

Manage application security

Amazon RDS Proxy is designed to give you additional control over data security by giving you the choice to enforce IAM authentication for database access and avoid hard coding database credentials into application code. RDS Proxy also enables you to centrally manage database credentials using Amazon Secrets Manager.

Managed

A database proxy server helps handle additional load on your database. While traditional proxy servers allow applications to scale more effectively, they are difficult to deploy, patch, and manage – consuming time and energy that could be better spent on developing great products. Amazon RDS Proxy is designed to give you the benefits of a database proxy without requiring additional burden of patching and managing your own proxy server. RDS Proxy is completely serverless and scales automatically to accommodate your workload.

Compatible with your database

Amazon RDS Proxy is designed to be compatible with the protocols of supported database engines, so you can deploy RDS Proxy for your application without making changes to your application code. You simply point your application connections to the proxy instead of the RDS database, and the rest is managed seamlessly.

Available and durable

Amazon RDS Proxy is designed to be highly available and deployed over multiple Availability Zones (AZs) to protect you from infrastructure failure. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In the event of an infrastructure failure, RDS Proxy is designed so that its endpoint remains online and consistent, allowing your application to continue to run database operations.

How it works

Amazon RDS Proxy sits between your application and your relational database to efficiently manage connections to the database and improve scalability of the application.

Use cases

Serverless application development

Amazon RDS Proxy helps you build serverless applications that are more scalable and more available because they use your relational databases more efficiently. Modern serverless applications support highly variable workloads and may attempt to open a burst of new database connections or keep many connections open but idle. A surge of connections or a large number of open connections could strain your database server, leading to slower queries and limited application scalability. By pooling and sharing already established database connections, RDS Proxy allows you to efficiently scale to many more connections from your serverless application. RDS Proxy also enables you to maintain predictable database performance by controlling the total number of database connections that are opened. Finally, RDS Proxy preserves the availability of your serverless application by denying unserviceable application connections that may degrade the performance of your database.

Software-as-a-Service (SaaS) and eCommerce applications

SaaS or eCommerce applications often keep a large number of database connections open to ensure quick user response times, although only a fraction of these open connections may get actively used at a given moment. These open but idle connections still consume database memory and compute resources. Instead of over-provisioning your database to support mostly idling connections, you can use RDS Proxy to hold idling connections from your application while only establishing database connections as required to optimally serve active requests.

Amazon RDS Read Replicas

Amazon RDS Read Replicas are designed to provide enhanced performance and durability for RDS database (DB) instances. They make it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server as well as Amazon Aurora.

For the MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server database engines, Amazon RDS creates a second DB instance using a snapshot of the source DB instance. It then uses the engines' native asynchronous replication to update the read replica whenever there is a change to the source DB instance. The read replica operates as a DB instance that allows only read-only connections; applications can connect to a read replica just as they would to any DB instance. Amazon RDS replicates all databases in the source DB instance.

Amazon Aurora is designed to further extend the benefits of read replicas by employing an SSD-backed virtualized storage layer purpose-built for database workloads. Amazon Aurora replicas share the same underlying storage as the source instance, lowering costs and avoiding the need to copy data to the replica nodes. 

Benefits

Enhanced performance

You can reduce the load on your source DB instance by routing read queries from your applications to the read replica. Read replicas are designed to allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. Because read replicas can be promoted to master status, they are useful as part of a sharding implementation.

To further maximize read performance, Amazon RDS for MySQL allows you to add table indexes directly to Read Replicas, without those indexes being present on the master.

Increased availability

Read replicas in Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server provide a complementary availability mechanism to Amazon RDS Multi-AZ Deployments. You can promote a read replica if the source DB instance fails, and you can set up a read replica with its own standby instance in a different AZ. This functionality complements the synchronous replication, automatic failure detection, and failover provided with Multi-AZ deployments.

Designed for security

When you create a read replica for Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server, Amazon RDS is designed to set up a secure communications channel using public key encryption between the source DB instance and the read replica, even when replicating across regions. Amazon RDS establishes any Amazon security configurations, such as adding security group entries, needed to enable the secure channel.

You can also create read replicas for your Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server database instances encrypted at rest with Amazon Key Management Service (KMS).

Setup

Using the Amazon Management Console, you can add read replicas to existing DB Instances. Use the "Create Read Replica" option corresponding to your DB Instance in the Amazon Management Console. Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server is designed to allow you to add up to 5 read replicas to each DB Instance.

Amazon RDS for MySQL, MariaDB, PostgreSQL, and Oracle offer you two SSD-based choices for database storage: General Purpose and Provisioned IOPS. Read replicas for these engines need not use the same type of storage as their master DB Instances. You may be able to optimize your performance or your spending by selecting an alternate storage type for read replicas.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.