Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure. https://aws.amazon.com/rds/proxy/
This short video presentation by AWS explains the benefits of RDS Proxy and demonstrates how it can be configured with the AWS console.
The Terraform code at aw5academy/terraform/rds-proxy will create the following resources:
- Aurora cluster + database instance;
- Secrets Manager secret;
- EC2 instance;
- IAM resources;
- Security groups;
We will use the EC2 instance as a mock for an application that needs to communicate with our Aurora database.
Note: at the time of writing this article, Terraform does not support RDS Proxy resources. So we will need to manually create this component from the AWS console.
Let’s first deploy our Terraform code with:
git clone https://gitlab.com/aw5academy/terraform/rds-proxy.git
cd rds-proxy
terraform init
terraform apply
Once Terraform has been applied, it is worth examining the security groups that were created.
We can see that the Aurora database only allows connections from the Proxy and the Proxy only allows connections from the EC2 instance.
Additionally, a Secrets Manager secret was created. Our RDS Proxy will use the values from this secret to connect to our database. Note how it is the proxy alone that uses these credentials. We will see later that our application (the EC2 instance) will use IAM authentication to establish a connection with the RDS proxy and so the application never needs to know the database credentials.
Now we can create our RDS proxy from the AWS RDS console. During the creation of the proxy, provide the following settings:
- PostgreSQL for Engine compatibility;
- Require Transport Layer Security;
- Select the secret with prefix rds-proxy-test for Secrets Manager secret(s);
- rds-proxy-test-proxy-role for IAM role;
- Required for IAM authentication;
- rds-proxy-test-proxy for Existing VPC security groups;
Now wait for the proxy to be created. This can take some time. Once complete, obtain the RDS Proxy endpoint from the console; we will use it to connect from our EC2 instance.
Let’s test our setup. SSH into the EC2 instance with:
ssh -i rds-proxy-test.pem ec2-user@`terraform output ec2-public-ip`
From the terminal, set the RDSHOST environment variable to the proxy endpoint. E.g.
We can now test our connection to the database via the RDS proxy with:
Success! The proxy.sh script uses the psql tool and obtains a short-lived credential for the proxy via the aws rds generate-db-auth-token AWS CLI command. We can also use generate_db_auth_token from boto3 for Python:
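The following is an added example and is not code from the original article or from the aw5academy repository. It shows the Python equivalent of the proxy.sh flow: generate an IAM authentication token with boto3, sanity-check it before use, and open a TLS connection to the proxy with it as the password. The database user `app_user`, database name `postgres`, region `eu-west-1`, the choice of psycopg2 as driver and the SAMPLE_TOKEN constant are all assumptions or constructed values, not taken from the article; the proxy endpoint is read from the RDSHOST environment variable as in the walkthrough.

```python
"""Connect to Aurora PostgreSQL through RDS Proxy with an IAM auth token.

Added example; assumes user `app_user`, database `postgres`, region
`eu-west-1` and the psycopg2 driver. None of these come from the article.
"""
import os
from urllib.parse import parse_qs, urlparse

# IAM database authentication tokens are valid for 15 minutes (900 s).
TOKEN_TTL_SECONDS = 900

# Constructed sample token (not a real endpoint or signature) showing the
# shape of what generate_db_auth_token returns: a presigned URL without scheme.
SAMPLE_HOST = "rds-proxy-test.proxy-example.eu-west-1.rds.amazonaws.com"
SAMPLE_TOKEN = (
    SAMPLE_HOST
    + ":5432/?Action=connect&DBUser=app_user&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    + "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Feu-west-1%2Frds-db%2Faws4_request"
    + "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    + "&X-Amz-Signature=deadbeef"
)


def generate_token(host, port, user, region):
    """Presign a short-lived SigV4 token locally; it stands in for the password."""
    import boto3  # imported here so the token checks below run without AWS access

    rds = boto3.client("rds", region_name=region)
    return rds.generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=user, Region=region
    )


def token_is_for(token, host, port, user):
    """Check a token before handing it to the driver.

    Verifies it targets the expected endpoint and database user, is signed,
    and does not claim a lifetime longer than RDS allows.
    """
    parsed = urlparse("https://" + token)
    query = parse_qs(parsed.query)
    try:
        expires = int(query.get("X-Amz-Expires", ["0"])[0])
    except ValueError:
        return False
    return (
        parsed.hostname == host.lower()
        and parsed.port == port
        and query.get("Action") == ["connect"]
        and query.get("DBUser") == [user]
        and "X-Amz-Signature" in query
        and 0 < expires <= TOKEN_TTL_SECONDS
    )


def connection_kwargs(host, port, user, dbname, token):
    """Driver parameters; sslmode=require matches the proxy's TLS requirement."""
    return {
        "host": host,
        "port": port,
        "user": user,
        "dbname": dbname,
        "password": token,
        "sslmode": "require",
    }


def connect(host, port, user, dbname, region):
    """Generate a fresh token and open a connection through the proxy."""
    import psycopg2  # assumed driver; any libpq-based driver takes the same parameters

    token = generate_token(host, port, user, region)
    if not token_is_for(token, host, port, user):
        raise RuntimeError("auth token does not match the requested endpoint/user")
    return psycopg2.connect(**connection_kwargs(host, port, user, dbname, token))


if __name__ == "__main__":
    conn = connect(
        host=os.environ["RDSHOST"],
        port=5432,
        user="app_user",
        dbname="postgres",
        region="eu-west-1",
    )
    with conn.cursor() as cur:
        cur.execute("SELECT current_user, inet_server_addr()")
        print(cur.fetchone())
    conn.close()
```

Because the token is only valid for 15 minutes, generate a new one for each connection (or each pool refill) rather than caching it in configuration; the EC2 instance role must be allowed rds-db:connect for the proxy's resource ID and user, which is what the IAM resources created by the Terraform stack provide.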
The RDS Proxy feature can improve application security as we have seen, with the proxy alone having access to the database credentials and the application using IAM authentication to connect to the proxy.
Application resilience is improved since RDS Proxy improves failover times by up to 66%.
Lastly, your applications will be able to scale more effectively since RDS Proxy will pool and share connections to the database.
To clean up the resources we created, first delete the RDS Proxy from the console and then, from your terminal, destroy the Terraform stack with:
terraform init
terraform destroy