Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure.
https://aws.amazon.com/rds/proxy/
In this article I will demonstrate how you can configure an Amazon RDS Proxy for an Amazon Aurora database. With the provided Terraform code, you can launch a sample database to test RDS Proxy.
This short video presentation by AWS explains the benefits of RDS Proxy and demonstrates how it can be configured with the AWS console.
Database
The Terraform code at aw5academy/terraform/rds-proxy will create the following resources:
- Aurora cluster + database instance;
- Secrets Manager secret;
- EC2 instance;
- IAM resources;
- Security groups;
We will use the EC2 instance as a mock for an application that needs to communicate with our Aurora database.
Note: at the time of writing this article, Terraform does not support RDS Proxy resources, so we will need to create this component manually from the AWS console.
Let’s first deploy our Terraform code with:
git clone https://gitlab.com/aw5academy/terraform/rds-proxy.git
cd rds-proxy
terraform init
terraform apply
Once Terraform has been applied, it is worth examining the security groups that were created.
We can see that the Aurora database only allows connections from the Proxy and the Proxy only allows connections from the EC2 instance.
Additionally, a Secrets Manager secret was created. Our RDS Proxy will use the values from this secret to connect to our database. Note how it is the proxy alone that uses these credentials. We will see later that our application (the EC2 instance) will use IAM authentication to establish a connection with the RDS proxy and so the application never needs to know the database credentials.

RDS Proxy
Now we can create our RDS proxy from the AWS RDS console. During the creation of the proxy, provide the following settings:
- Select PostgreSQL for Engine compatibility;
- Tick Require Transport Layer Security;
- Select rds-proxy-test for Database;
- Select the secret with prefix rds-proxy-test for Secrets Manager secret(s);
- Select rds-proxy-test-proxy-role for IAM role;
- Select Required for IAM authentication;
- Select rds-proxy-test-proxy for Existing VPC security groups;
Now wait for the proxy to be created. This can take some time. Once complete, obtain the RDS Proxy endpoint from the console; we will use it to connect from our EC2 instance.
Application
Let’s test our setup. SSH into the EC2 instance with:
ssh -i rds-proxy-test.pem ec2-user@`terraform output ec2-public-ip`
From the terminal, set the RDSHOST environment variable, e.g.
export RDSHOST=rds-proxy-test.proxy-abcdefghijkl.us-east-1.rds.amazonaws.com
We can now test our connection to the database via the RDS proxy with:
./proxy.sh

Success! The proxy.sh script uses the psql tool and obtains an authentication token for the proxy via the aws rds generate-db-auth-token AWS CLI command. We can also use generate_db_auth_token from boto3 for Python:
python3.8 proxy.py
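To show what proxy.sh and proxy.py are actually obtaining, here is an added stdlib-only Python example (not the article's code and not boto3 itself) that builds the same kind of token: a SigV4-presigned "rds-db" connect request, valid for 15 minutes, which the client presents as the database password over TLS. The endpoint, user and credentials are constructed placeholders.

```python
"""Stdlib-only illustration of how an RDS IAM auth token is built (the construction
botocore's generate_db_auth_token uses): a SigV4-presigned GET to the proxy endpoint
for the 'rds-db' service, valid 900 s, minus the 'https://' prefix. Placeholder values."""
import datetime
import hashlib
import hmac
import urllib.parse

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def generate_db_auth_token(host, port, user, region, access_key, secret_key,
                           session_token=None, now=None):
    """Return '<host>:<port>/?Action=connect&DBUser=<user>&X-Amz-...' for PGPASSWORD."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{day}/{region}/rds-db/aws4_request"
    params = {"Action": "connect", "DBUser": user,
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date,
              "X-Amz-Expires": "900",  # the token is a bearer secret for 15 minutes
              "X-Amz-SignedHeaders": "host"}
    if session_token:  # temporary credentials, e.g. from an EC2 instance role
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, values RFC 3986 encoded ('/' -> %2F).
    query = "&".join(f"{k}={urllib.parse.quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", "/", query,
        f"host:{host}:{port}\n",  # canonical headers block, then blank separator
        "host",
        hashlib.sha256(b"").hexdigest()])  # hash of the empty request body
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(f"AWS4{secret_key}".encode(), day)
    for part in (region, "rds-db", "aws4_request"):  # SigV4 key derivation chain
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    # Present it as the password over TLS only, e.g. psql "... sslmode=require".
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"

# Constructed, fixed inputs so the output is reproducible (not real credentials).
EXAMPLE_TIME = datetime.datetime(2020, 6, 1, 12, 0, tzinfo=datetime.timezone.utc)
EXAMPLE_HOST = "rds-proxy-test.proxy-abcdefghijkl.us-east-1.rds.amazonaws.com"

def example_token(user="postgres"):
    return generate_db_auth_token(EXAMPLE_HOST, 5432, user, "us-east-1", "AKIAIOSFODNN7EXAMPLE",
                                  "wJalrXUtnFEMI/EXAMPLEKEY", now=EXAMPLE_TIME)
```

Because the token is only a signed, time-limited bearer string, the "Require Transport Layer Security" setting chosen earlier is what keeps it from being captured and replayed within its 15-minute window.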

Wrap-Up
The RDS Proxy feature can improve application security as we have seen, with the proxy alone having access to the database credentials and the application using IAM authentication to connect to the proxy.
Application resilience is improved since RDS Proxy improves failover times by up to 66%.
Lastly, your applications will be able to scale more effectively since RDS Proxy will pool and share connections to the database.
To clean up the resources we created, first delete the RDS Proxy from the console and then, from your terminal, destroy the Terraform stack with:
terraform init
terraform destroy