Welcome to the Fifth Tutorial of this AWS Course/Series.
In this tutorial we are going to cover extremely important AWS Concepts which are as follows:-
- EBS Volume
- AWS RDS
- RDS Security
- An EBS (Elastic Block Store) Volume is a network drive which you can attach to your instances while they run. It allows the data of your instances to persist.
- It is important because an EC2 machine loses its root volume (main drive) when it is manually terminated or when there is an unexpected termination (which may happen from time to time). Thus an EBS Volume allows you to store your instance data somewhere durable.
- Features of EBS Volume:-
- It’s a network drive and not a physical drive, i.e. it uses the network to communicate with the instance, which means there might be a bit of latency.
- It can be detached from an EC2 instance and attached to another one quickly.
- It’s locked to an Availability Zone (AZ): an EBS Volume in us-east-1a cannot be attached to an instance in us-east-1b. To move a volume across, you first need to snapshot it.
- It has a fixed/provisioned capacity (size in GBs, and I/O per sec). You get billed for all the provisioned capacity. You can increase the capacity of the drive over time.
- There are 4 types of EBS Volume:-
- GP2 (SSD): General purpose SSD volume that balances price and performance for a wide variety of workloads.
- IO1 (SSD): Highest-performance SSD volume for mission-critical low-latency or high throughput workloads.
- ST1 (HDD): Low cost HDD volume designed for frequently accessed, throughput intensive workloads.
- SC1 (HDD): Lowest cost HDD volume designed for less frequently accessed workloads.
- EC2 Instance Store is attached to your physical server and hence has faster I/O as compared to an EBS Volume. But Instance Store loses its data on termination and it cannot be resized.
- EFS stands for Elastic File System. It is basically a managed Network File System that can be mounted on top of many EC2 Instances.
- It can work with EC2 Instances across multiple AZs, and is highly scalable with high availability, but it is expensive as well.
- RDS stands for Relational Database Service. It's a managed Database Service and uses SQL as a query language.
- It allows you to create databases in the cloud that are managed by AWS. You can create Postgres, MySQL, Oracle, MS SQL Server, MariaDB and Aurora (AWS Proprietary DB) databases.
- There are many advantages of using RDS versus deploying a custom DB on EC2, such as:-
- Automated provisioning.
- Continuous backups and restore to specific timestamp.
- Monitoring dashboards.
- Read replicas for improved read performance.
- Multi AZ setup for DR (Disaster Recovery).
- Maintenance windows for upgrades.
- Scaling capability (vertical and horizontal).
- Storage backed by EBS.
- Backups are automatically enabled in RDS. They include a daily full backup of the database, and transaction logs are backed up by RDS every 5 minutes, which provides the ability to restore to any point in time (at 5 minute granularity). Backups are retained for 7 days, which can be extended up to 365 days. Users can also manually trigger DB Snapshots.
- To ensure data security, RDS comes with the option to encrypt the master as well as the read replicas with AWS KMS (AES-256 encryption). Encryption has to be defined at launch time. Note:- If the master (original data) is not encrypted, the read replicas cannot be encrypted. Transparent Data Encryption (TDE) is also available for Oracle and SQL Server DBs.
- There is also a facility for in-flight encryption, which uses SSL certificates to encrypt data to RDS in flight. For this, one needs to provide the SSL options with the trust certificate while connecting to the Database.
- Snapshots of un-encrypted RDS databases are un-encrypted, while those of encrypted RDS Databases are encrypted.
- To encrypt an un-encrypted RDS Database one needs to do the following:-
- Create a snapshot of the un-encrypted database.
- Copy the snapshot and enable encryption for the snapshot.
- Restore the database from the encrypted snapshot.
- Migrate applications to the new database, and delete the old database.
- RDS Security is also ensured over the network, because RDS databases are usually deployed within a private subnet, not in a public one. RDS security also works by leveraging security groups (the same concept as for EC2 instances), which control which IPs / security groups can communicate with RDS.
- IAM policies help control who can manage AWS RDS (through the RDS API). A traditional username and password can be used to log in to the database. IAM-based authentication can be used to log in to two RDS database engines, i.e. MySQL and PostgreSQL. SSH is not used to access an RDS Database.
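To turn the RDS security points above into a check you can run, here is an added example (not code from the tutorial): it audits DB instance descriptions in the shape returned by boto3's `rds.describe_db_instances()` and reports which of the settings covered here (encryption at rest, private placement, automated backups, IAM authentication) are missing. The three sample records are constructed, and the 7-day threshold is the default backup retention mentioned above.

```python
# Added example: audit RDS instance descriptions for the security settings
# discussed in this tutorial. Key names follow boto3's describe_db_instances()
# output; the SAMPLE_INSTANCES below are constructed, not real instances.

# Engines the tutorial lists as supporting IAM database authentication.
IAM_AUTH_ENGINES = {"mysql", "postgres"}


def audit_instance(db):
    """Return a list of finding codes for one DB instance description."""
    findings = []
    # Encryption at rest (KMS, AES-256) can only be set at launch time.
    if not db.get("StorageEncrypted", False):
        findings.append("UNENCRYPTED_AT_REST")
    # RDS should sit in a private subnet, reachable only via security groups.
    if db.get("PubliclyAccessible", False):
        findings.append("PUBLICLY_ACCESSIBLE")
    # Automated backups default to 7 days; 0 means they are disabled.
    if db.get("BackupRetentionPeriod", 0) < 7:
        findings.append("BACKUP_RETENTION_UNDER_7_DAYS")
    # IAM auth is only available for MySQL and PostgreSQL, so only flag those.
    if (db.get("Engine", "") in IAM_AUTH_ENGINES
            and not db.get("IAMDatabaseAuthenticationEnabled", False)):
        findings.append("IAM_DB_AUTH_DISABLED")
    return findings


def audit_all(instances):
    """Map each DBInstanceIdentifier to its list of findings."""
    return {db["DBInstanceIdentifier"]: audit_instance(db) for db in instances}


# Constructed sample data (shape of describe_db_instances()["DBInstances"]).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Engine": "mysql", "StorageEncrypted": True,
     "PubliclyAccessible": False, "BackupRetentionPeriod": 7,
     "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "legacy-db", "Engine": "postgres", "StorageEncrypted": False,
     "PubliclyAccessible": True, "BackupRetentionPeriod": 0,
     "IAMDatabaseAuthenticationEnabled": False},
    {"DBInstanceIdentifier": "erp-db", "Engine": "oracle-ee", "StorageEncrypted": True,
     "PubliclyAccessible": False, "BackupRetentionPeriod": 14},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSTANCES).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

With real data, pass `boto3.client("rds").describe_db_instances()["DBInstances"]` to `audit_all` instead of the sample list.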