Amazon RDS Proxy: Taming DB Connections

By Juan Ignacio Giro

Most developers find databases hard to scale. Plenty of application frameworks can run on multiple pods, or even multiple clusters, to absorb more load, and some support advanced load balancing and caching.

Still, when a spike arrives that exceeds what the application tier can absorb, the database is almost always the first component to fail. Every developer has lived through this at least once, and it always happens at the worst possible moment, such as in the middle of a flash sale.

Managing database load isn't easy, and Amazon Relational Database Service (RDS) already does a great deal of it for you. Amazon RDS Proxy takes one specific part of that job, managing database connections, to a whole new level.

Getting to Know RDS Proxy

RDS Proxy works like other proxy services in that it sits between your applications and your RDS DB instances or Amazon Aurora DB clusters and manages the traffic flowing between them. It is, however, considerably more capable than a generic TCP proxy.

For a start, it is built specifically for RDS: it speaks the database wire protocols, so it understands the requests, responses and result sets passing through it rather than just forwarding bytes between sockets.

It is an active proxy. Client connections are pooled, and the pooled database connections are shared between clients, so the number of connections actually opened against the database engine can be cut substantially. The database therefore spends far less CPU and memory on connection handling and has more left over for running queries.

On top of that, RDS Proxy works with your existing databases. You don't have to change your RDS DB instances or write custom connection-management code; the one application change is pointing your connection string at the proxy endpoint instead of the database endpoint. Configure the proxy once and you are set.

To make it even better, Amazon designed RDS Proxy to be highly available: it is deployed across multiple Availability Zones, so the loss of one zone doesn't take it down. Because the proxy runs on its own infrastructure, separate from the resources provisioned for your DB instances, it consumes none of the database's CPU or memory, although it does add a network hop, and therefore some latency, to each round trip.

If anything, it lowers the database's overhead, using techniques such as connection multiplexing (many client connections share a smaller pool of database connections) and connection borrowing (a client holds a database connection from the pool only for as long as a request needs it). It also recognizes when a session carries state that can't safely be shared, such as session variables or prepared statements, and pins that client to a dedicated database connection for the rest of the session, so the proxy doesn't change your application's semantics.

Security as a Priority

That brings us to the benefits RDS Proxy offers, starting with the security measures that protect requests and responses in transit and at login. RDS Proxy supports the RDS security features you already use, including TLS/SSL for encryption in transit and AWS IAM for authentication and authorization.

The latter is a huge plus, and IAM is involved in two distinct ways. First, the proxy itself is given an IAM role, which it uses to read database credentials from Secrets Manager. Second, you can enable IAM database authentication on the proxy, so that applications log in with short-lived, IAM-generated auth tokens instead of passwords; a principal whose policy doesn't grant rds-db:connect on the proxy is refused, and if you set IAM authentication to Required, password logins to the proxy are refused outright. The proxy still authenticates to the database itself with the credentials held in Secrets Manager, so the instance doesn't need to be reconfigured.

It also works with AWS Secrets Manager. Database credentials no longer have to be exposed to the application or hard-coded anywhere: the proxy retrieves them from Secrets Manager and uses them to open connections to the database, which lets you enforce a stricter credential policy overall.

All of these measures are easy to deploy. TLS, for instance, needs no certificate handling on your side: the proxy's certificate is issued and rotated for you through AWS Certificate Manager, and you simply turn on the proxy's "Require Transport Layer Security" setting so that plaintext clients are rejected. Enforcing TLS end to end from the client side is just as easy, because the standard clients support it: --ssl-mode=REQUIRED (or VERIFY_IDENTITY, to also check the certificate) for mysql, and sslmode=require (or verify-full) for psql. IAM authentication through the proxy requires TLS in any case.

Use aws secretsmanager create-secret to create a secret whose value is a JSON document with username and password keys for the database user the proxy will log in as. Before configuring the proxy, create an IAM role that rds.amazonaws.com can assume and that allows secretsmanager:GetSecretValue on that secret (plus kms:Decrypt on the key if the secret is encrypted with a customer managed KMS key). Then select the secret, the role and the authentication settings under Connectivity when you create the proxy.

When it comes to setting up the proxy, a few further settings tighten it. You can shorten the idle client connection timeout (the default is 30 minutes) so that stale or abandoned client connections are closed sooner and stop holding pool capacity.

You can also be specific about subnets. By default the console selects every subnet in the VPC, which is not the most secure choice; remove the ones the proxy doesn't need so that its endpoint is only reachable from where your applications run, keeping at least two subnets in different Availability Zones for high availability. Attach a VPC security group to the proxy that admits the database port only from your application tier's security group, and make sure the database's own security group admits traffic from the proxy's.
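The steps above (a Secrets Manager secret, a least-privilege IAM role, IAM client authentication, mandatory TLS, a short idle timeout, explicit subnets and a security group, and finally how a client connects) as one worked script. This is an added example, not code from the original article or from AWS; it uses AWS CLI commands that exist for these operations, and every name, ID and ARN in it (account 123456789012, instance orders-mysql, the subnet and security group IDs) is a placeholder you replace with your own. By default it runs as a dry run and only prints the aws commands; export AWS=aws to execute them. The mysql invocation it prints assumes your CA bundle contains the Amazon Root CAs that the proxy's certificate chains to.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or from AWS: provision an RDS Proxy
# in front of an existing RDS for MySQL instance with the hardening discussed in
# the text. All IDs, names and ARNs are placeholders. Dry run by default; export
# AWS=aws to really run the commands.
set -eu

AWS="${AWS:-echo aws}"
REGION="${REGION:-us-east-1}"
ACCOUNT="${ACCOUNT:-123456789012}"
PROXY_NAME="${PROXY_NAME:-orders-proxy}"
DB_INSTANCE="${DB_INSTANCE:-orders-mysql}"              # existing RDS for MySQL instance
DB_USER="${DB_USER:-app_user}"
DB_PASSWORD="${DB_PASSWORD:-REPLACE_ME}"                # read from env, never typed on the CLI
SECRET_NAME="${SECRET_NAME:-rds-proxy/orders/app_user}"
ROLE_NAME="${ROLE_NAME:-rds-proxy-orders-secrets}"
SUBNETS="${SUBNETS:-subnet-0aaa0000000000001 subnet-0bbb0000000000002}"  # private, 2 AZs
PROXY_SG="${PROXY_SG:-sg-0ccc0000000000003}"            # admits 3306 from the app tier only

# Run an aws command whose output we need; in dry-run mode print it and return a placeholder.
aws_value() {
  placeholder="$1"; shift
  if [ "$AWS" = "aws" ]; then aws "$@"; else echo "aws $*" >&2; printf '%s' "$placeholder"; fi
}

# RDS Proxy requires the secret value to be JSON with exactly these two keys.
secret_json() { printf '{"username":"%s","password":"%s"}' "$1" "$2"; }

# Trust policy: only the RDS service may assume the proxy's role.
trust_policy_json() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"rds.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Permissions policy: read this one secret and nothing else. Add kms:Decrypt on the
# key ARN if the secret is encrypted with a customer managed KMS key.
secrets_policy_json() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:GetSecretValue","Resource":"%s"}]}' "$1"
}

# Resource a client principal needs rds-db:connect on to log in through the proxy
# with an IAM token: it names the proxy ID (prx-...), not the DB instance.
proxy_connect_arn() { printf 'arn:aws:rds-db:%s:%s:dbuser:%s/%s' "$1" "$2" "$3" "$4"; }

provision() {
  # 1. Credentials go into Secrets Manager; a 0600 file keeps them out of `ps` output.
  umask 077; tmp="${TMPDIR:-/tmp}/rds-proxy-secret.$$"
  secret_json "$DB_USER" "$DB_PASSWORD" > "$tmp"
  SECRET_ARN=$(aws_value "arn:aws:secretsmanager:$REGION:$ACCOUNT:secret:$SECRET_NAME-AbCdEf" \
    secretsmanager create-secret --region "$REGION" --name "$SECRET_NAME" \
    --secret-string "file://$tmp" --query ARN --output text)
  rm -f "$tmp"

  # 2. Role the proxy assumes to fetch that secret.
  ROLE_ARN=$(aws_value "arn:aws:iam::$ACCOUNT:role/$ROLE_NAME" \
    iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json)" --query Role.Arn --output text)
  $AWS iam put-role-policy --role-name "$ROLE_NAME" --policy-name read-proxy-secret \
    --policy-document "$(secrets_policy_json "$SECRET_ARN")"

  # 3. The proxy: IAM auth required (password logins refused), TLS required, idle
  #    clients dropped after 5 minutes, explicit subnets (intentionally unquoted) and SG.
  PROXY_ARN=$(aws_value "arn:aws:rds:$REGION:$ACCOUNT:db-proxy:prx-0123456789abcdef0" \
    rds create-db-proxy --region "$REGION" --db-proxy-name "$PROXY_NAME" \
    --engine-family MYSQL --role-arn "$ROLE_ARN" \
    --auth "AuthScheme=SECRETS,SecretArn=$SECRET_ARN,IAMAuth=REQUIRED" \
    --require-tls --idle-client-timeout 300 \
    --vpc-subnet-ids $SUBNETS --vpc-security-group-ids "$PROXY_SG" \
    --query DBProxy.DBProxyArn --output text)

  # 4. Attach the database and cap how much of its max_connections the pool may use.
  $AWS rds register-db-proxy-targets --region "$REGION" --db-proxy-name "$PROXY_NAME" \
    --db-instance-identifiers "$DB_INSTANCE"
  $AWS rds modify-db-proxy-target-group --region "$REGION" --db-proxy-name "$PROXY_NAME" \
    --target-group-name default \
    --connection-pool-config "MaxConnectionsPercent=90,MaxIdleConnectionsPercent=10,ConnectionBorrowTimeout=30"

  # 5. What the application's IAM policy must allow, and how it then connects:
  #    a short-lived token instead of a password, over certificate-verified TLS.
  echo "Allow rds-db:connect on $(proxy_connect_arn "$REGION" "$ACCOUNT" "${PROXY_ARN##*:}" "$DB_USER")"
  echo "mysql --host=<proxy endpoint> --port=3306 --user=$DB_USER \\"
  echo "  --ssl-mode=VERIFY_IDENTITY --ssl-ca=<CA bundle with the Amazon Root CAs> \\"
  echo "  --enable-cleartext-plugin --password=\"\$(aws rds generate-db-auth-token \\"
  echo "  --hostname <proxy endpoint> --port 3306 --username $DB_USER --region $REGION)\""
}

provision
```

Note the two separate IAM surfaces: the role the proxy assumes to read the secret, and the rds-db:connect permission the application principal needs on the proxy's own prx- ARN; granting it on the DB instance's ARN does not authorize logins through the proxy. MaxIdleConnectionsPercent of 10 stops the pool from hoarding idle database connections, and MaxConnectionsPercent should stay below 100 whenever anything else connects to the database directly.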

RDS Proxy Limits

RDS Proxy is handy for absorbing spikes in connections and for lowering the connection overhead on your database instances, and the active proxy gives you a useful set of knobs for tuning how the pool behaves.

That said, there are limits to know about before you rely on RDS Proxy to tame DB connections, starting with the fact that you can have at most 20 proxies per AWS account per Region. That is plenty for most teams, and the quota can be raised on request.

RDS Proxy supports the MySQL and PostgreSQL engine families (RDS for MySQL, RDS for PostgreSQL and the corresponding Aurora engines). Most applications use one of these, but if you run another engine or a heavily customized build, you are out of luck.

There are version limits too: RDS for MySQL 5.6 or newer is required. The proxy always listens on the default MySQL port, 3306, although it can connect to your database on whatever port the instance uses.

The same applies to PostgreSQL. You need PostgreSQL 10.10 or newer, and the proxy listens on the default Postgres port, 5432. Because connections are multiplexed, some session-scoped PostgreSQL functions don't behave as they would over a direct connection; lastval() is a good example.

Wrapping Up

All things considered, RDS Proxy is a solid solution for taming your DB connections. It is highly available by design, so you don't have to build failover for the proxy layer yourself. You can put it in front of databases that have been throwing "too many connections" errors and fix the problem almost immediately. The same proxy also lowers per-connection overhead on the instance, so memory pressure caused by connection storms can be relieved as well. Its tight integration with other AWS services such as IAM and Secrets Manager just makes it better.
