AWS RDS Database
Overview
Amazon RDS is a managed relational database service that takes over provisioning, patching, backups and failover. It supports several engines (PostgreSQL, MySQL, MariaDB, Oracle, SQL Server) and provides automated backups, read replicas, encryption at rest with KMS, and high availability through Multi-AZ deployments.
When to Use
- PostgreSQL and MySQL applications
- Transactional databases and OLTP
- Oracle and Microsoft SQL Server workloads
- Read-heavy applications with replicas
- Development and staging environments
- Data requiring ACID compliance
- Applications needing automatic backups
- Disaster recovery scenarios
Implementation Examples
1. RDS Instance Creation with AWS CLI
```bash
# Create DB subnet group (private subnets in at least two AZs)
aws rds create-db-subnet-group \
  --db-subnet-group-name app-db-subnet \
  --db-subnet-group-description "App database subnet" \
  --subnet-ids subnet-12345 subnet-67890

# Create security group for RDS
aws ec2 create-security-group \
  --group-name rds-sg \
  --description "RDS security group" \
  --vpc-id vpc-12345

# Allow inbound PostgreSQL only from the application tier's security group,
# never from a CIDR such as 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
  --group-id sg-rds123 \
  --protocol tcp \
  --port 5432 \
  --source-security-group-id sg-app123

# Create RDS instance. The master password is read from an environment
# variable populated from a secret store; a literal on the command line ends
# up in shell history and process listings. "admin" is rejected as a reserved
# master username on RDS for PostgreSQL, so a different name is used.
aws rds create-db-instance \
  --db-instance-identifier myapp-db \
  --db-instance-class db.t3.micro \
  --engine postgres \
  --engine-version 15.2 \
  --master-username dbadmin \
  --master-user-password "$DB_MASTER_PASSWORD" \
  --allocated-storage 100 \
  --storage-type gp3 \
  --db-subnet-group-name app-db-subnet \
  --vpc-security-group-ids sg-rds123 \
  --no-publicly-accessible \
  --multi-az \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:region:account:key/id \
  --backup-retention-period 30 \
  --preferred-backup-window "03:00-04:00" \
  --preferred-maintenance-window "mon:04:00-mon:05:00" \
  --enable-cloudwatch-logs-exports postgresql \
  --enable-iam-database-authentication \
  --deletion-protection

# Create read replica (in-region replicas inherit the source's KMS key)
aws rds create-db-instance-read-replica \
  --db-instance-identifier myapp-db-read \
  --source-db-instance-identifier myapp-db

# Take manual snapshot. Manual snapshots are kept until deleted; automated
# backups are bounded by the retention period.
aws rds create-db-snapshot \
  --db-snapshot-identifier myapp-db-backup-2024 \
  --db-instance-identifier myapp-db

# Describe RDS instance
aws rds describe-db-instances \
  --db-instance-identifier myapp-db \
  --query 'DBInstances[0].[DBInstanceIdentifier,DBInstanceStatus,Endpoint.Address]'
```
2. Terraform RDS Configuration
```hcl
# rds.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    # random_password below needs the random provider declared
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# DB subnet group: private subnets in at least two AZs.
# aws_vpc.main, aws_subnet.private1/private2 and aws_security_group.app are
# defined elsewhere in the configuration.
resource "aws_db_subnet_group" "app" {
  name       = "app-db-subnet"
  subnet_ids = [aws_subnet.private1.id, aws_subnet.private2.id]
  tags       = { Name = "app-db-subnet" }
}

# Security group: ingress only from the application tier's security group
resource "aws_security_group" "rds" {
  name_prefix = "rds-"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }

  # A database rarely needs outbound access; narrow this (for example to the
  # VPC CIDR) once the instance's real dependencies are known.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# KMS key for encryption at rest
resource "aws_kms_key" "rds" {
  description             = "RDS encryption key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

resource "aws_kms_alias" "rds" {
  name          = "alias/rds-key"
  target_key_id = aws_kms_key.rds.key_id
}

# RDS instance
resource "aws_db_instance" "app" {
  identifier     = "myapp-db"
  engine         = "postgres"
  engine_version = "15.2"
  instance_class = "db.t3.micro"

  allocated_storage = 100
  storage_type      = "gp3"
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn

  db_name  = "appdb"
  # "admin" is rejected as a reserved master username on RDS for PostgreSQL
  username = "dbadmin"
  password = random_password.db_password.result

  db_subnet_group_name   = aws_db_subnet_group.app.name
  vpc_security_group_ids = [aws_security_group.rds.id]
  multi_az               = true
  publicly_accessible    = false

  backup_retention_period = 30
  backup_window           = "03:00-04:00"
  maintenance_window      = "mon:04:00-mon:05:00"
  copy_tags_to_snapshot   = true

  enabled_cloudwatch_logs_exports     = ["postgresql"]
  # The provider argument is iam_database_authentication_enabled
  # (enable_iam_database_authentication is not a valid argument)
  iam_database_authentication_enabled = true

  # Enhanced Monitoring: attach the role defined below
  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.rds_monitoring.arn

  deletion_protection = true
  skip_final_snapshot = false
  # A fixed name: deriving it from timestamp() produces a plan diff on every run
  final_snapshot_identifier = "myapp-db-final-snapshot"

  tags = {
    Name = "myapp-db"
  }
}

# Generate random password. RDS rejects "/", "@", double quotes and spaces in
# the master password, so restrict the special characters it may contain.
resource "random_password" "db_password" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

# Store credentials in Secrets Manager. The password is also recorded in
# Terraform state, so the state backend must be encrypted and access-controlled.
resource "aws_secretsmanager_secret" "db_password" {
  name_prefix             = "rds/myapp/"
  recovery_window_in_days = 7
}

resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id = aws_secretsmanager_secret.db_password.id
  secret_string = jsonencode({
    username = aws_db_instance.app.username
    password = random_password.db_password.result
    engine   = "postgres"
    host     = aws_db_instance.app.address
    port     = aws_db_instance.app.port
    dbname   = aws_db_instance.app.db_name
  })
}

# Read replica (same region; inherits storage encryption and the KMS key)
resource "aws_db_instance" "read_replica" {
  identifier          = "myapp-db-read"
  replicate_source_db = aws_db_instance.app.identifier
  instance_class      = "db.t3.micro"
  publicly_accessible = false
  # Without this, destroying the replica fails for lack of a final snapshot name
  skip_final_snapshot = true
  tags = {
    Name = "myapp-db-read"
  }
}

# Enhanced monitoring role
resource "aws_iam_role" "rds_monitoring" {
  name_prefix = "rds-monitoring-"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "monitoring.rds.amazonaws.com"
      }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "rds_monitoring" {
  role       = aws_iam_role.rds_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

# CloudWatch alarms. Add alarm_actions pointing at an SNS topic so that a
# breach reaches someone; an alarm with no action only changes colour.
resource "aws_cloudwatch_metric_alarm" "db_cpu" {
  alarm_name          = "rds-high-cpu"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 2
  metric_name         = "CPUUtilization"
  namespace           = "AWS/RDS"
  period              = 300
  statistic           = "Average"
  threshold           = 80
  alarm_description   = "Alert when RDS CPU exceeds 80%"
  dimensions = {
    # The dimension value is the instance name; use identifier rather than id,
    # which newer 5.x provider releases set to the DbiResourceId
    DBInstanceIdentifier = aws_db_instance.app.identifier
  }
}

resource "aws_cloudwatch_metric_alarm" "db_connections" {
  alarm_name          = "rds-high-connections"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = "DatabaseConnections"
  namespace           = "AWS/RDS"
  period              = 300
  statistic           = "Average"
  threshold           = 80
  alarm_description   = "Alert when database connections exceed 80"
  dimensions = {
    DBInstanceIdentifier = aws_db_instance.app.identifier
  }
}

# Outputs
output "db_endpoint" {
  value       = aws_db_instance.app.endpoint
  description = "RDS endpoint address"
}

output "db_password_secret" {
  value       = aws_secretsmanager_secret.db_password.arn
  description = "Secrets Manager ARN for database credentials"
}
```
3. Database Connection and Configuration
```bash
# Require TLS and verify the server certificate against the RDS CA bundle
# (download it from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem).
# These variables apply to psql and pg_dump alike.
export PGSSLMODE=verify-full
export PGSSLROOTCERT=./global-bundle.pem

# Connect to RDS instance as the master user
psql -h myapp-db.xxxx.us-east-1.rds.amazonaws.com \
  -U dbadmin \
  -d appdb \
  -p 5432

# Create a least-privilege application role that authenticates with IAM.
# Membership in rds_iam switches the role to token authentication, so it gets
# no password. GRANT ... ON ALL TABLES covers only tables that already exist;
# ALTER DEFAULT PRIVILEGES covers tables dbadmin creates later.
psql -h myapp-db.xxxx.us-east-1.rds.amazonaws.com \
  -U dbadmin \
  -d appdb << 'EOF'
CREATE USER app_user;
GRANT rds_iam TO app_user;
GRANT CONNECT ON DATABASE appdb TO app_user;
GRANT USAGE ON SCHEMA public TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_user;
EOF

# Connect as app_user with a short-lived IAM token (15 minutes) in place of a
# password. The caller's IAM identity needs rds-db:connect on
# arn:aws:rds-db:us-east-1:<account-id>:dbuser:<DbiResourceId>/app_user
PGPASSWORD="$(aws rds generate-db-auth-token \
  --hostname myapp-db.xxxx.us-east-1.rds.amazonaws.com \
  --port 5432 \
  --region us-east-1 \
  --username app_user)" \
psql -h myapp-db.xxxx.us-east-1.rds.amazonaws.com -U app_user -d appdb -p 5432

# Export database
pg_dump -h myapp-db.xxxx.us-east-1.rds.amazonaws.com \
  -U dbadmin \
  appdb > backup.sql

# Import database
psql -h myapp-db.xxxx.us-east-1.rds.amazonaws.com \
  -U dbadmin \
  appdb < backup.sql
```
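What the IAM token above actually is, as an added Python example that is not part of the original page: `generate-db-auth-token` (CLI) and boto3's `generate_db_auth_token` return a SigV4 presigned GET for the `rds-db` signing service with the `https://` scheme removed, fixed at a 900-second lifetime, and the client sends that string in the password field. The code below builds the same token from the standard library so the pieces are visible, and adds the expiry check a connection pool needs. The host name, the timestamp and the access keys (AWS's documented example key pair) are constructed placeholders; in production, call boto3 and always connect with `sslmode=verify-full`, since IAM authentication requires TLS.

```python
"""Build an RDS IAM authentication token by hand (added example).

Inputs in sample_token() are constructed placeholders, not real resources.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

TOKEN_TTL_SECONDS = 900  # AWS fixes the token lifetime at 15 minutes
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of the empty GET body


def _uri_encode(s: str) -> str:
    # SigV4 uses RFC 3986 encoding; only unreserved characters stay bare
    return quote(s, safe="-_.~")


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def build_auth_token(host, port, db_user, region, access_key, secret_key,
                     session_token=None, now=None):
    """Return the string a client passes to PostgreSQL as the password."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"

    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        params["X-Amz-Security-Token"] = session_token  # signed as well
    canonical_query = "&".join(
        f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items())
    )
    # Canonical request: method, path, query, canonical headers (host:port,
    # terminated by a blank line), signed header list, payload hash
    canonical_request = "\n".join(
        ["GET", "/", canonical_query, f"host:{host}:{port}", "", "host", EMPTY_SHA256]
    )
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Signing key derivation: secret -> date -> region -> service -> aws4_request
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, "rds-db", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # No scheme: the token is "host:port/?query&X-Amz-Signature=..."
    return f"{host}:{port}/?{canonical_query}&X-Amz-Signature={signature}"


def token_expires_at(token: str) -> dt.datetime:
    """Expiry derived from the signed X-Amz-Date and X-Amz-Expires fields."""
    query = parse_qs(urlsplit("https://" + token).query)
    issued = dt.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(query["X-Amz-Expires"][0]))


def token_is_fresh(token: str, now=None, margin_seconds=60) -> bool:
    """False once the token is within margin_seconds of expiry; regenerate then."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return now + dt.timedelta(seconds=margin_seconds) < token_expires_at(token)


def libpq_params(host, port, db_name, db_user, token, ca_bundle="global-bundle.pem"):
    """Connection keywords for psycopg. IAM auth requires TLS, and verify-full
    pins the server name so the token cannot be harvested by a spoofed endpoint."""
    return {"host": host, "port": port, "dbname": db_name, "user": db_user,
            "password": token, "sslmode": "verify-full", "sslrootcert": ca_bundle}


SAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)


def sample_token() -> str:
    """Token for constructed placeholder inputs (AWS's documented example keys)."""
    return build_auth_token(
        host="myapp-db.xxxx.us-east-1.rds.amazonaws.com", port=5432,
        db_user="app_user", region="us-east-1",
        access_key="AKIAIOSFODNN7EXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        now=SAMPLE_NOW)


if __name__ == "__main__":
    tok = sample_token()
    print(tok)
    print("expires", token_expires_at(tok).isoformat(), "fresh now:", token_is_fresh(tok, now=SAMPLE_NOW))
```

Two consequences follow from the structure: the token is only a signature over the user name, host, port and time, so it is useless without a TLS channel to the genuine endpoint, and it expires 15 minutes after `X-Amz-Date` regardless of when the connection was opened, which is why pools must regenerate it per connection rather than cache it.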
Best Practices
✅ DO
- Use Multi-AZ for production
- Enable automated backups with a retention period that matches your recovery objectives
- Use encryption at rest (KMS) and in transit; on PostgreSQL set rds.force_ssl = 1 in the parameter group so plaintext connections are refused
- Implement IAM database authentication for application roles instead of long-lived database passwords
- Create read replicas for scaling read traffic
- Monitor performance metrics
- Set up CloudWatch alarms with notification actions
- Store credentials in Secrets Manager, never in code
- Use parameter groups for configuration
❌ DON'T
- Store passwords in code, shell history, or Terraform state that is not encrypted and access-controlled
- Disable encryption; it can only be chosen at creation, so an unencrypted instance has to be snapshotted, the snapshot copied with encryption, and restored
- Use public accessibility in production
- Ignore backup retention
- Skip automated backups; a retention period of 0 also disables point-in-time recovery
- Create production databases without Multi-AZ
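A way to check a running account against the lists above, added here as a Python example that is not part of the original page. It evaluates the JSON returned by `aws rds describe-db-instances` and `aws ec2 describe-security-groups` (the same shapes boto3's `describe_db_instances()` and `describe_security_groups()` return), using the documented field names. The two instances and two security groups embedded below are constructed sample data, one hardened and one with typical mistakes; the retention threshold is an assumption.

```python
"""RDS posture check against the DO/DON'T list (added example).

SAMPLE_RESPONSE and SAMPLE_SECURITY_GROUPS are constructed data in the shape
of describe-db-instances / describe-security-groups output, not real resources.
"""
import json

MIN_BACKUP_RETENTION_DAYS = 7  # assumed policy threshold

SAMPLE_RESPONSE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "myapp-db", "Engine": "postgres",
   "PubliclyAccessible": false, "StorageEncrypted": true, "MultiAZ": true,
   "BackupRetentionPeriod": 30, "IAMDatabaseAuthenticationEnabled": true,
   "DeletionProtection": true, "EnabledCloudwatchLogsExports": ["postgresql"],
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-rds123"}]},
  {"DBInstanceIdentifier": "legacy-db", "Engine": "postgres",
   "PubliclyAccessible": true, "StorageEncrypted": false, "MultiAZ": false,
   "BackupRetentionPeriod": 0, "IAMDatabaseAuthenticationEnabled": false,
   "DeletionProtection": false,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-legacy"}]}
]}
""")

SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-rds123", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app123"}]}]},
  {"GroupId": "sg-legacy", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]}
""")

# (finding, predicate on one DBInstance dict; True means the check fails)
CHECKS = [
    ("publicly accessible", lambda i: i.get("PubliclyAccessible", False)),
    ("storage not encrypted", lambda i: not i.get("StorageEncrypted", False)),
    ("not Multi-AZ", lambda i: not i.get("MultiAZ", False)),
    ("automated backups disabled", lambda i: i.get("BackupRetentionPeriod", 0) == 0),
    (f"backup retention below {MIN_BACKUP_RETENTION_DAYS} days",
     lambda i: 0 < i.get("BackupRetentionPeriod", 0) < MIN_BACKUP_RETENTION_DAYS),
    ("IAM database authentication disabled",
     lambda i: not i.get("IAMDatabaseAuthenticationEnabled", False)),
    ("deletion protection disabled", lambda i: not i.get("DeletionProtection", False)),
    ("no CloudWatch log exports", lambda i: not i.get("EnabledCloudwatchLogsExports")),
]


def audit_instance(instance: dict) -> list[str]:
    """Findings for one instance; an empty list means it passes every check."""
    return [name for name, failed in CHECKS if failed(instance)]


def audit_response(response: dict) -> dict[str, list[str]]:
    """Map each DBInstanceIdentifier to its findings."""
    return {i["DBInstanceIdentifier"]: audit_instance(i)
            for i in response.get("DBInstances", [])}


def world_open_rules(sg_response: dict, port: int) -> dict[str, list[str]]:
    """Security groups with an ingress rule covering `port` from 0.0.0.0/0 or ::/0.
    Ingress should instead reference the application tier's security group."""
    findings = {}
    for sg in sg_response.get("SecurityGroups", []):
        open_cidrs = []
        for rule in sg.get("IpPermissions", []):
            all_traffic = rule.get("IpProtocol") == "-1"
            in_range = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 0)
            if not (all_traffic or in_range):
                continue
            open_cidrs += [r["CidrIp"] for r in rule.get("IpRanges", [])
                           if r["CidrIp"] == "0.0.0.0/0"]
            open_cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])
                           if r["CidrIpv6"] == "::/0"]
        if open_cidrs:
            findings[sg["GroupId"]] = open_cidrs
    return findings


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(f"{name}: {'OK' if not findings else 'FAIL: ' + '; '.join(findings)}")
    for sg_id, cidrs in world_open_rules(SAMPLE_SECURITY_GROUPS, 5432).items():
        print(f"{sg_id}: port 5432 open to {', '.join(cidrs)}")
```

To run it against an account, replace the two sample documents with `json.load()` of the CLI output (or the dicts boto3 returns) and, for the security group check, look up the IDs listed under each instance's `VpcSecurityGroups`.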
Monitoring
- CloudWatch metrics (CPU, connections, storage)
- Enhanced Monitoring with OS metrics
- RDS Performance Insights
- AWS CloudTrail for API logging
- Custom CloudWatch Logs from applications