After this lesson, you will be able to: Use RDS managed databases: Multi-AZ, read replicas, automated backups, and connecting from an application securely.
RDS is the boring-but-essential managed DB service. Most production AWS apps end up with one. This lesson covers the must-know features.
AWS handles: provisioning, OS patching, DB engine patching, automated backups, point-in-time recovery (PITR), Multi-AZ failover, read replicas. You handle: schema design, queries, connection pooling, application logic. Trade-off: less control (can't tune kernel; can't install custom extensions). Cost ~30-50% more than self-hosted on equivalent hardware. Worth it almost always for small/mid teams.
Multi-AZ: a synchronous standby in a different availability zone. Failover in 60-120 seconds on primary failure. NOT readable; pure HA. Read replica: an asynchronous copy. Application reads from replica, writes to primary. Replication lag in seconds. For HA: Multi-AZ. For read scale: read replicas. For both: combine. Multi-AZ doubles cost; replicas add per-replica cost. Decide based on actual needs.
Networking: put RDS in PRIVATE subnets (no public IP). Allow security group to accept connections only from app SG. Credentials: use AWS Secrets Manager to store DB password; app fetches at boot. Auto-rotate via Secrets Manager + RDS integration. Alternative: IAM database authentication, connect with short-lived tokens from IAM, no password. Best practice for modern apps.
Without pooling, serverless / spiky apps exhaust DB connections.
# Problem: Lambda spawns N concurrent invocations.# Each invocation opens a new Postgres connection.# Postgres hits max_connections; new invocations fail.# Solution: RDS Proxy# - Sits between your app and RDS# - Maintains a pool of warm connections# - App connects to the proxy; proxy multiplexes onto few DB connections# Cost: ~$0.015/hr per vCPU. Cheaper than a bigger DB.# Alternative: PgBouncer on EC2 (free; you operate). Or Supabase's pooler.
Putting RDS in a public subnet with public IP. Direct internet exposure of your DB. Don't. Hardcoding DB password in source code. Use Secrets Manager or IAM database auth. Skipping Multi-AZ for production. Single-AZ = single point of failure. No connection pooler with Lambda. Connection exhaustion at scale. Retention = 7 days for compliance-relevant data. Set to 30+ days where required.
Pick the canonical solution.
Sign in and purchase access to unlock this lesson.