42. Create an RDS Instance

RDS runs on a virtual machine that AWS manages. You cannot log in to the underlying OS; patching of the OS and the database engine is Amazon's responsibility. RDS is not serverless. Aurora is not serverless by default either; Aurora Serverless is the separate on-demand, auto-scaling option.

Read Replicas:
Read Replicas give you a read-only copy of the production DB. The copy is maintained by asynchronous replication from the primary RDS instance to the replica, so a replica can lag behind the primary. Read replicas are used primarily for read-heavy DB workloads.
DB performance can be improved by using Read Replicas (to scale reads out) and ElastiCache (to cache hot data in front of the DB).
Read Replicas are available for the following engines:
i. MySQL
ii. Oracle
iii. PostgreSQL
iv. MariaDB
v. Aurora
vi. Microsoft SQL Server

Used for scaling, not for DR (Disaster Recovery). A cross-region replica can be promoted as part of a DR plan, but Multi-AZ is the high-availability feature.
Automatic backups must be turned on in order to deploy a Read Replica.
Up to 5 read replicas per source DB at the time these notes were written (AWS has since raised the limit to 15 for MySQL, MariaDB and PostgreSQL; Oracle and SQL Server remain at 5).
Read replicas of read replicas are possible (but watch out for latency: each hop adds its own replication lag).
Each read replica has its own DNS endpoint.
A read replica can itself be deployed as Multi-AZ.
Read replicas can be created from Multi-AZ source DBs.
A read replica can be promoted to a standalone DB. Promotion breaks replication from the source.
A read replica can be placed in a second region.
Read Replicas summary:
i. Can be Multi-AZ
ii. Used to increase read performance
iii. Require automatic backups to be turned on
iv. Can be in different regions
v. Can be promoted to a standalone master; this breaks replication from the source

Question 1:
What two fault tolerant features does Amazon RDS support?
A. copy snapshot to a different region
B. create read replica to a different region
C. copy unencrypted read-replica only
D. copy read/write replica and snapshot
Answer (A,B)

Question 2:
What managed services are included with Amazon RDS? (select four)
A. assign network capacity to database instances
B. install database software
C. perform regular backups
D. data replication across multiple availability zones
E. data replication across single availability zone only
F. configure database
G. performance tuning
Answer (A,B,C,D)

Question 3:
What features are supported with Amazon RDS? (Select three)
A. horizontal scaling with multiple read replicas
B. elastic load balancing RDS read replicas
C. replicate read replicas cross-region
D. automatic failover to master database instance
E. application load balancer (ALB)
Answer (A,C,E). Treat this answer key with caution: no Elastic Load Balancer can front an RDS instance, while automatic failover is exactly what Multi-AZ provides (option D describes it, although failover goes to the standby, not to the master).

Question 4:
What are three advantages of standby replica in a Multi-AZ RDS deployment?
A. fault tolerance
B. eliminate I/O freezes
C. horizontal scaling
D. vertical scaling
E. data redundancy
Answer (A,B,E)

Question 5:
What does RDS use for database and log storage?
A. EBS
B. S3
C. instance store
D. local store
E. SSD
Answer (A)

Question 6:
Select two features available with Amazon RDS for MySQL?
A. Auto-Scaling
B. read requests to standby replicas
C. real-time database replication
D. active read requests only
Answer (B,C)

Question 7:
What are two characteristics of Amazon RDS?
A. database managed service
B. NoSQL queries
C. native load balancer
D. database write replicas
E. automatic failover of read replica
Answer (A,C)

Question 8:
What is the maximum volume size of a MySQL RDS database?
A. 6 TB
B. 3 TB
C. 16 TB
D. unlimited
Answer (C). 16 TiB was the limit when this question was written; RDS for MySQL now supports up to 64 TiB of storage (SQL Server is still 16 TiB).

Question 9:
Your company uses an Amazon RDS MySQL database. As a Solutions Architect, you have changed your settings to create a read-only read replica and it seems to handle the heavy read load of the database. However, there is an event where old data is being displayed in the report at a certain time.
What are the most likely root causes of this problem?
Options:
A. Since it is a multi-AZ configuration of RDS, the RDS data in another AZ is still old
B. Old data may be displayed due to replication lag
C. The read replica is not set up properly
D. The backup of the original DB has not been set up properly
Answer: B
Explanation
Because Read Replicas are separate database instances that are asynchronously replicated, a read issued against the replica may not see the latest transactions committed on the primary. This delay is the replication lag, so option B is the correct answer.
Option A is incorrect. A Multi-AZ standby is not readable and is not used unless a failover occurs, so the Multi-AZ configuration does not affect what the reports see.
Option C is incorrect. A misconfigured read replica stops replicating or fails to come up; it does not quietly serve older data at a particular time of day.
Option D is incorrect. Even if automated backups of the primary DB instance have not been configured, normal query processing is unaffected.
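The stale-read problem in Question 9 is handled in application code by deciding, per read, whether the replica is safe to use. The router below is added here as an example; it is not code from the original notes or from AWS. It sends a read to the primary when the replica's reported lag (for instance the CloudWatch ReplicaLag metric, polled elsewhere and passed in as a callable) exceeds a threshold, when the metric is missing, or when the same session wrote recently and must read its own write. The lag source, the injected clock and the session identifiers are assumptions for illustration.

```python
"""Lag-aware read routing between an RDS primary and an asynchronous read
replica. Added example; not code from the original notes or from AWS.
Replica lag is assumed to be polled elsewhere (e.g. the CloudWatch ReplicaLag
metric) and handed in as a callable returning seconds, or None if unknown."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PRIMARY = "primary"
REPLICA = "replica"


@dataclass
class LagAwareRouter:
    """Decide, per read, whether the asynchronous replica is safe to use.

    A read goes to the primary when any of these hold:
      * the caller asked for a consistent read,
      * the replica's reported lag is unknown or above max_lag_seconds,
      * the same session wrote within read_your_writes_window seconds,
        so the replica may not have applied that write yet.
    """
    lag_seconds: Callable[[], Optional[float]]   # assumption: supplied by a poller
    max_lag_seconds: float = 5.0
    read_your_writes_window: float = 10.0
    clock: Callable[[], float] = time.time       # injectable for deterministic tests
    _last_write: Dict[str, float] = field(default_factory=dict)

    def record_write(self, session_id: str) -> None:
        """Call after every write so that session's next reads stay consistent."""
        self._last_write[session_id] = self.clock()

    def route_read(self, session_id: str, consistent: bool = False) -> str:
        if consistent:
            return PRIMARY
        lag = self.lag_seconds()
        if lag is None or lag > self.max_lag_seconds:   # fail closed on missing metric
            return PRIMARY
        last_write = self._last_write.get(session_id)
        if last_write is not None and self.clock() - last_write < self.read_your_writes_window:
            return PRIMARY
        return REPLICA


def demo() -> List[str]:
    """Constructed scenario: healthy replica, a session writes, then lag spikes."""
    now = [1_000.0]
    lag: List[Optional[float]] = [0.5]
    router = LagAwareRouter(lag_seconds=lambda: lag[0], clock=lambda: now[0])
    trace = []
    trace.append(router.route_read("s1"))    # replica: lag 0.5 s, no recent write
    router.record_write("s1")
    trace.append(router.route_read("s1"))    # primary: s1 just wrote
    now[0] += 15.0
    trace.append(router.route_read("s1"))    # replica: read-your-writes window elapsed
    lag[0] = 30.0                            # e.g. long-running statement on the replica
    trace.append(router.route_read("s2"))    # primary: lag above threshold
    lag[0] = None                            # metric missing: fail closed
    trace.append(router.route_read("s2"))    # primary
    return trace


if __name__ == "__main__":
    print(demo())
```

The reporting job in Question 9 would call route_read with consistent=True (or simply use the primary endpoint) for any report that must reflect the latest writes; everything else can keep the cheaper replica path.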

Question 10:
As a Solutions Architect, you plan to use your RDS instance as a database for your applications. To meet your security requirements, you need to ensure that the data stored in your database is encrypted.
What should I do to achieve this requirement?
Options:
A. Enable server-side encryption when configuring RDS
B. Choose a volume that is automatically encrypted when you are to select an EBS volume
C. Enable encryption by choosing an appropriate cluster configuration
D. Enable encryption by setting the security group
Answer: A
Explanation
Encryption at rest is selected when the database is created. To encrypt an Amazon RDS DB instance and its snapshots, enable the encryption option in the DB instance settings at creation time. The encrypted data includes the DB instance storage, automated backups, read replicas, and snapshots. Therefore, option A is the correct answer.
Option B is incorrect. You do not pick EBS volumes for an RDS instance; the underlying storage is provisioned by RDS and is encrypted through the RDS setting, not through an EBS volume setting.
Option C is incorrect. Cluster configuration has nothing to do with encryption; it is a setting for making read processing highly available.
Option D is incorrect. Security groups control network traffic and are not related to encryption.

Question 11:
A company uses an Amazon RDS MySQL database instance to store customer order data. The security team have requested that SSL/TLS encryption in transit must be used for encrypting connections to the database from application servers. The data in the database is currently encrypted at rest using an AWS KMS key.
How can a Solutions Architect enable encryption in transit?
Options:
A. Take a snapshot of the RDS instance. Restore the snapshot to a new instance with encryption in transit enabled
B. Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance
C. Add a self-signed certificate to the RDS DB instance. Use the certificates in all connections to the RDS DB instance
D. Enable encryption in transit using the RDS Management console and obtain a key using AWS KMS
Answer: B
Explanation
Amazon RDS creates an SSL/TLS certificate and installs it on the DB instance when the instance is provisioned. The certificate is signed by an Amazon RDS certificate authority and carries the DB instance endpoint as the Common Name (CN), so a client that verifies the certificate chain and the hostname is protected against spoofing.
You can download a root certificate from AWS that works for all Regions, or Region-specific intermediate certificates.
CORRECT: “Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance” is the correct answer. Note that the certificate only lets the client verify the server; the client still has to request TLS and check the hostname (for example --ssl-ca=<bundle> --ssl-mode=VERIFY_IDENTITY with the mysql client), and to make TLS mandatory on the server side set the require_secure_transport parameter in the instance's DB parameter group (rds.force_ssl for PostgreSQL).
INCORRECT: “Take a snapshot of the RDS instance. Restore the snapshot to a new instance with encryption in transit enabled” is incorrect. There is no need to do this, as a certificate is created when the DB instance is launched.
INCORRECT: “Enable encryption in transit using the RDS Management console and obtain a key using AWS KMS” is incorrect. Encryption in transit is not a console toggle, and KMS keys cover encryption at rest, not the TLS session.
INCORRECT: “Add a self-signed certificate to the RDS DB instance. Use the certificates in all connections to the RDS DB instance” is incorrect. You cannot install your own certificates on an RDS DB instance.

Question 12:
A company runs an application that uses an Amazon RDS PostgreSQL database. The database is currently not encrypted. A Solutions Architect has been instructed that due to new compliance requirements all existing and new data in the database must be encrypted. The database experiences high volumes of changes and no data can be lost.
How can the Solutions Architect enable encryption for the database without incurring any data loss?
Options:
A. Create an RDS read replica and specify an encryption key. Promote the encrypted read replica to primary. Update the application to point to the new RDS DB endpoint
B. Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot. Create a new RDS DB instance from the encrypted snapshot and update the application. Use AWS DMS to synchronize data between the source and destination RDS DBs
C. Update the RDS DB to Multi-AZ mode and enable encryption for the standby replica. Perform a failover to the standby instance and then delete the unencrypted RDS DB instance
D. Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot. Create a new RDS DB instance from the encrypted snapshot. Configure the application to use the new DB endpoint
Answer: B
Explanation
You cannot change the encryption status of an existing RDS DB instance. Encryption must be specified when creating the RDS DB instance. The best way to encrypt an existing database is to take a snapshot, encrypt a copy of the snapshot and restore the snapshot to a new RDS DB instance. This results in an encrypted database that is a new instance. Applications must be updated to use the new RDS DB endpoint.
In this scenario as there is a high rate of change, the databases will be out of sync by the time the new copy is created and is functional. The best way to capture the changes between the source (unencrypted) and destination (encrypted) DB is to use AWS Database Migration Service (DMS) to synchronize the data.
CORRECT: “Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot. Create a new RDS DB instance from the encrypted snapshot and update the application. Use AWS DMS to synchronize data between the source and destination RDS DBs” is the correct answer.
INCORRECT: “Create a snapshot of the existing RDS DB instance. Create an encrypted copy of the snapshot. Create a new RDS DB instance from the encrypted snapshot. Configure the application to use the new DB endpoint” is incorrect. This answer creates an encrypted DB instance but does not synchronize the data.
INCORRECT: “Create an RDS read replica and specify an encryption key. Promote the encrypted read replica to primary. Update the application to point to the new RDS DB endpoint” is incorrect. You cannot create an encrypted read replica of an unencrypted RDS DB. The read replica will always have the same encryption status as the RDS DB it is created from.
INCORRECT: “Update the RDS DB to Multi-AZ mode and enable encryption for the standby replica. Perform a failover to the standby instance and then delete the unencrypted RDS DB instance” is incorrect. You also cannot have an encrypted Multi-AZ standby instance of an unencrypted RDS DB.

Question 13:
A retail company wants to share sensitive accounting data that is stored in an Amazon RDS DB instance with an external auditor. The auditor has its own AWS account and needs its own copy of the database.
Which of the following would you recommend to securely share the database with the auditor?
A• Create a snapshot of the database in Amazon S3 and assign an IAM role to the auditor to grant access to the object in that bucket
B• Export the database contents to text files, store the files in Amazon S3, and create a new IAM user for the auditor with access to that bucket
C• Set up a read replica of the database and configure IAM standard database authentication to grant the auditor access
D• Create an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key Management Service (AWS KMS) encryption key
Answer: D
Explanation
Correct option:
Create an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key Management Service (AWS KMS) encryption key
You can share the customer managed AWS KMS key (older documentation calls it a customer master key, CMK) that was used to encrypt the snapshot with any account that should be able to access the snapshot, by adding that account to the KMS key policy. Then share the snapshot itself by adding the account ID to the snapshot's restore attribute. Two caveats: a snapshot encrypted with the AWS managed key (aws/rds) cannot be shared at all, so the snapshot must be encrypted with a customer managed key first; and the receiving account copies the shared snapshot into its own account, which is how the auditor ends up with its own copy.
Making an encrypted snapshot of the database therefore gives the auditor a copy of the database, as the use case requires, without the data ever leaving AWS in plaintext.
Incorrect options:
Create a snapshot of the database in Amazon S3 and assign an IAM role to the auditor to grant access to the object in that bucket – RDS stores the DB snapshots in the Amazon S3 bucket belonging to the same AWS region where the RDS instance is located. RDS stores these on your behalf and you do not have direct access to these snapshots in S3, so it’s not possible to grant access to the snapshot objects in S3.
Export the database contents to text files, store the files in Amazon S3, and create a new IAM user for the auditor with access to that bucket – This solution is feasible though not optimal. It requires a lot of unnecessary work and is difficult to audit when such bulk data is exported into text files.
Set up a read replica of the database and configure IAM standard database authentication to grant the auditor access – Read Replicas make it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. Creating Read Replicas for audit purposes is overkill. Also, the question mentions that the auditor needs to have their own copy of the database, which is not possible with replicas.
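Question 13's procedure in code, added here as an example and not code from the original page or from AWS: it refuses to share an unencrypted snapshot or one protected by the AWS managed key, grants the auditor account the KMS key permissions, and then adds the account to the snapshot's restore attribute. The boto3 RDS and KMS method and parameter names are the real ones, but the client objects are passed in so the function can be exercised against a stand-in offline; the account ID, key ARN and snapshot name are placeholders.

```python
"""Share an encrypted RDS snapshot with an external AWS account.
Added example; not code from the original notes or from AWS. boto3 RDS/KMS
method and parameter names are real; the clients are passed in so the logic
can run against stand-ins. Account ID, key ARN and snapshot name are placeholders."""
import json
from typing import Any, Dict

AUDITOR_ACCOUNT = "111122223333"   # placeholder external account ID

# Permissions the receiving account needs on the customer managed key in order
# to copy and restore a snapshot encrypted with it.
SHARED_KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                      "kms:GenerateDataKey*", "kms:DescribeKey"]


def _sid(account_id: str) -> str:
    return f"AllowSnapshotRestore{account_id}"


def add_account_to_key_policy(policy_json: str, account_id: str) -> str:
    """Return the key policy with statements allowing account_id to use the key.

    kms:CreateGrant is granted separately and only for grants made on behalf of
    an AWS service (RDS), so the auditor cannot delegate the key to arbitrary
    principals. Idempotent: re-running does not duplicate the statements."""
    policy = json.loads(policy_json)
    if any(s.get("Sid") == _sid(account_id) for s in policy["Statement"]):
        return json.dumps(policy)
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    policy["Statement"].append({
        "Sid": _sid(account_id), "Effect": "Allow", "Principal": principal,
        "Action": SHARED_KEY_ACTIONS, "Resource": "*"})
    policy["Statement"].append({
        "Sid": _sid(account_id) + "Grants", "Effect": "Allow", "Principal": principal,
        "Action": "kms:CreateGrant", "Resource": "*",
        "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}})
    return json.dumps(policy)


def policy_allows(policy_json: str, account_id: str) -> bool:
    """Check helper: does the policy carry both sharing statements for account_id?"""
    sids = {s.get("Sid") for s in json.loads(policy_json)["Statement"]}
    return _sid(account_id) in sids and _sid(account_id) + "Grants" in sids


def share_encrypted_snapshot(rds, kms, snapshot_id: str, account_id: str) -> Dict[str, Any]:
    """Grant key access, then add account_id to the snapshot's restore attribute."""
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=snapshot_id)["DBSnapshots"][0]
    if not snap["Encrypted"]:
        raise ValueError("refusing to share an unencrypted snapshot of sensitive data")
    key_id = snap["KmsKeyId"]
    if kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"] != "CUSTOMER":
        raise ValueError("snapshot is encrypted with the AWS managed aws/rds key, "
                         "which cannot be shared; copy it with a customer managed key first")
    current = kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
    kms.put_key_policy(KeyId=key_id, PolicyName="default",
                       Policy=add_account_to_key_policy(current, account_id))
    rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=snapshot_id,
                                     AttributeName="restore", ValuesToAdd=[account_id])
    return {"snapshot": snapshot_id, "kms_key_id": key_id, "shared_with": account_id}


if __name__ == "__main__":
    import boto3   # real run; needs AWS credentials and the placeholders replaced
    session = boto3.Session()
    print(share_encrypted_snapshot(session.client("rds"), session.client("kms"),
                                   "accounting-db-snap", AUDITOR_ACCOUNT))
```

Once shared, the auditor copies the snapshot into their own account (choosing their own KMS key for the copy) and restores from it; the restore attribute can be revoked afterwards with ValuesToRemove, and the key policy statement removed, so the grant does not outlive the audit.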

Question 14:
An IT company is working on a client project to build a Supply Chain Management application. The web-tier of the application runs on an EC2 instance and the database tier is on Amazon RDS MySQL. For beta testing, all the resources are currently deployed in a single Availability Zone. The development team wants to improve application availability before the go-live.
Given that all end users of the web application would be located in the US, which of the following would be the MOST resource-efficient solution?
A• Deploy the web-tier EC2 instances in two Availability Zones, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in read replica configuration
B• Deploy the web-tier EC2 instances in two Availability Zones, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in Multi-AZ configuration
C• Deploy the web-tier EC2 instances in two regions, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in read replica configuration
D• Deploy the web-tier EC2 instances in two regions, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in Multi-AZ configuration
Answer: B
Explanation
Correct option:
Deploy the web-tier EC2 instances in two Availability Zones, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in Multi-AZ configuration
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Therefore, deploying the web-tier EC2 instances in two Availability Zones, behind an Elastic Load Balancer would improve the availability of the application.
Amazon RDS Multi-AZ deployments provide enhanced availability and durability for RDS database (DB) instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Deploying the Amazon RDS MySQL database in Multi-AZ configuration would improve availability and hence this is the correct option.
Incorrect options:
Deploy the web-tier EC2 instances in two Availability Zones, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in read replica configuration
Deploy the web-tier EC2 instances in two regions, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in read replica configuration
Amazon RDS Read Replicas provide enhanced performance and durability for RDS database (DB) instances. They make it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. Read replicas address scalability; because replication is asynchronous and there is no automatic failover to a replica, they do not by themselves improve availability of the database, so both of these options are incorrect.
Deploy the web-tier EC2 instances in two regions, behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in Multi-AZ configuration – Elastic Load Balancing does not work across regions, so this option is incorrect.

Question 15:
A company has recently launched a new mobile gaming application that the users are adopting rapidly. The company uses RDS MySQL as the database. The engineering team wants an urgent solution to this issue where the rapidly increasing workload might exceed the available database storage.
As a solutions architect, which of the following solutions would you recommend so that it requires minimum development and systems administration effort to address this requirement?
A• Migrate RDS MySQL database to DynamoDB which automatically allocates storage space when required
B• Migrate RDS MySQL database to Aurora which offers storage auto-scaling
C• Enable storage auto-scaling for RDS MySQL
D• Create read replica for RDS MySQL
Answer: C
Explanation
Correct option:
Enable storage auto-scaling for RDS MySQL
If your workload is unpredictable, you can enable storage autoscaling for an Amazon RDS DB instance. With storage autoscaling enabled, when Amazon RDS detects that you are running out of free database space it automatically scales up your storage. Amazon RDS starts a storage modification for an autoscaling-enabled DB instance when these factors apply:
Free available space is less than 10 percent of the allocated storage.
The low-storage condition lasts at least five minutes.
At least six hours have passed since the last storage modification.
The maximum storage threshold is the limit that you set for autoscaling the DB instance. You can’t set the maximum storage threshold for autoscaling-enabled instances to a value greater than the maximum allocated storage.
Incorrect options:
Migrate RDS MySQL to Aurora which offers storage auto-scaling – Although Aurora offers automatic storage scaling, this option is ruled out since it involves significant systems administration effort to migrate from RDS MySQL to Aurora. It is much easier to just enable storage auto-scaling for RDS MySQL.
Migrate RDS MySQL database to DynamoDB which automatically allocates storage space when required – This option is ruled out since DynamoDB is a NoSQL database which implies significant development effort to change the application logic to connect and query data from the underlying database. It is much easier to just enable storage auto-scaling for RDS MySQL.
Create read replica for RDS MySQL – Read replicas make it easy to take advantage of supported engines’ built-in replication functionality to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create multiple read replicas for a given source DB Instance and distribute your application’s read traffic amongst them. This option acts as a distractor as read replicas cannot help to automatically scale storage for the primary database.
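The three trigger conditions above can be evaluated against FreeStorageSpace samples to predict when RDS will act and, more usefully, to alarm earlier than RDS does: the six-hour cooldown means a second growth burst soon after a scale-up is not absorbed automatically, and nothing grows past the maximum storage threshold. This evaluator is added here as an example, not AWS code; the sample series, the allocated size and the timestamps are constructed for illustration.

```python
"""Evaluate the Amazon RDS storage-autoscaling trigger described above against
FreeStorageSpace samples. Added example; not AWS code. Sample data, sizes and
timestamps are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GIB = 1024 ** 3
LOW_FRACTION = 0.10          # free space below 10 % of allocated storage
MIN_LOW_SECONDS = 5 * 60     # condition must persist for 5 minutes
COOLDOWN_SECONDS = 6 * 3600  # 6 hours since the last storage modification


@dataclass(frozen=True)
class Sample:
    ts: float          # epoch seconds
    free_bytes: int    # CloudWatch FreeStorageSpace datapoint


def low_storage_duration(samples: List[Sample], allocated_bytes: int) -> float:
    """Seconds the most recent unbroken run of samples has been below the threshold.
    Samples are assumed sorted by ts; a single low sample counts as 0 seconds."""
    start: Optional[float] = None
    for s in samples:
        if s.free_bytes < allocated_bytes * LOW_FRACTION:
            if start is None:
                start = s.ts
        else:
            start = None
    return 0.0 if start is None else samples[-1].ts - start


def autoscale_decision(samples: List[Sample], allocated_bytes: int, max_storage_bytes: int,
                       last_modification_ts: Optional[float], now: float) -> Tuple[bool, str]:
    """Return (will_scale, reason) for an autoscaling-enabled instance."""
    if not samples:
        return False, "no FreeStorageSpace data"
    if samples[-1].free_bytes >= allocated_bytes * LOW_FRACTION:
        return False, "free space is at least 10% of allocated storage"
    if low_storage_duration(samples, allocated_bytes) < MIN_LOW_SECONDS:
        return False, "low-storage condition has lasted less than 5 minutes"
    if last_modification_ts is not None and now - last_modification_ts < COOLDOWN_SECONDS:
        return False, "cooldown: less than 6 hours since the last storage modification"
    if allocated_bytes >= max_storage_bytes:
        return False, "already at the maximum storage threshold; RDS cannot grow further"
    return True, "RDS will start a storage modification"


def demo() -> List[Tuple[bool, str]]:
    """Constructed: 100 GiB allocated, free space stuck at 8 GiB for six minutes."""
    samples = [Sample(ts=60.0 * i, free_bytes=8 * GIB) for i in range(7)]   # t = 0..360 s
    now = samples[-1].ts
    return [
        autoscale_decision(samples, 100 * GIB, 200 * GIB, now - 7 * 3600, now),  # scales
        autoscale_decision(samples, 100 * GIB, 200 * GIB, now - 1 * 3600, now),  # cooldown
        autoscale_decision(samples[:3], 100 * GIB, 200 * GIB, None, 120.0),     # too short
        autoscale_decision(samples, 100 * GIB, 100 * GIB, None, now),            # at max
    ]


if __name__ == "__main__":
    for will_scale, reason in demo():
        print(will_scale, reason)
```

A CloudWatch alarm on FreeStorageSpace at, say, 20% gives the operations team time to raise the maximum storage threshold before the last two cases above become the reason the database stops accepting writes.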

Question 16:
Upon a security review of your AWS account, an AWS consultant has found that a few RDS databases are unencrypted. As a Solutions Architect, what steps must be taken to encrypt the RDS databases?
A• Create a Read Replica of the database, and encrypt the read replica. Promote the read replica as a standalone database, and terminate the previous database
B• Enable encryption on the RDS database using the AWS Console
C• Take a snapshot of the database, copy it as an encrypted snapshot, and restore a database from the encrypted snapshot. Terminate the previous database
D• Enable Multi-AZ for the database, and make sure the standby instance is encrypted. Stop the main database so that the standby database kicks in, then disable Multi-AZ
Answer: C
Explanation
Correct option:
Take a snapshot of the database, copy it as an encrypted snapshot, and restore a database from the encrypted snapshot. Terminate the previous database
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups.
You can encrypt your Amazon RDS DB instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. So this is the correct option.
Incorrect options:
Create a Read Replica of the database, and encrypt the read replica. Promote the read replica as a standalone database, and terminate the previous database – If the master is not encrypted, the read replicas cannot be encrypted. So this option is incorrect.
Enable Multi-AZ for the database, and make sure the standby instance is encrypted. Stop the main database to that the standby database kicks in, then disable Multi-AZ – Multi-AZ is to help with High Availability, not encryption. So this option is incorrect.
Enable encryption on the RDS database using the AWS Console – There is no direct option to encrypt an RDS database using the AWS Console.
Steps to encrypt an unencrypted RDS database:
i. Create a snapshot of the unencrypted database
ii. Copy the snapshot and enable encryption for the copy (choose a KMS key)
iii. Restore a new database from the encrypted snapshot
iv. Migrate applications to the new database, then delete the old database and the unencrypted snapshot
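The snapshot, encrypted copy, restore procedure from Questions 12 and 16 as a script, added here as an example and not code from the original notes or from AWS. It uses the boto3 RDS API method and parameter names, takes the client as a parameter so it can be exercised offline against a stand-in, verifies that the restored instance really is encrypted with the intended key before returning, and deletes the unencrypted intermediate snapshot. Identifiers and the KMS key ARN are placeholders; the DMS synchronisation for a busy database (Question 12) and the application cutover are outside this block.

```python
"""Encrypt an existing, unencrypted RDS instance: snapshot -> encrypted copy ->
restore -> verify. Added example; not code from the original notes or from AWS.
boto3 RDS method and parameter names are real; the client is passed in so the
function can be exercised offline. Identifiers and the KMS key ARN are placeholders."""
import time
from typing import Any, Dict


def encrypt_existing_instance(rds, source_id: str, kms_key_arn: str, new_id: str,
                              wait: bool = True) -> Dict[str, Any]:
    src = rds.describe_db_instances(DBInstanceIdentifier=source_id)["DBInstances"][0]
    if src["StorageEncrypted"]:
        raise ValueError(f"{source_id} is already encrypted; nothing to do")

    stamp = time.strftime("%Y%m%d%H%M%S")
    plain_snap = f"{source_id}-plain-{stamp}"
    enc_snap = f"{source_id}-enc-{stamp}"

    # 1. Snapshot the unencrypted instance (the snapshot is unencrypted too).
    rds.create_db_snapshot(DBSnapshotIdentifier=plain_snap, DBInstanceIdentifier=source_id)
    if wait:
        rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snap)

    # 2. Copy it; supplying KmsKeyId is what makes the copy encrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap, KmsKeyId=kms_key_arn)
    if wait:
        rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)

    # 3. Restore a new instance from the encrypted copy. It inherits the
    #    snapshot's encryption; instance class, parameter group, subnet group
    #    and security groups should be passed here to match the source.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_id,
                                             DBSnapshotIdentifier=enc_snap)
    if wait:
        rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_id)

    # 4. Verify before anyone repoints the application at the new endpoint.
    new = rds.describe_db_instances(DBInstanceIdentifier=new_id)["DBInstances"][0]
    if not new["StorageEncrypted"] or new.get("KmsKeyId") != kms_key_arn:
        raise RuntimeError(f"{new_id} is not encrypted with {kms_key_arn}; stop before cutover")

    # 5. Do not leave a plaintext copy of the data lying around.
    rds.delete_db_snapshot(DBSnapshotIdentifier=plain_snap)
    return {"source": source_id, "encrypted_snapshot": enc_snap, "new_instance": new_id,
            "endpoint": new.get("Endpoint", {}).get("Address")}


if __name__ == "__main__":
    import boto3   # real run; needs AWS credentials and the placeholders replaced
    print(encrypt_existing_instance(boto3.client("rds"), "orders-db",
                                    "arn:aws:kms:us-east-1:123456789012:key/placeholder",
                                    "orders-db-encrypted"))
```

Pass the key as a full ARN: the KmsKeyId that describe_db_instances reports is always an ARN, and the verification step compares the two. Step 4 is the check an auditor will ask for; step 5 closes the gap where the unencrypted snapshot would otherwise remain restorable after the old instance is gone.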

Question 17:
A company has its application servers in the public subnet that connect to the RDS instances in the private subnet. For regular maintenance, the RDS instances need patch fixes that need to be downloaded from the internet.
Considering the company uses only IPv4 addressing and is looking for a fully managed service, which of the following would you suggest as an optimal solution?
A• Configure a NAT instance in the public subnet of the VPC
B• Configure the Internet Gateway of the VPC to be accessible to the private subnet resources by changing the route tables
C• Configure an Egress-only internet gateway for the resources in the private subnet of the VPC
D• Configure a NAT Gateway in the public subnet of the VPC
Answer: D
Explanation
Correct option:
Configure a NAT Gateway in the public subnet of the VPC – You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, while preventing the internet from initiating a connection with those instances. To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside.
You must also specify an Elastic IP address to associate with the NAT gateway when you create it. The Elastic IP address cannot be changed after you associate it with the NAT gateway. After you have created a NAT gateway, you must update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet. If you no longer need a NAT gateway, you can delete it. Deleting a NAT gateway disassociates its Elastic IP address, but does not release the address from your account. Note that in practice Amazon RDS applies engine and OS patches itself during the maintenance window, so a DB subnet does not need internet egress for RDS patching; the question really tests how to give private-subnet resources managed outbound IPv4 access.
Incorrect options:
Configure an Egress-only internet gateway for the resources in the private subnet of the VPC – An egress-only internet gateway provides outbound-only access for IPv6 traffic; the company uses only IPv4, so this option is not correct for the given use case.
Configure a NAT instance in the public subnet of the VPC – You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, while preventing the instances from receiving inbound traffic initiated by someone on the internet. NAT instances are not a managed service; they have to be patched, sized and kept available by the customer.
Configure the Internet Gateway of the VPC to be accessible to the private subnet resources, by changing the route tables – Resources without a public IP address cannot use an internet gateway directly, and adding such a route would turn the private subnet into a public one. This configuration is not possible without a NAT instance or a NAT gateway in the public subnet.

Question 18:
A company recently experienced a database outage in its on-premises data center. The company now wants to migrate to a reliable database solution on AWS that minimizes data loss and stores every transaction on at least two nodes.
Which of the following solutions meets these requirements?
A• Set up an EC2 instance with a MySQL DB engine installed that triggers an AWS Lambda function to synchronously replicate the data to an RDS MySQL DB instance
B• Set up an RDS MySQL DB instance and then create a read replica in a separate AWS Region that synchronously replicates the data
C• Set up an RDS MySQL DB instance and then create a read replica in another Availability Zone that synchronously replicates the data
D• Set up an RDS MySQL DB instance with Multi-AZ functionality enabled to synchronously replicate the data
Answer: D
Explanation
Correct option:
Set up an RDS MySQL DB instance with Multi-AZ functionality enabled to synchronously replicate the data
When you provision an RDS Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect your databases against DB instance failure and Availability Zone disruption. In the event of a planned or unplanned outage of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ. The time it takes for the failover to complete depends on the database activity and other conditions at the time the primary DB instance became unavailable. Failover times are typically 60–120 seconds.
Incorrect options:
Set up an RDS MySQL DB instance and then create a read replica in another Availability Zone that synchronously replicates the data
Set up an RDS MySQL DB instance and then create a read replica in a separate AWS Region that synchronously replicates the data
Amazon RDS uses the MariaDB, Microsoft SQL Server, MySQL, Oracle, and PostgreSQL DB engines’ built-in replication functionality to create a special type of DB instance called a read replica from a source DB instance. The source DB instance becomes the primary DB instance. Updates made to the primary DB instance are asynchronously copied to the read replica. You can reduce the load on your primary DB instance by routing read queries from your applications to the read replica. Using read replicas, you can elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.
Both these options talk about creating a read replica that synchronously replicates the data, but in reality, any updates made to the primary DB instance are asynchronously copied to the read replica. So both these options are incorrect.
Set up an EC2 instance with a MySQL DB engine installed that triggers an AWS Lambda function to synchronously replicate the data to an RDS MySQL DB instance – Setting up a database on an EC2 instance would not be reliable as you would have to monitor and manage the underlying EC2 instance for any issues or outages. In addition, using AWS Lambda to replicate the data from EC2 based MySQL DB to an RDS MySQL DB would make the solution really complex since the same functionality can be achieved out-of-the-box using RDS Multi-AZ configuration.