AWS Startups Blog
Quickly deploy and skillfully manage your databases with the AWS Database Plug & Play Program
It’s fairly typical for startups not to have dedicated resources to manage databases – in fact, you may not even have a database yet! That’s totally fine. Databases are complex systems that require expertise in a range of disciplines, including hardware, networking, storage management techniques, capacity planning, etc. In an enterprise setting, you would likely have a dedicated person or team (database administrator) to create and maintain databases.
So, what do you do if you don’t have the resources, time, or funds to self-manage a database? Use Amazon Relational Database Service (RDS)! Amazon RDS allows you to set up, operate, and scale a relational database in the cloud with just a few clicks. It removes inefficient and time-consuming database administrative tasks without needing to provision infrastructure or maintain software. And, with the new AWS Database Plug & Play Program, you’ll get a packaged bundle of AWS advisory time, architecture and prototyping patterns, AWS usage credits, and pathways to go-to-market acceleration programs to help further ensure your teams can focus on value-generating work.
Validated CloudFormation templates for quick deployment
The program includes AWS CloudFormation templates, available on GitHub, that create the open-source Amazon RDS databases shown in Figure 1.
We’ll explain these templates and their benefits in detail in the next section, but for now, here’s a summary of the CloudFormation templates and what they offer.
The CloudFormation templates provision the network infrastructure and all the components shown in Figure 1. The CloudFormation templates are split into three stacks.
- Template to set up Amazon Virtual Private Cloud (VPC), subnets, route tables, internet gateway, NAT gateway, Amazon Simple Storage Service (Amazon S3) gateway endpoint, AWS Secrets Manager interface endpoint, and other networking components.
- Template to set up a Linux Bastion Host in an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group to connect to the RDS DB cluster.
- Template to set up any of the following databases: Amazon Aurora Serverless v2, Amazon Aurora PostgreSQL-Compatible Edition, Amazon RDS for PostgreSQL, Aurora MySQL-Compatible Edition, or Amazon RDS for MySQL, with the master user password stored in Secrets Manager, and bootstraps the database using AWS Lambda.
Using three different CloudFormation stacks instead of one nested stack gives you flexibility. For example, you can deploy the VPC and bastion host stacks once and the Aurora PostgreSQL DB cluster stack multiple times in an AWS Region.
The README of the GitHub repository has detailed template usage instructions. Currently, it contains instructions for the following engines: Amazon RDS for PostgreSQL, Amazon RDS for MySQL, Amazon Aurora PostgreSQL, Amazon Aurora MySQL, and Amazon Aurora Serverless v2 (PostgreSQL/MySQL). Future updates will include: Amazon DynamoDB, Amazon DocumentDB, and Amazon Neptune.
What benefits will I get from this program?
By enrolling in the program, you will receive the following benefits:
- Validated architecture and prototyping patterns. Take advantage of the pre-built CloudFormation templates for quick deployment and rapid prototyping.
- Curated self-service training. The training is available at https://skillbuilder.aws.
- AWS Solutions Architecture Advisory. Receive up to two hours of consulting time with an AWS Database Specialist Solutions Architect on a range of topics, including architecture, migration, and prototyping.
- AWS credits for prototyping. Receive up to $2,000 of AWS credits to run a proof-of-concept using AWS RDS.
- Pathways to go-to-market. Access to AWS Software Partner Path for co-market and co-sell program support.
Technical assets
The CloudFormation templates create Amazon RDS resources and have best practices included in each CloudFormation template to ensure you have an optimal architecture.
The VPC template takes care of the following:
- Sets up three Availability Zones for high availability and disaster recovery. Availability Zones are geographically distributed within a Region and spaced for best insulation and stability in the event of a natural disaster.
- Provisions one public subnet and one private subnet for each Availability Zone. We recommend using public subnets for external-facing resources and private subnets for internal resources to reduce the risk of exfiltration of data.
- Creates and associates network ACLs with default rules to the private and public subnets. We recommend using network ACLs as firewalls to control inbound and outbound traffic at the subnet level. These network ACLs provide individual controls that you can customize as a second layer of defense.
- Creates and associates independent routing tables for each private subnet, which you can configure as necessary to control the flow of traffic within and outside the Amazon VPC. The public subnets share a single routing table because they all use the same internet gateway as the sole route to communicate with the internet.
- Generates a NAT gateway in each of the three public subnets for high availability. NAT gateways offer major advantages over NAT instances in terms of deployment, availability, and maintenance. They allow instances in a private subnet to connect to the internet or other AWS services while they prevent the internet from initiating a connection with those instances.
- Produces an S3 gateway VPC endpoint, which lets resources in private subnets reach Amazon S3 without traversing the internet. For example, it allows Lambda to communicate with Amazon S3 in a secure and reliable way.
- Creates a Secrets Manager interface VPC endpoint, which lets Lambda functions in private subnets communicate securely with Secrets Manager without requiring internet access.
The bastion host template takes care of the following:
- Creates an Amazon EC2 Auto Scaling group that’s spread across the three public subnets that were set up by the VPC CloudFormation template. The Amazon EC2 Auto Scaling group ensures that the bastion host is always available in one of the three Availability Zones.
- Sets up an Elastic IP address and associates it with the bastion host. The Elastic IP address makes it easier for on-premises firewalls to remember and allow these IP addresses. If an instance is terminated and the Amazon EC2 Auto Scaling group launches a new instance in its place, the existing Elastic IP address is re-associated with the new instance. This ensures that the same trusted Elastic IP address is used at all times.
- Sets up an Amazon EC2 security group and associates it with the bastion host. This allows you to lock down ingress to the bastion hosts to known Classless Inter-Domain Routing (CIDR) ranges and ports.
- Creates a CloudWatch Logs log group to hold the bastion host’s shell history logs and sets up a CloudWatch metric to track SSH (Secure Shell) command counts. This helps in security audits because it allows you to check who is accessing the bastion host.
- Creates a CloudWatch alarm to monitor the CPU on the bastion host and send an Amazon Simple Notification Service (Amazon SNS) notification when the alarm is activated.
The Amazon RDS template takes care of the following:
- Creates a Multi-AZ RDS DB with a primary instance and an RDS DB replica in two separate Availability Zones for a production or pre-production type of environment. We recommend using this for high availability because the RDS DB automatically fails over to an RDS DB Read Replica if the primary DB instance becomes unavailable.
- Places the RDS DB in private subnets. To access the DB, use the bastion host, which is set up by the bastion host template.
- Sets up an Amazon EC2 security group and associates it with the RDS DB. This allows you to lock down ingress to the DB to known CIDR ranges and ports.
- Generates a random admin user password using Secrets Manager and associates this password with the RDS DB. A Python-based Lambda function backed by a CloudFormation custom resource configures automatic password rotation every 30 days using Secrets Manager. We recommend rotating passwords regularly to limit the window of unauthorized access in case the password is compromised.
- Creates a DB parameter group with suggested settings and associates it with the RDS DB instances. The DB parameter group settings are provided as general guidance and should be reviewed and customized to suit your needs.
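As an added illustration (not the program's own template, which lives in the GitHub repository), here is a minimal CloudFormation fragment that applies the RDS template's pattern for a PostgreSQL instance: a Secrets Manager-generated master password that never appears in the template, a Multi-AZ instance in private subnets, a security group that admits traffic only from the bastion host's security group, and 30-day rotation. It assumes the VPC ID, private subnet IDs, and bastion security group ID are passed in from the VPC and bastion stacks, and, in place of the custom-resource Lambda described above, it uses Secrets Manager's hosted rotation function, which reaches Secrets Manager through the interface endpoint the VPC template creates.

```yaml
Transform: AWS::SecretsManager-2020-07-23   # required for HostedRotationLambda
Parameters:   # assumed outputs of the VPC and bastion stacks
  VpcId: {Type: AWS::EC2::VPC::Id}
  PrivateSubnetIds: {Type: List<AWS::EC2::Subnet::Id>}
  BastionSecurityGroupId: {Type: AWS::EC2::SecurityGroup::Id}
Resources:
  DBSecret:   # random 32-character password generated by Secrets Manager, never stored in the template
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString: {SecretStringTemplate: '{"username": "dbadmin"}', GenerateStringKey: password, PasswordLength: 32, ExcludeCharacters: '"@/\'}
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Private subnets from the VPC stack
      SubnetIds: !Ref PrivateSubnetIds
  DBSecurityGroup:   # admits PostgreSQL traffic only from members of the bastion security group
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow port 5432 from the bastion security group only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 5432, ToPort: 5432, SourceSecurityGroupId: !Ref BastionSecurityGroupId}
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.medium
      AllocatedStorage: 20
      MultiAZ: true                # synchronous standby in a second AZ with automatic failover
      PubliclyAccessible: false    # reachable only through the bastion host
      StorageEncrypted: true
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups: [!Ref DBSecurityGroup]
      # dynamic references pull the credentials at deploy time; they are not echoed in stack output
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
  SecretAttachment:   # writes host, port and engine into the secret so the rotation function can connect
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties: {SecretId: !Ref DBSecret, TargetId: !Ref DBInstance, TargetType: AWS::RDS::DBInstance}
  RotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment
    Properties:
      SecretId: !Ref DBSecret
      HostedRotationLambda:
        RotationType: PostgreSQLSingleUser
        VpcSecurityGroupIds: !Ref BastionSecurityGroupId   # assumption: reuse the bastion group, which DBSecurityGroup already admits
        VpcSubnetIds: !Join [',', !Ref PrivateSubnetIds]
      RotationRules: {AutomaticallyAfterDays: 30}
```

Deploying a template that uses the Secrets Manager transform requires the CAPABILITY_AUTO_EXPAND capability, since the hosted rotation function is expanded into a nested stack.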
Ready to get started?
The Database Plug & Play Program is intended to be used with AWS database technologies to help manage, maintain, and ultimately unlock the value of your data. Get started today!
- Register at https://pages.awscloud.com/ContactFormforPlugnPlay.html to contact the team to schedule a consulting session or check eligibility for AWS credits.
- Download the Program assets from GitHub (requires a GitHub account). Assets include the CloudFormation templates described in this post, recommended best practices, and training links.
- To learn more about the AWS Partner Network (APN) and go-to-market program support, self-register on APN. There is no cost to self-register.
- For more information, please reach out to your AWS Account Manager or send an email to dbplugandplay@amazon.com.