Running a database on a self-managed EC2 instance means you are responsible for OS patching, database engine upgrades, backups, failover, and monitoring. AWS RDS (Relational Database Service) takes all of that operational overhead off your plate. RDS is a managed database service that supports MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and the AWS-native Amazon Aurora. This guide walks you through setting up your first RDS instance the right way.
Why Use RDS Instead of a Database on EC2?
- Automated backups — Daily snapshots and transaction logs, point-in-time recovery up to 35 days
- Multi-AZ deployments — Automatic synchronous replication to a standby in another AZ, with automatic failover
- Read replicas — Asynchronous replication for read scaling (MySQL, PostgreSQL, MariaDB, Aurora)
- Automatic patching — Minor version upgrades applied automatically during maintenance windows
- Monitoring — Built-in CloudWatch metrics and Enhanced Monitoring (per-process OS metrics)
- Encryption at rest and in transit — With AWS KMS integration
Choosing a Database Engine
- Amazon Aurora (MySQL/PostgreSQL compatible) — AWS's proprietary engine, up to 5x faster than MySQL. Best for high-performance production workloads. Not free-tier eligible.
- PostgreSQL — Open source, feature-rich, excellent for complex queries and JSON data.
- MySQL — Most popular open-source RDBMS, widely supported by frameworks.
- MariaDB — MySQL fork, community-driven.
- Oracle / SQL Server — Commercial engines for enterprise legacy applications. License costs apply.
Setting Up RDS in the Console
Navigate to RDS > Create database. Key choices to make:
- Creation method: Standard create (full control) vs. Easy create (sensible defaults)
- Engine: Select MySQL 8.0 for this guide
- Template: Free tier (enables db.t3.micro, single AZ, no Multi-AZ)
- DB Instance Identifier: A unique name like myapp-db
- Credentials: Set a master username and strong password (or let AWS generate and store it in Secrets Manager)
- Instance class: db.t3.micro for free tier
- Storage: 20 GB gp2, enable storage autoscaling with a max of 100 GB
- VPC and subnet group: Place in a private subnet group — never put your database in a public subnet
- Public access: No — connect via a bastion host or from within your VPC
Create an RDS Instance via CLI
```bash
# Create a MySQL RDS instance (private, deletion protection on, 7-day backups)
# Note: a password passed on the command line ends up in shell history; the
# Secrets Manager option mentioned above avoids that. The '!' is single-quoted
# so that bash does not treat it as history expansion.
aws rds create-db-instance \
  --db-instance-identifier myapp-db \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --engine-version 8.0 \
  --master-username admin \
  --master-user-password 'MySecurePass123!' \
  --allocated-storage 20 \
  --storage-type gp2 \
  --no-publicly-accessible \
  --vpc-security-group-ids sg-0abc12345def67890 \
  --db-subnet-group-name my-db-subnet-group \
  --backup-retention-period 7 \
  --deletion-protection

# Check status (creation takes several minutes; wait for "available")
aws rds describe-db-instances \
  --db-instance-identifier myapp-db \
  --query "DBInstances[0].DBInstanceStatus"
```
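The console choices and the CLI flags above boil down to a handful of instance attributes you can verify after the fact. The following added script (not part of the original guide) parses the JSON that `aws rds describe-db-instances --output json` prints and flags the settings this guide calls out: public access, encryption at rest, deletion protection, backup retention and, for production, Multi-AZ. The embedded sample output is constructed; its keys are the real response field names, its values are invented.

```python
import json
import sys

# Constructed sample shaped like `aws rds describe-db-instances --output json`;
# the keys are the real response field names, the values are made up here.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBInstances": [{
    "DBInstanceIdentifier": "myapp-db",
    "Engine": "mysql",
    "PubliclyAccessible": True,
    "StorageEncrypted": False,
    "DeletionProtection": False,
    "BackupRetentionPeriod": 0,
    "MultiAZ": False,
}]})


def audit_db_instance(inst, min_backup_days=7, require_multi_az=False):
    """Return (check, message) findings for one DBInstance record."""
    findings = []
    if inst.get("PubliclyAccessible"):
        findings.append(("public-access",
                         "publicly accessible; modify with --no-publicly-accessible"))
    if not inst.get("StorageEncrypted"):
        # Encryption is fixed at creation; an existing instance is fixed by
        # copying a snapshot with encryption enabled and restoring from it.
        findings.append(("encryption", "storage not encrypted at rest"))
    if not inst.get("DeletionProtection"):
        findings.append(("deletion-protection", "deletion protection is off"))
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention < min_backup_days:
        # Retention 0 means automated backups are disabled entirely.
        findings.append(("backup-retention",
                         f"retention {retention} days < {min_backup_days}"))
    if require_multi_az and not inst.get("MultiAZ"):
        findings.append(("multi-az", "production instance is single-AZ"))
    return findings


def audit_describe_output(raw_json, **policy):
    """Map every DBInstanceIdentifier in the CLI output to its findings."""
    data = json.loads(raw_json)
    return {i["DBInstanceIdentifier"]: audit_db_instance(i, **policy)
            for i in data.get("DBInstances", [])}


if __name__ == "__main__":
    # Usage: aws rds describe-db-instances --output json | python audit_rds.py
    raw = SAMPLE_DESCRIBE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit_describe_output(raw).items():
        for check, msg in findings or [("ok", "no findings")]:
            print(f"{name}: [{check}] {msg}")
```

Run without input it audits the embedded sample; pass `require_multi_az=True` to `audit_describe_output` when checking production instances.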
Connecting to Your RDS Instance
RDS does not have a public IP by default. Connect from an EC2 instance in the same VPC, or use an SSH tunnel through a bastion host:
```bash
# SSH tunnel through a bastion host to reach RDS
# (-N: run no remote command, -f: go to the background once the tunnel is up;
#  options are placed before the host so every ssh build parses them as options)
ssh -i ~/my-key.pem -N -f \
  -L 3306:myapp-db.cluster-xyz.us-east-1.rds.amazonaws.com:3306 \
  ec2-user@BASTION_IP

# Now connect locally via the tunnel
mysql -h 127.0.0.1 -P 3306 -u admin -p
```
Security Group Configuration
Create a dedicated security group for your RDS instance. Allow inbound traffic on port 3306 (MySQL) only from the security group of your application servers — not from 0.0.0.0/0:
```bash
# Allow MySQL access from the web server security group only
aws ec2 authorize-security-group-ingress \
  --group-id sg-RDS-SECURITY-GROUP \
  --protocol tcp \
  --port 3306 \
  --source-group sg-APP-SERVER-SECURITY-GROUP
```
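To confirm that the database security group really is sourced from the application servers' group and not from a CIDR range, the following added script (not part of the original guide) inspects the JSON printed by `aws ec2 describe-security-groups --output json`. Any rule that admits the database port from an IP range is reported, with a 0.0.0.0/0 or ::/0 source rated critical; the sample output is constructed and reuses the guide's placeholder group ids.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`;
# group ids are the guide's placeholders, the rules are made up here.
SAMPLE_SG_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-RDS-SECURITY-GROUP",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-APP-SERVER-SECURITY-GROUP"}]},
    ],
}]})


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_db_security_group(sg, port=3306):
    """Return (severity, message) findings for CIDR-sourced DB port rules."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        # Rules sourced from another security group (UserIdGroupPairs) are the
        # intended shape; any CIDR source is flagged, the whole internet loudly.
        for entry in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = entry.get("CidrIp") or entry.get("CidrIpv6")
            wide_open = ipaddress.ip_network(cidr).prefixlen == 0
            findings.append(("critical" if wide_open else "warning",
                             f"port {port} reachable from {cidr}; use --source-group instead"))
    return findings


def audit_security_groups_output(raw_json, port=3306):
    """Map every GroupId in the CLI output to its findings."""
    data = json.loads(raw_json)
    return {g["GroupId"]: audit_db_security_group(g, port)
            for g in data.get("SecurityGroups", [])}
```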
Automated Backups and Snapshots
RDS takes automated daily backups during the backup window you configure (e.g. 3:00–4:00 AM UTC). Set retention from 0 to 35 days (0 disables automated backups and point-in-time recovery). You can also take manual snapshots at any time, which are kept until you delete them:
```bash
# Create a manual snapshot
aws rds create-db-snapshot \
  --db-instance-identifier myapp-db \
  --db-snapshot-identifier myapp-db-pre-migration-snapshot
```
Multi-AZ for Production High Availability
For production workloads, enable Multi-AZ. RDS maintains a synchronous standby replica in a different AZ. If the primary fails (hardware failure, AZ outage), RDS automatically promotes the standby, typically within 60–120 seconds. Your application connects via the same DNS endpoint — no code changes needed.
Read Replicas for Read Scaling
Read replicas offload read traffic from your primary database. Create up to 15 read replicas for MySQL and PostgreSQL. Each has its own endpoint — your application must explicitly direct read queries to the replica endpoint:
```bash
# Create a read replica
aws rds create-db-instance-read-replica \
  --db-instance-identifier myapp-db-read-replica \
  --source-db-instance-identifier myapp-db \
  --db-instance-class db.t3.micro
```
Summary
AWS RDS dramatically reduces the operational burden of running a relational database. For development and learning, the free-tier db.t3.micro MySQL or PostgreSQL instance is excellent. For production, Multi-AZ, automated backups, and encryption at rest are non-negotiable. RDS is one of the most reliable and widely-used managed database services available on any cloud platform.