Connecting to an Amazon RDS DB instance
Before you can connect to a DB instance, you must create the DB instance. For information, see Creating an Amazon RDS DB instance. After Amazon RDS provisions your DB instance, use any standard client application or utility for your DB engine to connect to the DB instance. In the connection string, specify the DNS address from the DB instance endpoint as the host parameter. Also, specify the port number from the DB instance endpoint as the port parameter.
For more information about finding connection information for an Amazon RDS DB instance or scenarios for accessing a DB instance in a VPC, see the following topics.
Connecting to DB instances with the Amazon drivers
The Amazon suite of drivers has been designed to provide support for faster switchover and failover times, and authentication with Amazon Secrets Manager, Amazon Identity and Access Management (IAM), and Federated Identity. The Amazon drivers rely on monitoring DB instance status and being aware of the instance topology to determine the new primary instance. This approach reduces switchover and failover times to single-digit seconds, compared to tens of seconds for open-source drivers.
The following table lists the features supported for each of the drivers. As new service features are introduced, the goal of the Amazon suite of drivers is to have built-in support for these service features.
Feature | Amazon JDBC Driver | Amazon Python Driver | Amazon ODBC Driver for MySQL |
---|---|---|---|
Failover support | Yes | Yes | Yes |
Enhanced failover monitoring | Yes | Yes | Yes |
Read/write splitting | Yes | Yes | No |
Driver metadata connection | Yes | N/A | N/A |
Telemetry | Yes | Yes | No |
Secrets Manager | Yes | Yes | Yes |
IAM authentication | Yes | Yes | Yes |
Federated Identity (AD FS) | Yes | Yes | No |
Federated Identity (Okta) | Yes | No | No |
Multi-AZ DB clusters | Yes | Yes | No |
For more information on the Amazon drivers, see the corresponding language driver for your RDS for MariaDB, RDS for MySQL, or RDS for PostgreSQL DB instance.
Note
The only features supported for RDS for MariaDB are authentication with Amazon Secrets Manager, Amazon Identity and Access Management (IAM), and Federated Identity.
Connecting to a DB instance that's running a specific DB engine
To learn how to connect to a DB instance that is running a specific DB engine, follow the instructions for your DB engine:
Managing connections with RDS Proxy
You can also use Amazon RDS Proxy to manage connections to RDS for MariaDB, RDS for Microsoft SQL Server, RDS for MySQL, and RDS for PostgreSQL DB instances. RDS Proxy allows applications to pool and share database connections to improve scalability. For more information, see Amazon RDS Proxy.
Database authentication options
Amazon RDS supports the following ways to authenticate database users:
- Password authentication – Your DB instance performs all administration of user accounts. You create users and specify passwords with SQL statements. The SQL statements you can use depend on your DB engine.
- Amazon Identity and Access Management (IAM) database authentication – You don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.
- Kerberos authentication – You use external authentication of database users using Kerberos and Microsoft Active Directory. Kerberos is a network authentication protocol that uses tickets and symmetric-key cryptography to eliminate the need to transmit passwords over the network. Kerberos has been built into Active Directory and is designed to authenticate users to network resources, such as databases.
IAM database authentication and Kerberos authentication are available only for specific DB engines and versions.
For more information, see Database authentication with Amazon RDS.
Encrypted connections
You can use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) from your application to encrypt a connection to a DB instance. Each DB engine has its own process for implementing SSL/TLS. For more information, see Using SSL/TLS to encrypt a connection to a DB instance or cluster.
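The following added example (not part of the original documentation) ties together the endpoint host and port parameters and the encrypted-connection guidance above: it builds a connection string from an endpoint and audits connection strings for weak settings. It assumes a PostgreSQL engine and a libpq-style URI; the endpoint name, user, database, and CA bundle path are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs, quote

# libpq sslmode values that authenticate the server certificate.
VERIFYING_MODES = {"verify-ca", "verify-full"}

def build_dsn(endpoint, dbname, user, ca_bundle):
    """Build a libpq URI from a DB instance endpoint given as 'dns-name:port'."""
    host, _, port = endpoint.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("endpoint must look like 'host:port'")
    # No password in the URI: supply it (or an IAM token) at connect time.
    return (f"postgresql://{quote(user, safe='')}@{host}:{port}/{quote(dbname, safe='')}"
            f"?sslmode=verify-full&sslrootcert={quote(ca_bundle, safe='')}")

def audit_dsn(dsn, expected_host):
    """Return a list of findings for a libpq connection URI."""
    findings = []
    parts = urlsplit(dsn)
    params = parse_qs(parts.query)
    if parts.password:
        findings.append("password embedded in connection string")
    if parts.hostname != expected_host.lower():
        findings.append("host is not the DB instance endpoint DNS name")
    mode = params.get("sslmode", ["prefer"])[0]  # libpq defaults to 'prefer'
    if mode not in VERIFYING_MODES:
        findings.append(f"sslmode={mode} does not verify the server certificate")
    elif mode == "verify-ca":
        findings.append("sslmode=verify-ca does not check the host name")
    if mode in VERIFYING_MODES and "sslrootcert" not in params:
        findings.append("sslrootcert not set; libpq falls back to ~/.postgresql/root.crt")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not real resources.
    host = "mydb.abc123example.us-east-1.rds.amazonaws.com"
    good = build_dsn(f"{host}:5432", "appdb", "app_user", "/etc/ssl/rds-ca.pem")
    weak = "postgresql://app_user:s3cret@10.0.0.5:5432/appdb?sslmode=require"
    for dsn in (good, weak):
        print(dsn)
        for finding in audit_dsn(dsn, host) or ["ok"]:
            print("  -", finding)
```

Connecting by IP address instead of the endpoint DNS name is flagged because `verify-full` matches the certificate against the host name you connect to.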