Amazon RDS Proxy Monitoring
Amazon RDS Proxy - Overview
Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that sits between your application and the database. It pools and shares database connections to improve application scalability, resilience, and security by reducing the strain on database resources and managing connections efficiently.
Applications Manager’s Amazon RDS Proxy monitoring tool provides comprehensive visibility into proxy health, connection pooling efficiency, query latency, and TLS security posture. With real-time tracking of client and database connection metrics, failure rates, and pool utilization, administrators can proactively detect bottlenecks, optimize connection reuse, and ensure secure, high-performance database access.
Creating a new Amazon RDS Proxy monitor
To learn how to create a new Amazon RDS Proxy monitor, refer here.
Monitored parameters
Go to the Monitors Category View by clicking the Monitors tab. Click on the RDS Proxy instance available under Amazon in the Cloud Apps section. Displayed is the Amazon RDS Proxy bulk configuration view distributed into three tabs:
- Availability tab gives the availability history for the past 24 hours or 30 days.
- Performance tab gives the health status and events for the past 24 hours or 30 days.
- List view tab enables you to perform bulk admin configurations.
By clicking a monitor from the list, you’ll be taken to the Amazon RDS Proxy dashboard which includes the following tabs:
Performance Overview
| Parameter | Description |
|---|
| PROXY INFORMATION |
| Status | The current operational state of the proxy. |
| Proxy Endpoint | The DNS address used by applications to connect to the proxy. |
| PROXY HEALTH RATIOS |
| Client Auth Failure Rate | The percentage of client connection attempts that failed due to credential or permission issues between the poll interval (in %). |
| Database Connection Failure Rate | The percentage of failed attempts by the Proxy to establish a connection with the RDS instance between the poll interval (in %). |
| Pool Pinning Rate | The percentage of established database connections that are locked to specific client sessions and cannot be shared between the poll interval (in %). |
| Non-TLS Query Ratio | The percentage of total query volume processed over unencrypted connections between the poll interval (in %). |
| CLIENT AUTH: FAILED VS SUCCEEDED (Pie Chart) |
| Failed Client Connections | The total number of login failures due to credential or permission issues between the poll interval. |
| Succeeded Client Connections | The total number of client connections that successfully authenticated between the poll interval. |
| DB SETUP: FAILED VS SUCCEEDED (Pie Chart) |
| Failed Database Connections | The total number of failed attempts by the Proxy to connect to the DB between the poll interval. |
| Succeeded Database Connections | The total number of successful handshakes between the Proxy and the RDS database between the poll interval. |
| CLIENT CONNECTIONS: TLS VS NO TLS (Pie Chart) |
| Secured Client Connections (TLS) | The total number of encrypted client sessions detected between the poll interval. |
| Unsecured Client Connections (NO TLS) | The total number of unencrypted client sessions detected between the poll interval. |
| QUERY REQUESTS: TLS VS NO TLS (Pie Chart) |
| Secured Query Requests (TLS) | The total number of SQL queries processed over encrypted (TLS) connections between the poll interval. |
| Unsecured Query Requests (NO TLS) | The total number of SQL queries processed over unencrypted connections between the poll interval. |
Client Connections
| Parameter | Description |
|---|
| CLIENT CONNECTIVITY LIFECYCLE |
| Received Client Connections | The total number of new connection attempts initiated by the application between the poll interval. |
| Failed Client Connections | The total number of login failures due to credential or permission issues between the poll interval. |
| Succeeded Client Connections | The total number of client connections that successfully authenticated between the poll interval. |
| Closed Client Connections | The total number of connections terminated by the client or proxy between the poll interval. |
| CLIENT CONNECTIONS: TLS VS NO TLS (Pie Chart) |
| Secured Client Connections (TLS) | The total number of encrypted client sessions detected between the poll interval. |
| Unsecured Client Connections (NO TLS) | The total number of unencrypted client sessions detected between the poll interval. |
| CLIENT CONNECTIONS |
| Client Connections | The average number of active client connections to the proxy between the poll interval. |
| CLIENT CONNECTIONS IN SETUP |
| Client Connections in Setup | The average number of connections in the handshake or authentication phase between the poll interval. |
Database Connections
| Parameter | Description |
|---|
| DATABASE CONNECTION ACTIVITY |
| Database Connection Requests | The total number of requests made to the database connection pool between the poll interval. |
| Failed Database Connections | The total number of failed attempts by the Proxy to connect to the DB between the poll interval. |
| Succeeded Database Connections | The total number of successful handshakes between the Proxy and the RDS database between the poll interval. |
| Allowed Max Database Connections | The number of maximum allowable connections the Proxy can open to the database between the poll interval. |
| DATABASE CONNECTION POOL ACTIVITY |
| Borrowed Database Connections | The total number of database connections currently in use by clients between the poll interval. |
| In-Transaction Database Connections | The total number of database connections involved in uncommitted transactions between the poll interval. |
| Session-Pinned Database Connections | The total number of connections locked to a client, preventing multiplexing, between the poll interval. |
| DATABASE CONNECTIONS |
| Database Connections | The average number of connections established between the Proxy and the RDS instance between the poll interval. |
| BORROW LATENCY FOR DB CONNECTIONS |
| Borrow Latency for DB Connections | The average time an application waited to acquire a connection from the pool between the poll interval (in ms). |
| DATABASE CONNECTION SECURITY |
| Secured Database Connections (TLS) | The total number of encrypted connections established between the Proxy and the DB between the poll interval. |
| Secured DB Connection Requests (TLS) | The total number of connection requests made using encryption between the poll interval. |
Query
| Parameter | Description |
|---|
| QUERY LATENCY |
| End-to-End Query Latency | The average time for a query to complete, including Proxy and DB time, between the poll interval (in ms). |
| Database Query Response Latency | The average time the Database spent executing queries (excluding Proxy lag) between the poll interval (in ms). |
| QUERY REQUESTS: TLS VS NO TLS (Pie Chart) |
| Secured Query Requests (TLS) | The total number of SQL queries processed over encrypted (TLS) connections between the poll interval. |
| Unsecured Query Requests (NO TLS) | The total number of SQL queries processed over unencrypted connections between the poll interval. |
| QUERY REQUEST TRAFFIC |
| Total Query Requests | The total number of SQL statements processed by the Proxy between the poll interval. |
Configuration
| Parameter | Description |
|---|
| CONFIGURATION |
| Engine Family | The database engine type the proxy is managing. |
| Creation Time | The timestamp when the DB proxy was created. |
| VPC ID | The ID of the VPC where the proxy resides. |
| Endpoint Network Type | The network protocol used for the proxy endpoint. Possible values: IPV4, IPV6, DUAL. |
| Target Connection Network Type | The network protocol used to connect to the database. Possible values: IPV4, IPV6. |
| Idle Client Connection Timeout | The maximum duration a client can stay connected without activity (in s). |
| Transport Layer Security (TLS) | Indicates if Transport Layer Security is enforced for client connections. |
| Default Authentication Scheme | The method used to authenticate proxy users (Secrets Manager or IAM). |
| Debug Logging | Indicates if detailed logs are sent to CloudWatch. |
