Welcome to this production-grade guide on deploying a scalable web application. We will not just launch a database; we will configure a secure 2-Tier Architecture (EC2 + RDS) and set up Route 53 Health Checks to monitor uptime.

Architect's Note: Beginners often install MySQL on the EC2 instance. We use Amazon RDS here because it handles backups, patching, and scaling automatically, allowing you to focus on your PHP code.

Step 1: Security Groups (The Firewall)

Security is paramount. Instead of opening ports to the world, we use "Security Group Chaining": the database group's inbound rule names the web server's security group as its source, rather than an IP address or CIDR range, so only instances that carry the web group can reach the database at all.

a. Security Group for EC2 (Web Server)

This group allows the public Internet to see your website.

Type    Protocol  Port  Source
SSH     TCP       22    Your personal IP as a /32 (not 0.0.0.0/0!)
HTTP    TCP       80    0.0.0.0/0 (Anywhere)
HTTPS   TCP       443   0.0.0.0/0 (Anywhere)

If you reach the instance through AWS Systems Manager Session Manager instead of SSH, you can leave the port 22 rule out entirely.

b. Security Group for RDS (Database)

Critical Step: This group should NOT be open to the public. It should only accept traffic from the EC2 security group.

Type           Protocol  Port  Source
MYSQL/Aurora   TCP       3306  sg-xxxxxxxx (select the EC2 security group you created above)

Why do this? The database has no public address and its group accepts nothing from any IP range, so an attacker on the Internet cannot reach port 3306 directly: the only path to it runs through an instance that carries the EC2 security group. Fully compromising the web server does hand an attacker that path, which is why the database user the application uses should have only the privileges the application needs, not the master account.
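The chaining above can be checked rather than eyeballed. The following is an added example, not code from this guide or from AWS: it audits the JSON that `aws ec2 describe-security-groups --output json` prints and flags every rule that breaks the two-tier model (anything but HTTP/HTTPS open to the Internet on the web group; any CIDR source, foreign group or non-3306 rule on the database group). The group IDs, names and rules are a constructed sample that includes one deliberate mistake (SSH open to the world), so the script runs offline; feed it real output to audit your own account.

```python
"""Audit the Step 1 security-group chaining from describe-security-groups JSON.
Added example, not part of the guide; the IDs and rules below are constructed."""
import json
from typing import Any, Dict, List

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
WEB_PUBLIC_PORTS = {80, 443}     # the only ports the whole Internet may reach
DB_PORT = 3306

WEB_SG = "sg-0aaa111122223333a"  # constructed ID for the EC2 (web) group
DB_SG = "sg-0bbb111122223333b"   # constructed ID for the RDS (database) group

# Constructed sample of `aws ec2 describe-security-groups --output json`.
# Chained correctly except for one deliberate mistake: SSH open to 0.0.0.0/0.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": WEB_SG, "GroupName": "web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": DB_SG, "GroupName": "db-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
    ]},
]})


def _cidrs(perm: Dict[str, Any]) -> List[str]:
    """Every CIDR source (IPv4 and IPv6) on one ingress permission."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _port_label(perm: Dict[str, Any]) -> str:
    """Readable port label; IpProtocol -1 means every port of every protocol."""
    if perm.get("IpProtocol") == "-1":
        return "ALL"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _is_tcp_port(perm: Dict[str, Any], port: int) -> bool:
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == port and perm.get("ToPort") == port)


def audit_chaining(describe_json: str, web_sg_id: str, db_sg_id: str) -> List[str]:
    """One finding per rule that breaks the two-tier model; an empty list is clean."""
    groups = {g["GroupId"]: g for g in json.loads(describe_json)["SecurityGroups"]}
    findings = [f"{sg}: group not found in describe output"
                for sg in (web_sg_id, db_sg_id) if sg not in groups]
    if findings:
        return findings
    web, db = groups[web_sg_id], groups[db_sg_id]

    # Web tier: Internet-wide sources are acceptable only on tcp/80 and tcp/443.
    for perm in web["IpPermissions"]:
        public = [c for c in _cidrs(perm) if c in PUBLIC_CIDRS]
        if public and not any(_is_tcp_port(perm, p) for p in WEB_PUBLIC_PORTS):
            findings.append(f"{web['GroupName']} ({web_sg_id}): port "
                            f"{_port_label(perm)} open to {', '.join(public)}")

    # DB tier: no CIDR sources at all, only tcp/3306, only from the web group.
    for perm in db["IpPermissions"]:
        label = f"{db['GroupName']} ({db_sg_id}): port {_port_label(perm)}"
        for cidr in _cidrs(perm):
            findings.append(f"{label} allows CIDR {cidr}; the source must be {web_sg_id}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != web_sg_id:
                findings.append(f"{label} allows unexpected group {pair.get('GroupId')}")
        if not _is_tcp_port(perm, DB_PORT):
            findings.append(f"{label} is not limited to tcp/{DB_PORT}")
    return findings


def restrict_ssh(describe_json: str, web_sg_id: str, admin_cidr: str) -> str:
    """Rewrite the web group's tcp/22 rule so its only source is admin_cidr (a /32)."""
    doc = json.loads(describe_json)
    for group in doc["SecurityGroups"]:
        if group["GroupId"] == web_sg_id:
            for perm in group["IpPermissions"]:
                if _is_tcp_port(perm, 22):
                    perm["IpRanges"] = [{"CidrIp": admin_cidr}]
                    perm["Ipv6Ranges"] = []
    return json.dumps(doc)


if __name__ == "__main__":
    print(audit_chaining(SAMPLE_DESCRIBE_OUTPUT, WEB_SG, DB_SG) or ["clean"])
    fixed = restrict_ssh(SAMPLE_DESCRIBE_OUTPUT, WEB_SG, "203.0.113.7/32")
    print(audit_chaining(fixed, WEB_SG, DB_SG) or ["clean"])
```

The audit deliberately treats any CIDR on the database group as a finding, even a single /32: the moment an IP address appears there, the database is reachable from whatever happens to hold that address, not from the web tier as a role.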

Step 2: Creating the RDS Instance

We'll set up a managed MySQL database using AWS RDS.

  • Engine: MySQL (8.0 recommended)
  • Template: Free Tier (select this to avoid bills)
  • Instance Class: db.t3.micro
  • Public Access: No (This keeps your DB secure inside the VPC)
  • VPC Security Group: Select the RDS group created in Step 1b.

Step 3: Launching & Configuring the Web Server

Launch an Amazon Linux 2023 instance in the same VPC as the RDS instance and attach the EC2 security group from Step 1a. Once it is running, connect via SSH and install the web tier of the LAMP stack (Linux, Apache, PHP). Only the MySQL client is installed here; the MySQL server is the RDS instance. The package names below are Amazon Linux 2023's; AL2 uses different package names and amazon-linux-extras, so the commands are not interchangeable.

# Update the OS and install Apache, PHP, the mysqli extension, and the MariaDB 10.5
# client (used only to test connectivity to RDS; no database server runs here)
sudo dnf update -y
sudo dnf install -y httpd php php-mysqli mariadb105

# Start Apache and ensure it runs on boot
sudo systemctl start httpd
sudo systemctl enable httpd

# Let ec2-user deploy files without sudo: add it to the apache group, hand
# /var/www to ec2-user:apache, and set the setgid bit (2775) so new files and
# directories under /var/www inherit the apache group
sudo usermod -a -G apache ec2-user
sudo chown -R ec2-user:apache /var/www
sudo chmod 2775 /var/www
# Log out and back in so the new group membership takes effect

Connecting PHP to RDS

Never put credentials in the public html folder: Apache serves /var/www/html, and a .inc file there is delivered to anyone who requests it as plain text. Create the configuration file outside the web root, in /var/www/inc, and make it readable only by its owner and the apache group:

mkdir /var/www/inc
nano /var/www/inc/dbinfo.inc
# Owner ec2-user, group apache (inherited through the setgid bit on /var/www);
# 640 lets httpd read it and nobody else
chmod 640 /var/www/inc/dbinfo.inc

Paste your credentials (copy the Endpoint from the RDS console; it is the hostname only, without the port). The admin account is the RDS master user. For anything beyond a first test, create a separate database user granted only what the application needs and use that here, so a compromised web server can do no more than the application can.

<?php
// Database settings for the web tier. Keep this file outside /var/www/html.
define('DB_SERVER', 'your-rds-endpoint.us-east-1.rds.amazonaws.com'); // RDS endpoint hostname
define('DB_USERNAME', 'admin');               // better: a least-privilege application user
define('DB_PASSWORD', 'your_secure_password');
define('DB_DATABASE', 'webdb');
// Pages under /var/www/html load it with: require_once '/var/www/inc/dbinfo.inc';
?>

Step 4: Monitoring with Route 53 (The Step Most Tutorials Skip)

To ensure our application is actually available to users, we configure a Route 53 Health Check.

  1. Go to the Route 53 Console > Health Checks.
  2. Click Create health check.
  3. Name: web-server-monitor
  4. Endpoint: Enter the public IP or domain name of your EC2 instance. Prefer a DNS name or an Elastic IP: the auto-assigned public IPv4 address changes every time the instance is stopped and started, which would leave the check pointing at nothing. For an HTTP check, set the Path to a page that actually queries the database; a check against a static page stays healthy even when the RDS connection is broken.
  5. Request Interval: Standard (30 seconds).
  6. Failure Threshold: 3 (the endpoint is reported unhealthy after three consecutive failed checks, roughly 90 seconds of downtime).

Route 53 health checkers probe from several AWS regions over the public Internet, so the endpoint must accept their traffic. The HTTP 0.0.0.0/0 rule from Step 1a already allows this; if you later tighten that rule, allow the published Route 53 health checker IP ranges or the checks will fail while the site is fine.

Pro Tip: Route 53 health checks notify through CloudWatch. Create a CloudWatch alarm on the health check's HealthCheckStatus metric (the console offers this from the health check itself), point the alarm at an SNS topic, and subscribe your email to the topic; you then get an email within minutes of the web server going down.


Troubleshooting & Cost Analysis

Common Connection Errors

Error: "Connection timed out" (2002)
PHP's mysqli reports a connection that never completed as (HY000/2002) Connection timed out; the mysql command-line client reports the same condition as error 2003 with errno 110. Either way, the TCP handshake to port 3306 got no answer, which almost always means the Security Groups are wrong. Go back to Step 1b and ensure the RDS Security Group allows traffic on port 3306 specifically from the Security Group ID of your EC2 instance, not an IP address, and that the instance actually carries the EC2 Security Group from Step 1a. Two related failures look different: "Connection refused" means the host answered but nothing is listening (wrong port, or the instance is still being created), and a name-resolution error means the endpoint hostname is mistyped. If the 2002 error mentions a socket file such as /var/lib/mysql/mysql.sock instead, DB_SERVER is still set to localhost rather than the RDS endpoint.
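Whether a connection timed out, was refused, or never resolved can be told apart with a plain TCP probe, which is all the driver does before any MySQL handshake. The following is an added example, not code from this guide: it connects to the endpoint on 3306 with a short timeout and maps the operating-system error to the likely cause. The placeholder hostname is the one from the dbinfo.inc snippet; run it on the EC2 instance with your real endpoint. The loopback helper exists only so the "refused" path can be exercised without an RDS instance.

```python
"""Classify why a TCP connection to the RDS endpoint failed.
Added example, not part of the guide; the default hostname is a placeholder."""
import errno
import socket
import sys

LIKELY_CAUSE = {
    "open": "TCP handshake succeeded: the security group is fine; check credentials and DB name next",
    "timeout": "packets dropped silently: almost always the RDS security group (Step 1b), or a network ACL",
    "refused": "host reached but nothing listens on the port: wrong port, or the instance is stopped or still creating",
    "unreachable": "no route to the host: instance and DB are in different VPCs, or the route table is wrong",
    "dns": "endpoint name does not resolve: copy it from the RDS console again",
    "unknown": "unrecognised socket error; read the message",
}


def classify(exc: OSError) -> str:
    """Map a socket error to one of the LIKELY_CAUSE keys."""
    if isinstance(exc, socket.gaierror):   # getaddrinfo failed: name did not resolve
        return "dns"
    if isinstance(exc, socket.timeout):    # connect() hit the deadline we set below
        return "timeout"
    if exc.errno == errno.ETIMEDOUT:       # kernel's own connect() timeout
        return "timeout"
    if exc.errno == errno.ECONNREFUSED:    # host sent RST: reachable, port closed
        return "refused"
    if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "unreachable"
    return "unknown"


def probe(host: str, port: int = 3306, timeout: float = 5.0) -> str:
    """Attempt the TCP handshake the MySQL driver performs; return a LIKELY_CAUSE key."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def free_local_port() -> int:
    """A loopback port with no listener, so 'refused' can be demonstrated offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python3 probe_rds.py your-rds-endpoint.us-east-1.rds.amazonaws.com
    host = sys.argv[1] if len(sys.argv) > 1 else "your-rds-endpoint.us-east-1.rds.amazonaws.com"
    result = probe(host)
    print(f"{host}:3306 -> {result}: {LIKELY_CAUSE[result]}")
```

A "timeout" verdict from the EC2 instance while the same probe from the RDS console's own subnet would succeed is the signature of a missing or wrong security-group reference; a "refused" verdict means the packets arrive and the security group is not the problem.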

Cost Warning

While RDS has a Free Tier (750 hours/month of an eligible micro instance class such as db.t3.micro, plus 20 GB of storage), it only applies to Single-AZ deployments. If you select "Multi-AZ" (High Availability), a synchronous standby instance is created in a second Availability Zone and billed from the moment it exists. Always check the "Estimated Monthly Cost" at the bottom of the RDS creation screen.

Conclusion

You have successfully connected a public-facing web server to a private backend database and set up monitoring. This two-tier pattern (public web tier, private data tier) is the foundation that the three-tier architecture (Web, App, Data) taught throughout AWS certification material builds on.