I'm curious about the best practices for connecting to AWS resources such as Amazon RDS or ElastiCache. Do most people connect directly using the provided endpoints, or is it common to set up Route 53 records (like CNAMEs or custom hostnames) that point to those endpoints? What are the advantages in terms of flexibility, maintenance, or DNS management? I'd love to hear about your setups and the reasoning behind them!
4 Answers
I think direct endpoints are fine for development and testing, but in production, you should definitely create custom DNS records like db-primary.internal.company.com pointing to your RDS endpoint. If you ever need to switch RDS instances or promote a replica, you simply update the CNAME without any code changes. It's much easier to failover by updating DNS rather than searching through hardcoded endpoints in your configs. Plus, it keeps your hostnames consistent across environments—much clearer than AWS's default names.
I suggest using parameters to store the actual endpoint instead of relying on DNS records for database failovers. This helps avoid TLS handshake failures. If you do use DNS, be prepared for extra operational overhead like handling TTL timeouts, and consider that each new DB connection will require a lookup, which adds latency. Plus, if a failover happens and you can't update the DNS record, you'd end up having to change your code or configuration, and that's the last thing you want to deal with during a crisis!
In many cases, you don't have a choice but to use the direct endpoints. The SSL certificate provided by AWS only covers the official AWS endpoint names. If you try to use a custom CNAME, the client application will likely refuse the SSL connection unless you make specific changes, which might not always be feasible. It's surprising that services like RDS don't allow the use of your own certificates for secure connections!
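The name-mismatch problem described in the answer above, and the alias-to-endpoint indirection the first answer recommends, as an added example (not code from any of the answers): a small pure-stdlib Python module that follows a friendly CNAME to its canonical name and then applies the same wildcard/label rules a TLS client uses when it compares the name it was asked to verify against the certificate's DNS SANs. The hostnames, the CNAME table and the SAN list are constructed stand-ins, and the assumption that the AWS-issued certificate carries only the canonical endpoint name is the one the answer makes; real zones and certificates will differ.

```python
"""Resolve a friendly CNAME to the canonical endpoint and check TLS names.

Added example, not from the original thread.  Every hostname, the CNAME table
and the certificate SAN list are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for a private Route 53 zone (alias -> AWS-managed name),
# including a deliberate loop to exercise the guard in canonical_name().
CNAME_TABLE: Dict[str, str] = {
    "db-primary.internal.company.com.": "mydb.abc123def456.us-east-1.rds.amazonaws.com.",
    "cache.internal.company.com.": "mycache.xyz789.use1.cache.amazonaws.com.",
    "loop-a.internal.company.com.": "loop-b.internal.company.com.",
    "loop-b.internal.company.com.": "loop-a.internal.company.com.",
}

# Constructed SAN list: assumes the server certificate names only the
# canonical endpoint, never the customer's own alias.
RDS_CERT_SANS: List[str] = [
    "mydb.abc123def456.us-east-1.rds.amazonaws.com",
]


def canonical_name(name: str, table: Dict[str, str], max_hops: int = 8) -> str:
    """Follow CNAME records until a name with no CNAME is reached.

    Names are normalised to lower-case FQDN form; the hop limit and the
    seen-set defend against loops and runaway chains.
    """
    cur = name.lower().rstrip(".") + "."
    seen = set()
    for _ in range(max_hops):
        if cur not in table:
            return cur.rstrip(".")
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        seen.add(cur)
        cur = table[cur].lower().rstrip(".") + "."
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def _label_matches(pattern: str, label: str) -> bool:
    """Match one label; only a whole-label '*' wildcard is honoured."""
    if pattern == "*":
        return True
    if "*" in pattern:  # partial wildcards such as 'db*' are rejected
        return False
    return pattern == label


def hostname_matches_san(hostname: str, sans: List[str]) -> bool:
    """Return True if hostname is covered by one of the certificate's DNS SANs.

    Mirrors a TLS client's check: case-insensitive, same number of labels,
    wildcard permitted only in the left-most label.  IP literals never
    match a DNS name.
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        if any("*" in lbl for lbl in san_labels[1:]):
            continue  # wildcard outside the left-most label is invalid
        if all(_label_matches(p, l) for p, l in zip(san_labels, host_labels)):
            return True
    return False


def tls_connect_params(alias: str, table: Dict[str, str],
                       sans: List[str]) -> Tuple[str, str, bool]:
    """Decide what to dial and which name to verify for a friendly alias.

    Returns (dial_host, verify_name, alias_verifies): open TCP to the alias,
    but hand the canonical endpoint to the TLS layer as the name to verify
    (and send as SNI); alias_verifies reports whether the alias alone would
    have passed certificate verification.
    """
    canonical = canonical_name(alias, table)
    return alias, canonical, hostname_matches_san(alias, sans)


if __name__ == "__main__":
    dial, verify, ok = tls_connect_params(
        "db-primary.internal.company.com", CNAME_TABLE, RDS_CERT_SANS)
    print(f"dial {dial}, verify as {verify}, alias alone verifies: {ok}")
```

The "specific changes" the answer refers to boil down to the last function: keep the alias for the TCP connection but give the client the canonical name for verification. In Python that is `ctx.wrap_socket(sock, server_hostname=verify)`; with libpq-based clients the equivalent is to set `host` to the canonical name (which is what `sslmode=verify-full` checks) and `hostaddr` to the resolved address, though whether a given driver exposes that split is something to confirm for your stack.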
For accessing data stores, I use a bastion host protected by a security group that restricts IP access. In general, it's not common to set up Route 53 records for data stores since their endpoints are meant for direct access. However, ideally, you shouldn't be accessing the database directly from your local machine—doing so means it's exposed to the public internet, which is risky.
