I'm curious about how to properly set up offsite backups for RDS. The classic 3-2-1 backup rule is still relevant, but with AWS, the term "offsite" can mean a lot of different things. For example, we can do cross-region snapshots, cross-account backups, or even export backups outside of AWS entirely, like to multi-cloud setups or external storage. If anyone's managing PostgreSQL on RDS, what methods are you actually using? Is cross-region replication enough for your needs, or do you prefer cross-account setups or going completely external? And if you are exporting backups, are you opting for snapshot exports to S3, pg_dump, or techniques like logical replication or Change Data Capture?
5 Answers
For most teams, cross-region and cross-account backups are generally sufficient. You definitely want to ensure that your accounts have different access levels to prevent potential ransomware issues from affecting your backups. It adds a robust layer of security to your setup.
I agree, as long as there are no stern compliance requirements, this approach is often more than enough.
We see cross-region backups as the baseline, but we don't stop there. It's crucial to have both cross-account and cross-region backups set up for a more secure strategy. This way, if one fails, you have the other as a fallback.
Absolutely, having both options is essential for us too. It seems to be the new standard.
I keep local snapshots for a few days, but I also export to SQL formats off AWS. It gives me peace of mind knowing I have backup options in different locations.
For me, I think of it this way: two copies in one region (cross region), one backup format in another. With AWS's native backup to S3, that's your three copies, but we also keep snapshots and replicate S3 backups to other regions for extra security.
We can't utilize cross-region backups, so we rely on third-party solutions for our offsite backups. It's been working well for us for now.

When working with cross-account setups, always consider how your AWS organization is structured. You wouldn't want the same permissions across accounts if something were to go wrong.
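The answers above keep returning to cross-region plus cross-account copies with separate access. The following added example (not code from any poster in this thread) audits a snapshot inventory for exactly that. It assumes records shaped like `aws rds describe-db-snapshots` output; the account IDs, key ARNs and the helper names `snap`, `arn_field` and `audit` are constructed for illustration. It also flags a cross-account copy whose KMS key is still owned by the primary account, since that copy stays dependent on the account it is meant to be isolated from.

```python
from collections import defaultdict

PROD, VAULT = "111111111111", "222222222222"   # made-up account IDs
PRIMARY = (PROD, "us-east-1")                  # assumed production account/region

def snap(db, region, account, key_owner):
    # Constructed record using describe-db-snapshots field names.
    return {"DBInstanceIdentifier": db,
            "DBSnapshotArn": f"arn:aws:rds:{region}:{account}:snapshot:{db}-copy",
            "KmsKeyId": f"arn:aws:kms:{region}:{key_owner}:key/example"}

SNAPSHOTS = [
    snap("orders-pg", "us-east-1", PROD, PROD),
    snap("orders-pg", "eu-west-1", VAULT, VAULT),   # isolated copy
    snap("billing-pg", "us-east-1", PROD, PROD),
    snap("billing-pg", "us-west-2", PROD, PROD),    # other region, same account
    snap("users-pg", "us-east-1", PROD, PROD),
    snap("users-pg", "us-east-1", VAULT, PROD),     # other account, prod-owned key
]

def arn_field(arn, index):
    # arn:aws:<service>:<region>:<account>:... ; 3 = region, 4 = account
    return arn.split(":")[index]

def audit(snapshots, primary):
    p_account, p_region = primary
    by_db = defaultdict(list)
    for s in snapshots:
        by_db[s["DBInstanceIdentifier"]].append(s)
    findings = {}
    for db, snaps in sorted(by_db.items()):
        issues = []
        accounts = [arn_field(s["DBSnapshotArn"], 4) for s in snaps]
        regions = [arn_field(s["DBSnapshotArn"], 3) for s in snaps]
        if all(r == p_region for r in regions):
            issues.append("no cross-region copy")
        if all(a == p_account for a in accounts):
            issues.append("no cross-account copy")
        for s, acct in zip(snaps, accounts):
            key = s.get("KmsKeyId")
            if acct != p_account and key and arn_field(key, 4) == p_account:
                issues.append("cross-account copy depends on a primary-account KMS key")
        findings[db] = issues
    return findings

if __name__ == "__main__":
    for db, issues in audit(SNAPSHOTS, PRIMARY).items():
        print(db, "OK" if not issues else "; ".join(issues))
```

To run it against a real inventory, merge the `DBSnapshots` lists collected from each account and region into one list and pass it to `audit` in place of the constructed sample.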