AES and RSA solve different problems, even though both get lumped together under “encryption.” AES is a symmetric cipher — the same key encrypts and decrypts. RSA is asymmetric — a public key encrypts, and only the matching private key can decrypt. That one structural difference drives almost every practical decision about which to use.
AES is fast — fast enough to encrypt gigabytes of data with negligible overhead — because the math behind it (substitution and permutation over fixed-size blocks) is cheap. The catch is key distribution: both parties need the same secret key before they can communicate, and that key has to get from one side to the other through some channel that isn't itself compromised. AES is the right choice whenever you already have a shared secret — encrypting a file at rest, encrypting a database column, or encrypting the bulk of a TLS session once a key has been agreed on.
RSA solves the key-distribution problem by splitting the key into a public half anyone can use to encrypt, and a private half only the recipient holds. Nothing secret ever has to travel over the wire. The tradeoff is speed: RSA is orders of magnitude slower than AES and has practical limits on how much data it can encrypt directly, since the plaintext has to be smaller than the key itself. RSA is used for signing, key exchange, and certificates — not for encrypting bulk data.
TLS is the clearest example: the handshake uses asymmetric cryptography to agree on a shared secret without either side needing to know it in advance, then switches to a symmetric cipher like AES for the actual data transfer, because that's the part that needs to be fast. This pattern — asymmetric for key exchange, symmetric for bulk encryption — is called a hybrid cryptosystem, and it's how almost every secure communication protocol in production actually works.
Want to try AES yourself? The Encrypt / Decrypt tool on this site runs AES-256-CBC and AES-256-GCM entirely in your browser via the Web Crypto API.