AWS to host PostgreSQL
serban21 at gmail.com
Wed Jan 2 07:42:17 EST 2019
Hi Alan,
I haven't used Omnis for about 4-5 years, and I've been using AWS a lot
for the past 2 years. Here are several comments regarding your setup:
1. Did you take a look at AWS managed Postgres (RDS), or are you already
using it? See https://aws.amazon.com/rds/postgresql/. For a higher cost you
get rid of server administration, and gain improved reliability and usage.
For a decent comparison see
https://medium.com/aubergine-solutions/comparing-rds-vs-ec2-for-postgresql-db-b2ca45c14b55.
If you're using EC2 instance(s), what type do you use, and how many? Where
do you store data, on EBS or on instance store? Be aware that AWS instances
can have hardware issues, and can be rebooted/stopped/terminated. AWS will
email you when they are doing planned maintenance, or when they detect
hardware issues, and it's only a matter of time before you receive such an
email. It might not happen at all for a long time, it's a matter of
probabilities. I just had today 2 servers with hardware failures not
detected by AWS, and one notification that another is running on degraded
hardware and it will be stopped in 2 weeks (but that's 3 servers out of a
few thousand).
2. As Bastiaan wrote, you should use SSL. In both of the above situations
you can filter by IP, if they are fixed. VPCs are not really for this, but
you should (probably) use them anyway. They are for creating your "internal
network" of servers inside of AWS, and for controlling access. But if you
have a single server, you can control access without VPC (AFAIK, I only
used VPCs).
3. For dynamic IPs it's a bit more difficult. A VPN is a solution, but it
will come with some administrative overhead on the client side. How
"dynamic" are the IPs? Can your customers' ISPs provide a range of IPs where
that IP is (a CIDR)? You could filter based on that, allowing access from
all IPs in that range, assuming that you're using SSL and have strong
passwords. Anyway, as Bastiaan wrote, filtering by IP is not enough.
Best regards,
Serban Teodorescu
On Tue, 1 Jan 2019 at 22:49, Alan Grinberg <omnis at alangrinberg.com>
wrote:
> Happy New Year to Everyone!
>
> We have converted our program to SQL using Omnis Studio 8.
>
> We have been considering different distribution scenarios, and have been
> playing around with Amazon Web Services (AWS) hosting a Postgres database,
> and installing the Omnis/Library application on the user's computer. This
> gives the user a full desktop experience and it is easy for us to maintain
> the back end. It looks like this will work well for us and many of our
> customers.
>
> I have 2 questions/requests for comments.
>
> 1. Is anyone else doing this? Are there pitfalls for going down this path?
> Are there better ways of distribution?
>
> 2. To provide security, we have been controlling access to the db using IP
> addresses. If the user has a fixed IP, this works nicely. Are there serious
> security issues with relying on this method? I suppose the data is passing
> over the internet unencrypted, including access credentials. A problem?
>
> One problem we have run into is that if a customer has a dynamic IP, they
> cannot connect.
>
> That has led us into looking into using a VPN (as AWS says - VPC - Virtual
> Private Cloud). There are AWS tools for this, as well as 3rd party tools (
> https://openvpn.net/, etc). These look quite complicated to set up. Any
> opinions on this solution? Is anyone here using the VPC tools on AWS (or
> other) to control cloud DB access?
>
> Thanks for any input!
>
> Regards,
> Alan
>
> ----------------------------------------------------
> Alan Grinberg
> AG Systems/ZOO-INK
> San Francisco, CA
>
> www.zoo-ink.com
> www.perfectfit.net
> alan at perfectfit.net
> ----------------------------------------------------
>