The proper way to secure your databases

Great job babe! Proud of you 👏 😊

Personally, I like using a 3 tier architecture. You have an API Gateway or ALB in a public subnet (network out and in), your backend services and nat in a private subnet (network out but not in), and internal subnet with a db that can only allow traffic from the private subnet (no outside traffic in or out).

Man!! I spent like 14 hours yesterday reading about infra, this is totally new to me. I'm a data scientist came from statistics and don't have a clue about infra, and I'm trying to get into to it to deploy my side project. And boom, your video is recommended and you are drawing exactly how I was drawing! Feel so good seeing this. Now I think I have an idea why I failed miserably for hours to set up a Bastion. Thanks!

More DevOps and hard core BackEnd stuff content is good. Maybe you can explore and create a video how does serverless like AWS Lambda work behind the scenes. We all know there is server out there somewhere. But it would be interesting to see how does AWS orchestrates that so we can just use it.

9:06 Not sure if I misunderstood you, but NAT doesn't make something publicly accessible. It let's private resources that otherwise wouldn't have any internet access at all to make requests/connections into the internet. The NAT gateways docs page from AWS: "A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.".
That being said, I don't think your database needs internet access, so there's no reason to have that rdsnat traffic allowed, like you say in the video.

I love your architecture vids, so informative. Keep them up 👌

I host mine on the same vps as my API. Never exposed to the web. Exactly like you explained here with proper networking.

These are so educative, more please!

I would love to see way more stuff like this

This awesome! I am learning so much. Keep up the videos like this.

Thank you for sharing your knowledge with all of us, genuinely appreciate it 🙌

from weird nextjs apps you got into this, big respect i see growth in your channel

Have you made a video on how to write code that we are able to mock database when doing unit test ? If not yet, please make one. I really like your content. Thanks you.

Good. Now your website for plastic windows construction is safe.

Thank you so much, keep posting videos like this

Great video!
I would love to see more videos related to devops and cloud stuff, very helpful 👌🏻

Liked the Turning vm on/off on demand point.

so helpful, thanks!

One thing you can do is also to use aws ssm to tunnel from jumpbox to local

imo these are the hard parts of programming, keeping your code running in production. It takes a lot of knowledge and moving parts to get things working

Bro this is Hard AF.
i didn't knew that to develop a simple application would imply in so much complexity :(((
Have much yet to learn

This setup is good and necessary, but do no not forget that it represents a significant increase in usage fees.

Great content !

I don't use AWS, simply because my workloads are 24/7 and it would be too expensive. I have an ssh tunnel within the docker network on both the database end and service end that is used purely for communication with the database. Not sure if this is a great way to do this but it's what I've adopted. Will have to learn Wireguard at a later date

I say cider, you say cedar. Let's wall the whole thing off. (private or isolated?)

I've been battling this for a minute... great vid! Do you know if it's possible to have a similar level of security for the rds without the NAT?

We also want to migrate data from dynamo to rds. What is your strategy for migrating the data after the rds is established?

super good summary.

Are you going to keep working on your SaaS starter kit?

definitely usefull stuf! Thanks! ❤‍🔥❤‍🔥❤‍🔥
Could you please make a video on how to implement it?

Could you make a video about dynamodb and all the issues you've faced

very well explained

Great video, have you considered using the AWS Data API to allow your lambdas to connect to your RDS?

I love it

it certainly is overwhelming trying to build big infrastructure as a beginner...i been working on building a hub and spoke architecture with web servers on instances or containers on the spokes using private subnets and routing through a pfsense firewall running on an instance and load balancer in the hub vpc, then use an overlay like netbird or netmaker or tailscale to access all securely(not 100% sure if i should use self hosted or remote connection or site to site vpn just know i only want one way access)....think this all makes sense if anyone can rate it or chime in....setting it up is fine its the getting routing right thats a pain lol i got suppper stuck trying to figure out the east west north south transit routing through the drg...still stuck

It's even safer to put it inside an isolated subnet because the database doesn't need access to the internet so there is no point in keeping it behind the NAT gateway.

Newb question, but if your db sits on the same machine as your web server it's technically secure no? As it is being only hosted locally and accessed by the server?

Good stuffs!

I just have Neon host the Postgres instance, and host the site on Vercel, Neon gives me a connection string and I put it in the env of the Vercel site. Done in 30 seconds.

Do services like Vercel even provide an IP address? AWS and other services allow to provide IPs to disallow access to the db

What do you say about accessing the database through a URL from a database service (e.g. supabase). Isn't that insecure as it's just a url with username + password through https? Wouldn't it be more secure to have the db within a private network with the application being part of it so it can access it? That way we wouldn't need to expose it to the public and have additional layer of security.

I wanted to ask you , do you think its worth to get aws cloud and solution certs for a junior software engineer ?

can you please make a tutorial about nodejs concurrency/ workers

yep but that ties you to a non serverless architecture. you could skip it by security groups replacing your jumpbox ec2

Just a minor correction: NATs do not allow requests initiated from the internet to come into the vpc or a private subnet. What they do allow is any traffic initiated from the private subnet to reach out to the public internet.
But yeah networking in AWS is a really cool subject!

hOw proficient are you with C# or C++

It's 2024, why are you using SQLite instead of LibSQL?

Not talked about enough. Newer or front end devs trying to build apps on Vercel + something like Planetscale don't realize these middlemen databases only allow you to truly secure your database with enterprise tier, many of them not even then.

What's the $$ of this architecture on AWS?

The proper way to secure your databases: just use SQLite file

First!!!

this is overkill. Why not just use a firewall

Bro is picking video ideas from reddit