The proper way to secure your databases

  Рет қаралды 22,294

Web Dev Cody

Web Dev Cody

Күн бұрын

Пікірлер: 85
@SeibertSwirl
@SeibertSwirl 4 ай бұрын
Great job babe! Proud of you 👏 😊
@thelearningmachine_
@thelearningmachine_ 4 ай бұрын
Man!! I spent like 14 hours yesterday reading about infra, this is totally new to me. I'm a data scientist came from statistics and don't have a clue about infra, and I'm trying to get into to it to deploy my side project. And boom, your video is recommended and you are drawing exactly how I was drawing! Feel so good seeing this. Now I think I have an idea why I failed miserably for hours to set up a Bastion. Thanks!
@Lare_Paharinen
@Lare_Paharinen 4 ай бұрын
9:06 Not sure if I misunderstood you, but NAT doesn't make something publicly accessible. It let's private resources that otherwise wouldn't have any internet access at all to make requests/connections into the internet. The NAT gateways docs page from AWS: "A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.". That being said, I don't think your database needs internet access, so there's no reason to have that rdsnat traffic allowed, like you say in the video.
@WebDevCody
@WebDevCody 4 ай бұрын
Thanks for pointing that out.
@bithon5242
@bithon5242 4 ай бұрын
Based take 👏
@jurajzec
@jurajzec 4 ай бұрын
That is true. If you want to make your machine publicly accessible, you need Internet Gateway
@LarryMarkel
@LarryMarkel Ай бұрын
this video is very valuable. Thank you for sharing Cody.
@joshburgess817
@joshburgess817 4 ай бұрын
Personally, I like using a 3 tier architecture. You have an API Gateway or ALB in a public subnet (network out and in), your backend services and nat in a private subnet (network out but not in), and internal subnet with a db that can only allow traffic from the private subnet (no outside traffic in or out).
@IvanRandomDude
@IvanRandomDude 4 ай бұрын
More DevOps and hard core BackEnd stuff content is good. Maybe you can explore and create a video how does serverless like AWS Lambda work behind the scenes. We all know there is server out there somewhere. But it would be interesting to see how does AWS orchestrates that so we can just use it.
@sfygy32
@sfygy32 4 ай бұрын
I love your architecture vids, so informative. Keep them up 👌
@fuzionluck170
@fuzionluck170 4 ай бұрын
This awesome! I am learning so much. Keep up the videos like this.
@Jay-ek7uw
@Jay-ek7uw 4 ай бұрын
These are so educative, more please!
@vincentm3135
@vincentm3135 4 ай бұрын
I host mine on the same vps as my API. Never exposed to the web. Exactly like you explained here with proper networking.
@michellefelix1355
@michellefelix1355 4 ай бұрын
Great video! I would love to see more videos related to devops and cloud stuff, very helpful 👌🏻
@aymenbachiri-yh2hd
@aymenbachiri-yh2hd 4 ай бұрын
Thank you so much, keep posting videos like this
@qazyhn94
@qazyhn94 4 ай бұрын
from weird nextjs apps you got into this, big respect i see growth in your channel
@angelenriquechavezponce1629
@angelenriquechavezponce1629 4 ай бұрын
Thank you for sharing your knowledge with all of us, genuinely appreciate it 🙌
@guillaume5623
@guillaume5623 4 ай бұрын
Great content !
@mosescosme8629
@mosescosme8629 4 ай бұрын
I would love to see way more stuff like this
@ElTebe
@ElTebe 4 ай бұрын
This setup is good and necessary, but do no not forget that it represents a significant increase in usage fees.
@kevins7621
@kevins7621 4 ай бұрын
so helpful, thanks!
@Ss-zg3yj
@Ss-zg3yj 4 ай бұрын
Good. Now your website for plastic windows construction is safe.
@WebDevCody
@WebDevCody 4 ай бұрын
And that’s all that matters
@tom.watkins
@tom.watkins 4 ай бұрын
Great video, have you considered using the AWS Data API to allow your lambdas to connect to your RDS?
@phannguyetnguyen8254
@phannguyetnguyen8254 4 ай бұрын
Have you made a video on how to write code that we are able to mock database when doing unit test ? If not yet, please make one. I really like your content. Thanks you.
@pranavbobde2529
@pranavbobde2529 4 ай бұрын
Liked the Turning vm on/off on demand point.
@farhanhelmycode
@farhanhelmycode 4 ай бұрын
One thing you can do is also to use aws ssm to tunnel from jumpbox to local
@rickr937
@rickr937 4 ай бұрын
Are you going to keep working on your SaaS starter kit?
@lordpablo1985
@lordpablo1985 4 ай бұрын
We also want to migrate data from dynamo to rds. What is your strategy for migrating the data after the rds is established?
@raspy_on_osu
@raspy_on_osu 4 ай бұрын
I don't use AWS, simply because my workloads are 24/7 and it would be too expensive. I have an ssh tunnel within the docker network on both the database end and service end that is used purely for communication with the database. Not sure if this is a great way to do this but it's what I've adopted. Will have to learn Wireguard at a later date
@mikexavier
@mikexavier 4 ай бұрын
I've been battling this for a minute... great vid! Do you know if it's possible to have a similar level of security for the rds without the NAT?
@codingwithjamal
@codingwithjamal 4 ай бұрын
imo these are the hard parts of programming, keeping your code running in production. It takes a lot of knowledge and moving parts to get things working
@reynerloza1630
@reynerloza1630 4 ай бұрын
Could you make a video about dynamodb and all the issues you've faced
@nowayicommented1314
@nowayicommented1314 4 ай бұрын
very well explained
@jackgisel3211
@jackgisel3211 4 ай бұрын
super good summary.
@comosaycomosah
@comosaycomosah 4 ай бұрын
it certainly is overwhelming trying to build big infrastructure as a beginner...i been working on building a hub and spoke architecture with web servers on instances or containers on the spokes using private subnets and routing through a pfsense firewall running on an instance and load balancer in the hub vpc, then use an overlay like netbird or netmaker or tailscale to access all securely(not 100% sure if i should use self hosted or remote connection or site to site vpn just know i only want one way access)....think this all makes sense if anyone can rate it or chime in....setting it up is fine its the getting routing right thats a pain lol i got suppper stuck trying to figure out the east west north south transit routing through the drg...still stuck
@stevanfreeborn
@stevanfreeborn 4 ай бұрын
Good stuffs!
@ALDUIINN
@ALDUIINN 4 ай бұрын
Bro this is Hard AF. i didn't knew that to develop a simple application would imply in so much complexity :((( Have much yet to learn
@biovawan
@biovawan 4 ай бұрын
definitely usefull stuf! Thanks! ❤‍🔥❤‍🔥❤‍🔥 Could you please make a video on how to implement it?
@Cdaprod
@Cdaprod 4 ай бұрын
I love it
@ivokovacevic5221
@ivokovacevic5221 4 ай бұрын
It's even safer to put it inside an isolated subnet because the database doesn't need access to the internet so there is no point in keeping it behind the NAT gateway.
@JohnLovell-FTW
@JohnLovell-FTW 4 ай бұрын
I say cider, you say cedar. Let's wall the whole thing off. (private or isolated?)
@nwylynko
@nwylynko 4 ай бұрын
I just have Neon host the Postgres instance, and host the site on Vercel, Neon gives me a connection string and I put it in the env of the Vercel site. Done in 30 seconds.
@neociber24
@neociber24 4 ай бұрын
Do services like Vercel even provide an IP address? AWS and other services allow to provide IPs to disallow access to the db
@WebDevCody
@WebDevCody 4 ай бұрын
Idk I think vercel supplies vpc support on enterprise plans maybe
@nasko235679
@nasko235679 4 ай бұрын
Newb question, but if your db sits on the same machine as your web server it's technically secure no? As it is being only hosted locally and accessed by the server?
@WebDevCody
@WebDevCody 4 ай бұрын
For the most part, yes, assuming your web server doesnt have some security back door that someone can use to hit your db directly
@abiodun6897
@abiodun6897 4 ай бұрын
can you please make a tutorial about nodejs concurrency/ workers
@albert3120
@albert3120 4 ай бұрын
yep but that ties you to a non serverless architecture. you could skip it by security groups replacing your jumpbox ec2
@WebDevCody
@WebDevCody 4 ай бұрын
I'm not sure what exactly in my talk ties us to non severless?
@eclipse-224
@eclipse-224 4 ай бұрын
@@WebDevCody the bastion host
@albert3120
@albert3120 4 ай бұрын
​@@WebDevCody by using bastion hosts or jumpboxes (EC2) you are by definition spinning up a virtual machine that will run 24/7... so you have one more non serverless virtual machine to mantain. I mean I see no difference between 1) having the EC2 in a public subnet then connect from it to the private subnet where the RDS is and 2) having the RDS in a public subnet with a security group only allowing known IPs and AWS Services to interact with it. The latter allows you to avoid having an EC2 running 24/7. Correct me if I am missing something because I might be! Great video as always :)
@WebDevCody
@WebDevCody 4 ай бұрын
@@albert3120 why can’t I start up the ec2 instance when I need it and stop it when I don’t? I don’t get charged when it’s stopped right? I guess I could just lookup the public ip of my cicd runner (using circleci) and add it to the SG
@albert3120
@albert3120 4 ай бұрын
@@WebDevCody seems overcomplicating things to me, still non-serverless though which is the only thing I pointed out :)
@musashi542
@musashi542 4 ай бұрын
I wanted to ask you , do you think its worth to get aws cloud and solution certs for a junior software engineer ?
@WebDevCody
@WebDevCody 4 ай бұрын
Maybe it would be useful if you don’t know anything about aws.
@doz7979
@doz7979 4 ай бұрын
Haha, the content discussed in this video is exactly one of the topics in AWS SAA-C03 exam. I got one cert on K8s and one cert for AWS this year as a junior SWE with 1-yr exp. I would say these exams provide structured learning paths for beginners indeed.
@musashi542
@musashi542 4 ай бұрын
@@doz7979 hello can i ask which k8s cert you got ?
@doz7979
@doz7979 4 ай бұрын
@@musashi542 CKAD. It is not cheap so better wait for sale.
@DaveTheDeveloper
@DaveTheDeveloper 4 ай бұрын
What do you say about accessing the database through a URL from a database service (e.g. supabase). Isn't that insecure as it's just a url with username + password through https? Wouldn't it be more secure to have the db within a private network with the application being part of it so it can access it? That way we wouldn't need to expose it to the public and have additional layer of security.
@WebDevCody
@WebDevCody 4 ай бұрын
I think it’s fine if you have a small team. If multiple engineers have access to the prod database, it means you increase your chances of someone leaking the password. Having vpc at least allows more control over what can hit your db.
@charleschukwuemeka8482
@charleschukwuemeka8482 4 ай бұрын
​​@@WebDevCody Okay, I wanted to ask this same question about MongoDB, is there a way to make it more secure? And does this VPC work in MongoDB? Sorry I am asking about MongoDB, that's what I mostly use, even at work.
@SeibertSwirl
@SeibertSwirl 4 ай бұрын
First!!!
@WebDevCody
@WebDevCody 4 ай бұрын
love you babe!
@vinialves12362
@vinialves12362 4 ай бұрын
What's the $$ of this architecture on AWS?
@WebDevCody
@WebDevCody 4 ай бұрын
Rds can be around 30 a month for a micro instance, I think public subnets charge for public ip addresses or something. Overall probably like 40-50 a month. Aws isn’t cheap
@vinialves12362
@vinialves12362 4 ай бұрын
@@WebDevCody I don't get when people say AWS is cheaper than other solutions built on top of AWS like Vercel, etc
@hello19286
@hello19286 4 ай бұрын
@@vinialves12362 Because Vercel is hosted on AWS, cutting out the middleman will always be cheaper at scale.
@vinialves12362
@vinialves12362 4 ай бұрын
@@hello19286 Yes I understand it mathematically but in reality what happens is that they can offer smaller costs because they get discounts on volume and other startup incentives or b2b contracts
@ConnectDaPlug
@ConnectDaPlug 4 ай бұрын
hOw proficient are you with C# or C++
@d0fty8
@d0fty8 4 ай бұрын
Not talked about enough. Newer or front end devs trying to build apps on Vercel + something like Planetscale don't realize these middlemen databases only allow you to truly secure your database with enterprise tier, many of them not even then.
@magnusred2945
@magnusred2945 4 ай бұрын
It's 2024, why are you using SQLite instead of LibSQL?
@WebDevCody
@WebDevCody 4 ай бұрын
Did I even talk about SQLite in this video? I don’t think I did. Just use Postgres.
@magnusred2945
@magnusred2945 4 ай бұрын
@@WebDevCody you on Twitter :D
@tmanley1985
@tmanley1985 4 ай бұрын
Just a minor correction: NATs do not allow requests initiated from the internet to come into the vpc or a private subnet. What they do allow is any traffic initiated from the private subnet to reach out to the public internet. But yeah networking in AWS is a really cool subject!
@WebDevCody
@WebDevCody 4 ай бұрын
Thanks for the correction!
@tmanley1985
@tmanley1985 4 ай бұрын
@@WebDevCody No worries and thank YOU for that CIDR tool recommendation.
@Ss-zg3yj
@Ss-zg3yj 4 ай бұрын
The proper way to secure your databases: just use SQLite file
@tylerewing8163
@tylerewing8163 4 ай бұрын
this is overkill. Why not just use a firewall
@mastermind5421
@mastermind5421 4 ай бұрын
This works best if your app has a static outbound IP, but most of the time with these cloud services your web app can have multiple outbound IP's when it scales out. Much easier to handle this using a virtual network and subnet
@jessequartey
@jessequartey 4 ай бұрын
Bro is picking video ideas from reddit
@WebDevCody
@WebDevCody 4 ай бұрын
my team goes on reddit to figure out what tech debt we should refactor next in our system
@jessequartey
@jessequartey 4 ай бұрын
@@WebDevCody that's brilliant. Very brilliant. I count the number of times your videos solve my problems
How web applications are secured
19:54
Web Dev Cody
Рет қаралды 29 М.
Гениальное изобретение из обычного стаканчика!
00:31
Лютая физика | Олимпиадная физика
Рет қаралды 4,8 МЛН
人是不能做到吗?#火影忍者 #家人  #佐助
00:20
火影忍者一家
Рет қаралды 20 МЛН
Try this prank with your friends 😂 @karina-kola
00:18
Andrey Grechka
Рет қаралды 9 МЛН
Сестра обхитрила!
00:17
Victoria Portfolio
Рет қаралды 958 М.
What does larger scale software development look like?
24:15
Web Dev Cody
Рет қаралды 1,4 МЛН
Setting up a production ready VPS is a lot easier than I thought.
29:50
It’s Perfect. It’s Unusable. - Snapdragon for a Month Challenge Conclusion
18:08
Why is everyone LYING?
7:56
NeetCodeIO
Рет қаралды 372 М.
Don't build another effin' chatbot - Web Dev Challenge S1E1
21:54
Learn With Jason
Рет қаралды 160 М.
Serverless might bankrupt you (and how to deploy to a VPS instead)
14:26
How To Handle Permissions Like A Senior Dev
36:39
Web Dev Simplified
Рет қаралды 306 М.
Cloudflare Deploys Really Slow Code, Takes Down Entire Company
13:24
Do this before you deploy to Vercel
20:28
Web Dev Cody
Рет қаралды 31 М.
So You Think You Know Git - FOSDEM 2024
47:00
GitButler
Рет қаралды 1,3 МЛН
Гениальное изобретение из обычного стаканчика!
00:31
Лютая физика | Олимпиадная физика
Рет қаралды 4,8 МЛН