Man!! I spent like 14 hours yesterday reading about infra, this is totally new to me. I'm a data scientist came from statistics and don't have a clue about infra, and I'm trying to get into to it to deploy my side project. And boom, your video is recommended and you are drawing exactly how I was drawing! Feel so good seeing this. Now I think I have an idea why I failed miserably for hours to set up a Bastion. Thanks!
@Lare_Paharinen4 ай бұрын
9:06 Not sure if I misunderstood you, but NAT doesn't make something publicly accessible. It let's private resources that otherwise wouldn't have any internet access at all to make requests/connections into the internet. The NAT gateways docs page from AWS: "A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.". That being said, I don't think your database needs internet access, so there's no reason to have that rdsnat traffic allowed, like you say in the video.
@WebDevCody4 ай бұрын
Thanks for pointing that out.
@bithon52424 ай бұрын
Based take 👏
@jurajzec4 ай бұрын
That is true. If you want to make your machine publicly accessible, you need Internet Gateway
@LarryMarkelАй бұрын
this video is very valuable. Thank you for sharing Cody.
@joshburgess8174 ай бұрын
Personally, I like using a 3 tier architecture. You have an API Gateway or ALB in a public subnet (network out and in), your backend services and nat in a private subnet (network out but not in), and internal subnet with a db that can only allow traffic from the private subnet (no outside traffic in or out).
@IvanRandomDude4 ай бұрын
More DevOps and hard core BackEnd stuff content is good. Maybe you can explore and create a video how does serverless like AWS Lambda work behind the scenes. We all know there is server out there somewhere. But it would be interesting to see how does AWS orchestrates that so we can just use it.
@sfygy324 ай бұрын
I love your architecture vids, so informative. Keep them up 👌
@fuzionluck1704 ай бұрын
This awesome! I am learning so much. Keep up the videos like this.
@Jay-ek7uw4 ай бұрын
These are so educative, more please!
@vincentm31354 ай бұрын
I host mine on the same vps as my API. Never exposed to the web. Exactly like you explained here with proper networking.
@michellefelix13554 ай бұрын
Great video! I would love to see more videos related to devops and cloud stuff, very helpful 👌🏻
@aymenbachiri-yh2hd4 ай бұрын
Thank you so much, keep posting videos like this
@qazyhn944 ай бұрын
from weird nextjs apps you got into this, big respect i see growth in your channel
@angelenriquechavezponce16294 ай бұрын
Thank you for sharing your knowledge with all of us, genuinely appreciate it 🙌
@guillaume56234 ай бұрын
Great content !
@mosescosme86294 ай бұрын
I would love to see way more stuff like this
@ElTebe4 ай бұрын
This setup is good and necessary, but do no not forget that it represents a significant increase in usage fees.
@kevins76214 ай бұрын
so helpful, thanks!
@Ss-zg3yj4 ай бұрын
Good. Now your website for plastic windows construction is safe.
@WebDevCody4 ай бұрын
And that’s all that matters
@tom.watkins4 ай бұрын
Great video, have you considered using the AWS Data API to allow your lambdas to connect to your RDS?
@phannguyetnguyen82544 ай бұрын
Have you made a video on how to write code that we are able to mock database when doing unit test ? If not yet, please make one. I really like your content. Thanks you.
@pranavbobde25294 ай бұрын
Liked the Turning vm on/off on demand point.
@farhanhelmycode4 ай бұрын
One thing you can do is also to use aws ssm to tunnel from jumpbox to local
@rickr9374 ай бұрын
Are you going to keep working on your SaaS starter kit?
@lordpablo19854 ай бұрын
We also want to migrate data from dynamo to rds. What is your strategy for migrating the data after the rds is established?
@raspy_on_osu4 ай бұрын
I don't use AWS, simply because my workloads are 24/7 and it would be too expensive. I have an ssh tunnel within the docker network on both the database end and service end that is used purely for communication with the database. Not sure if this is a great way to do this but it's what I've adopted. Will have to learn Wireguard at a later date
@mikexavier4 ай бұрын
I've been battling this for a minute... great vid! Do you know if it's possible to have a similar level of security for the rds without the NAT?
@codingwithjamal4 ай бұрын
imo these are the hard parts of programming, keeping your code running in production. It takes a lot of knowledge and moving parts to get things working
@reynerloza16304 ай бұрын
Could you make a video about dynamodb and all the issues you've faced
@nowayicommented13144 ай бұрын
very well explained
@jackgisel32114 ай бұрын
super good summary.
@comosaycomosah4 ай бұрын
it certainly is overwhelming trying to build big infrastructure as a beginner...i been working on building a hub and spoke architecture with web servers on instances or containers on the spokes using private subnets and routing through a pfsense firewall running on an instance and load balancer in the hub vpc, then use an overlay like netbird or netmaker or tailscale to access all securely(not 100% sure if i should use self hosted or remote connection or site to site vpn just know i only want one way access)....think this all makes sense if anyone can rate it or chime in....setting it up is fine its the getting routing right thats a pain lol i got suppper stuck trying to figure out the east west north south transit routing through the drg...still stuck
@stevanfreeborn4 ай бұрын
Good stuffs!
@ALDUIINN4 ай бұрын
Bro this is Hard AF. i didn't knew that to develop a simple application would imply in so much complexity :((( Have much yet to learn
@biovawan4 ай бұрын
definitely usefull stuf! Thanks! ❤🔥❤🔥❤🔥 Could you please make a video on how to implement it?
@Cdaprod4 ай бұрын
I love it
@ivokovacevic52214 ай бұрын
It's even safer to put it inside an isolated subnet because the database doesn't need access to the internet so there is no point in keeping it behind the NAT gateway.
@JohnLovell-FTW4 ай бұрын
I say cider, you say cedar. Let's wall the whole thing off. (private or isolated?)
@nwylynko4 ай бұрын
I just have Neon host the Postgres instance, and host the site on Vercel, Neon gives me a connection string and I put it in the env of the Vercel site. Done in 30 seconds.
@neociber244 ай бұрын
Do services like Vercel even provide an IP address? AWS and other services allow to provide IPs to disallow access to the db
@WebDevCody4 ай бұрын
Idk I think vercel supplies vpc support on enterprise plans maybe
@nasko2356794 ай бұрын
Newb question, but if your db sits on the same machine as your web server it's technically secure no? As it is being only hosted locally and accessed by the server?
@WebDevCody4 ай бұрын
For the most part, yes, assuming your web server doesnt have some security back door that someone can use to hit your db directly
@abiodun68974 ай бұрын
can you please make a tutorial about nodejs concurrency/ workers
@albert31204 ай бұрын
yep but that ties you to a non serverless architecture. you could skip it by security groups replacing your jumpbox ec2
@WebDevCody4 ай бұрын
I'm not sure what exactly in my talk ties us to non severless?
@eclipse-2244 ай бұрын
@@WebDevCody the bastion host
@albert31204 ай бұрын
@@WebDevCody by using bastion hosts or jumpboxes (EC2) you are by definition spinning up a virtual machine that will run 24/7... so you have one more non serverless virtual machine to mantain. I mean I see no difference between 1) having the EC2 in a public subnet then connect from it to the private subnet where the RDS is and 2) having the RDS in a public subnet with a security group only allowing known IPs and AWS Services to interact with it. The latter allows you to avoid having an EC2 running 24/7. Correct me if I am missing something because I might be! Great video as always :)
@WebDevCody4 ай бұрын
@@albert3120 why can’t I start up the ec2 instance when I need it and stop it when I don’t? I don’t get charged when it’s stopped right? I guess I could just lookup the public ip of my cicd runner (using circleci) and add it to the SG
@albert31204 ай бұрын
@@WebDevCody seems overcomplicating things to me, still non-serverless though which is the only thing I pointed out :)
@musashi5424 ай бұрын
I wanted to ask you , do you think its worth to get aws cloud and solution certs for a junior software engineer ?
@WebDevCody4 ай бұрын
Maybe it would be useful if you don’t know anything about aws.
@doz79794 ай бұрын
Haha, the content discussed in this video is exactly one of the topics in AWS SAA-C03 exam. I got one cert on K8s and one cert for AWS this year as a junior SWE with 1-yr exp. I would say these exams provide structured learning paths for beginners indeed.
@musashi5424 ай бұрын
@@doz7979 hello can i ask which k8s cert you got ?
@doz79794 ай бұрын
@@musashi542 CKAD. It is not cheap so better wait for sale.
@DaveTheDeveloper4 ай бұрын
What do you say about accessing the database through a URL from a database service (e.g. supabase). Isn't that insecure as it's just a url with username + password through https? Wouldn't it be more secure to have the db within a private network with the application being part of it so it can access it? That way we wouldn't need to expose it to the public and have additional layer of security.
@WebDevCody4 ай бұрын
I think it’s fine if you have a small team. If multiple engineers have access to the prod database, it means you increase your chances of someone leaking the password. Having vpc at least allows more control over what can hit your db.
@charleschukwuemeka84824 ай бұрын
@@WebDevCody Okay, I wanted to ask this same question about MongoDB, is there a way to make it more secure? And does this VPC work in MongoDB? Sorry I am asking about MongoDB, that's what I mostly use, even at work.
@SeibertSwirl4 ай бұрын
First!!!
@WebDevCody4 ай бұрын
love you babe!
@vinialves123624 ай бұрын
What's the $$ of this architecture on AWS?
@WebDevCody4 ай бұрын
Rds can be around 30 a month for a micro instance, I think public subnets charge for public ip addresses or something. Overall probably like 40-50 a month. Aws isn’t cheap
@vinialves123624 ай бұрын
@@WebDevCody I don't get when people say AWS is cheaper than other solutions built on top of AWS like Vercel, etc
@hello192864 ай бұрын
@@vinialves12362 Because Vercel is hosted on AWS, cutting out the middleman will always be cheaper at scale.
@vinialves123624 ай бұрын
@@hello19286 Yes I understand it mathematically but in reality what happens is that they can offer smaller costs because they get discounts on volume and other startup incentives or b2b contracts
@ConnectDaPlug4 ай бұрын
hOw proficient are you with C# or C++
@d0fty84 ай бұрын
Not talked about enough. Newer or front end devs trying to build apps on Vercel + something like Planetscale don't realize these middlemen databases only allow you to truly secure your database with enterprise tier, many of them not even then.
@magnusred29454 ай бұрын
It's 2024, why are you using SQLite instead of LibSQL?
@WebDevCody4 ай бұрын
Did I even talk about SQLite in this video? I don’t think I did. Just use Postgres.
@magnusred29454 ай бұрын
@@WebDevCody you on Twitter :D
@tmanley19854 ай бұрын
Just a minor correction: NATs do not allow requests initiated from the internet to come into the vpc or a private subnet. What they do allow is any traffic initiated from the private subnet to reach out to the public internet. But yeah networking in AWS is a really cool subject!
@WebDevCody4 ай бұрын
Thanks for the correction!
@tmanley19854 ай бұрын
@@WebDevCody No worries and thank YOU for that CIDR tool recommendation.
@Ss-zg3yj4 ай бұрын
The proper way to secure your databases: just use SQLite file
@tylerewing81634 ай бұрын
this is overkill. Why not just use a firewall
@mastermind54214 ай бұрын
This works best if your app has a static outbound IP, but most of the time with these cloud services your web app can have multiple outbound IP's when it scales out. Much easier to handle this using a virtual network and subnet
@jessequartey4 ай бұрын
Bro is picking video ideas from reddit
@WebDevCody4 ай бұрын
my team goes on reddit to figure out what tech debt we should refactor next in our system
@jessequartey4 ай бұрын
@@WebDevCody that's brilliant. Very brilliant. I count the number of times your videos solve my problems