ok great, we'll take a look at that. thanks!

actually one question: what exactly would we connect the api gateway to? is it the contents of the node security group (i think that's where the peers are, which is what we need for db access)?

I think the larger architectural problem is that you’re running your application in heroku and trying to access your database in a different datacenter. Independent of datomic cloud, this is likely going to result in slower performance than you like because you’ll need to be streaming data out over the open internet. Is there a reason you chose to use datomic cloud but not elastic beanstalk instead of heroku?

If I understand correctly HTTP Direct is only relevant for Ions, right? i.e. it’s not for providing access to client applications in general

That is my understanding as well.

Thanks 🙂

no, we'll be protected by static IP

our app runs on heroku but it has static ips, so we only allow access from those

oh, what happens if i use an nlb with tls?

NLBs don't have TLS

NLB is layer 4 load balancing

what i mean is when i create an nlb, i select this

that does not do what you think it does

haha ok

ok so i need to terminate tls somewhere in front of the nlb

i'm not going help you put your database on internet 🙂

we have no choice ¯\(ツ)/¯

the socks tunnel we use is encrypted, so long as we can terminate that somewhere in AWS we're fine

using socks to the bastion is fine if you can get that running in Heroku

yeah but we don't want to be running all our db traffic over a low-availability bastion server

https://forum.datomic.com/t/keeping-alive-socks-proxy/593

we haven't had any problems with the tunnel so far tbh

we aren't using the datomic-socks-proxy script though

“low availability bastion”?

as in, it's a single ec2 instance. there doesn't seem to be much point running a high-availability production topology instance of datomic cloud if we run all the traffic over a single point of failure like the bastion

am i misunderstanding how the bastion works?

then use API Gateway

(i haven't spent much time thinking about it, the docs very much present the bastion as a dev tool rather than a production resource)

I'm not sure what you mean?

since can accept t, tx or an instant

yeah, but in case t form time i guess is used, which time value does it check internal to know the database version which fulfill the requirement?

it's always transaction time

every transaction has a datom [tx :db/txInstant instant]. Tx is the transaction's entity id; t is just that id with partition bits stripped off (use d/tx->t and d/t->tx to convert between them). instant is a java.util.Date corresponding to whatever the transaction time is

if you supply a time (rather than t or tx) to since, as-of, tx-range, etc, it just looks for the txid at or before that moment

Thank you very much, those information really helped 😄