
Hiya, we're using Datomic Cloud and need to open it to the internet. What's the easiest way to do this in a production topology? We have a solo topology where we add ingress rules to the node security group, but in production there's an internal NLB that presumably routes requests to the nodes; if we swap that out for an internet-facing NLB then CloudFormation will probably kill it?

Joe Lane 14:06:14

@conan api gateway. In solo, use apigw lambda proxy, in production use the new http-direct integration with api-gateway.


ok great, we'll take a look at that. thanks!


actually one question: what exactly would we connect the api gateway to? is it the contents of the node security group (i think that's where the peers are, which is what we need for db access)?

Joe Lane 15:06:56

I think the larger architectural problem is that you’re running your application in heroku and trying to access your database in a different datacenter. Independent of datomic cloud, this is likely going to result in slower performance than you like because you’ll need to be streaming data out over the open internet. Is there a reason you chose to use datomic cloud but not elastic beanstalk instead of heroku?

Michael Griffiths 16:06:27

If I understand correctly, HTTP Direct is only relevant for Ions, right? i.e. it’s not for providing access to client applications in general

Joe Lane 17:06:39

That is my understanding as well.

Joe Lane 14:06:45

Don’t expose your database over the internet directly, you want api gateway to handle security, throttling, etc.


no, we'll be protected by static IP


our app runs on heroku but it has static ips, so we only allow access from those


clients with static IP or not, the traffic flowing over the NLB does not have TLS @conan


oh, what happens if i use an nlb with tls?


NLBs don't have TLS


NLB is layer 4 load balancing


what i mean is when i create an nlb, i select this


that does not do what you think it does


ok so i need to terminate tls somewhere in front of the nlb


i'm not going to help you put your database on the internet 🙂


we have no choice ¯\_(ツ)_/¯


the socks tunnel we use is encrypted, so long as we can terminate that somewhere in AWS we're fine


using socks to the bastion is fine if you can get that running in Heroku


yeah but we don't want to be running all our db traffic over a low-availability bastion server


we haven't had any problems with the tunnel so far tbh


we aren't using the datomic-socks-proxy script though


“low availability bastion”?


as in, it's a single ec2 instance. there doesn't seem to be much point running a high-availability production topology instance of datomic cloud if we run all the traffic over a single point of failure like the bastion


am i misunderstanding how the bastion works?


then use API Gateway


(i haven't spent much time thinking about it, the docs very much present the bastion as a dev tool rather than a production resource)


Hey Folks, can you tell me which time attribute is used by datomic.api/since to return a given version of a database?


I'm not sure what you mean?


since can accept t, tx or an instant


yeah, but in the case where the time form is used, i guess, which time value does it check internally to find the database version that fulfills the requirement?


it's always transaction time


every transaction has a datom [tx :db/txInstant instant]. Tx is the transaction's entity id; t is just that id with partition bits stripped off (use d/tx->t and d/t->tx to convert between them). instant is a java.util.Date corresponding to whatever the transaction time is


if you supply a time (rather than t or tx) to since, as-of, tx-range, etc, it just looks for the txid at or before that moment


Thank you very much, that information really helped 😄