Amazon Timestream
Last updated
Was this helpful?
Last updated
Was this helpful?
Let's connect a nodejs app in one Amazon VPC with a Amazon Timestream managed InfluxDB database in another Amazon VPC. We’ll create an end-to-end encrypted Ockam Portal to InfluxDB.
To understand the details of how end-to-end trust is established, and how the portal works even though the two networks are isolated with no exposed ports, please read: “”
Then run the following commands:
If everything runs as expected, you'll see the message: The example run was successful 🥳
In a typical production setup an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project.
First, the metrics_corp/run.sh script creates a network to host the database:
TCP egress to the Internet.
Ingress to InfluxDB from within the subnet.
SSH ingress to provision EC2 instances.
When EC2 starts the instance, it executes the run_ockam.sh script:
A TCP outlet.
An access control policy associated to the outlet. The policy authorizes only identities with a credential attesting to the attribute influxdb-inlet="true".
A a relay that can forward TCP traffic to the TCP outlet.
First, the datastream_corp/run.sh script creates a network to host the nodejs application:
TCP egress to the Internet,
SSH ingress to provision EC2 instances.
Next, the script creates an EC2 instance. This instance runs an Ockam TCP Inlet.
When EC2 starts the instance, it executes the run_ockam.sh script:
It then creates an Ockam node with:
A TCP inlet.
Finally, the nodejs application is started:
We connected a nodejs app in one virtual private network with a InfluxDB database in another virtual private network over an end-to-end encrypted portal.
Datastream Corp. does not get unfettered access to Metrics Corp.’s network. It gets access only to query InfluxDB. Metrics Corp. does not get unfettered access to Datastream Corp.’s network. It gets access only to respond to queries over a tcp connection. Metrics Corp. cannot initiate connections.
To delete all AWS resources:
This example requires Bash, Git, AWS CLI. Please set up these tools for your operating system. In particular you need to .
The , that you ran above, and its are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore.
The calls the which invokes the to create an new identity, sign into Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership .
The run function then . The tickets are valid for 10 minutes. Each ticket can be redeemed only once and assigns to its redeemer. The is meant for the Ockam node that will run in Metrics Corp.’s network. The is meant for the Ockam node that will run in Datastream Corp.’s network.
The run function passes the enrollment tickets as variables of the run scripts provisioning and .
It and tags it.
It and attaches it to the VPC.
It and to the Internet via the gateway.
It and associates it with the route table.
It which allows:
Then, the metrics_corp/run.sh script creates a InfluxDB using Timestream. Next the script creates an EC2 instance. This instance runs an Ockam TCP Outlet.
It .
It then and a start script based on run_ockam.sh where:
created by the administrator and given as a parameter to run.sh.
that we previously saved.
It and .
It installs the and
It to send to Datastream Corp and saves it to file.
It installs the command.
It uses the .
It then with:
It and tags it.
It and attaches it to the VPC.
It and to the Internet via the gateway.
It and associates it with the route table.
It that allows:
It .
It then and a start script based on run_ockam.sh in which the:
The variable created by the administrator and given as a parameter to run.sh.
It installs command.
It uses the .
An access control . The policy authorizes identities with a credential attesting to the attribute influxdb-outlet="true".
Next datastream_corp/run.sh waits for the instance to be ready and :
It copies into the instance using SCP
It then , which:
.
.
.
It .
It to show that the connection with the InfluxDB database is working.
Sensitive business data in the InfluxDB database is only accessible to Metrics Corp. and Datastream Corp. All data is with strong forward secrecy as it moves through the Internet. The communication channel is and . Keys and credentials are automatically rotated. Access to connect with InfluxDB can be easily revoked.
All are secure-by-default. Only project members, with valid credentials, can connect with each other. NAT’s are traversed using a relay and outgoing tcp connections. Metrics Corp. or Datastream Corp. don’t expose any listening endpoints on the Internet. Their networks are completely closed and protected from any attacks from the Internet.
