Amazon RDS
Let's connect a nodejs app in one Amazon VPC with an Amazon RDS managed Postgres database in another Amazon VPC.
Each company’s network is private, isolated, and doesn't expose ports. To learn how end-to-end trust is established, please read: “How does Ockam work?”
Run
This example requires Bash, Git, and AWS CLI. Please set up these tools for your operating system. In particular you need to login to your AWS account with aws sso login
.
Then run the following commands:
If everything runs as expected, you'll see the message: The example run was successful 🥳
Walkthrough
The run.sh script, that you ran above, and its accompanying files are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore.
Administrator
The run.sh script calls the run function which invokes the enroll command to create an new identity, sign into Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership credential.
The run function then generates two new enrollment tickets. The tickets are valid for 10 minutes. Each ticket can be redeemed only once and assigns attributes to its redeemer. The first ticket is meant for the Ockam node that will run in Bank Corp.’s network. The second ticket is meant for the Ockam node that will run in Analysis Corp.’s network.
In a typical production setup an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project.
The run function passes the enrollment tickets as variables of the run scripts provisioning Bank Corp.'s network and Analysis Corp.'s network.
Bank Corp
First, the bank_corp/run.sh
script creates a network to host the database:
We create a VPC and tag it.
We create an Internet gateway and attach it to the VPC.
We create a route table and create a route to the Internet via the gateway.
We create two subnets, located in two distinct availability zones, and associated to the route table.
We finally create a security group so that there is:
And one ingress to Postgres from within our two subnets.
Then, the bank_corp/run.sh
script creates a RDS database:
This requires a subnet group.
Once the subnet group is created, we create a database cluster an a database instance.
We are now ready to create an EC2 instance where the Ockam outlet node will run:
We select an AMI.
We start an instance using the AMI above and a start script based on
run_ockam.sh
where:ENROLLMENT_TICKET
is replaced by the enrollment ticket created by the administrator and given as a parameter torun.sh
.POSTGRES_ADDRESS
is replaced by the database address that we previously saved.
When the instance is started, the run_ockam.sh
script is executed:
We then create an Ockam node:
With a TCP outlet.
A policy associated to the outlet. The policy authorizes identities with a credential containing the attribute postgres-inlet="true".
With a relay capable of forwarding the TCP traffic to the TCP outlet.
Analysis Corp
First, the analysis_corp/run.sh
script creates a network to host the nodejs application:
We create a VPC and tag it.
We create an Internet gateway and attach it to the VPC.
We create a route table and create a route to the Internet via the gateway.
We create a subnet, and associated to the route table.
We finally create a security group so that there is:
And One SSH ingress to download and install the nodejs application.
We are now ready to create an EC2 instance where the Ockam inlet node will run:
We select an AMI.
We start an instance using the AMI above and a start script based on
run_ockam.sh
where:ENROLLMENT_TICKET
is replaced by the enrollment ticket created by the administrator and given as a parameter torun.sh
.
The instance is started and the run_ockam.sh
script is executed:
We then create an Ockam node:
With a TCP inlet.
A policy associated to the inlet. The policy authorizes identities with a credential containing the attribute postgres-outlet="true".
We finally wait for the instance to be ready and install the nodejs application:
The app.js file copied to the instance (this uses the previously created
key.pem
file to identify).
Once the nodejs application is started:
It creates a database table and runs some SQL queries to check that the connection with the Postgres database works.
Recap
We connected a nodejs app in one virtual private network with a postgres database in another virtual private network over an end-to-end encrypted portal.
Sensitive business data in the postgres database is only accessible to Bank Corp. and Analysis Corp. All data is encrypted with strong forward secrecy as it moves through the Internet. The communication channel is mutually authenticated and authorized. Keys and credentials are automatically rotated. Access to connect with postgres can be easily revoked.
Analysis Corp. does not get unfettered access to Bank Corp.’s network. It gets access only to run queries on the postgres server. Bank Corp. does not get unfettered access to Analysis Corp.’s network. It gets access only to respond to queries over a tcp connection. Bank Corp. cannot initiate connections.
All access controls are secure-by-default. Only project members, with valid credentials, can connect with each other. NAT’s are traversed using a relay and outgoing tcp connections. Bank Corp. or Analysis Corp. don’t expose any listening endpoints on the Internet. Their networks are completely closed and protected from any attacks from the Internet.
Cleanup
To delete all AWS resources:
Last updated