I want to run a simple Ruby Rack app (a REST API) that takes Internet requests (from iPhone clients), talks to a PostgreSQL database, and responds with JSON.

How exactly should I set this up on Amazon Web Services (AWS)?

  1. I want the app to be able to scale to serve a growing number of clients, so I think I should use Auto Scaling with Elastic Load Balancing.

  2. Should I use Elastic Beanstalk or manually set everything up myself?

    How does the question Manual deployment vs. Amazon Elastic Beanstalk apply when setting up a Ruby Rack server with PostgreSQL?

  3. Default vs Custom VPC

    Should I just use the default VPC and use security groups to prevent direct Internet access to the EC2 & DB instances? Or, should I create a custom VPC and use private subnets, as described in Example: Launching an Elastic Beanstalk in a VPC with Amazon RDS?

ma11hew28

1 Answer

Using the concept of public and private subnets adds a fantastic layer of security to your AWS application. By placing your database and application server instances in private subnets you can by design protect them from external penetration and accidental exposure.

I would recommend that you start by provisioning a VPC in 2 AZs with 1 public and 1 private subnet in each Availability Zone (4 subnets in all).

Place a NAT instance in each public subnet and update the main route table for your private subnets to send all non-VPC traffic to the NAT. This will allow instances launched into your private subnets to communicate with the WAN Internet even though they are not publicly addressable themselves.

I would recommend that you use a Multi-AZ RDS deployment for your Postgres deployment with the RDS instances in your private subnets within each AZ. This will maximize security (Postgres is not publicly accessible) and will provide you with fault tolerance (an AZ failure will not take down your app).

I would set up your Ruby app on Elastic Beanstalk. This will provide you with fault tolerance and auto-scaling. Your Elastic Beanstalk load balancers will reside in the public subnet of each AZ and your Elastic Beanstalk EC2 instances will reside in the private subnets.

Dave Maple
  • Thank you, Dave. :-) It's a simple Rack app, and I'm not sure [how to configure Puma for Amazon EC2](http://serverfault.com/q/827439/63749). – ma11hew28 Jan 21 '17 at 18:08
  • This step by step tutorial should get your rails app with puma up and running: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_Ruby_rails.html Give it a try and let us know if you run into issues. – Dave Maple Jan 21 '17 at 18:42
  • I see that. My app isn't a Rails app. It's just a plain Rack app. I also saw the article "[Deploying a Sinatra Application to AWS Elastic Beanstalk](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_Ruby_sinatra.html)," but it didn't say anything about configuring Puma. I'll give it a try though. Thank you. – ma11hew28 Jan 21 '17 at 19:18
  • Here's the generic Ruby documentation: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_Ruby.container.html. Puma and Passenger are both supported. – Dave Maple Jan 22 '17 at 10:46
  • I guess Puma is supported in Elastic Beanstalk. This link can also help: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.platforms.html#concepts.platforms.ruby Search for "Puma" to avoid headache (Ruby is last, you see). – OpsEco Jan 23 '17 at 08:01
  • In the interest of saving money, is the NAT Gateway necessary? Why not just keep things simple and deploy my Elastic Beanstalk application to the default VPC and just secure the EC2 & RDS DB instances with security groups, instead of a private subnet? – ma11hew28 Jan 24 '17 at 00:50
  • The short answer is yes -- you can do that to save money @mattdipasquale. There are some security advantages to private subnets; see here for a good explanation: http://stackoverflow.com/questions/22188444/why-do-we-need-private-subnet-in-vpc – Dave Maple Jan 24 '17 at 00:57
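The layout the answer describes (load balancer in the public subnets, app instances in the private subnets, RDS reachable only from the app tier) expressed as an Elastic Beanstalk `.ebextensions` option-settings file. This is an added example, not code from the thread or from AWS; every `vpc-`, `subnet-` and `sg-` value is a placeholder, and the RDS instance and its security group are assumed to have been created separately, outside the Beanstalk environment.

```yaml
# .ebextensions/vpc.config (constructed example; every vpc-/subnet-/sg- ID is a placeholder)
option_settings:
  aws:ec2:vpc:
    VPCId: vpc-PLACEHOLDER
    # Application instances live in the private subnet of each AZ ...
    Subnets: subnet-PRIVATE-AZ-A,subnet-PRIVATE-AZ-B
    # ... while the load balancer lives in the public subnet of each AZ.
    ELBSubnets: subnet-PUBLIC-AZ-A,subnet-PUBLIC-AZ-B
    ELBScheme: public
    # No public IP on app instances; their outbound traffic goes through the NAT
    # in the public subnet (the private route table's 0.0.0.0/0 target).
    AssociatePublicIpAddress: false
  aws:elasticbeanstalk:environment:
    EnvironmentType: LoadBalanced
  aws:autoscaling:asg:
    # Spread the Auto Scaling group over both AZs so one AZ failure does not take the app down.
    Availability Zones: Any 2
    MinSize: 2
    MaxSize: 6
  aws:elasticbeanstalk:application:environment:
    RACK_ENV: production
    # DATABASE_URL (host = the Multi-AZ RDS endpoint) is set on the environment itself,
    # not committed here, so the Postgres password stays out of the repository.

Resources:
  # Open PostgreSQL on the database's security group (created with the RDS instance,
  # outside this environment) to the Beanstalk instance security group only.
  # AWSEBSecurityGroup is the logical name Beanstalk gives that instance group.
  AppToDbIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: sg-DB-PLACEHOLDER
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      SourceSecurityGroupId: { "Ref": "AWSEBSecurityGroup" }
```

With this in place nothing in the database group references 0.0.0.0/0, so Postgres is reachable only from the app tier, and the app instances have no inbound path from the Internet because their subnets route through the NAT rather than an Internet gateway. The check to run after deployment is to list both groups' ingress rules and confirm that 5432 appears only with the instance group as its source and that the instance group accepts traffic only from the load balancer's group.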