I have one web application that is deployed on the cloud. This web application needs to access 3 Postgres databases, located in 3 different locations (let's call them client systems).
So one day, I met with this guy, who is very experienced and senior to me. He gave me the following solution:
- Install OpenVPN on Raspberry Pi
- Put this Raspberry Pi in the network (behind the firewall, he said) where Postgres database server is installed.
- Access Postgres databases via VPN from cloud.
Now I am wondering why I need to do this when I can access all 3 databases by just doing port forwarding from client systems.
Am I missing something?
A database connection is a very critical part of any infrastructure as it usually contains much more data than the clients can/should see. You want to protect this as much as possible, which means that you want to prevent anyone from even attempting to connect to it and also want to completely encrypt the traffic so no one can eavesdrop on it, and optimally you don't want anyone to know that the database is even there.
A VPN is a very good option to achieve all these goals, but it is not necessarily the only option, depending on the specific situation. Should you mean SSH port forwarding in your question, this is certainly another option, but then you have to take care to re-establish the connection if it breaks for whatever reason, e.g. with something like `autossh`.
Also, I think it's debatable whether you would really want to use something as unreliable and slow (hardware-wise) as a RasPi to protect your production network, but you can use any other VPN software/hardware combination anyway.
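The SSH port-forwarding option from the answer above, as an added example that is not part of the original answer: one `autossh`-supervised tunnel per client site, each bound to loopback on the cloud host. The gateway hostnames, the `tunnel` account and the local ports are hypothetical, and it assumes sshd runs on each database server with Postgres listening on 127.0.0.1:5432 there.

```shell
#!/bin/sh
# Added example: one autossh-supervised SSH tunnel per client-site Postgres server.
# Gateway hostnames, the "tunnel" account and local ports are hypothetical.

# site name | SSH gateway at the client site | local port on the cloud host
SITES="
site-a|gw.site-a.example|15432
site-b|gw.site-b.example|15433
site-c|gw.site-c.example|15434
"

# Print the autossh command line for one site: tunnel_cmd <gateway> <local-port>
tunnel_cmd() {
    # -M 0 disables autossh's monitor port; SSH keepalives detect a dead link.
    # ExitOnForwardFailure makes ssh exit (and autossh retry) if the forward fails.
    # The listener binds to 127.0.0.1 so only the cloud host itself can use it.
    printf '%s %s -L 127.0.0.1:%s:127.0.0.1:5432 tunnel@%s\n' \
        'autossh -M 0 -N -o BatchMode=yes -o ExitOnForwardFailure=yes' \
        '-o ServerAliveInterval=30 -o ServerAliveCountMax=3' "$2" "$1"
}

# Print one command per configured site; fail if two sites share a local port.
all_tunnel_cmds() {
    seen=" "
    while IFS='|' read -r name gateway lport; do
        [ -z "$name" ] && continue
        case "$seen" in
            *" $lport "*) echo "duplicate local port $lport ($name)" >&2; return 1 ;;
        esac
        seen="$seen$lport "
        tunnel_cmd "$gateway" "$lport"
    done <<EOF
$SITES
EOF
}

# Start the tunnels only when run as "script start"; otherwise just define functions.
if [ "${1:-}" = "start" ]; then
    all_tunnel_cmds | {
        # AUTOSSH_GATETIME=0: keep retrying even if the first connection fails.
        while read -r cmd; do AUTOSSH_GATETIME=0 $cmd & done
        wait
    }
fi
```

The application then connects to `127.0.0.1` on ports 15432 to 15434, and only the SSH port has to be reachable at each client site, ideally restricted to the cloud host's address and key-based login.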