
Ask HN: Setting up/deploying a REST based service – need some help - taurenk
I have developed a service that is REST based, which makes calls to a separate database server. Both of these are currently hosted on digital ocean, as separate servers - probably not best practice.<p>I would like to create a simple website that can show off what I have just created (eventually users will be able to make calls directly or use the site to access data). From what I understand, It seems it would be best practice to put the RESTful engine and the Database behind a VPN - where a user could send calls to the engine and get some results back. I am not sure whether i should put the app server behind the VPN as well.<p>Does anyone have any advice on how to set this up&#x2F;best practices - or if this is even the proper way to do this? I am lagging a bit behind in my web tech skills, so please bare with me if any of this sounds strange. Any help is greatly appreciated!
======
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

~~~
taurenk
Thanks for the help! I definitely was confusing VPN with Shared Private
Networking and VPC. Just started to read up on the AWS VPC and this is exactly
was I needed!

------
rubyn00bie
As the other commenter said, you definitely want the db on a different server.
Hosting the database on your application servers is generally a terrible idea
as the DB will starve for resources.

I'm not in anyway sure why would want a VPN in this case as it's "Virtual
Private Network." Are you trying to anonymize it or protect it from some sort
of local authority? I don't care either way, I just can't figure out the VPN
deal.

Maybe you're talking about setting an "upstream" connection to proxy requests
to? That is to say, you want to set up a load balancer so you can distribute
requests amongst many app servers?

If you can give us more details on the environment (web server, app server, or
your end goal) I'm sure someone here will be happy to fill in the blanks.

~~~
taurenk
So my goal was to take this code I created in Python, and turn it into a REST
engine [Probably via Flask]. The Database Server is running PostgreSQL.

I would like to create an application server that simply takes user input,
call the REST engine and, returns the results in a "pretty" manor.

I am trying to figure out how to deploy this all in the best way, in a hosted
envionment. I suppose i can rephrase: what is the best [and simplest] way to
host a 3 tiered app?

~~~
v_ignatyev
Probably you want to expose REST API to the web application. Everything you
need is just set up domain for your RESTful service and setup CORS settings to
access REST API from application server, no matter where web application
server would be. The database should have no public IP and should be in the
same network as your REST server is. If I were you, I set up for the first
time everything on the same server on EC2 instance for example. Then using
Docker I 'd set up accurate deployment system. Then "scale" it to three
separate servers. You should keep DB on dedicated instance because of
performance and because you probably will need (if so) to use master/slave
replication or kind of scaling.

Don't do it on early stage. Just make it somehow working for the first time,
until existing infrastructure become unstable/laggy.

------
jtchang
Do you mean firewall and not VPN? VPN means something pretty specific.

Separate servers isn't necessarily bad. In fact it is a "best practice".

To get started if you wanted everything on one server:

    
    
      Web server with port 80 and 443 open (apache or nginx).
      Web server proxies to app server (unless you are on PHP)
      App server connects to database on specific port. Port is not exposed to outside world.

~~~
taurenk
Thank you for the tip- still a bit confused (and maybe mixing up terms). If I
wanted to keep the DB and App server on separate servers, would i leave them
out in the open or house them in a private network?

~~~
v_ignatyev
Remove Public IP for DB server. Keep them in one private network. You don't
need VPN. Servers in any data-center are already connected into one network.
You can use iptables to prevent external connections to your DB.

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
pjungwir
These days if you have low traffic you can run everything on one box, but
separating them is more "best practice," so if you've already done that,
congratulations!

The database should not be on a public network or have a public IP address, so
that only the REST app can reach it. (In fact if it were all on a single box,
you'd want the db to bind only to 127.0.0.1.)

Assuming the web pages will contact the REST app via Ajax, the REST app will
need a public IP and should accept connections from anywhere. But if it's the
web _server_ that hits the REST service, then as you say the REST service can
be private like the database.

I think maybe you are saying "VPN" to mean what DO calls "Shared Private
Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an
encrypted tunnel that lets you pretend to be on a LAN even if you are remote,
so that is maybe why some other replies are asking questions about that.

It sounds like you are doing great so far. Good luck with the rest! :-)

------
taurenk
Thanks everyone for the help! I hope to post my site here soon

