CompanyOctober 16, 2020

Get Your Head In the Clouds (Part 2 of 3): Virtual Private Cloud (VPC) Peering Now in DataStax Astra DBaaS

Matt Kennedy
Matt KennedyProduct Strategy, DataStax
Get Your Head In the Clouds (Part 2 of 3): Virtual Private Cloud (VPC) Peering Now in DataStax Astra DBaaS

This week, we announced that DataStax Astra is now available on Amazon Web Services, Google Cloud Platform, and Microsoft Azure. We also launched new features in Astra: Storage-Attached Indexing (SAI), Virtual Private Cloud (VPC) Peering, and support for multi-region databases. 

We talked about SAI in part 1 of 3 in the blog series, “Get Your Head in the Clouds.” Today, we are focusing on VPC Peering.

Now, I don't know a lot about medieval siege warfare (bear with me), but I imagine that if you're going to attack a castle, one of your focal points is going to be the drawbridge. The location of the drawbridge is well-known. After all, the road leads up to it. It's probably made of wood, which is going to splinter and burn a lot better than those stone walls.

This isn't dissimilar to the plight of services that run on the open internet. There is a constant barrage of attackers and miscreants probing and often successfully getting through to wreak havoc. When a service is intended to serve the public, it's a necessary evil. You follow best practices, you make everything as secure as you can, use the best crypto techniques the use case will allow, and you watch that drawbridge, er… port.

However, there are many use cases out there that aren't for public consumption. This is especially true at a large enterprise where some use-cases are for a smaller and easily vetted and controlled population. What if we could just brick over the drawbridge and get in and out some other way? Via a channel that the public can't see, so the riff-raff can't attack it. And for some large enterprises, it's not just riff-raff that we're worried about, it's nation-state level actors that are making targeted attacks.

Effectively, this is what VPC Peering (or Vnet peering in Azure) allows us to do. With a little bit of setup, Astra users can peer the virtual private cloud (VPC) environment where they run their code, to the Astra environment where they store their data. Everything goes over a completely private network connection that isn't accessible to parties that aren't otherwise authorized to be in those VPCs. That dramatically cuts down on the potential attack surface of the connection between Astra and the applications that rely on it.

As far as drawbridges go, the default connection that you get with an Astra database is secure. The Astra Secure Connect Bundle that is custom built for each individual database is used to set up a two-way TLS certificate handshake, which gives your database connection two-factor authentication (cert + username/password) that is application friendly and better than what many VPNs provide. 

But if you're a multi-billion dollar enterprise that has legitimate worries about potential attacks from well-funded entities, why not take the extra step of establishing the VPC Peering connection to Astra as an added measure of risk reduction?

Interested in taking DataStax Astra for a spin? 

Sign up for the free 5GB Astra tier and start building today!

To learn more about DataStax Astra’s architecture and security features, check out this whitepaper


One-stop Data API for Production GenAI

Astra DB gives JavaScript developers a complete data API and out-of-the-box integrations that make it easier to build production RAG apps with high relevancy and low latency.