Totally Private Postgres

We had a comment come in via YouTube and I’m translating it here for visibility to all. The question was:

can you make a video on how to add a service such as a database on the same VPC as the controller/router? I am having difficultly wrapping my head around the entire process. For instance, i have followed this video where i have a provisioned GCP compute instance that has the controller/router installed and on the same subnet I have a Cassandra node. I would like to be able to setup the service, identities and policies to connect to this Cassandra node.

I used postgres as an example and uploaded the video here:

1 Like

Step two is cool (tunneler on db’s instance) in that I can now close all the inbound ports to PostgreSQL.

Similarly, if I deploy an OpenZiti fabric router in between the client-side tunneller and the edge router in my VPC, then can I also close all inbound ports to my VPC (if nothing else requires inbound access), and open outbound only from my edge router towards the fabric router?

Finally, are there agentless options, e.g. SDK or JDBC implementation on the client side so that the solution is agentless zero trust from an end user perspective?

A very cool demo. It inspires me to replicate it for an Oracle db… over the coming weeks.

Checking if anyone has connected up with and Oracle db using SQL Developer. I can see how it could be done with a thin client… but the SQL Developer requires I believe the zitified JBDC driver.

Let me know if you have any tips

You may find this useful… I am still yet to use it… and I will play around with it in the coming weeks

Multi-cloud

Correct. here’s a diagram that shows this setup. (i didn’t put any firewalls that are ‘closed’ on the diagram). OpenZiti is amazing at multicloud/private cloud/private networking for this reason alone in my opinion. Here I show two aws vpc’s but you can see that “vpc 2” could be in azure, google cloud, could be your home network, it literally doesn’t matter.

“Agent-less”

As @markamind suggests - there is indeed “zdbc”. This is a “zitification” which knows how to wrap/poke a JDBC library for use in a zero-trust way. Unfortunately we (OpenZiti) haven’t written this up yet but it’s been on my plan to do for quite some time. There are a couple of good NetFoundry links though. There’s this one and this one too

You can also use an SDK and write code. I have an older youtube video here Zero Trust Postgres - YouTube which you can watch.

2 Likes