Hosting & Domaining Forum

Topic started by: Michelangelos on Jun 27, 2022, 11:06 AM

Title: Infrastructure Network Security
Post by: Michelangelos on Jun 27, 2022, 11:06 AM
By the end of March, our SaaS will be launched while relying on OVH as our infrastructure provider. They suggested a complicated infrastructure plan including separate servers for DB, application, and a network firewall. Our stack is composed of .NET Core for backend, TypeScript for front end, and MySQL for DB. For development testing, we are currently using a single server with a Windows-based machine that has IIS for hosting both the API and front end.

We have a few questions regarding our setup:

1) Since OVH offers an effective Anti-DDoS protection, do we need a third-party DDoS protection?
2) Is a network firewall necessary or will the OS-based firewall and security groups suffice for now?
3) Though we currently find it more efficient to have the DB on the same server, would it be better to have a separate server for the database? This would require setting up a private network and vRack, which may require the assistance of a dedicated infrastructure expert. At the moment, we anticipate fewer than 50 users using our application.
Title: Re: Infrastructure Security
Post by: metallexportprom on Jun 27, 2022, 11:22 AM
1. OVH provides effective Anti-DDoS protection, but for layer 7 attacks it's recommended to have third-party protection.
2. Based on your initial period needs, a network firewall may not be necessary. A software firewall and security group should suffice.
3. It's actually better to have separate servers for the application and database. This will enhance performance.

Please note that this requires setting up a private network, vRack, and several configurations which may necessitate the input of an infrastructure specialist. You can allow DB connection from the application server or use VPN tunnelling to connect the two servers.
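
A host-firewall version of "allow DB connection from the application server", as an added example that is not part of the post above. It assumes the database server runs Windows Server with MySQL on its default port; the IP addresses are placeholders for the private (vRack) addresses.

```powershell
# Added example: run in an elevated PowerShell session on the database server.
# The addresses are placeholders for private (vRack) IPs; 3306 is MySQL's default port.
$AppServerIp = '192.168.10.11'   # assumed: application server, private side
$DbPrivateIp = '192.168.10.21'   # assumed: this database server, private side
$MySqlPort   = 3306

# 1. Confirm the firewall is on for every profile. Inbound traffic that matches
#    no allow rule is dropped when DefaultInboundAction is Block or NotConfigured.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. List enabled inbound allow rules that already name the MySQL port, with
#    their remote scope. A rule showing RemoteAddress 'Any' exposes the port to
#    every network the server is attached to and should be disabled.
#    (Rules defined with a port range or 'Any' port are not matched here.)
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$MySqlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }

# 3. Allow MySQL only from the application server, only on the private address.
New-NetFirewallRule -DisplayName 'MySQL from app server only' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalAddress $DbPrivateIp -LocalPort $MySqlPort `
    -RemoteAddress $AppServerIp -Profile Any

# 4. Check which address MySQL listens on. 0.0.0.0 or :: means all interfaces;
#    setting bind-address to the private IP in my.ini narrows it at the service.
Get-NetTCPConnection -LocalPort $MySqlPort -State Listen |
    Select-Object LocalAddress, LocalPort

# 5. Verify from both sides: run this on the app server (TcpTestSucceeded should
#    be True), then from a host outside the private network against the server's
#    public address (should be False).
Test-NetConnection -ComputerName $DbPrivateIp -Port $MySqlPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```
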
Title: Re: Infrastructure Security
Post by: kotowicz on Jun 27, 2022, 11:31 AM
For a production money-making operation, it's crucial to start with a highly available and decoupled system. It's advised to utilize a third party for DDoS protection and to avoid relying on only one hosting provider. Running your SaaS out of multiple physical locations is vital, so ensure your platform can run from a minimum of three locations.

Separate your database servers, making them privately accessible while setting up VPN if necessary. Your primary database server should send data to at least two replicas in each of the other locations. Make sure your application server is scalable, allowing you to scale up or down by adding more instances in various locations. Your API servers should also be independently scalable. Create a monitoring cluster accessible internally, where you can view dashboards, reports, and see your SIEM.

Establish a backup cluster to store backups regularly and archived logs. Consider a hybrid approach to gain the benefits of the cloud, enabling better scalability and saving costs by paying only for what's used. Finally, use a service to keep backups offsite and offline, ensuring only privileged admins can access them during emergencies.
Title: Re: Infrastructure Network Security
Post by: icellular01 on Jul 25, 2023, 02:44 AM
Regarding your questions:

1) If OVH offers effective Anti-DDoS protection, it is generally not necessary to have a third-party DDoS protection. However, it's always a good idea to evaluate the specific features and capabilities of OVH's DDoS protection to ensure it meets your needs.

2) A network firewall can provide an additional layer of security for your infrastructure. While OS-based firewalls and security groups can provide some level of protection, a dedicated network firewall can offer more advanced features and customization options. It is advisable to assess the specific requirements and potential risks of your application before deciding whether a network firewall is necessary at this stage.

3) Having a separate server for the database can provide benefits in terms of scalability, performance, and separation of concerns. By setting up a private network and vRack, you can enhance the security and isolation of your database server. While having the DB on the same server may be efficient for development testing, it is recommended to consider separating them in a production environment, especially if you anticipate growth in the number of users. Engaging a dedicated infrastructure expert can help ensure a smooth setup and configuration of the separate server and private network.
Title: Re: Infrastructure Network Security
Post by: bababhuvaneshus on Aug 08, 2023, 04:26 AM

Infrastructure network security involves safeguarding the foundational components of a network to prevent unauthorized access, data breaches, and cyberattacks. It encompasses implementing firewalls, intrusion detection systems, and encryption protocols to protect network traffic and sensitive data. Regular security audits and vulnerability assessments are crucial to identify and address potential weaknesses in the infrastructure. Network segmentation, strong authentication methods, and access controls contribute to minimizing security risks. Overall, a robust infrastructure network security strategy is essential to ensure the confidentiality, integrity, and availability of network resources.
Title: Re: Infrastructure Network Security
Post by: BadasabeatE on Feb 26, 2025, 01:22 AM
Relying solely on OVH's Anti-DDoS might seem convenient, but it's a gamble. What if they experience a failure? It's better to have a backup plan in place. The OS-based firewall is a basic measure; you're playing with fire if you think it's enough.

A dedicated network firewall isn't just a luxury, it's a necessity if you want to avoid vulnerabilities. As for your database, keeping it on the same server is shortsighted. You might be fine now, but as you scale, you'll regret not investing in a separate DB server. It's better to set up a vRack now than scramble later.
Title: Re: Infrastructure Network Security
Post by: scopegranites on Apr 30, 2025, 01:17 AM
Infrastructure Network Security involves safeguarding network systems and data from cyber threats. It includes firewalls, VPNs, encryption, intrusion detection, access control, and regular updates. These measures protect data integrity, prevent unauthorized access, and ensure reliable network performance and security.
Title: Re: Infrastructure Network Security
Post by: onlinetutorsgroup on Nov 20, 2025, 05:03 AM
Great topic. I'd lean toward using a third-party DDoS solution in addition to OVH's protection, and separating your DB server now. It'll pay off when scaling.