# sst

Question

What are some recommendations for using RDS with serverless technologies like SST? Should a VPN be used or is there an alternative? Is it possible to use ORM with data-api in AWS? What are the considerations for using a VPC for lambdas and RDS, and are there any alternatives?

Answer

For using RDS with serverless technologies like SST, several options came up in the thread. One is to keep the functions inside the VPC and reach the database from a developer machine over a VPN (or over an SSH tunnel through a small jump box, which is just port forwarding: the local function connects to localhost and the traffic is forwarded to the RDS endpoint). This works, but the VPN side is tricky to set up and is extra infrastructure to manage. Another option is the RDS Data API (available for Aurora clusters), which sends SQL over HTTPS authenticated with IAM and reads the database credentials from a Secrets Manager secret, so a Lambda function can reach the cluster without being attached to the VPC at all. The trade-offs are that results come back as column metadata plus arrays of typed field objects that need flattening, and ORM support for the Data API is limited (Prisma was reported as uncertain about supporting it).

Putting Lambdas and RDS in a VPC adds operational overhead, and the view in the thread is that it offers no added security boundary over fully managed services gated by IAM auth. If functions in a VPC need to reach the internet or public AWS endpoints, they need a managed NAT gateway, which is billed per hour regardless of traffic (at least about $60 a month, per the thread) rather than per invocation; interface VPC endpoints for the AWS services the function calls avoid the NAT but are billed hourly as well. For local development only, two cheaper alternatives were suggested: run a local Postgres or MySQL, or conditionally place the dev-stage RDS instance outside the VPC (if you do, restrict its security group to known source addresses and keep real data out of it).

Finally, a database designed for serverless access avoids the problem altogether: DynamoDB, or Planetscale if a relational model is still needed. DynamoDB requires changing how you think about a database and has few features out of the box, so things like geospatial queries must be implemented in the application layer or with a library.

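The Data API path described above, as an added example that is not part of the original thread or of SST or AWS code: it builds a parameterized ExecuteStatement request (values travel in the typed `parameters` list and are never interpolated into the SQL string; credentials are referenced by a Secrets Manager ARN rather than embedded in the function) and flattens the columnMetadata/records response into plain row objects, which is the "slightly bizarre structure" the thread mentions. The cluster ARN, secret ARN, table and the sample response are constructed placeholders; the request and response shapes follow the RDS Data API ExecuteStatement documentation. No network call is made.

```javascript
// Added example (not from the thread): build a parameterized RDS Data API
// ExecuteStatement request and flatten its response into plain row objects.
// ARNs, table names and the sample response are placeholders / constructed data.

const CLUSTER_ARN = "arn:aws:rds:us-east-1:123456789012:cluster:example-cluster"; // placeholder
const SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-secret"; // placeholder

// Wrap a JS value in the Data API's typed Field union. Because values are sent
// as parameters, they are never spliced into the SQL text (no injection surface).
function toField(value) {
  if (value === null || value === undefined) return { isNull: true };
  if (typeof value === "boolean") return { booleanValue: value };
  if (typeof value === "number") {
    return Number.isInteger(value) ? { longValue: value } : { doubleValue: value };
  }
  if (typeof value === "string") return { stringValue: value };
  if (value instanceof Uint8Array) return { blobValue: value };
  throw new TypeError(`unsupported parameter type: ${typeof value}`);
}

// Build the ExecuteStatement input for `sql`, which uses :name placeholders.
function buildExecuteStatement(sql, params = {}) {
  return {
    resourceArn: CLUSTER_ARN,
    secretArn: SECRET_ARN,        // credentials live in Secrets Manager, not in the function
    sql,
    parameters: Object.entries(params).map(([name, value]) => ({ name, value: toField(value) })),
    includeResultMetadata: true,  // needed to get columnMetadata (column names) back
  };
}

// Unwrap one Field object into a JS value.
function fromField(field) {
  if (field.isNull) return null;
  if ("stringValue" in field) return field.stringValue;
  if ("longValue" in field) return field.longValue;
  if ("doubleValue" in field) return field.doubleValue;
  if ("booleanValue" in field) return field.booleanValue;
  if ("blobValue" in field) return field.blobValue;
  if ("arrayValue" in field) return field.arrayValue; // nested shape depends on element type
  throw new TypeError(`unrecognised field: ${JSON.stringify(field)}`);
}

// Pair each record's fields with the column names from columnMetadata.
function rowsFromResponse(response) {
  const names = (response.columnMetadata || []).map((c) => c.label || c.name);
  return (response.records || []).map((record) =>
    Object.fromEntries(record.map((field, i) => [names[i] ?? `col${i}`, fromField(field)]))
  );
}

// Constructed sample of what ExecuteStatement returns for
//   SELECT id, email, is_admin, last_login FROM users WHERE id = :id
const SAMPLE_RESPONSE = {
  columnMetadata: [
    { name: "id", label: "id", typeName: "int8" },
    { name: "email", label: "email", typeName: "varchar" },
    { name: "is_admin", label: "is_admin", typeName: "bool" },
    { name: "last_login", label: "last_login", typeName: "timestamp" },
  ],
  records: [
    [{ longValue: 42 }, { stringValue: "alice@example.com" }, { booleanValue: false }, { isNull: true }],
  ],
  numberOfRecordsUpdated: 0,
};

// Assemble the request and flatten the sample response; returns both for inspection.
function demo() {
  const input = buildExecuteStatement(
    "SELECT id, email, is_admin, last_login FROM users WHERE id = :id",
    { id: 42 }
  );
  const rows = rowsFromResponse(SAMPLE_RESPONSE);
  return { input, rows };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real function the `input` object is what you pass to `ExecuteStatementCommand` from `@aws-sdk/client-rds-data`; the function's IAM role needs `rds-data:ExecuteStatement` on the cluster and `secretsmanager:GetSecretValue` on the secret, and nothing about the VPC is involved.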
k
I am evaluating SST vs Serverless Framework. I have used SF successfully on a few projects in the past. I think I prefer SST, especially with its live coding experience and CDK support… however, I'm weighing it against the maturity and community side of SF. Does anyone have strong thoughts one way or another that would help me make this decision in a more informed way? Right now I'm focused on a POC with SST to be sure it is meeting our needs. Any thoughts would be helpful. Also, it might be good to have a dedicated channel or page on this, as I'm sure it's a common concern. Thanks!
a
I’ve decided to move my SLS stack to SST because in the end, it’s using CDK, which is amazing in my opinion, I love the concept/idea.
I work in a company where we have a legacy app, written in PHP, and there are a couple of PHP devs in my team. One of the main complaints is the lack of a reliable local environment. That was another factor in choosing SST. Still, it's not something I've accomplished yet: since we use a VPC for RDS, I need to set up a VPN to have the local environment working, and I couldn't set that up yet.
r
We have some SF projects which we're migrating over to SST. My experience of SF was okay; it worked, but the local development options required serverless-offline (or localstack, but that was very flaky). In terms of getting help with stuff, the main forum is dead; there's a bit of activity in the Slack workspace. SST just makes intuitively much more sense to me. Even though we were using TypeScript to define the stack (I hate YAML), I still found it fiddly and unintuitive. There weren't types for anything non-serverless related, so that was painful. I've found the community here, while obviously smaller right now than for SF, much more helpful and engaging, and the owners are incredibly fast to help or even make changes to the platform to accommodate user requests. With the recent recruitment of Jeremy Daly and the recently announced Serverless Cloud, things might improve and change for SF, but I actually just strongly prefer SST (and CDK)'s way of doing things.
@Adrián Mouly - you could consider using the Data API for RDS instead of a VPC
a
Yeah, but can you use an ORM with data-api?
r
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html "You can also use Data API to integrate Aurora Serverless with other AWS applications such as AWS Lambda, AWS AppSync, and AWS Cloud9. The API provides a more secure way to use AWS Lambda. It enables you to access your DB cluster without your needing to configure a Lambda function to access resources in a virtual private cloud (VPC)."
Not sure on the ORM, although I doubt it. The results that come back are in a slightly bizarre structure. We've pretty much made the decision to migrate our use of RDS to DynamoDB. Sorry @Kevin Baker, we hijacked your thread!
k
I dig it, great to see all the good activity on the thread!
Any major issues I should look out for? I'm trying to get my head around the data access to RDS for live coding… how does that work given that the function is running locally?
a
@Kevin Baker it works with VPN like I said.
You can find more info on the sst site, this is a common challenge for everybody.
f
Hey guys, here's the link to the doc on setting up a VPN that @Adrián Mouly mentioned: https://docs.serverless-stack.com/live-lambda-development#connecting-to-a-vpc
I remember @Dmitry Pavluk mentioned he was using this service called https://tailscale.com for setting up the VPN, and it was a breeze.
a
@Frank this is the client app, right? Do I still need to create a VPN in AWS?
I've looked into creating a VPN in AWS, and it isn't easy; it requires a bunch of steps… I have to check if it can be done with CDK.
t
For RDS I'd recommend just running a local Postgres or MySQL for local development
Or you can conditionally run RDS outside a VPC for dev environments
a
What’s the reason behind it?
Why not just set up a VPN?
t
Just that VPN setup can be tricky and more to manage for local development
a
Oh yeah, from setup side, it’s tricky.
t
This may be more than you want to tackle at once, but as others have mentioned, I'd suggest using a true serverless database. You can do fine with RDS, but it's really fighting against the serverless paradigm. I did a whole prototype with serverless PG and ultimately switched over to Dynamo
Planetscale is a great option if you want to still use a relational DB
k
I've set up a jump box with an SSH tunnel off the local machine before. The Secure Pipes app makes it simple. A jump box isn't exactly serverless though… this is just an alternative to a VPN. https://www.opoet.com/pyro/
a
But well, that also gives us other capabilities; sometimes we want to debug something on the DB and can't connect without a jump box.
@thdxr the problem in that area is how to use an ORM.
@Kevin Baker yeah, my devops team also created a jump box, but it doesn't work for the sst local stack.
t
Why doesn't it work for sst local?
Yeah I was using Prisma at the time and they really were flaky on whether they were putting resources behind supporting Data API so I gave up
a
Well, I'm not sure how to make a jump box work with sst local.
If anybody has an idea of how to use that model.
t
From my understanding you'd be forwarding your local port 5432 (if Postgres), so your function would just have to connect to localhost:5432
This is what I was doing before (except with a docker container instead of forwarding)
k
I haven't set it up yet, but there's no reason it shouldn't work… it's just networking. It makes the local function think it is connecting to a localhost database, or whatever service. It just forwards the network traffic remotely.
a
Ok, makes sense.
t
Another word of warning with using VPCs: your lambdas will need to use a managed NAT, which is billed 24/7 and not in a serverless way. Means at minimum you're paying $60 a month
a
Would be interesting to test that model; I wanted to do a VPN just because it's recommended in the doc.
k
Yeah, I’ll prob try both
If you're in an office with a team, a VPN makes a lot of sense. It's just me and maybe a couple of remote developers, so I'll prob use a tunnel
t
Looking forward, many teams are avoiding VPCs entirely. It creates some operational overhead and doesn't truly offer any added security boundary over using entirely managed services gated by IAM auth
k
Get a free-tier EC2 for a jump box and only use it for this. You can lock down networking via AWS pretty easily too, if you want to testify jump box access, although SSH keys are pretty secure
t
Upstash, Planetscale, Fauna and Dynamo are good options engineered specifically for use with serverless
k
Yeah, I would think Dynamo would maybe need a different solution. I've only used it for Mongo, Postgres and MySQL, and only for local Docker stuff
t
With Dynamo I just use Dynamo up in AWS (although AWS provides local Dynamo as a Docker file)
k
Does Dynamo have geospatial queries? Maybe I'll have another look.
https://www.npmjs.com/package/tunnel-ssh here's another way to set up a tunnel that could be added to the dev setup of a project rather than installing something like Secure Pipes… it's actually just a one-liner in bash if you wanted to go that way too… seems like something that could be set up with a mix of a script command in package.json and a .env var for the database connection string.
t
Dynamo has almost nothing. It requires changing how you think about a database, but I love it
t
The database itself is minimal (but powerful), and you can implement things in the application layer, as this library does
r
@Kevin Baker I haven't used it myself, but there is this for geospatial DDB: https://www.npmjs.com/package/dynamodb-geo
Slack collapsed the thread and I missed your latest post. Looks like you've found the original Java library; not sure what you're working in, but I'll leave this here ^ in case it's useful