Setting up Datomic Cloud in an existing VPC


#1

Hello all,

I’m trying to introduce Datomic Cloud into an enterprise environment. My coworkers are interested, but there are some security/compliance constraints in place that limit the amount of things we can do in our AWS account. These include:

  • We cannot create our own VPC
  • We must use provided subnets
  • Internet traffic from the VPC has to go through a forward proxy
  • We might be required to use specific hardened AMIs

I have looked through the CloudFormation template to see if it can be tweaked for our specific environment. My questions would be:

  • Is manually altering the CloudFormation templates a reasonable solution?
  • What can be adjusted to ensure Datomic will run properly?
  • Can we ask for a support team to help us set it up for our specific environment?

I understand this question is a bit loaded, but I’m hoping to have a starting point for us and others wanting to run Datomic in similar enterprisey infrastructures.


#2

We would be happy to discuss some of these particulars with you, however several of them are likely to be difficult, if not impossible, to resolve.

In particular, the Datomic Cloud AMI is generated by AWS Marketplace and handles hourly monitoring for billing purposes and can’t be altered.

The reason Datomic creates a new VPC is to ensure that settings and configurations are correct for the proper functioning of the system. You may be able to manually adjust the CFTs to achieve your desired deployment, but your resulting system will likely be incompatible with straightforward “Update Stack” upgrades to future releases of Datomic.

Datomic’s deployment model is designed to follow AWS’ best practices regarding security and isolation, including isolating the Datomic system in a separate VPC and managing all incoming traffic to that VPC. Datomic’s defaults may be a good fit for a security-conscious system; would it be possible to evaluate the possibility of using it as-is?