Performance of AWS RDS <-> Wireguard bastion <-> Fly Private Networking

1

I’m trying to decide if I should be deploying my Hasura instances (and possibly Postgres read replicas) via fly or via AWS.

I’d personally prefer fly, but then I need to sort out how fly gets access to my AWS VPC where my RDS instance is running. Based on my research that seems like it’s via a Wireguard bastion host that I deploy in AWS.

Adding a hop like this seems like it would be a bottleneck (for both bandwidth and latency) as well as a single point of failure. But perhaps that’s not a problem in practice?

Does anyone here have real world experiences with a setup like this? How has it turned out?

2

This will work great in some AWS regions, and less great in others. In us-east-1, for example, it should work well because we’re <1ms away from AWS. In other regions latency is higher. The gateway is definitely another moving part to manage, though.

As much as I want you to use Fly for all the things, I would probably run Hasura on the same infrastructure as my database.

3

Well once postgres is dialed in (and closer to fully managed), I’ll experiment with moving this entire part of the stack over to fly. :slight_smile:

1 Like
4

Soon! We’re working on Postgres full time now, there have been vast improvements in the last couple of weeks.

5

@ajbouh did you ever get this working? If so, what kind of latency do you experience? I’m trying to do similar in Fly.io + RDS & Elasticache - #5 by nate-dwell.

6

No, sadly. I decided to keep things that needed direct access to RDS inside of AWS.

7

@kurt which fly region is 1ms away from AWS?

8

That would depend on the AWS region, for example, our iad region is the closest to us-east-1 since it’s all in Virginia.

9

I just set up wireguard using the config from GitHub - fly-apps/rds-connector: Trivial Terraform example for a WireGuard peer to RDS. My app is in fly:iad and I’m in us-east-1

iex> :timer.tc(fn -> Super.Repo.query("SELECT 1") end)    |> elem(0) |> Kernel./(1_000)
7.259

I’m seeing ~7ms total round trip for my query. Originally I accidentally created everything in US Ohio and round trip was 30ms.

1 Like
10

Hey @sb8244

We’re trying to do the same, but I’m unable to connect my fly app to the ec2 peer… what ip / hostname are you using? My fly app → peer connection string looks something like:

DATABASE_URL=postgres://<user>:<pass>@<fly-app-name>._peer.internal:5432

Does this look similar to what you used? I can connect using the above string from my local machine in the wireguard VPN, but not from a fly app :thinking:

11

My connect string looks like: postgres://USER:PASS@pgbouncer._peer.internal:6432/db_name. The pgbouncer name is based on the wireguard config that I setup for ec2 to use. I chose to use 6432 but I think the default would be 5432. I picked 6 to make it very clear that it’s not a normal postgres connection.

When you use wireguard, you’re effectively operating on a private network. So your app will never reference an IP or external DNS name.