...

  • The inner layer is the central database (and optionally Deltares Open Archive).
  • The middle layer consists of the Delft-FEWS components that communicate directly with the database using encryption.
  • The third layer (optional) is a reverse proxy to the database that can be accessed externally.
  • The outer layer is the bastion host (optional).

Installation of Operator Clients

| Non-exhaustive list of options | Remarks |
|---|---|
| database http proxy using SSL | |
| Azure Virtual Desktop | only in Azure |
| ssh + mobaxterm | |

Use of managed services

There is no actual requirement for the Delft-FEWS components to use managed services. Managed services can be used as long as performance is not affected. As an example, customers that use SQLServer database replication between different geographical locations reported database timeouts. In response, we have adjusted our database indexes and reconnection strategy. Since we expect Delft-FEWS users to add many more simultaneously running Forecasting Shell servers in the future, we foresee more challenges in this area. It is much better not to use the automated placement of database indexes.

How to deal with (incoming, outgoing) data feeds

  1. For file-based imports, use Network File Service (NFS) or Windows shares.
  2. For server imports serving public data, FTP / HTTP can be used (encryption would provide unnecessary overhead). Other services that need passwords should use a secure connection / HTTPS.
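
The rule in item 2 can be checked mechanically over a list of import feeds. The following is an added example, not part of the original page or of Delft-FEWS; the feed dictionary layout, names and example.org hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes that carry credentials in cleartext vs. over an encrypted channel.
PLAINTEXT = {"ftp", "http"}
ENCRYPTED = {"https", "ftps", "sftp"}

def audit_feed(feed):
    """Return a finding for one feed, or None if it follows the rule.

    `feed` uses a hypothetical layout (name, url, optional user/password);
    it is not a Delft-FEWS configuration format.
    """
    parts = urlsplit(feed["url"])
    scheme = parts.scheme.lower()
    # Credentials may be separate fields or embedded as user:pass@host.
    has_creds = bool(feed.get("user") or feed.get("password")
                     or parts.username or parts.password)
    if scheme not in PLAINTEXT | ENCRYPTED:
        return f"{feed['name']}: unrecognised scheme '{scheme}', review manually"
    if has_creds and scheme in PLAINTEXT:
        return f"{feed['name']}: credentials sent over plaintext {scheme}"
    return None  # public data over ftp/http, or any feed over an encrypted scheme

def audit_feeds(feeds):
    """Collect the findings for every feed that needs attention."""
    return [finding for finding in map(audit_feed, feeds) if finding]

# Constructed sample feeds.
SAMPLE_FEEDS = [
    {"name": "public-rainfall", "url": "ftp://data.example.org/rain/"},
    {"name": "partner-levels", "url": "http://api.example.org/levels",
     "user": "fews", "password": "placeholder"},
    {"name": "embedded-creds", "url": "ftp://fews:placeholder@ftp.example.org/in/"},
    {"name": "secure-forecast", "url": "https://api.example.org/fc",
     "user": "fews", "password": "placeholder"},
    {"name": "local-drop", "url": "file:///mnt/import/"},
]

if __name__ == "__main__":
    for finding in audit_feeds(SAMPLE_FEEDS):
        print(finding)
```

Feeds with credentials embedded in the URL are flagged the same way as feeds with separate user and password fields, since both end up on the wire unencrypted over ftp or http.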

Important cost variables

The estimated cost of a basic/medium-sized Delft-FEWS system in the cloud is around 12k€ - 15k€. Many cloud providers offer a "cloud calculator" to calculate the expected cost upfront, e.g. the Azure calculator. The estimate differs per Delft-FEWS system.

...

High Availability, Disaster Recovery, performance

Installation of Operator Clients

...

Security

Securing your cloud assets requires continuous investment in keeping your containers safe. An infamous example of misconfigured Kubernetes is Tesla's unsecured admin console for a Kubernetes cluster (Lessons from the Cryptojacking Attack at Tesla). This led to malicious actors getting hold of credentials for Tesla's wider AWS environment, which they used for cryptomining. Tesla highlighted that it was "only" a test instance, but this incident shows why it is really important to secure both production and pre-production resources as far as possible.

...

Deltares has successfully completed Delft-FEWS projects with Azure ARM templates and AWS Elastic Beanstalk. For practical reasons, we will keep our requirements / installation instructions as cloud neutral as possible.

...

Getting started with Kubernetes

Deltares has done several migrations and implementations of Delft-FEWS in the cloud. Microsoft Azure is the most popular provider among the community, but Delft-FEWS will run in any cloud environment.
Based on our experience with successful migrations and implementations like MDBA (link), we drafted a "how to get started" bullet list.

...