With Ceramic being more open source, we figured we should share how we run our Ceramic nodes to help explain how we secure traffic.
We run what we refer to as a “Ceramic Cluster”. This means that each set running ComposeDB has a primary node running Ceramic, a second node running IPFS, and a third node that runs Postgres. This allows us to spread the load across the machines and ensure that each piece has what it needs to operate.
Each customer’s cluster gets its own VPC. This allows us to control all of the traffic going in and out and ensure that all of their nodes can talk to each other appropriately. It also allows us to prevent unintended crosstalk between different customers’ nodes.
We use Cloudflare for all of our ingress needs. We leverage tunnels for both speed and security. This lets us run all of the traffic over 443 with an SSL certificate. It also lets us block more ports on the incoming firewall and prevent unintended access over anything else, and it gives us a greater amount of DDoS protection that we can pass on to our clients.
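One way to check that a rule set actually matches the per-customer VPC isolation and 443-only ingress described above is to audit the inbound rules (an added example, not our production tooling). The cluster names, CIDRs, ports and rule list are constructed sample data, and `audit` is a hypothetical helper.

```python
from ipaddress import ip_network

# Constructed sample data: one VPC CIDR per customer cluster.
VPCS = {"cust-a": "10.10.0.0/16", "cust-b": "10.20.0.0/16"}

# Constructed inbound rules: (cluster, node, source CIDR, destination port).
RULES = [
    ("cust-a", "ceramic",  "10.10.0.0/16", 7007),
    ("cust-a", "ipfs",     "10.10.0.0/16", 5001),
    ("cust-a", "postgres", "10.10.0.0/16", 5432),
    ("cust-b", "ceramic",  "0.0.0.0/0",    443),   # ingress on 443: allowed
    ("cust-b", "postgres", "0.0.0.0/0",    5432),  # database open to any source
    ("cust-b", "ipfs",     "10.10.0.0/16", 5001),  # source is cust-a's VPC
]


def audit(rules, vpcs, public_ports=frozenset({443})):
    """Return (cluster, node, port, reason) for every rule that breaks the model.

    Assumed model: nodes accept traffic from their own VPC on any port,
    never from another customer's VPC, and from outside only on public_ports.
    """
    findings = []
    for cluster, node, source, port in rules:
        src = ip_network(source)
        if src.subnet_of(ip_network(vpcs[cluster])):
            continue  # intra-cluster traffic inside the customer's own VPC
        # A source range that sits inside a different customer's VPC is crosstalk.
        peers = [name for name, cidr in vpcs.items()
                 if name != cluster and src.subnet_of(ip_network(cidr))]
        if peers:
            findings.append((cluster, node, port, "crosstalk:" + ",".join(peers)))
        elif port not in public_ports:
            findings.append((cluster, node, port, "external"))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES, VPCS):
        print(finding)
```

Run against an export of real firewall rules, an empty result means every inbound rule is either intra-VPC or external traffic on 443.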
Managing all of these nodes can be difficult. We leverage a lot of Ansible to help automate various workflows within our systems. This allows us to ensure that clients are always up to date and ensure that machines are always secure.
This is how we manage Ceramic Clusters for clients. We are constantly evaluating how we manage them to try to keep them as secure as possible. If you are interested in a cluster, check out our main page to sign up: hirenodes.io