Hey everyone! I've set up three different VPCs — for development, staging, and production — and created EKS clusters for each. We use Redash to let our developers access databases, but my director wants the production EKS cluster to host Redash and communicate with all of our databases, which means Redash in production would access development, staging, and production environments.
I could set up VPC Peering between production and development, but I'd prefer not to go that route. Initially, I suggested hosting Redash in the development cluster, but he's insisted that having it in production and peering would be simpler.
I tested it, and while it does work, it raises major security concerns for me. Am I overthinking the risks of creating a separate Redash service for each environment? What do you think?
3 Answers
We use a shared services account instead of peering. PrivateLink is how we access resources across VPCs and it works really well for us.
Having your development tools accessing production resources seems like it could be a GDPR violation. It complicates your infrastructure as code (IaC) setup between different environments, making everything harder to maintain and test reliably. Sometimes, you can't avoid it due to costs, but it’s something to consider seriously.
Honestly, I feel the same way. Keeping environments separate is essential. You might want to look into using PrivateLink and endpoint services. They give you more control over who can access what, and I believe they can be used across accounts too, along with being cross-region and cross-VPC.
Yeah, after discussing with my data team, we've decided to keep separate Redash services for each environment since it makes integration with our applications smoother. Thanks for the suggestion!

I'll definitely check out PrivateLink and endpoint services. I've never set them up before, but it's good to know they could help manage accessibility better!