1. 1

    Hi, author here. I’m following up this blog post with an eBook on how to do the migration even if you have no AWS experience in your team: https://pawelurbanek.com/heroku-migrate-postgres-rds

    1. 1

      Does Heroku offer network peering with AWS services on other accounts? Or does AWS magically reroute RDS traffic to public IPs via AWS infrastructure? I’m trying to understand why there isn’t a latency penalty since naively routing from Heroku VMs on AWS to a public IP is going to hit the public internet.

      1. 2

        Hi, author here. Honestly I don’t know tech details on how it works. From my experience migrating a medium size client’s application from Heroku addon to RDS, none of the performance measuring tools reported any overhead after the switch.

        Maybe Heroku routing is able to detect that RDS hostname is in the same AWS region and does not go over the public net?

      1. 1

        2FA for SSH sounds great but I can only imagine how cumbersome it must be for using on a daily basis. I’ve recently started permanently locking my SSH ports and only briefly whitelisting them for only my IP with a bash script whenever the access is needed https://pawelurbanek.com/ec2-ssh-dynamic-access

        1. 2

          If you use a U2F hardware key instead of TOTP it’s not cumbersome at all.

          I use a Yubikey 5 Nano which is always in my laptop and use OpenSSH’s native PKCS#11 support to use the Yubikey as a hardware-backed SSH key. I documented how I did it at https://github.com/jamesog/yubikey-ssh.

          (Yubikeys can also do TOTP if you want to use a regular SSH key.)

          1. 1

            I think I read about being able to reuse an SSH connection after it’s established. Something like connection reuse or multiplexing.

            Would surely make using multiple connections much easier after the first one is established.

            1. 1

              Yes, it’s configured using ControlMaster, ControlPath, and ControlPersist. Once you enable ControlMaster a socket is created which future connections will use. Once that’s enabled, if you SSH to a 2FA-enabled server you’ll only have to do that once, as long as the control socket is alive.
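A `~/.ssh/config` stanza wiring up the three options named in the comment above, added here as an example that is not part of the thread; the host alias, hostname and user are placeholders:

```ssh_config
# Added example (not from the thread): multiplexing so a 2FA challenge is
# answered once per master connection. Host alias, HostName and User are
# placeholders.
Host bastion
    HostName bastion.example.com   # placeholder
    User deploy                    # placeholder

    # The first connection becomes the master and creates the control
    # socket; later connections to the same host/user/port reuse it, so
    # only the master is challenged for 2FA.
    ControlMaster auto

    # %C is a hash of %l%h%p%r: it keeps the path short and does not leak
    # user or host names in the socket filename. The directory must be
    # yours alone (mode 0700), because anyone who can open this socket
    # gets an already-authenticated session without touching the 2FA.
    ControlPath ~/.ssh/sockets/%C

    # Keep the master open for 10 minutes after the last session ends.
    # This is the window in which new sessions need no re-authentication;
    # "yes" would keep it open indefinitely, so prefer a bounded value.
    ControlPersist 10m
```

Create the socket directory with `mkdir -m 0700 ~/.ssh/sockets`; `ssh -O check bastion` tells you whether a master is running, and `ssh -O exit bastion` tears it down so the next login is challenged again.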