How will we deploy? - Githubissues

lloyd / mozilla-idp

Persona support for mozilla.{org,com} email addresses. An LDAP <-> Persona IdP bridge!

2 stars 2 forks source link

How will we deploy? #3

Closed lloyd closed 11 years ago

lloyd commented 11 years ago

Awsboxen might work really well. Suggest:

2 US regions (east/west coast), 1 european region. 2 m1.small per region, 1 ELB, and autoscaling, because it's easy.

How will we generate AMIs from code? What exactly will cloudinit do to hydrate? (if we use awsbox, this is simply to populate /home/app/config.json)

mostlygeek commented 11 years ago

A few things (just brain dumping) mostly questions.

Are we replicating our LDAP auth stuff into AWS or accessing current systems through an encrypted link?
I think we should go multi-AZ (and not Multi-region) for now. Easier to accomplish, less indirection, and a pattern we already have in production.
+1 for an ELB + Amazon Route53 or hiding some of the ugly CNAMEs.
-1 for Auto-scaling groups. I can't see return on investment on the admin/ops overhead.
I can step up for the generating AMIs from code / automating deployments.

lloyd commented 11 years ago

I'd like to start with encrypted link with ldap over LAN. It's safer and easier. The concerns others have are around HA. I have ideas here.

Really attached to multi region, here's why.

This server is stateless, and crazy simple. Zero server to server traffic inter region.
Multi region is higher availability.
Lower latency for mozillians everywhere
Costs virtually nothing.
Mitigates (perceived) fragility of ldap over wan.

Agree, Screw auto scaling. We could handle all the traffic on an m1.small. Only reason for multiple instances is HA.

lloyd commented 11 years ago

5 stars (obviously)

mostlygeek commented 11 years ago

You mean LDAP over encrypted WAN (like public internet) connection?

For multi-region

most of this stuff depends on the above, WAN vs LAN
WAN latency will likely be quite a big hit to the overall perceived performance. We can revisit this
I'm good w/ just doing HA across regions. Likely we'll use DNS geo-location/failover to accomplish both lower latency/HA.

Notes on performance / latency

this isn't important for launch, just capturing notes
my gut says the WAN LDAP lookup will be > 300ms.
client -> AWS server will be < 100ms (average)
for best performance optimizing the WAN link is lowest hanging fruit
let's test w/ real people to see if they think it is a) too slow, b) acceptable

Fragility of LDAP over WAN

Can you elaborate a bit on this?

lloyd commented 11 years ago

You mean LDAP over encrypted WAN (like public internet) connection?

yeah!

let's test w/ real people to see if they think it is a) too slow, b) acceptable

hell yeah!

Fragility of LDAP over WAN

in the meeting we had with all interested parties at mozilla, several people were uncomfortable with LDAP over WAN and wanted to optimize this without trying it first. I think we should first deploy with LDAP over LAN and turn on monitoring and only optimize if there is a problem (link falls down, or latency is unbearably high).

lloyd commented 11 years ago

moving conversation to mozilla/vinz-clortho#16