Security - Iglu load balancer is public

Hi, when deploying Iglu using the Snowplow Terraform module, Lacework flags terraform-aws-alb/main.tf at main · snowplow-devops/terraform-aws-alb · GitHub as an issue because it’s public. Are there Snowplow components that require this to be public or was this a design decision to make Iglu accessible outside AWS?

Hey @pt-mike,

No, it’s not necessary for Iglu to be available publicly - you can have it live in a private VPC or put whatever other network restrictions in place; the only requirement is that enrich and the transformer/loader can speak to it.

In our prod deployments it’s always in a locked-down network. We do host a public Iglu instance separately ourselves (Iglu Central), but that’s deliberately public as it’s got all common schemas for standard events etc.

I don’t know what the reasoning was to make it public in the Terraform module, but it is a quick start guide, not a recommended production setup. You’ll notice that it also doesn’t have anything to help with scaling etc.

My guess would be that doing it this way was just simpler or involved fewer complications for a first-time user just looking to get a quick start going to experiment.

I don’t know what the impact of making a change would be, but we always welcome GitHub issues to request changes like that.

Hope that’s helpful.

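One way to check a plan for the kind of exposure flagged in the question, added here as an example (not code from the thread or from Snowplow's modules): it walks the JSON produced by `terraform show -json` and reports load balancers that are not `internal` and security-group ingress open to the whole internet. The sample plan, resource addresses and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json plan.out` output (trimmed).
# Resource addresses and names are hypothetical, not taken from the Snowplow modules.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_lb.internal_example", "type": "aws_lb",
     "values": {"name": "enrich-internal", "internal": true}}],
  "child_modules": [{
    "address": "module.iglu_lb",
    "resources": [
      {"address": "module.iglu_lb.aws_lb.lb", "type": "aws_lb",
       "values": {"name": "iglu-lb", "internal": false}},
      {"address": "module.iglu_lb.aws_security_group.lb_sg", "type": "aws_security_group",
       "values": {"ingress": [
         {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
         {"from_port": 8080, "to_port": 8080, "cidr_blocks": ["10.0.0.0/16"], "ipv6_cidr_blocks": []}]}}]}]}}}
""")

ANYWHERE = {"0.0.0.0/0", "::/0"}

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def public_exposure(plan):
    """Return (address, reason) for internet-facing LBs and world-open ingress rules."""
    findings = []
    for res in walk(plan.get("planned_values", {}).get("root_module", {})):
        values = res.get("values") or {}
        if res["type"] in ("aws_lb", "aws_alb"):
            # An unset or unknown `internal` is flagged too: AWS defaults to internet-facing.
            if values.get("internal") is not True:
                findings.append((res["address"], "load balancer is not internal"))
        elif res["type"] == "aws_security_group":
            for rule in values.get("ingress") or []:
                cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
                if cidrs & ANYWHERE:
                    ports = f"{rule.get('from_port')}-{rule.get('to_port')}"
                    findings.append((res["address"], f"ingress {ports} open to the internet"))
    return findings

if __name__ == "__main__":
    for address, reason in public_exposure(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

Against a real deployment, replace `SAMPLE_PLAN` with the parsed output of `terraform show -json` for the plan under review.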