Has anyone run an Ignition server on Microsoft Azure and how much did it cost?

I have a customer that wants to put their Ignition server on Azure (with SQL also). Has anyone done this before? What server specs did you use? How much does Azure cost? Is it a bandwidth calculation?

Thanks for any info.

I have a client right now running an instance of Ignition that we’re doing development on still, but we’re using a Standard B2ms (2 vcpus, 8 GiB memory) instance for Ignition and an Azure Database for MySQL flexible server that says it’s running on a Burstable, B1ms, 1 vCores, 2 GiB RAM, 20480 storage configuration (copied and pasted it right from the portal). These are both running in the US East datacenter.

They’re also running an MQTT server and HAProxy reverse proxy as separate VMs to try to protect the servers and only expose HAProxy and not directly expose Ignition or the MQTT server directly. The MySQL server is not a VM and is a direct service provided by Azure, so not sure if it saves money doing it that way or not.

I don’t have access to their billing, but I can reach out and ask to see if they’ll share some costs with me that I can pass on.

1 Like

Why would you not want to expose the Ignition server directly? Security I assume but can’t you whitelist everyone that will connect?

If you can find out the general cost that would help me a lot. I would think bandwidth, even if a small amount, would add up when we implement 100+ clients.

So with us just doing development on it and the MySQL running on a free instance right now, they’re paying $150 a month roughly. But that is with a couple of extra servers running. Also once they start having clients on it bandwidth usage will go up, and they’ll eventually run out of the free trial on MySQL as well.

As for exposing Ignition server directly, I’m using HAProxy to serve multiple functions. It’s acting as the reverse proxy for both Ignition and MQTT. I’m getting auto-renewing SSL certificates from Let’s Encrypt to encrypt MQTT connections as well as both the MQTT management portal and Ignition, which is then tunneled on the backend unencrypted to the MQTT and Ignition servers. I also have HAProxy requiring you use the correct domain name to access the servers. If you just try to hit the exposed IP with only the IP or a wrong domain name, you’ll just get an error page. On top of that, I’m monitoring connections with fail2ban to only allow X login attempts every Y minutes to Ignition. While this is built into Ignition, Ignition only blocks that user from logging in, while I’m blocking that IP from accessing any services on the servers completely. That way if it is some bot trying random usernames, it prevents the bot from going any further with any login attempts, and not just that one username. We also won’t know end user IPs as the clients they have could be connecting from anywhere. Same with the edge devices being on cellular modems. Their IPs could change so I have to allow any IP to connect to the MQTT server. (We’re using EMQ-X for our server/broker)

4 Likes
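
The per-IP versus per-username distinction from the post above, as an added example that is not part of the original thread and is not Ignition's or fail2ban's own code. The log format, the sample lines, the threshold values and the `simulate` function are all constructed for illustration, and a ban here simply lasts to the end of the sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# Hypothetical format, not Ignition's real log layout.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 admin FAIL
2024-01-01T10:00:05 203.0.113.7 operator FAIL
2024-01-01T10:00:10 203.0.113.7 root FAIL
2024-01-01T10:00:15 203.0.113.7 guest FAIL
2024-01-01T10:00:20 203.0.113.7 scada FAIL
2024-01-01T10:01:00 198.51.100.4 alice FAIL
2024-01-01T10:01:30 198.51.100.4 alice OK
2024-01-01T10:20:00 203.0.113.7 admin FAIL
"""

def simulate(log, max_attempts=3, window=timedelta(minutes=10), by="ip"):
    """Apply an 'X failures in Y minutes' rule keyed on source IP or username.

    Returns (banned_keys, blocked): the keys that tripped the limit and the
    number of later attempts rejected because their key was already banned.
    """
    recent = defaultdict(deque)   # key -> timestamps of recent failures
    banned, blocked = set(), 0
    for line in log.splitlines():
        ts_text, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        key = ip if by == "ip" else user
        if key in banned:         # assumption: ban lasts for the whole sample
            blocked += 1
            continue
        if result != "FAIL":
            continue
        failures = recent[key]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        if len(failures) >= max_attempts:
            banned.add(key)
    return banned, blocked

if __name__ == "__main__":
    print("keyed on IP:      ", simulate(SAMPLE_LOG, by="ip"))
    print("keyed on username:", simulate(SAMPLE_LOG, by="user"))
```

Keyed on username, the address cycling through five different names never reaches the limit for any single name; keyed on IP, it is cut off after the third failure while the user who mistyped once is unaffected.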

Thank you, this was very informative.