So with us just doing development on it and the MySQL running on a free instance right now, they’re paying $150 a month roughly. But that is with a couple of extra servers running. Also once they start having clients on it bandwidth usage will go up, and they’ll eventually run out of the free trial on MySQL as well.
As for exposing Ignition server directly, I’m using HAProxy to serve multiple functions. It’s acting as the reverse proxy for both Ignition and MQTT. I’m getting auto-renewing SSL certificates from LetsEncrypt to encrypt MQTT connections as well as both the MQTT management portal and Ignition which is then tunneled on the backend unencrypted to the MQTT and Ignition servers. I also have HAProxy requiring you use the correct domain name to access the servers. If you just try to hit the exposed IP with only the IP or a wrong domain name, you’ll just get an error page. On top of that, I’m monitoring connections with fail2ban to only allow X login attempts every Y minutes to Ignition. While this is built into Ignition, Ignition only blocks that user from logging in, while I’m blocking that IP from accessing any services on the servers completely. That way if it is some bot trying random usernames, it prevents the bot from going any further with any login attempts, and not just that one username. We also won’t know end user IPs as the clients they have could be connecting from anywhere. Same with the edge devices being on cellular modems. Their IPs could change so I have to allow any IP to connect to the MQTT server. (We’re using EMQ-X for our server/broker)