Add docs with networking scenarios #116

@hrodmn

While working on #114 I have experimented with different networking arrangements and have been reminded that it is easy to create a configuration that does not work! It could be helpful for users to see a few example configurations while they consider their own deployment.

Here are a few that do work:

Scenario 1: Higher security, higher cost

  • RDS Instance in a PRIVATE_ISOLATED subnet
    • [optional] pgbouncer instance in a PRIVATE_WITH_EGRESS subnet
    • pgstac_secret host value is the private IP address for pgbouncer or the RDS hostname
  • Lambdas added to the VPC in a PRIVATE_WITH_EGRESS subnet (adds a NAT Gateway which costs $)
    • granted connect access to either the RDS instance or the pgbouncer instance
  • important: add an S3 Endpoint to the VPC to make it possible to read data from S3 buckets in the same region as the VPC for free even within the VPC instead of paying the NAT Gateway tax

Scenario 2: Lower security, lower cost

  • RDS Instance in a PUBLIC subnet
    • [optional] pgbouncer instance in a PUBLIC subnet with a public IP address assigned
    • pgstac_secret host value is the public IP address for the pgbouncer instance or the RDS hostname
    • important: RDS Instance (or pgbouncer instance) allows all traffic (any IPv4) on port 5432
  • Lambdas in PUBLIC subnet
  • Makes it possible to connect to the database from any client with the credentials
    • convenient for loading STAC items without the ingestor infrastructure
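
An added example, not part of the original issue or the project's code: a small Python check that models the two scenarios above and flags the conditions the issue names (Lambdas without connect access, a database open to any IPv4 address on 5432, S3 reads routed through the NAT Gateway). The dictionary field names, CIDR ranges and the `sg-lambda` id are constructed for illustration and are not eoapi-cdk properties.

```python
import ipaddress

PG_PORT = 5432

# Constructed deployment descriptions (field names, CIDRs and the sg id are
# assumptions for this example, not eoapi-cdk properties).
SCENARIO_1 = {
    "db_subnet": "PRIVATE_ISOLATED",
    "lambda_subnet": "PRIVATE_WITH_EGRESS",
    "lambda_cidr": "10.0.2.0/24",
    "lambda_sg": "sg-lambda",
    "s3_gateway_endpoint": True,
    "db_ingress": [{"source": "sg-lambda", "from_port": 5432, "to_port": 5432}],
}
SCENARIO_2 = {
    "db_subnet": "PUBLIC",
    "lambda_subnet": "PUBLIC",
    "lambda_cidr": "10.0.0.0/24",
    "lambda_sg": "sg-lambda",
    "s3_gateway_endpoint": False,
    "db_ingress": [{"source": "0.0.0.0/0", "from_port": 5432, "to_port": 5432}],
}

def covers_pg(rule):
    """True if the ingress rule's port range includes PostgreSQL's port."""
    return rule["from_port"] <= PG_PORT <= rule["to_port"]

def admits_lambda(rule, d):
    """True if the rule lets the Lambdas reach 5432, by security group or CIDR."""
    if not covers_pg(rule):
        return False
    if rule["source"].startswith("sg-"):
        return rule["source"] == d["lambda_sg"]
    allowed = ipaddress.ip_network(rule["source"])
    lam = ipaddress.ip_network(d["lambda_cidr"])
    return allowed.version == lam.version and lam.subnet_of(allowed)

def is_world_open(rule):
    """True for a CIDR rule such as 0.0.0.0/0 that opens 5432 to any address."""
    src = rule["source"]
    return covers_pg(rule) and not src.startswith("sg-") and ipaddress.ip_network(src).prefixlen == 0

def audit(d):
    findings = []
    if not any(admits_lambda(r, d) for r in d["db_ingress"]):
        findings.append("NO_DB_ACCESS")         # Lambdas cannot connect: deployment does not work
    if d["db_subnet"] == "PUBLIC" and any(is_world_open(r) for r in d["db_ingress"]):
        findings.append("DB_OPEN_TO_INTERNET")  # the Scenario 2 trade-off
    if d["lambda_subnet"] == "PRIVATE_WITH_EGRESS" and not d["s3_gateway_endpoint"]:
        findings.append("S3_VIA_NAT")           # S3 reads pay for NAT Gateway traffic
    return findings
```

`audit(SCENARIO_1)` returns no findings, while `audit(SCENARIO_2)` reports `DB_OPEN_TO_INTERNET`, which is the exposure that scenario accepts in exchange for lower cost.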
