How can I secure Ratel with Community Edition DGraph?

Dgraph Ratel UI is a client (ReactJS single-page application) whose UI is served by a small web service. You can run this anywhere, such as in a Docker container or directly on your laptop. In this scope, there's no difference between Enterprise and Community Edition.

The part that does need to be secured is the public endpoints of the Dgraph Alpha service. Below is a list of some ways you can secure the Dgraph Alpha service and the Dgraph Ratel UI web service:

  • Infrastructure (AWS) layer
    • Security Group: Add a security group for the endpoint to whitelist only allowed access, such as home office and remote WFH addresses
    • TLS terminated on LB, such as ACM (AWS Certificate Manager).
    • Internal-facing LB so that it is only accessible to private networks. Then this can be accessed using a bastion host or VPN. (ref. Internal Classic Load Balancers)
      • Set up a bastion host (example quickstart guide) where you can set up an SSH tunnel to access the private internal load balancer endpoint.
      • Set up a VPN (such as AWS Client VPN) to get access to the private internal load balancer endpoint.
  • Dgraph Alpha layer
    • Mutual TLS (Community and Enterprise): You can use mutual TLS, which requires you to submit a client certificate for access. To require a client certificate, the Dgraph Alpha server must be configured with REQUIREANDVERIFY (ref. docs)
    • Access Control Lists (Enterprise only): Enabling this requires logging into Dgraph Alpha to get an AccessJWT token that is then used to access Dgraph Alpha. (ref. docs)
  • Dgraph Ratel UI web service:
    • TLS can be added directly to the web service with the -tls_crt and -tls_key arguments to dgraph_ratel.