How to Connect FME Flow Hosted to an External Database

Liz Sanderson

FME Version

  • FME 2023.0

Introduction

FME Flow Hosted (formerly FME Cloud) runs on Amazon Web Services (AWS). Many workflows that you will run on FME Flow Hosted are likely to require a database. FME Flow Hosted instances do ship with a PostgreSQL database that you can store your own data in, but for production workloads, we strongly recommend using an external database.

You don’t need to worry about performance if you are writing to databases on other clouds. We benchmarked writing to Azure from FME Flow Hosted, which runs on AWS, and it was extremely fast. Just remember to launch your FME Flow Hosted in a geographic region close to your database. Security is the main consideration.

When a workspace running on FME Flow (formerly FME Server) on FME Flow Hosted connects to any service or database, the data travels over the public internet, so it is imperative that the data is secure.
 

HTTPS Connections

For many cloud databases, you interact with them via an API (HTTPS protocol). As data is encrypted over HTTPS, you can read from and write to the database without making any changes to the FME Flow Hosted security settings.
To further enhance security, you could enable firewall rules to limit access to a specific IP range. This helps protect networks from unauthorized access. On FME Flow Hosted, you can assign a static IP to the FME Flow instance so we can also support this workflow.
 

TCP Connections

Encrypting the connection between FME and the database is critical when transmitting data over the public internet. SSL/TLS is supported by all major databases. FME supports communicating over SSL for most databases, but you will need to do some minor configuration, which varies slightly by the database.
 

Configure Connecting to PostgreSQL over SSL on FME Flow Hosted

PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security. A client certificate is generated that contains basic information about the client and the server uses it to verify the client on connection.
  • In FME Form (formerly FME Desktop), set the “SSL Mode” on the database connection to either Verify-CA or Verify-Full.
  • Obtain the root certificate for the database you are connecting to.
  • Download this workspace template from FME Hub. This workspace is configured for PostgreSQL running on AWS RDS. By modifying the DownloadCert transformer and pointing to your PEM, you can easily modify it to work for a PostgreSQL DB running anywhere.
  • Publish the workspace to the FME Flow running on FME Flow Hosted and then run the workspace. The workspace only needs to be run once. Running this workspace places the certificate in the correct place on FME Flow.
  • Publish your workflow with the PostgreSQL reader/writer in it and run. The workspace will pick up the certificate you uploaded.
In addition to encrypting the connection, when making a database public, you will need to define firewall rules to limit which IPs can access the database. FME Flow Hosted supports static IPs and also allows you to define the inbound network firewall rules, which allows you to control the protocols, ports, and source IP ranges that are allowed to reach the FME Flow instance.
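A pre-flight check for the steps above, as an added example that is not part of the original article or of FME: it sends PostgreSQL's SSLRequest, then validates the server certificate against the root certificate you obtained, with Verify-CA or Verify-Full semantics. The host name `db.example.com` and file name `root-ca.pem` are placeholders, and the function names are this example's own.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: Int32 length (8) followed by Int32 request code 80877103.
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def make_context(root_cert_path=None, sslmode="verify-full") -> ssl.SSLContext:
    """Map the two SSL Modes from the steps above onto a client TLS context."""
    if sslmode not in ("verify-ca", "verify-full"):
        raise ValueError("only verify-ca and verify-full validate the server certificate")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    # verify-ca checks the chain only; verify-full also checks the host name.
    ctx.check_hostname = (sslmode == "verify-full")
    if root_cert_path:
        ctx.load_verify_locations(cafile=root_cert_path)
    return ctx


def check_server(host, root_cert_path, port=5432, sslmode="verify-full", timeout=10):
    """Return (tls_version, cipher_name); raises ssl.SSLError on a failed check."""
    ctx = make_context(root_cert_path, sslmode)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_ssl_request())
        # The server answers with a single byte: b"S" (proceed) or b"N" (no SSL).
        if raw.recv(1) != b"S":
            raise ConnectionError("server refused SSL for this connection")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Placeholder host and file name: substitute your own endpoint and PEM.
    print(check_server("db.example.com", "root-ca.pem"))
```

A certificate verification error here means the PEM does not chain to the certificate the database presents, or, in verify-full mode, that the host name does not match it.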
 

Conclusion

As with the cloud services, it is easy to open up the database to the public internet so FME Flow Hosted can access it. However, depending on the sensitivity of the data, this might not be feasible. If this is the case, deploying FME Flow yourself on the cloud platform in the same network as your database is the solution. If you can open the data up to the public internet, then the technology exists both on the database and FME Flow Hosted to connect and transmit data securely.
