
DigitalOcean is not comparable to EC2 unless you are literally-literally only using compute. The second you want a network that is private to you or any sort of hosted solutions for stuff like SQL databases, DigitalOcean folds.

I use AWS despite the (moderate, and with reserved instances largely nonexistent) premium on compute because of everything else that's right there.



> The second you want a network that is private to you or any sort of hosted solutions for stuff like SQL databases, DigitalOcean folds.

Can you explain what you mean by this?


EC2 has VPC, a software-defined networking solution with route tables, subnetting, ACLs, the nice abstraction of security groups, and (importantly) the ability to peer separate VPCs, across multiple accounts.

DigitalOcean does not have VPC; they've had a backplane of "private network IPs" isolated merely to all DigitalOcean customers. This month they instead changed their underlying system behavior (WTF) to isolate their private IPs to your account. So they also just broke that for their customers. On top of that--can you firewall/segment off that private network to certain machines? Nah. Can you talk to other customers' machines over this private network? Nah. It's a bad, partial solution for limited use cases.

AWS also has a managed solution for MariaDB, MySQL, Oracle, Postgres, and MS SQL. DigitalOcean has an emoji shrug.


Yeah, I'm not clear on that either. I know you can set up servers with different IPs on DO to talk with each other and from there "privacy" is a matter of configuration. Seems like UFW would be a tool to use for that.

But I am not a "network specialist" and I've never even looked at AWS so there's bound to be a lot I don't know in this arena.


In my experience non-cloud networks run by professionals rarely use compute-side firewalls in general, and VPC is a powerful analogue for this. AWS VPC and security groups expose the entirety of your network configuration in a single location with easy ways to visualize it and manipulate it. They are also a lot easier for someone who is not a network specialist to correctly work with; "only allow network access over port X from machines tagged with security group A" is trivial (using an additional layer atop VPC's lower-level subnet/route table/gateway primitives).

I don't remember the last time I configured a compute-side firewall, whether in a cloud environment, a physical network environment, or in my home (my router does VLANs and allows rules between them).
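The "only allow port X from machines tagged with security group A" rule described above, written out as a Terraform configuration. This is an added example and not code from anyone in the thread; the resource names, the 10.0.0.0/16 address range and the choice of PostgreSQL's port 5432 are assumptions picked for illustration, and it assumes the Terraform AWS provider.

```hcl
# Added example: a VPC with a database tier whose listener is reachable only
# from instances that are members of the application security group.
# Names, CIDR ranges and the port are constructed for illustration.

resource "aws_vpc" "app" {
  cidr_block = "10.0.0.0/16" # constructed example range
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.app.id
  cidr_block = "10.0.1.0/24"
}

# Group "A": attached to the application instances. It carries no inbound
# rules of its own; it exists so other groups can refer to its members by
# identity instead of by IP address.
resource "aws_security_group" "app" {
  name   = "app-tier"
  vpc_id = aws_vpc.app.id

  # Terraform drops AWS's implicit allow-all egress unless it is stated.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Database tier. No egress block: security groups are stateful, so replies
# on connections accepted by the ingress rule below are still allowed.
resource "aws_security_group" "db" {
  name   = "db-tier"
  vpc_id = aws_vpc.app.id
}

# The rule itself: TCP 5432 from any instance in the "app" group, and
# nothing else. No CIDR appears, so adding or replacing application hosts
# never requires touching the database firewall.
resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}
```

The point the comment makes is visible in the last resource: the source of the rule is another security group, not an address range, so the policy follows the instances rather than the IPs they happen to get. A per-host firewall such as UFW would need every database host to know every application host's address and be updated when one changes.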



