{"id":38816,"date":"2026-07-08T15:12:03","date_gmt":"2026-07-08T18:12:03","guid":{"rendered":"https:\/\/www.locaweb.com.br\/ajuda\/?post_type=ht_kb&#038;p=38816"},"modified":"2026-07-08T15:12:03","modified_gmt":"2026-07-08T18:12:03","slug":"arquitetura-de-rede-isolada-na-nuvem-conectando-spring-boot-e-banco-de-dados-com-vpc-e-tiers-no-locaweb-cloud","status":"publish","type":"ht_kb","link":"https:\/\/www.locaweb.com.br\/ajuda\/wiki\/arquitetura-de-rede-isolada-na-nuvem-conectando-spring-boot-e-banco-de-dados-com-vpc-e-tiers-no-locaweb-cloud\/","title":{"rendered":"Arquitetura de Rede Isolada na Nuvem: Conectando Spring Boot e Banco de Dados com VPC e Tiers no Locaweb Cloud"},"content":{"rendered":"    \t\t<div class=\"hts-messages hts-messages--info  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Informa\u00e7\u00e3o!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\tEste tutorial ensina a implementar uma arquitetura de duas camadas (Two-Tier) segura no Locaweb Cloud, isolando seu banco de dados e garantindo controle total sobre a topologia de rede.    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<p><span style=\"font-weight: 400;\">Arquiteturas escal\u00e1veis exigem o isolamento de componentes. No Locaweb Cloud (IaaS via Apache CloudStack), voc\u00ea det\u00e9m o poder de orquestra\u00e7\u00e3o de rede e sistema operacional, sem automa\u00e7\u00f5es de PaaS que alterem configura\u00e7\u00f5es sem consentimento.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Voc\u00ea aprender\u00e1 a proteger o banco de dados criando uma VPC com duas sub-redes (Tiers): uma p\u00fablica para a aplica\u00e7\u00e3o Spring Boot e outra estritamente privada para o PostgreSQL, inacess\u00edvel via internet.<\/span><b><\/b><\/p>\n<h2><b>Pr\u00e9-requisitos<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Para acompanhar este guia, voc\u00ea deve garantir que seu ambiente atende \u00e0s seguintes condi\u00e7\u00f5es:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Conta ativa no Locaweb Cloud com permiss\u00f5es administrativas para acesso ao <\/span><a href=\"https:\/\/painel-cloud.locaweb.com.br\"><span style=\"font-weight: 400;\">painel de controle<\/span><\/a><span style=\"font-weight: 400;\"> CloudStack.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Chave privada SSH (<\/span><span style=\"font-weight: 400;\">.key<\/span><span style=\"font-weight: 400;\"> ou <\/span><span style=\"font-weight: 400;\">.pem<\/span><span style=\"font-weight: 400;\">) gerada no painel e salva localmente em sua m\u00e1quina de trabalho com as permiss\u00f5es corretas.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">[Importante!] Aplique <\/span><span style=\"font-weight: 400;\">chmod 400 sua_chave.key<\/span><span style=\"font-weight: 400;\"> para que apenas o seu usu\u00e1rio possa l\u00ea-la \u2014 caso contr\u00e1rio o cliente SSH recusa a conex\u00e3o por seguran\u00e7a.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Planejamento de rede: Planeje a janela de manuten\u00e7\u00e3o reservando o bloco de IP correto. Par\u00e2metros sugeridos:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Rede Virtual (VPC):<\/b> <span style=\"font-weight: 400;\">192.168.0.0\/16<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Subrede P\u00fablica (Web):<\/b> <span style=\"font-weight: 400;\">192.168.1.0\/24<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Subrede Privada (Database):<\/b> <span style=\"font-weight: 400;\">192.168.2.0\/24<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Dados de acesso e reposit\u00f3rio Git devidamente estruturados para o deploy.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Um dom\u00ednio pr\u00f3prio apontando para o IP p\u00fablico da VPC, necess\u00e1rio para a emiss\u00e3o de certificado HTTPS gratuito com Let&#8217;s Encrypt.<\/span><\/li>\n<\/ul>\n    \t\t<div class=\"hts-messages hts-messages--alert  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Importante!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\t<span style=\"font-weight: 400;\">Est\u00e1 com d\u00favidas sobre como come\u00e7ar no Locaweb Cloud? Acesse nosso <\/span><a href=\"https:\/\/www.locaweb.com.br\/ajuda\/wiki\/por-onde-comecar-no-locaweb-cloud\/\"><span style=\"font-weight: 400;\">tutorial de apoio<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span>    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<h2><b>Configura\u00e7\u00e3o de infraestrutura (painel CloudStack)\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">A topologia de rede \u00e9 o alicerce da seguran\u00e7a. O isolamento ser\u00e1 garantido atrav\u00e9s de Network ACLs (Listas de Controle de Acesso) processadas diretamente no Roteador Virtual do Locaweb Cloud.<\/span><\/p>\n<h3><b>Passo 1: Cria\u00e7\u00e3o da VPC e das Tiers<\/b><\/h3>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">No painel do Locaweb Cloud, navegue at\u00e9 o menu <\/span><b>Rede<\/b><span style=\"font-weight: 400;\"> e clique em <\/span><b>VPC<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Clique em <\/span><b>Adicionar VPC<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Preencha os campos essenciais:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Nome:<\/b> <span style=\"font-weight: 400;\">VPC-Producao-App<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>CIDR da VPC:<\/b> <span style=\"font-weight: 400;\">10.0.0.0\/16<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Oferta de VPC:<\/b><span style=\"font-weight: 400;\"> selecione a oferta adequada ao throughput desejado.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Ap\u00f3s a VPC ser provisionada, clique sobre o nome dela e acesse a aba <\/span><b>Redes<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Clique em <\/span><b>Adicionar novo tier na rede<\/b><span style=\"font-weight: 400;\"> e crie a primeira sub-rede (Tier Web):<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Nome:<\/b> <span style=\"font-weight: 400;\">Tier-Publica-Web<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Gateway\/CIDR da tier:<\/b> <span style=\"font-weight: 400;\">10.0.1.1\/24<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>ACL:<\/b><span style=\"font-weight: 400;\"> selecione <\/span><span style=\"font-weight: 400;\">default_allow<\/span><span style=\"font-weight: 400;\"> temporariamente (ser\u00e1 substitu\u00edda no Passo 2).<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Repita a opera\u00e7\u00e3o para criar a segunda sub-rede (Tier DB):<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Nome:<\/b> <span style=\"font-weight: 400;\">Tier-Privada-DB<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Gateway\/CIDR da tier:<\/b> <span style=\"font-weight: 400;\">10.0.2.1\/24<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>ACL:<\/b><span style=\"font-weight: 400;\"> selecione <\/span><span style=\"font-weight: 400;\">default_deny<\/span><span style=\"font-weight: 400;\"> temporariamente (ser\u00e1 substitu\u00edda no Passo 2).<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Ao final deste passo, voc\u00ea ter\u00e1 duas Tiers criadas dentro da mesma VPC: uma destinada \u00e0 aplica\u00e7\u00e3o Web (com acesso externo) e outra ao banco de dados (totalmente isolada).<\/span><\/p>\n<h3><b>Passo 2: Configura\u00e7\u00e3o das Network ACLs<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A ACL garante prote\u00e7\u00e3o no n\u00edvel da sub-rede, independentemente do firewall (<\/span><span style=\"font-weight: 400;\">iptables<\/span><span style=\"font-weight: 400;\">\/<\/span><span style=\"font-weight: 400;\">ufw<\/span><span style=\"font-weight: 400;\">) configurado dentro do sistema operacional. \u00c9 aqui que o isolamento do banco de dados \u00e9 efetivamente aplicado.<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Ainda nos detalhes da sua VPC, acesse a aba <\/span><b>Listas de ACL de rede<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Clique em <\/span><b>Adicionar lista de ACL de rede<\/b><span style=\"font-weight: 400;\"> e crie a lista <\/span><span style=\"font-weight: 400;\">ACL-Tier-Web<\/span><span style=\"font-weight: 400;\">. Em seguida, abra a lista e adicione as seguintes regras (bot\u00e3o <\/span><b>Adicionar ACL<\/b><span style=\"font-weight: 400;\">):<\/span><\/li>\n<\/ol>\n<table>\n<tbody>\n<tr>\n<td><b>Regra<\/b><\/td>\n<td><b>Dire\u00e7\u00e3o<\/b><\/td>\n<td><b>CIDR<\/b><\/td>\n<td><b>Protocolo<\/b><\/td>\n<td><b>Porta<\/b><\/td>\n<td><b>A\u00e7\u00e3o<\/b><\/td>\n<td><b>Finalidade<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">10<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Entrada (Ingress)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">0.0.0.0\/0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">8080<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permitir<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Acesso \u00e0 API Spring Boot<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">20<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Entrada (Ingress)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">0.0.0.0\/0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">22<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permitir<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Acesso SSH administrativo<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">30<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Entrada (Ingress)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">0.0.0.0\/0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">80<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permitir<\/span><\/td>\n<td><span style=\"font-weight: 400;\">HTTP (valida\u00e7\u00e3o Let&#8217;s Encrypt)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">40<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Entrada (Ingress)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">0.0.0.0\/0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">443<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permitir<\/span><\/td>\n<td><span style=\"font-weight: 400;\">HTTPS seguro<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">100<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Sa\u00edda (Egress)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">0.0.0.0\/0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">ALL<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\u2014<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permitir<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Tr\u00e1fego de sa\u00edda geral da sub-rede<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n    \t\t<div class=\"hts-messages hts-messages--alert  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Importante!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\t<span style=\"font-weight: 400;\">Por recomenda\u00e7\u00e3o estrita de seguran\u00e7a, na Regra 20 (SSH), restrinja o CIDR ao IP fixo da sua rede administrativa corporativa (ex: <\/span><span style=\"font-weight: 400;\">198.51.100.10\/32<\/span><span style=\"font-weight: 400;\">) em vez de abrir para o mundo (<\/span><span style=\"font-weight: 400;\">0.0.0.0\/0<\/span><span style=\"font-weight: 400;\">), mitigando ataques de for\u00e7a bruta.<\/span>    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Crie a lista <\/span><span style=\"font-weight: 400;\">ACL-Tier-DB<\/span><span style=\"font-weight: 400;\">. Abra a lista e adicione as seguintes regras estritas \u2014 observe que nenhuma origem p\u00fablica externa \u00e9 permitida:<\/span><\/li>\n<\/ol>\n<table>\n<tbody>\n<tr>\n<td><b>Regra<\/b><\/td>\n<td><b>Dire\u00e7\u00e3o<\/b><\/td>\n<td><b>CIDR<\/b><\/td>\n<td><b>Protocolo<\/b><\/td>\n<td><b>Porta<\/b><\/td>\n<td><b>A\u00e7\u00e3o<\/b><\/td>\n<td><b>Finalidade<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">10<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Entrada (Ingress)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">10.0.1.0\/24<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">5432<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permitir<\/span><\/td>\n<td><span style=\"font-weight: 400;\">PostgreSQL, apenas a partir da Tier Web<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">20<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Entrada (Ingress)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">10.0.1.0\/24<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">22<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permitir<\/span><\/td>\n<td><span style=\"font-weight: 400;\">SSH vindo da VM Web (Bastion Host)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">100<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Sa\u00edda (Egress)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">0.0.0.0\/0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">ALL<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\u2014<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permitir<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Permite baixar atualiza\u00e7\u00f5es de seguran\u00e7a<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">O ponto cr\u00edtico aqui: a porta 5432 (PostgreSQL) s\u00f3 aceita conex\u00f5es originadas do bloco <\/span><span style=\"font-weight: 400;\">10.0.1.0\/24<\/span><span style=\"font-weight: 400;\"> (a Tier Web). Qualquer pacote vindo da internet p\u00fablica \u00e9 descartado pelo Roteador Virtual antes mesmo de chegar \u00e0 VM do banco.<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">V\u00e1 at\u00e9 a aba <\/span><b>Redes<\/b><span style=\"font-weight: 400;\"> da sua VPC, selecione a <\/span><span style=\"font-weight: 400;\">Tier-Publica-Web<\/span><span style=\"font-weight: 400;\">, clique em <\/span><b>Substituir lista de ACL<\/b><span style=\"font-weight: 400;\"> e selecione <\/span><span style=\"font-weight: 400;\">ACL-Tier-Web<\/span><span style=\"font-weight: 400;\">. Fa\u00e7a o mesmo para a <\/span><span style=\"font-weight: 400;\">Tier-Privada-DB<\/span><span style=\"font-weight: 400;\">, associando-a \u00e0 <\/span><span style=\"font-weight: 400;\">ACL-Tier-DB<\/span><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ol>\n<h3><b>Passo 3: Provisionamento das VMs<\/b><\/h3>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">No menu <\/span><b>Computa\u00e7\u00e3o &gt; VMs<\/b><span style=\"font-weight: 400;\">, clique em <\/span><b>Adicionar VM<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Crie a VM Web (<\/span><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><span style=\"font-weight: 400;\">):<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Template:<\/b><span style=\"font-weight: 400;\"> Ubuntu 22.04 LTS.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Rede:<\/b><span style=\"font-weight: 400;\"> na etapa de Redes, selecione a <\/span><span style=\"font-weight: 400;\">Tier-Publica-Web<\/span><span style=\"font-weight: 400;\"> dentro da <\/span><span style=\"font-weight: 400;\">VPC-Producao-App<\/span><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Chave SSH:<\/b><span style=\"font-weight: 400;\"> selecione sua chave configurada.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Crie a VM Banco de Dados (<\/span><span style=\"font-weight: 400;\">VM-Postgres<\/span><span style=\"font-weight: 400;\">):<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Template:<\/b><span style=\"font-weight: 400;\"> Ubuntu 22.04 LTS.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Rede:<\/b><span style=\"font-weight: 400;\"> na etapa de Redes, selecione a <\/span><span style=\"font-weight: 400;\">Tier-Privada-DB<\/span><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Chave SSH:<\/b><span style=\"font-weight: 400;\"> selecione a mesma chave.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n    \t\t<div class=\"hts-messages hts-messages--alert  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Importante!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\t<span style=\"font-weight: 400;\">A m\u00e1quina virtual do banco de dados (<\/span><span style=\"font-weight: 400;\">VM-Postgres<\/span><span style=\"font-weight: 400;\">) permanecer\u00e1 sem IP p\u00fablico e sem nenhuma regra de Port Forwarding. Esse \u00e9 o cora\u00e7\u00e3o do isolamento: ela \u00e9 alcan\u00e7\u00e1vel unicamente atrav\u00e9s da rede interna privada da VPC.<\/span>    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<h3><b>Passo 4: Configura\u00e7\u00e3o de Acesso Externo (Port Forwarding + Firewall)<\/b><\/h3>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">V\u00e1 em <\/span><b>Rede &gt; VPC &gt; VPC-Producao-App &gt; IPs P\u00fablicos<\/b><span style=\"font-weight: 400;\">. Clique em <\/span><b>Obter um novo IP<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">No IP rec\u00e9m-adquirido, acesse a aba <\/span><b>Encaminhamento de porta (Port Forwarding)<\/b><span style=\"font-weight: 400;\">. Crie as regras direcionando o tr\u00e1fego exclusivamente para a <\/span><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><span style=\"font-weight: 400;\">:<\/span><\/li>\n<\/ol>\n<table>\n<tbody>\n<tr>\n<td><b>Porta P\u00fablica<\/b><\/td>\n<td><b>Porta Privada<\/b><\/td>\n<td><b>Protocolo<\/b><\/td>\n<td><b>VM de Destino<\/b><\/td>\n<td><b>Finalidade<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">22<\/span><\/td>\n<td><span style=\"font-weight: 400;\">22<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Conex\u00e3o SSH<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">8080<\/span><\/td>\n<td><span style=\"font-weight: 400;\">8080<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><\/td>\n<td><span style=\"font-weight: 400;\">API do ecossistema Spring Boot<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">80<\/span><\/td>\n<td><span style=\"font-weight: 400;\">80<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Valida\u00e7\u00e3o HTTP Let&#8217;s Encrypt<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">443<\/span><\/td>\n<td><span style=\"font-weight: 400;\">443<\/span><\/td>\n<td><span style=\"font-weight: 400;\">TCP<\/span><\/td>\n<td><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Acesso p\u00fablico HTTPS<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n    \t\t<div class=\"hts-messages hts-messages--danger  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Aviso!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\tN\u00e3o crie nenhuma regra de Port Forwarding ou de entrada externa para a porta 5432. A porta nativa do banco de dados jamais deve ficar exposta. O acesso ao PostgreSQL acontece exclusivamente de forma invis\u00edvel pela rede privada, da Tier Web para a Tier DB.    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Na aba <\/span><b>Firewall<\/b><span style=\"font-weight: 400;\"> deste mesmo IP P\u00fablico, adicione as regras liberando o tr\u00e1fego de entrada para as portas 22, 80, 443 and 8080, garantindo a perfeita correspond\u00eancia campo a campo com o Port Forwarding.<\/span><\/li>\n<\/ol>\n<h2><b>3. Configura\u00e7\u00e3o de Sistema (Terminal)<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Neste ponto, a infraestrutura da Locaweb Cloud garante o isolamento. Vamos agora operar os sistemas operacionais.<\/span><\/p>\n<h3><b>Passo 1: Acesso \u00e0s VMs<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Como a <\/span><span style=\"font-weight: 400;\">VM-Postgres<\/span><span style=\"font-weight: 400;\"> n\u00e3o possui IP p\u00fablico e sua ACL bloqueia o tr\u00e1fego externo direto, acessaremos o banco usando a VM Web como ponto de salto (Bastion Host).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Abra o terminal na sua m\u00e1quina local e conecte-se \u00e0 VM Web usando o IP p\u00fablico associado:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Conecta na VM P\u00fablica (Web) usando o IP p\u00fablico da VPC<\/span>\r\n\r\n<span style=\"font-weight: 400;\">ssh -i sua_chave.key ubuntu@&lt;IP_PUBLICO_LOCAWEB&gt;<\/span><\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">A forma mais segura de alcan\u00e7ar a VM de banco \u00e9 usar o salto direto (flag <\/span><span style=\"font-weight: 400;\">-J<\/span><span style=\"font-weight: 400;\">) a partir da sua m\u00e1quina local, mantendo a chave privada apenas no seu computador de trabalho. Descubra antes o IP privado da <\/span><span style=\"font-weight: 400;\">VM-Postgres<\/span><span style=\"font-weight: 400;\"> no painel (aba NICs da VM, normalmente algo como <\/span><span style=\"font-weight: 400;\">10.0.2.x<\/span><span style=\"font-weight: 400;\">):<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Usa a VM Web como ponto de salto (ProxyJump) para alcan\u00e7ar a VM de banco<\/span>\r\n\r\n<span style=\"font-weight: 400;\">ssh -i sua_chave.key -J ubuntu@&lt;IP_PUBLICO_LOCAWEB&gt; ubuntu@10.0.2.5<\/span><\/pre>\n<h3><b>Passo 2: Instala\u00e7\u00e3o e Configura\u00e7\u00e3o do Banco de Dados (VM Privada)<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">J\u00e1 conectado na <\/span><span style=\"font-weight: 400;\">VM-Postgres<\/span><span style=\"font-weight: 400;\">, atualize os reposit\u00f3rios e instale o PostgreSQL:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Atualiza a lista de pacotes e instala o servidor PostgreSQL<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt update &amp;&amp; sudo apt install postgresql postgresql-contrib -y<\/span>\r\n\r\n<span style=\"font-weight: 400;\"># Habilita o servi\u00e7o para iniciar junto com o boot e o starta imediatamente<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl enable --now postgresql<\/span><\/pre>\n    \t\t<div class=\"hts-messages hts-messages--alert  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Importante!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\tO Ubuntu 22.04 LTS instala o PostgreSQL 14 por padr\u00e3o. Execute o comando abaixo para confirmar sua vers\u00e3o e certificar-se do caminho correto nos arquivos de configura\u00e7\u00e3o:    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Valida a vers\u00e3o ativa para confer\u00eancia t\u00e9cnica do diret\u00f3rio<\/span>\r\n\r\n<span style=\"font-weight: 400;\">psql --version<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Por padr\u00e3o de seguran\u00e7a, o PostgreSQL escuta apenas no <\/span><span style=\"font-weight: 400;\">localhost<\/span><span style=\"font-weight: 400;\">. Vamos alterar isso para aceitar conex\u00f5es vindas da rede interna privada da Tier:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Abre o arquivo de configura\u00e7\u00e3o principal do PostgreSQL 14<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo nano \/etc\/postgresql\/14\/main\/postgresql.conf<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Encontre a linha <\/span><span style=\"font-weight: 400;\">#listen_addresses = &#8216;localhost&#8217;<\/span><span style=\"font-weight: 400;\"> e altere para permitir a escuta de todas as interfaces (o isolamento de portas e blocos j\u00e1 \u00e9 feito de forma invis\u00edvel pela ACL da nossa VPC):<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Ini, TOML<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">listen_addresses = '*'<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Agora, restrinja no n\u00edvel da aplica\u00e7\u00e3o quais hosts podem se autenticar. Edite o arquivo de autentica\u00e7\u00e3o para aceitar conex\u00f5es apenas da sub-rede p\u00fablica <\/span><span style=\"font-weight: 400;\">10.0.1.0\/24<\/span><span style=\"font-weight: 400;\"> (Tier Web):<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Abre il file di configurazione pg_hba.conf<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo nano \/etc\/postgresql\/14\/main\/pg_hba.conf<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Adicione a seguinte linha ao final do arquivo, liberando autentica\u00e7\u00e3o criptografada (<\/span><span style=\"font-weight: 400;\">scram-sha-256<\/span><span style=\"font-weight: 400;\">) somente para a sub-rede da aplica\u00e7\u00e3o:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Plaintext<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># TYPE\u00a0 DATABASE\u00a0 \u00a0 \u00a0 \u00a0 USER\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ADDRESS \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 METHOD<\/span>\r\n\r\n<span style=\"font-weight: 400;\">host\u00a0 \u00a0 all \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 all \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 10.0.1.0\/24 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 scram-sha-256<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Acesse o prompt para criar o usu\u00e1rio e o banco de dados dedicados \u00e0 aplica\u00e7\u00e3o. Substitua as credenciais fict\u00edcias por valores pr\u00f3prios e fortes:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Acessa o prompt administrativo do psql<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo -u postgres psql<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">SQL<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">-- Cria o banco de dados da aplica\u00e7\u00e3o<\/span>\r\n\r\n<span style=\"font-weight: 400;\">CREATE DATABASE app_db;<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">-- Cria o usu\u00e1rio com credenciais fortes e criptografadas<\/span>\r\n\r\n<span style=\"font-weight: 400;\">CREATE USER spring_user WITH ENCRYPTED PASSWORD 'TROQUE_POR_UMA_SENHA_FORTE';<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">-- Concede os privil\u00e9gios necess\u00e1rios para a manipula\u00e7\u00e3o das tabelas<\/span>\r\n\r\n<span style=\"font-weight: 400;\">GRANT ALL PRIVILEGES ON DATABASE app_db TO spring_user;<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">-- Encerra o prompt administrativo do psql<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\\q<\/span>\r\n\r\n\r\n<\/pre>\n<p><span style=\"font-weight: 400;\">Reinicie o servi\u00e7o para aplicar as configura\u00e7\u00f5es e valide o status:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Aplica as novas diretrizes do sistema do banco de dados<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl restart postgresql<\/span>\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Garanta que o servi\u00e7o est\u00e1 rodando perfeitamente (active\/running)<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl status postgresql<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Encerre a sess\u00e3o na VM de banco e retorne ao terminal da VM Web:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">exit<\/span><\/pre>\n<h3><b>Passo 3: Prepara\u00e7\u00e3o da VM Web (Spring Boot)<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">J\u00e1 conectado na <\/span><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><span style=\"font-weight: 400;\">, instale o Java Runtime Environment necess\u00e1rio para executar o arquivo <\/span><span style=\"font-weight: 400;\">app.jar<\/span><span style=\"font-weight: 400;\">. O Spring Boot 3.x exige Java 17 ou superior:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Sincroniza a lista de pacotes e instala o OpenJDK 17 headless<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt update<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt install openjdk-17-jre-headless -y<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Confirme o sucesso do provisionamento:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Exibe a vers\u00e3o ativa do Java no ambiente de execu\u00e7\u00e3o<\/span>\r\n\r\n<span style=\"font-weight: 400;\">java -version<\/span><\/pre>\n<p>&nbsp;<\/p>\n<h2><b>4. Banco de Dados: String de Conex\u00e3o da Aplica\u00e7\u00e3o<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Ao empacotar sua aplica\u00e7\u00e3o Spring Boot, o seu arquivo <\/span><span style=\"font-weight: 400;\">application.properties<\/span><span style=\"font-weight: 400;\"> (ou <\/span><span style=\"font-weight: 400;\">application.yml<\/span><span style=\"font-weight: 400;\">) deve apontar obrigatoriamente para o IP privado da sub-rede do banco de dados. A comunica\u00e7\u00e3o acontece inteiramente dentro do backbone de alta performance da nossa nuvem.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Properties<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Conex\u00e3o isolada via rede interna da VPC (Tier Web -&gt; Tier DB)<\/span>\r\n\r\n<span style=\"font-weight: 400;\"># Substitua 10.0.2.5 pelo IP privato real da sua VM-Postgres<\/span>\r\n\r\n<span style=\"font-weight: 400;\">spring.datasource.url=jdbc:postgresql:\/\/10.0.2.5:5432\/app_db<\/span>\r\n\r\n<span style=\"font-weight: 400;\">spring.datasource.username=spring_user<\/span>\r\n\r\n<span style=\"font-weight: 400;\">spring.datasource.password=TROQUE_POR_UMA_SENHA_FORTE<\/span>\r\n\r\n<span style=\"font-weight: 400;\">spring.datasource.driver-class-name=org.postgresql.Driver<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Estrat\u00e9gia de gera\u00e7\u00e3o de schema do Hibernate<\/span>\r\n\r\n<span style=\"font-weight: 400;\">spring.jpa.hibernate.ddl-auto=update<\/span>\r\n\r\n<span style=\"font-weight: 400;\">spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Porta de exposi\u00e7\u00e3o da aplica\u00e7\u00e3o no ecossistema<\/span>\r\n\r\n<span style=\"font-weight: 400;\">server.port=8080<\/span><\/pre>\n    \t\t<div class=\"hts-messages hts-messages--alert  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Importante!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\t<span style=\"font-weight: 400;\">Como boa pr\u00e1tica de governan\u00e7a e prote\u00e7\u00e3o de dados em produ\u00e7\u00e3o, evite versionar senhas e chaves direto no c\u00f3digo do arquivo <\/span><span style=\"font-weight: 400;\">application.properties<\/span><span style=\"font-weight: 400;\">. Prefira injet\u00e1-las de forma segura via vari\u00e1veis de ambiente (ex: <\/span><span style=\"font-weight: 400;\">SPRING_DATASOURCE_PASSWORD<\/span><span style=\"font-weight: 400;\">) lidas na inicializa\u00e7\u00e3o.<\/span>    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<h2><b>5. Deploy da Aplica\u00e7\u00e3o (Dois M\u00e9todos)<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">A seguir, apresentamos dois caminhos para colocar seu projeto rodando. O primeiro foca em um modelo manual via gerenciamento de servi\u00e7os do sistema operacional, ideal para valida\u00e7\u00f5es r\u00e1pidas. O segundo adota automa\u00e7\u00f5es via Docker e GitHub Actions, garantindo agilidade no seu time-to-market.<\/span><\/p>\n<h3><b>M\u00e9todo 1: Deploy manual com systemd<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Transfira o arquivo <\/span><span style=\"font-weight: 400;\">app.jar<\/span><span style=\"font-weight: 400;\"> compilado localmente para a sua VM Web. Como apenas a camada Web possui IP p\u00fablico, o comando o alcan\u00e7a de forma direta:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Transfere o artefato para o diret\u00f3rio home do usu\u00e1rio ubuntu<\/span>\r\n\r\n<span style=\"font-weight: 400;\">scp -i sua_chave.key app.jar ubuntu@&lt;IP_PUBLICO_LOCAWEB&gt;:\/home\/ubuntu\/app.jar<\/span><\/pre>\n    \t\t<div class=\"hts-messages hts-messages--alert  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Importante!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\t<span style=\"font-weight: 400;\">Executar o comando <\/span><span style=\"font-weight: 400;\">java -jar app.jar<\/span><span style=\"font-weight: 400;\"> direto no terminal causa a interrup\u00e7\u00e3o da aplica\u00e7\u00e3o assim que a sess\u00e3o SSH for encerrada. Para garantir autonomia, alta disponibilidade e auto-restart em caso de falhas, configure a aplica\u00e7\u00e3o como um servi\u00e7o do sistema gerenciado pelo <\/span><span style=\"font-weight: 400;\">systemd<\/span><span style=\"font-weight: 400;\">.<\/span>    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<p><span style=\"font-weight: 400;\">Crie o arquivo de defini\u00e7\u00e3o da unidade:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Cria o arquivo de servi\u00e7o para gerenciar a aplica\u00e7\u00e3o em segundo plano<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo nano \/etc\/systemd\/system\/springboot.service<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Cole a estrutura abaixo, validando os caminhos dos execut\u00e1veis:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Ini, TOML<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">[Unit]<\/span>\r\n\r\n<span style=\"font-weight: 400;\">Description=Aplicacao Spring Boot Locaweb Cloud<\/span>\r\n\r\n<span style=\"font-weight: 400;\">After=network.target<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">[Service]<\/span>\r\n\r\n<span style=\"font-weight: 400;\">User=ubuntu<\/span>\r\n\r\n<span style=\"font-weight: 400;\">WorkingDirectory=\/home\/ubuntu<\/span>\r\n\r\n<span style=\"font-weight: 400;\">ExecStart=\/usr\/bin\/java -jar \/home\/ubuntu\/app.jar<\/span>\r\n\r\n<span style=\"font-weight: 400;\">SuccessExitStatus=143<\/span>\r\n\r\n<span style=\"font-weight: 400;\">Restart=always<\/span>\r\n\r\n<span style=\"font-weight: 400;\">RestartSec=10<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">[Install]<\/span>\r\n\r\n<span style=\"font-weight: 400;\">WantedBy=multi-user.target<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Atualize o daemon, habilite e inicialize a aplica\u00e7\u00e3o:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Atualiza os registros do systemd para reconhecer o novo servi\u00e7o<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl daemon-reload<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Habilita a inicializa\u00e7\u00e3o autom\u00e1tica no boot da VM e starta o app<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl enable --now springboot<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Valida se a sua API est\u00e1 rodando sem erros (active\/running)<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl status springboot<\/span>\r\n\r\n\r\n<\/pre>\n<p><span style=\"font-weight: 400;\">Sempre que precisar atualizar o seu sistema manualmente, basta enviar o novo <\/span><span style=\"font-weight: 400;\">app.jar<\/span><span style=\"font-weight: 400;\"> via SCP e reiniciar o servi\u00e7o de forma limpa:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Reinicia o servi\u00e7o aplicando as atualiza\u00e7\u00f5es do bin\u00e1rio jar<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl restart springboot<\/span><\/pre>\n<p>&nbsp;<\/p>\n<h3><b>M\u00e9todo 2: Deploy moderno com Docker e GitHub Actions<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Este m\u00e9todo automatiza o pipeline de ponta a ponta: empacota a aplica\u00e7\u00e3o em um cont\u00eainer isolado e realiza a entrega a cada push na sua branch principal, encurtando o seu time-to-market atrav\u00e9s do modelo self-service.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Instale a Engine do Docker na <\/span><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><span style=\"font-weight: 400;\"> atrav\u00e9s do reposit\u00f3rio oficial do fabricante, garantindo o rastreio e fixa\u00e7\u00e3o correta de vers\u00f5es est\u00e1veis:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Adiciona depend\u00eancias de seguran\u00e7a e chaves de reposit\u00f3rio GPG oficiais<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt-get update<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt-get install -y ca-certificates curl gnupg<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">sudo install -m 0755 -d \/etc\/apt\/keyrings<\/span>\r\n\r\n<span style=\"font-weight: 400;\">curl -fsSL https:\/\/download.docker.com\/linux\/ubuntu\/gpg | sudo gpg --dearmor -o \/etc\/apt\/keyrings\/docker.gpg<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo chmod a+r \/etc\/apt\/keyrings\/docker.gpg<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Registra a fonte oficial do Docker na lista do apt corporativo<\/span>\r\n\r\n<span style=\"font-weight: 400;\">echo \\<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\"deb [arch=$(dpkg --print-architecture) signed-by=\/etc\/apt\/keyrings\/docker.gpg] https:\/\/download.docker.com\/linux\/ubuntu \\<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0$(. \/etc\/os-release &amp;&amp; echo \"$VERSION_CODENAME\") stable\" | \\<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0sudo tee \/etc\/apt\/sources.list.d\/docker.list &gt; \/dev\/null<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Realiza a instala\u00e7\u00e3o limpa da Engine, CLI e componentes do Docker Compose<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt-get update<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Inicializa o servi\u00e7o e adiciona seu usu\u00e1rio ao grupo para eliminar o uso de sudo<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl enable --now docker<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo usermod -aG docker $USER<\/span><\/pre>\n<p>&nbsp;<\/p>\n    \t\t<div class=\"hts-messages hts-messages--alert  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Importante!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\t<span style=\"font-weight: 400;\">Ap\u00f3s rodar o comando <\/span><span style=\"font-weight: 400;\">usermod<\/span><span style=\"font-weight: 400;\">, encerre sua sess\u00e3o SSH (<\/span><span style=\"font-weight: 400;\">exit<\/span><span style=\"font-weight: 400;\">) e reconecte-se \u00e0 VM Web para atualizar as permiss\u00f5es do grupo docker no seu terminal.<\/span>    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<p><span style=\"font-weight: 400;\">Crie um arquivo chamado <\/span><span style=\"font-weight: 400;\">Dockerfile<\/span><span style=\"font-weight: 400;\"> na raiz do seu projeto Java:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Dockerfile<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Imagem base enxuta Alpine com Java 17 runtime<\/span>\r\n\r\n<span style=\"font-weight: 400;\">FROM eclipse-temurin:17-jre-alpine<\/span>\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">WORKDIR \/app<\/span>\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Copia o artefato compilado para o escopo do cont\u00eainer<\/span>\r\n\r\n<span style=\"font-weight: 400;\">COPY target\/app.jar app.jar<\/span>\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">EXPOSE 8080<\/span>\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">ENTRYPOINT [\"java\", \"-jar\", \"app.jar\"]<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">No seu reposit\u00f3rio Git do GitHub, monte a estrutura do workflow automatizado criando o arquivo <\/span><span style=\"font-weight: 400;\">.github\/workflows\/deploy.yml<\/span><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">YAML<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">name: Deploy Spring Boot na Locaweb Cloud<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">on:<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0push:<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0branches: [ main ]<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">jobs:<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0deploy:<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0runs-on: ubuntu-latest<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0steps:<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0- name: Checkout do c\u00f3digo<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0uses: actions\/checkout@v4<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0- name: Configurar JDK 17<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0uses: actions\/setup-java@v4<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0with:<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0distribution: temurin<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0java-version: '17'<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0- name: Compilar a aplica\u00e7\u00e3o com Maven<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0run: mvn -B clean package -DskipTests<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0- name: Deploy via SSH na VM Web<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0uses: appleboy\/ssh-action@v1.0.3<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0with:<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0host: ${{ secrets.SSH_HOST }}<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0username: ${{ secrets.SSH_USER }}<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0key: ${{ secrets.SSH_KEY }}<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0script: |<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0cd \/home\/ubuntu\/app<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0git pull origin main<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0docker build -t spring-app .<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0docker stop spring-app || true<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0docker rm spring-app || true<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0docker run -d --name spring-app --restart always -p 8080:8080 spring-app<\/span><\/pre>\n    \t\t<div class=\"hts-messages hts-messages--alert  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Importante!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\t<span style=\"font-weight: 400;\">Lembre-se de acessar as configura\u00e7\u00f5es do seu reposit\u00f3rio no GitHub (<\/span><i><span style=\"font-weight: 400;\">Settings &gt; Secrets and variables &gt; Actions<\/span><\/i><span style=\"font-weight: 400;\">) para registrar as vari\u00e1veis secretas obrigat\u00f3rias do deploy:<\/span>    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SSH_HOST<\/span><span style=\"font-weight: 400;\">: O IP p\u00fablico da sua VPC no painel Locaweb.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SSH_USER<\/span><span style=\"font-weight: 400;\">: O usu\u00e1rio padr\u00e3o do sistema operacional (ex: <\/span><span style=\"font-weight: 400;\">ubuntu<\/span><span style=\"font-weight: 400;\">).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SSH_KEY<\/span><span style=\"font-weight: 400;\">: O conte\u00fado textual completo da sua chave privada SSH.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">A partir de agora, cada push na sua branch <\/span><span style=\"font-weight: 400;\">main<\/span><span style=\"font-weight: 400;\"> dispara de forma automatizada o build e a atualiza\u00e7\u00e3o do cont\u00eainer na nuvem, mantendo sua infraestrutura moderna e \u00e1gil.<\/span><\/p>\n<h2><b>6. HTTPS com Let&#8217;s Encrypt (Recomendado para Produ\u00e7\u00e3o)<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Expor a API diretamente atrav\u00e9s de conex\u00f5es HTTP transmite dados textuais sens\u00edveis sem prote\u00e7\u00e3o. Vamos plugar o Nginx operando como proxy reverso na frente do Spring Boot para gerenciar os certificados TLS de forma simples.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Instale o Nginx e o cliente Certbot:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Instala o servidor web e o gerador autom\u00e1tico do Let's Encrypt<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt update<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo apt install -y nginx certbot python3-certbot-nginx<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Configure o bloco do servidor para realizar o roteamento interno:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Cria o arquivo de configura\u00e7\u00e3o para o roteamento do seu dom\u00ednio<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo nano \/etc\/nginx\/sites-available\/springboot.conf<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Nginx<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">server {<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0listen 80;<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0server_name seu-dominio.com.br;<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0location \/ {<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Encaminha as requisi\u00e7\u00f5es de rede para a porta local da aplica\u00e7\u00e3o<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0proxy_pass http:\/\/127.0.0.1:8080;<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0proxy_set_header Host $host;<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0proxy_set_header X-Real-IP $remote_addr;<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0proxy_set_header X-Forwarded-Proto $scheme;<\/span>\r\n\r\n<span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0}<\/span>\r\n\r\n<span style=\"font-weight: 400;\">}<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Ative a configura\u00e7\u00e3o no painel do Nginx, valide a sintaxe do arquivo e recarregue o servi\u00e7o:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Cria o link simb\u00f3lico para ativar o site no Nginx<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo ln -s \/etc\/nginx\/sites-available\/springboot.conf \/etc\/nginx\/sites-enabled\/<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Valida se a sintaxe estrutural do arquivo possui alguma inconformidade t\u00e9cnica<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo nginx -t<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Recarrega o servi\u00e7o para aplicar a nova rota ativa<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl reload nginx<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">Dispare o comando do Certbot. O assistente automatizado emitir\u00e1 o certificado digital SSL e reconfigurar\u00e1 o Nginx para for\u00e7ar o redirecionamento seguro para HTTPS:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Executa a valida\u00e7\u00e3o e gera o certificado digital SSL para a sua URL<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo certbot --nginx -d seu-dominio.com.br<\/span><\/pre>\n<h2><b>7. Valida\u00e7\u00e3o<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">A etapa de valida\u00e7\u00e3o atesta a integridade e o sucesso da topologia IaaS implementada no ecossistema.<\/span><\/p>\n<h3><b>1. Teste interno na VM Web<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Conectado via SSH na <\/span><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><span style=\"font-weight: 400;\">, realize uma chamada local para o endpoint de sa\u00fade da sua aplica\u00e7\u00e3o e verifique se o servi\u00e7o est\u00e1 escutando a porta corretamente:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Verifica se o servi\u00e7o systemd est\u00e1 em execu\u00e7\u00e3o normal<\/span>\r\n\r\n<span style=\"font-weight: 400;\">sudo systemctl status springboot<\/span>\r\n\r\n\r\n\r\n\r\n<span style=\"font-weight: 400;\"># Faz a requisi\u00e7\u00e3o local de teste<\/span>\r\n\r\n<span style=\"font-weight: 400;\">curl -I http:\/\/localhost:8080\/api\/health<\/span><\/pre>\n<p>&nbsp;<\/p>\n<p><i><span style=\"font-weight: 400;\">Resultado esperado:<\/span><\/i><span style=\"font-weight: 400;\"> Status <\/span><span style=\"font-weight: 400;\">HTTP\/1.1 200 OK<\/span><span style=\"font-weight: 400;\">, indicando que a stack Java subiu e responde localmente.<\/span><\/p>\n<h3><b>2. Teste externo da aplica\u00e7\u00e3o (M\u00e1quina de Trabalho)<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A partir do terminal do seu computador local, envie uma chamada HTTP apontando para o IP p\u00fablico associado \u00e0 sua VPC:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Requisi\u00e7\u00e3o externa para validar o Port Forwarding do painel<\/span>\r\n\r\n<span style=\"font-weight: 400;\">curl -I http:\/\/&lt;IP_PUBLICO_LOCAWEB&gt;:8080\/api\/health<\/span><\/pre>\n<p><i><span style=\"font-weight: 400;\">Resultado esperado:<\/span><\/i><span style=\"font-weight: 400;\"> Retorno <\/span><span style=\"font-weight: 400;\">HTTP\/1.1 200 OK<\/span><span style=\"font-weight: 400;\">. A aplica\u00e7\u00e3o respondeu externamente, provando que a VM Web processou o pacote e realizou a conex\u00e3o interna em tempo real com a VM de banco de dados para buscar as tabelas. (Caso j\u00e1 tenha rodado o passo anterior do Nginx, teste apontando para a sua URL segura: <\/span><span style=\"font-weight: 400;\">curl -I https:\/\/seu-dominio.com.br\/api\/health<\/span><span style=\"font-weight: 400;\">).<\/span><\/p>\n<h3><b>3. Teste de isolamento do banco de dados (A\u00e7\u00e3o Cr\u00edtica)<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Este \u00e9 o teste definitivo que valida o compliance e a prote\u00e7\u00e3o da sua arquitetura de rede. A partir do seu computador local, tente for\u00e7ar uma conex\u00e3o direta ao PostgreSQL usando o IP p\u00fablico da nuvem:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\"># Tentativa intencional de burlar o isolamento pela internet p\u00fablica<\/span>\r\n\r\n<span style=\"font-weight: 400;\">psql -h &lt;IP_PUBLICO_LOCAWEB&gt; -U spring_user -d app_db -p 5432<\/span><\/pre>\n<p><i><span style=\"font-weight: 400;\">Resultado esperado:<\/span><\/i><span style=\"font-weight: 400;\"> Mensagem de erro de <\/span><span style=\"font-weight: 400;\">Connection timed out<\/span><span style=\"font-weight: 400;\"> ou <\/span><span style=\"font-weight: 400;\">Connection refused<\/span><span style=\"font-weight: 400;\">. Como n\u00e3o h\u00e1 regras de Port Forwarding mapeando a porta 5432 externa e a ACL da nossa sub-rede privada rejeita pacotes fora do bloco <\/span><span style=\"font-weight: 400;\">10.0.1.0\/24<\/span><span style=\"font-weight: 400;\">, o Roteador Virtual barra o tr\u00e1fego imediatamente.<\/span><\/p>\n    \t\t<div class=\"hts-messages hts-messages--danger  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Aviso!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\t<span style=\"font-weight: 400;\">Caso este comando consiga estabelecer conex\u00e3o e exibir o prompt do banco, sua arquitetura est\u00e1 vulner\u00e1vel. Acesse o painel da Central do Cliente imediatamente e revise suas tabelas de Port Forwarding e regras da <\/span><span style=\"font-weight: 400;\">ACL-Tier-DB<\/span><span style=\"font-weight: 400;\">.<\/span>    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<h2><b>8. Solu\u00e7\u00e3o de problemas (Troubleshooting)<\/b><b><\/b><\/h2>\n<ul>\n<li aria-level=\"1\">Permiss\u00e3o SSH negada no terminal (Permission denied (publickey))<\/li>\n<\/ul>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Sintoma:<\/b><span style=\"font-weight: 400;\"> Ao tentar disparar o comando de acesso, o console recusa o par\u00e2metro e exibe a mensagem de chave inv\u00e1lida.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Causa:<\/b><span style=\"font-weight: 400;\"> A sua chave privada <\/span><span style=\"font-weight: 400;\">.key<\/span><span style=\"font-weight: 400;\"> ou <\/span><span style=\"font-weight: 400;\">.pem<\/span><span style=\"font-weight: 400;\"> est\u00e1 com permiss\u00f5es de leitura abertas demais no sistema de arquivos local, fazendo com que o cliente SSH recuse a credencial por seguran\u00e7a.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Solu\u00e7\u00e3o:<\/b><span style=\"font-weight: 400;\"> Ajuste os privil\u00e9gios do arquivo local restringindo o acesso apenas ao seu usu\u00e1rio administrador da m\u00e1quina e repita a conex\u00e3o:<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Bash<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">chmod 400 sua_chave.key<\/span>\r\n\r\n<span style=\"font-weight: 400;\">ssh -i sua_chave.key ubuntu@&lt;IP_PUBLICO_LOCAWEB&gt;<\/span><b><\/b><\/pre>\n<h3><b>Aplica\u00e7\u00e3o inacess\u00edvel externamente (<\/b><b>Connection timed out<\/b><b>)<\/b><\/h3>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Sintoma:<\/b><span style=\"font-weight: 400;\"> O comando <\/span><span style=\"font-weight: 400;\">curl<\/span><span style=\"font-weight: 400;\"> externo na porta 8080 retorna estouro de tempo de resposta, mas o teste interno local dentro do servidor responde com sucesso.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Causa:<\/b><span style=\"font-weight: 400;\"> H\u00e1 uma quebra de consist\u00eancia ou aus\u00eancia de regras na infraestrutura: falta configurar o Port Forwarding, liberar a porta no Firewall do IP p\u00fablico ou cadastrar a entrada correspondente na lista da <\/span><span style=\"font-weight: 400;\">ACL-Tier-Web<\/span><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Solu\u00e7\u00e3o:<\/b><span style=\"font-weight: 400;\"> Acesse o painel de controle do Locaweb Cloud e certifique-se de que as tr\u00eas camadas possuem correspond\u00eancia exata: a aba <\/span><i><span style=\"font-weight: 400;\">Port Forwarding<\/span><\/i><span style=\"font-weight: 400;\"> deve mapear a porta <\/span><span style=\"font-weight: 400;\">8080<\/span><span style=\"font-weight: 400;\">, a aba <\/span><i><span style=\"font-weight: 400;\">Firewall<\/span><\/i><span style=\"font-weight: 400;\"> deve conter a libera\u00e7\u00e3o de tr\u00e1fego de entrada e a regra da sua Network ACL deve permitir pacotes TCP na porta <\/span><span style=\"font-weight: 400;\">8080<\/span><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><b>Aplica\u00e7\u00e3o falha ao conectar ao banco (<\/b><b>Connection refused<\/b><b> na porta 5432)<\/b><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Sintoma:<\/b><span style=\"font-weight: 400;\"> Os logs do Spring Boot (<\/span><span style=\"font-weight: 400;\">sudo journalctl -u springboot -f<\/span><span style=\"font-weight: 400;\">) indicam falhas de conex\u00e3o de banco de dados (<\/span><span style=\"font-weight: 400;\">Connection refused<\/span><span style=\"font-weight: 400;\">).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Causa:<\/b><span style=\"font-weight: 400;\"> O PostgreSQL na VM privada est\u00e1 escutando apenas localmente, as regras do arquivo <\/span><span style=\"font-weight: 400;\">pg_hba.conf<\/span><span style=\"font-weight: 400;\"> n\u00e3o liberam o IP da sub-rede p\u00fablica ou a regra de entrada da <\/span><span style=\"font-weight: 400;\">ACL-Tier-DB<\/span><span style=\"font-weight: 400;\"> est\u00e1 bloqueando a porta 5432.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Solu\u00e7\u00e3o:<\/b><span style=\"font-weight: 400;\"> Na <\/span><span style=\"font-weight: 400;\">VM-Postgres<\/span><span style=\"font-weight: 400;\">, valide se a linha <\/span><span style=\"font-weight: 400;\">listen_addresses = &#8216;*&#8217;<\/span><span style=\"font-weight: 400;\"> est\u00e1 ativa no arquivo <\/span><span style=\"font-weight: 400;\">postgresql.conf<\/span><span style=\"font-weight: 400;\"> e se a linha <\/span><span style=\"font-weight: 400;\">host all all 10.0.1.0\/24 scram-sha-256<\/span><span style=\"font-weight: 400;\"> foi adicionada ao arquivo <\/span><span style=\"font-weight: 400;\">pg_hba.conf<\/span><span style=\"font-weight: 400;\">. Reinicie o servi\u00e7o (<\/span><span style=\"font-weight: 400;\">sudo systemctl restart postgresql<\/span><span style=\"font-weight: 400;\">). No painel da nuvem, confirme se a lista <\/span><span style=\"font-weight: 400;\">ACL-Tier-DB<\/span><span style=\"font-weight: 400;\"> possui a regra de entrada TCP habilitada para a porta 5432 vinda da origem <\/span><span style=\"font-weight: 400;\">10.0.1.0\/24<\/span><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n    \t\t<div class=\"hts-messages hts-messages--success  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Pronto!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\tSua infraestrutura est\u00e1 consolidada e sua aplica\u00e7\u00e3o Spring Boot est\u00e1 no ar de forma est\u00e1vel, centralizada e segura para suportar a escala do seu faturamento.    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n    \t\t<div class=\"hts-messages hts-messages--info  hts-messages--withtitle hts-messages--withicon \"   >\r\n    \t\t\t<span class=\"hts-messages__title\">Dica!<\/span>    \t\t\t    \t\t\t\t<p>\r\n    \t\t\t\t\tPara continuar expandindo a maturidade e a efici\u00eancia da sua topologia de IaaS, recomendamos as seguintes a\u00e7\u00f5es:    \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div><!-- \/.ht-shortcodes-messages -->\r\n    \t\t\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Snapshots Recorrentes:<\/b><span style=\"font-weight: 400;\"> Ative a rotina de Snapshots automatizados no volume de disco da sua <\/span><span style=\"font-weight: 400;\">VM-Postgres<\/span><span style=\"font-weight: 400;\"> para garantir pontos de restaura\u00e7\u00e3o r\u00e1pidos e c\u00f3pias de seguran\u00e7a sem esfor\u00e7o (<\/span><i><span style=\"font-weight: 400;\">Armazenamento &gt; Discos &gt; Snapshots Recorrentes<\/span><\/i><span style=\"font-weight: 400;\">).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Balanceador de Carga:<\/b><span style=\"font-weight: 400;\"> Conforme sua aplica\u00e7\u00e3o crescer em volume de acessos, provisione novas m\u00e1quinas virtuais id\u00eanticas \u00e0 <\/span><span style=\"font-weight: 400;\">VM-SpringBoot<\/span><span style=\"font-weight: 400;\"> na sub-rede p\u00fablica e conecte-as ao <\/span><i><span style=\"font-weight: 400;\">Load Balancer<\/span><\/i><span style=\"font-weight: 400;\"> do Roteador Virtual para distribuir as requisi\u00e7\u00f5es sem gargalos.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Monitoramento Ativo:<\/b><span style=\"font-weight: 400;\"> Configure as m\u00e9tricas de telemetria no painel da sua conta para acompanhar o uso de mem\u00f3ria RAM, CPU e throughput de rede das inst\u00e2ncias, antecipando gargalos antes que eles impactem seus usu\u00e1rios.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">[Conhe\u00e7a!]<\/span><span style=\"font-weight: 400;\"> Quer automatizar disparos de confirma\u00e7\u00e3o de cadastro, relat\u00f3rios de uploads ou faturas transacionais diretamente do seu app Django? Conhe\u00e7a o <\/span><a href=\"https:\/\/www.locaweb.com.br\/smtp-locaweb\/\"><b>SMTP Locaweb<\/b><\/a><span style=\"font-weight: 400;\">, nossa plataforma de alta reputa\u00e7\u00e3o e entregabilidade de mensagens desenvolvida para fazer o seu sistema se comunicar com velocidade e seguran\u00e7a!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Arquiteturas escal\u00e1veis exigem o isolamento de componentes. No Locaweb Cloud (IaaS via Apache CloudStack), voc\u00ea det\u00e9m o poder de orquestra\u00e7\u00e3o de rede e sistema operacional, sem automa\u00e7\u00f5es de PaaS que alterem configura\u00e7\u00f5es sem consentimento. Voc\u00ea aprender\u00e1 a proteger o banco de dados criando uma VPC com duas sub-redes (Tiers): uma&#8230;<\/p>\n","protected":false},"author":29,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[666],"ht-kb-tag":[],"class_list":["post-38816","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-locaweb-cloud"],"_links":{"self":[{"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/ht-kb\/38816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/comments?post=38816"}],"version-history":[{"count":1,"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/ht-kb\/38816\/revisions"}],"predecessor-version":[{"id":38817,"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/ht-kb\/38816\/revisions\/38817"}],"wp:attachment":[{"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/media?parent=38816"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/ht-kb-category?post=38816"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/www.locaweb.com.br\/ajuda\/wp-json\/wp\/v2\/ht-kb-tag?post=38816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}