The Twelve-Factor App
Twelve principles for portable, declaratively-configured services that thrive across modern hosting environments.
Hosting Modern Systems
Where your software runs decides who pages you at 3 AM.
A running collection of writing, courses, and tutorials on hosting modern systems: cloud providers, PaaS, managed data services, containers, orchestration, networking, and the rest of the substrate. Less about which provider, more about the trade-offs you're committing to.
This index covers where your systems run. For what to build them with, see System Architecture. For keeping them healthy in production, see Production Operations.
Best Practices, Courses & Discussions
Cross-cutting writings on hosting trade-offs that aren't tied to one tool.
AWS Well-Architected Framework
Six pillars (ops, security, reliability, performance, cost, sustainability) for evaluating any cloud workload.
CNCF Landscape
Interactive map of cloud-native projects categorized by layer, maturity, and license.
Kubernetes The Hard Way
Bootstrap a Kubernetes cluster manually, lab by lab, to learn what the abstractions hide.
The Datacenter as a Computer (3rd ed.)
Open-access book treating warehouse-scale machines as the unit of design for modern cloud computing.
Last Week in AWS
Weekly newsletter filtering AWS announcements through cost-economist snark and practitioner skepticism.
Google SRE Books (free online)
Three free books on running planet-scale systems: SRE, the Workbook, and Building Secure & Reliable Systems.
Best practices for building containers
Signal handling, layer caching, tagging, and image hygiene rules from Google's container team.
Why we're leaving the cloud
37signals' founder argues cloud economics break down for stable, mid-sized workloads worth owning.
Hetzner Server Comparison (with benchmarks)
Benchmarked value comparison across Hetzner's Intel, AMD, and Ampere fleets with price-per-score tables.
Choose Boring Technology
Spend your limited innovation tokens carefully; default to well-understood infrastructure for everything else.
The Fly.io Blog
Engineering writeups on global app runtimes, anycast, Postgres replication, and edge compute trade-offs.
Tools by Category
Peer tools grouped by what problem they solve. The intro before each list articulates the decision space; the list is what you actually choose between.
Cloud providers
The choice is rarely "which cloud." It's how locked-in you can stomach. AWS has the deepest service catalog and the most painful exit cost. GCP and Azure offer competitive primitives with different pain points. The second tier (DigitalOcean, Hetzner, Vultr) wins when you're trading service depth for simpler billing and lower margins. Each major provider has its own managed data services in the section below.
- Amazon Web Services (AWS) The dominant cloud. Deepest service catalog and the most painful exit cost.
- Google Cloud Platform (GCP) Google's cloud. Strongest on Kubernetes (GKE), BigQuery, and global networking.
- Microsoft Azure Microsoft's cloud. Best identity story and the deepest enterprise relationships.
- DigitalOcean Predictable pricing, simple ops, generous free egress on managed offerings.
- Hetzner Cloud German provider with the cheapest serious-grade compute money can buy.
- Vultr Wide region coverage, competitive on bare-metal and high-CPU instances.
- Oracle Cloud Generous always-free tier. Deepest discount you'll find on dedicated workloads.
Getting started with AWS
Official onboarding hub with decision guides, cloud essentials, and first-build tutorials across AWS services.
Google Cloud documentation
Central hub for GCP product docs, quickstarts, architecture references, and code samples.
Azure documentation
Microsoft's full Azure docs hub: getting-started paths, product catalog, SDKs, and architecture guidance.
DigitalOcean documentation
Product docs for Droplets, App Platform, Managed Databases, Kubernetes, and developer tooling.
Hetzner Cloud documentation
Hetzner's cloud product docs covering servers, networks, volumes, firewalls, billing, and API.
Hetzner Server Comparison
Independent benchmarks across Hetzner's CPX, CCX, and CAX fleets with cost-per-score recommendations.
Vultr Docs
Quickstarts, guides, and references for Vultr Compute, Managed Database, Kubernetes, and Object Storage.
Get started with Oracle Cloud Infrastructure
Welcome path: learn OCI basics, create your first instances, and explore role-specific guides.
App hosting / PaaS
Hosting where you don't think about hosting. Fly, Railway, Render, Vercel each let you push code and get a URL. The differences are data tier, regional control, and how much they abstract. Pick by whether you want to think about regions, networking, and persistence, or specifically not think about them.
- Fly.io Edge-native PaaS that keeps multi-region in mind. Best-in-class data tier.
- Railway Push code, get a URL. Honest pricing per service-hour with a nice DX.
- Render Managed-but-flexible Heroku replacement; first-class background workers and cron.
- Vercel Next.js production company. Best edge story for frontend frameworks.
- Netlify Long-running Jamstack PaaS; still strong for static sites plus functions.
- Heroku The original PaaS. Pricing's higher; the ergonomics are still battle-tested.
- Cloudflare Pages Generous free tier; pairs naturally with Cloudflare Workers.
Fly.io documentation
Install flyctl, fly launch, then learn Machines, Volumes, networking, and language-specific deploy guides.
Railway documentation
Quick start, CLI, templates, and framework guides for deploying apps and databases on Railway.
Render documentation
Ship-your-first-app quickstarts plus configure and operate guides for services, databases, and Docker.
Vercel documentation
Framework deploys, Functions, Image Optimization, environments, and the broader AI-cloud platform.
Netlify documentation
Build, deploy, manage, and extend sites with Netlify's frameworks, Functions, and Edge Functions.
Heroku Dev Center
Language-organized guides for deploying apps, Postgres, pipelines, and the original Procfile / buildpack model.
Cloudflare Pages documentation
Deploy static and full-stack apps with Git integration, Pages Functions, and Cloudflare's global network.
Managed data services
Postgres-as-a-service is the new default for most teams. Neon, Supabase, Tiger Data, and Crunchy Bridge each take different trade-offs on branching, vector, time-series, and pricing. PlanetScale runs MySQL with serverless branching. Turso runs distributed SQLite. Decision is usually which workload you're optimizing for, plus how much you trust their backup story. The database itself is a System Architecture decision; this list is about who runs it for you.
- Neon Serverless Postgres with branching. The new default for ephemeral environments.
- Supabase Postgres plus auth, storage, realtime, and edge functions as one open-source stack.
- Tiger Data Time-series Postgres (formerly Timescale). The team behind hypertables.
- Crunchy Bridge Hosted Postgres from the Crunchy Data team. Deep Postgres expertise, conservative defaults.
- PlanetScale Serverless MySQL with branching. The Vitess-based reference offering.
- Turso Distributed SQLite. Edge databases that replicate close to users.
- Upstash Serverless Redis and Kafka with per-request pricing for in-memory workloads.
- Aiven Multi-database managed offering: Postgres, Kafka, Redis, OpenSearch, ClickHouse, more.
Neon documentation
Serverless Postgres with autoscaling, branching, and instant restore; framework quickstarts included.
Supabase documentation
Postgres-backed BaaS: Database, Auth, Storage, Realtime, Edge Functions, and per-framework quickstarts.
Tiger Data (TimescaleDB) documentation
Time-series Postgres: hypertables, continuous aggregates, columnstore compression, and Tiger Cloud.
Crunchy Bridge documentation
Fully managed Postgres with dashboard, cb CLI, and REST API for connections, networking, and logging.
PlanetScale documentation
Docs for PlanetScale's Vitess-based MySQL and PostgreSQL platforms, deployments, branching, and pricing.
Turso documentation
Embedded and cloud SQLite-compatible databases with vector search, sync, and AgentFS.
Upstash documentation
Serverless Redis, Vector, QStash, and Workflow with scale-to-zero, per-request pricing.
Aiven documentation
Managed open-source data services (Postgres, Kafka, ClickHouse, OpenSearch) across multiple clouds.
Containers & registries
The container is the unit of deployment everywhere except where it isn't. Docker still owns mindshare; Podman is the rootless alternative. The registry choice matters more than the build tool. That's where bandwidth, image scanning, and supply-chain attacks live.
- Docker Still owns the mindshare. The default for building and running containers.
- Podman Daemonless and rootless. Drop-in for most Docker workflows.
- Buildah Focused on building OCI images. Often used alongside Podman in non-Docker stacks.
- Docker Hub The original public registry. Rate-limited free tier; ubiquitous official images.
- GitHub Container Registry Free for public images, deep GitHub Actions integration, no rate limits for auth users.
- Amazon ECR Amazon's container registry. Tight IAM integration if you're AWS-native.
Get started with Docker
Essential learning path: install, build, run, and ship containers with the canonical Docker tooling.
Podman documentation
Daemonless, rootless container engine; install, run, manage, network, and checkpoint containers.
Buildah
Script OCI image builds without a daemon or Dockerfile. Install, tutorials, and release news.
Docker Hub documentation
Push, pull, and manage public/private images; webhooks, CI/CD integrations, and Trusted Content.
Working with the GitHub Container Registry
Authenticate, push, pull, tag, and label OCI images at ghcr.io tied to your GitHub repos.
Amazon Elastic Container Registry documentation
User guides and API references for ECR private and public registries, IAM, and CLI usage.
Orchestration & runtime
Kubernetes is right when scaling out makes operating it cheaper than not. That's later than most teams reach for it. Docker Compose on a VM is often enough. Nomad is a serious alternative if you want orchestration without the YAML universe. Cloud Run and ECS sit in between: orchestration without the operational tax. Coolify and Kamal are the new wave for teams that want a single command to deploy.
- Kubernetes The dominant container orchestrator. Complex but ubiquitous; managed offerings everywhere.
- HashiCorp Nomad Simpler orchestrator supporting more than containers. Pairs well with Consul and Vault.
- Docker Compose Multi-container apps on a single host. Often enough for small deployments.
- Amazon ECS Managed container orchestration on AWS. Simpler than EKS; AWS-locked.
- Google Cloud Run Run containers without thinking about clusters. Per-request billing, scale-to-zero.
- Coolify Self-hosted Heroku alternative. PaaS ergonomics on your own infrastructure.
- Kamal Basecamp's deployment tool. SSH plus Docker; no orchestrator required.
- Dokku Single-server PaaS. Heroku's buildpack experience on a Linux box.
Kubernetes Tutorials
Official tutorials: Kubernetes Basics, stateful apps, services, and ConfigMaps.
Kubernetes Production Best Practices
Checklist covering app health, scalability, observability, security, and resource governance.
Nomad Tutorials
Official learning path: install, run jobs, schedule services, batch jobs, and integrate Consul.
Docker Compose Overview
Get started defining multi-container apps with compose.yaml, networks, volumes, and profiles.
Awesome Compose
Official sample compose files: Django + Postgres, Flask + Redis, Nginx, and other common stacks.
What is Amazon ECS?
ECS developer guide covering capacity (EC2, Fargate, Anywhere), task definitions, services, and scaling.
Cloud Run documentation
Run request- and event-driven containers serverlessly with quickstarts, custom domains, and authentication.
Coolify documentation
Self-hosted PaaS for apps, databases, and services. Heroku/Netlify-style UX on your own servers.
Kamal installation guide
Install Kamal, run kamal init/setup, and deploy Dockerized apps to bare servers with zero downtime.
Dokku getting started
Install Dokku, configure SSH, and deploy your first app to a single-server open-source PaaS.
Ingress, proxies & routing
The proxy is where your traffic story lives: TLS, routing, rate limits, auth. Nginx and HAProxy are the battle-tested defaults. Caddy makes TLS automatic. Reach for Envoy when you're building a service mesh, Traefik when you're already in orchestrated containers.
- Nginx Battle-tested high-performance web server and reverse proxy.
- Traefik Modern proxy designed for container orchestrators; auto-discovers services.
- Caddy Web server with automatic TLS by default. Written in Go. Simplest config of the bunch.
- HAProxy High-performance TCP/HTTP proxy with deep tuning surface for serious load.
- Envoy Proxy designed for service meshes. Powers Istio, Consul Connect, Linkerd.
Nginx Beginner's Guide
Official intro: serving static content, reverse proxy, FastCGI, and load balancing basics.
Nginx Admin's Handbook
Operator guide covering configuration patterns, hardening, performance, and debugging.
Traefik Quick Start
Run Traefik with Docker, discover services automatically, and route HTTP traffic.
Caddy Getting Started
Run Caddy as a static file server, reverse proxy, and HTTPS terminator with automatic TLS.
Caddyfile Concepts
Caddyfile syntax, matchers, directives, and snippets for typical reverse-proxy setups.
HAProxy Starter Guide
Introduction to load balancing concepts, frontends, backends, and ACLs in HAProxy.
HAProxy Configuration Manual
Canonical reference for every config directive: timeouts, health checks, stick tables, SSL.
Envoy Getting Started
Run Envoy in Docker, configure listeners, clusters, and basic HTTP routing.
Envoy Sandboxes
Working Docker Compose examples for front proxy, gRPC bridge, JWT auth, and more.
Networking
Networking is the layer everyone forgets until it bites them. The big three are DNS (where your domain lives), CDN (where users hit before your origin), and private networking (how your services find each other without going through the internet). Tailscale changed the calculus on the last one: operating a private network is now as easy as adding users to a group.
- Cloudflare DNS, CDN, WAF, edge compute as one stack. The default for most teams.
- AWS Route 53 Amazon's DNS service. Strong health checks; tight Route53 ↔ ALB integration.
- AWS CloudFront AWS's CDN. Deepest integration with the rest of the AWS ecosystem.
- Fastly Programmable CDN. VCL gives you real control at the edge.
- Bunny.net Low-cost, high-quality CDN with simple pricing. The new wave.
- Tailscale Mesh VPN built on WireGuard. Operating a private network became trivial.
- Twingate Zero-trust network access. Closer to enterprise than Tailscale's developer-first feel.
- WireGuard Modern VPN protocol. Underlies Tailscale; run it raw if you want full control.
- ZeroTier Mesh networking with a different design point than Tailscale. Layer-2 virtual networks.
Cloudflare developer docs
Unified portal for DNS, CDN, WAF, Workers, R2, and Zero Trust products with code-first examples.
What is Amazon Route 53?
Domain registration, authoritative DNS routing, health checks, traffic flow, and VPC resolver.
What is Amazon CloudFront?
Distribute content from AWS edges with origins, distributions, caching, and SaaS multi-tenant modes.
Fastly documentation
CDN, security, and edge Compute reference covering VCL, configuration, and platform APIs.
Bunny.net Developer Hub
CDN, Stream, Storage, Optimizer, DNS, and Magic Containers quickstarts and reference docs.
Tailscale quickstart
Create a tailnet, install clients, add devices, and configure your first mesh in minutes.
How Tailscale works
Architecture writeup on WireGuard, the coordination server, NAT traversal, and DERP relay fallbacks.
Twingate documentation
Zero Trust access docs: connectors, resources, identity, policies, and replacing traditional VPNs.
WireGuard quick start
Generate keys, configure interfaces, traverse NAT, and bring up a minimal WireGuard tunnel.
ZeroTier: Create a Network
Sign up, create a network, install the client, authorize devices, and verify mesh connectivity.
Edge & functions
The functional argument for serverless was "don't manage servers." The actual argument that won was "don't manage cold starts." Edge pushes compute closer to users at the cost of less local state. Pick when latency-to-user matters more than compute density, or when you specifically want stateless scale-to-zero pricing.
- Cloudflare Workers Runs JavaScript and TypeScript on Cloudflare's edge. Sub-millisecond cold starts.
- Cloudflare Durable Objects Single-instance, stateful objects on Workers. The coordinator pattern at the edge.
- Vercel Functions Edge and serverless functions tied to Next.js apps. Hot path for the Vercel stack.
- AWS Lambda The original serverless platform. Deepest service-integration story in the AWS ecosystem.
- Fastly Compute WebAssembly at the edge. Higher cold-start floor than Workers; broader language support.
- Deno Deploy Edge platform built around the Deno runtime. TypeScript first-class.
Cloudflare Workers documentation
Serverless edge compute with Wrangler CLI, multi-language runtimes, and bindings to Cloudflare services.
Cloudflare Durable Objects
Stateful Workers combining compute with storage, WebSocket hibernation, and scheduled alarms.
Vercel Functions documentation
Run server-side code on Vercel with Fluid compute, autoscaling, and region-aware data locality.
What is AWS Lambda?
Lambda developer guide: triggers, runtimes, permissions, scaling, layers, SnapStart, and VPC integration.
Fastly Compute
Serverless WebAssembly edge runtime; supported languages, deploy tooling, and logging integrations.
Deno Deploy documentation
Serverless JS/TS platform with apps, KV, cron, environments, and the REST API reference.
Server OS
For 99% of teams, the OS is whatever the platform gives you. The real decision points are long-term support cycles (Ubuntu LTS, Debian stable, RHEL/Rocky), minimal surface area (Alpine, Wolfi for hardened images), and reproducibility (NixOS if you've drunk that kool-aid).
- Ubuntu Server The most common server OS. LTS releases every two years; sane defaults.
- Debian The stable foundation Ubuntu is built on. Slower-moving, very predictable.
- Alpine Linux Minimal distro built on musl libc. Tiny container images; smaller attack surface.
- RHEL / Rocky Linux Red Hat's enterprise distro and its community-driven rebuild. The compliance default.
- NixOS Declarative, reproducible OS. Steep learning curve; deep payoff once you're in.
- Wolfi Container-focused secure base images from Chainguard. Built for SBOM and CVE hygiene.
Ubuntu Server documentation
Install, configure, secure, and administer Ubuntu Server LTS, covering networking, virtualization, and HA.
Debian documentation
Installation guide, FAQ, release notes, admin handbook, and the broader Debian Documentation Project.
Alpine Linux Wiki
Install, configure, and develop with musl/BusyBox-based Alpine. The de facto minimal container base.
Rocky Linux documentation
Guides, books, and labs for installing and operating the community RHEL-compatible enterprise Linux.
Learn Nix and NixOS
Install Nix, take first steps, and dig into the Nix, Nixpkgs, and NixOS manuals plus Nix Pills.
Wolfi overview
Wolfi is a container-native Linux undistro built for supply-chain security; intro and how it differs.
Creators to follow
Engineers consistently publishing on cloud strategy, containers, and the production substrate.
Kelsey Hightower
x · @kelseyhightower
Ex-Google; the Kubernetes whisperer who argues constantly for simplicity over orchestration.
Corey Quinn
newsletter · @QuinnyPig
Last Week in AWS; the canonical commentator on AWS strategy, cost, and absurdity.
Daniel Vassallo
blog · @dvassallo
Ex-AWS; writes on "the good and bad of AWS" and small-team hosting trade-offs.
Forrest Brazeal
blog · @forrestbrazeal
Cloud educator and cartoonist; the most accessible explainer of AWS architecture decisions.
Bret Fisher
youtube · @BretFisher
Docker Captain; the canonical Docker and containers teacher with deep practical workshops.
Liz Rice
blog · @lizrice
CNCF Chief Open Source Officer; container security and eBPF foundations.
Charity Majors
blog · @mipsytipsy
Honeycomb co-founder; writes on hosting cost, reliability, and the case against premature K8s.
Will Larson
blog · @lethain
Engineering leader writing concrete frameworks for hosting and infra strategy decisions.
Jérôme Petazzoni
blog · @jpetazzo
Long-time Docker educator; deep container internals and pragmatic Kubernetes guidance.
Fly.io Engineering
blog · @flydotio
Thomas Ptacek and the Fly engineering team write some of the best hosting prose on the web.
Frequently Asked Questions
Short answers grounded in the work of practitioners running real production systems.
Do I really need Kubernetes?
Probably not yet. Kubernetes pays off when scaling out makes operating it cheaper than not (multi-region, many services, a dedicated platform team). For most teams, Docker Compose on a VM, a managed PaaS, or Cloud Run / ECS will run the same workload with a fraction of the operational tax. The honest question is whether you're choosing Kubernetes for the workload or for the résumé.
Should I default to AWS, or are the alternatives real?
The alternatives are real. Hetzner gives you serious-grade compute at a fraction of AWS prices. Fly and Render handle most of what Elastic Beanstalk did with a tenth of the surface area. The honest reasons to choose AWS now are deep service integrations (RDS, S3, Lambda, EventBridge), enterprise contracts you're locked into, or a specific compliance bar. For most teams, the lock-in cost has gotten bigger relative to the alternatives.
Source: DHH: Why we're leaving the cloud
When does managed Postgres beat self-hosting?
Almost always when you weigh in operational cost. Neon, Supabase, Tiger Data, and Crunchy Bridge each handle backups, point-in-time recovery, replication, and version upgrades. Self-hosting wins on cost at significant scale and when you need extensions the hosts don't support. The break-even is later than most teams think; the day you need an unplanned recovery, you'll be glad you outsourced.
Should I host on a VM, a PaaS, containers, or serverless?
Each is the right answer at a different point. A VM is the simplest substrate: predictable cost, full control, you do the ops. PaaS wins when you'd rather pay for someone else's ops. Containers are the unit of deployment if you have multiple services or environments. Serverless wins on idle cost and burst-able workloads, loses on long-running connections and warm-state. Default to the simplest thing that scales to your year-2 traffic, not your year-5 fantasy.
How do I think about vendor lock-in without overdoing it?
Lock-in is a cost. Every cost is fine if the value's higher. The question isn't avoiding lock-in, it's matching depth-of-integration to your exit cost tolerance. Use standard interfaces (Postgres, S3-compatible, OAuth, OpenTelemetry) wherever the value of vendor-specific features doesn't justify the migration cost. AWS's value is exactly the inverse: deep proprietary integrations. If you don't need them, don't pay the lock-in tax.
Source: Gregor Hohpe: Don't get locked up into avoiding lock-in
What's the smallest production-ready hosting setup that scales?
A single VM running Docker Compose, a managed Postgres, a managed Redis, and Cloudflare in front. That setup runs more production traffic than most teams will ever ship. Add secrets in a real manager (Vault, Doppler, 1Password), observability via Honeycomb or Logfire, and deploys via Kamal or GitHub Actions. You can run a real company on this stack and only outgrow it when you actually have to.
When does it make sense to add a private mesh like Tailscale?
As soon as you have more than a couple of servers that need to talk to each other without going through the public internet. Tailscale gives you SSH access, internal services, and database connections from a developer's laptop without managing a bastion or a VPN. The cost is per-user pricing at scale; the value is that "connect to the internal network" becomes the same thing as "log in."
Source: Tailscale: How Tailscale works
From Smarter Dev
Original writing coming.
Smarter Dev essays, walkthroughs, and short courses on hosting production systems will land here as they're written.
Join the Discord to be notifiedLast updated