Question
Cloud Firewall setup for backend data processing server
- Posted January 25, 2019
- DigitalOcean Cloud FirewallsUbuntu
My app uses custom generated data that is stored in my DB and is then served to the visitors. That’s handled by a Nginx webserver on one droplet (D1) and a MongoDB on another droplet (D2). To push new data into the DB, I’m running a Python script on a 3rd droplet (D3), and I’m not sure how best to set up the Cloud Firewall for it.
Basically, the Python script calls a 3rd party API, gets the data from it, generates the output and writes it to the MongoDB in D2. So to configure the Cloud FW rules for D3, I think I need: Incoming: -SSH on port 22: all -TCP from D2 (MongoDB) Private IP <—do I need this? I do query the DB before writing new data -How do I handle the 3rd party API incoming data?
Outgoing: -ICMP/TCP/UDP to D2
Does this look reasonable and what should I do regarding the API data calls?
Thank you!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Greetings!
Great question. If you’re reaching out to the API to request the data, it will be handled over the outbound connection. It’s all about the opening of the connection rather than the direction in which the traffic flows. So if you open port 80 outbound but close it inbound, for example, you can download a website over http, but no one can make an http request to your server.
Most likely the external API you’re connecting to works over https, so port 443 outbound should be sufficient. If I’m wrong on that, you may already know the port number to be different, so just toss that in it’s place.
Jarland
Edit: I think I also need some kind of Outgoing rule to query the external API
And, to clarify, I want to restrict all other incoming/outgoing traffic to D3 beyond what is absolutely necessary. But I’m lost on how to ensure that the API data is called and received.