Cloud Firewall setup for backend data processing server

January 25, 2019
Ubuntu DigitalOcean Cloud Firewalls

My app uses custom generated data that is stored in my DB and is then served to the visitors. That’s handled by an Nginx webserver on one droplet (D1) and a MongoDB on another droplet (D2).
To push new data into the DB, I’m running a Python script on a 3rd droplet (D3), and I’m not sure how best to set up the Cloud Firewall for it.

Basically, the Python script calls a 3rd party API, gets the data from it, generates the output and writes it to the MongoDB in D2. So to configure the Cloud FW rules for D3, I think I need:
Incoming:
-SSH on port 22: all
-TCP from D2 (MongoDB) Private IP <—do I need this? I do query the DB before writing new data
-How do I handle the 3rd party API incoming data?

Outgoing:
-ICMP/TCP/UDP to D2

Does this look reasonable and what should I do regarding the API data calls?

Thank you!

1 comment
  • Edit: I think I also need some kind of Outgoing rule to query the external API

    And, to clarify, I want to restrict all other incoming/outgoing traffic to D3 beyond what is absolutely necessary. But I’m lost on how to ensure that the API data is called and received.

1 Answer

Greetings!

Great question. If you’re reaching out to the API to request the data, it will be handled over the outbound connection. It’s all about the opening of the connection rather than the direction in which the traffic flows. So if you open port 80 outbound but close it inbound, for example, you can download a website over http, but no one can make an http request to your server.

Most likely the external API you’re connecting to works over https, so port 443 outbound should be sufficient. If I’m wrong on that, you may already know the port number to be different, so just toss that in its place.

Jarland
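The point the answer makes (a stateful firewall judges a packet by which side opened the connection, not by the direction the packet travels) is easy to see in a small model. The following is an added example, not part of the original thread and not DigitalOcean's Cloud Firewall implementation: a toy connection-tracking firewall for D3 with the rules discussed above (SSH inbound from anywhere, all TCP outbound to D2, TCP/443 outbound to anywhere). Droplet and API addresses are constructed for the example.

```python
"""Toy stateful firewall for droplet D3.

Added example: a minimal model of connection tracking, showing why an
outbound-only TCP/443 rule lets API replies back in while unsolicited
inbound connections on 443 (or from D2) are still dropped.
Addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

D3, D2, API, ATTACKER, RESOLVER = ("10.0.0.3", "10.0.0.2", "203.0.113.10",
                                   "198.51.100.7", "203.0.113.53")


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving at D3, "out" = leaving D3
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    proto: str
    ports: range        # range(443, 444) = one port, range(1, 65536) = all
    peer: str           # CIDR of the remote end (source for in, destination for out)

    def matches(self, proto, port, peer_ip):
        return (self.proto == proto and port in self.ports
                and ip_address(peer_ip) in ip_network(self.peer))


class StatefulFirewall:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        # connection table keyed by (proto, local_ip, local_port, remote_ip, remote_port)
        self.conns = set()

    def process(self, p):
        if p.direction == "out":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            rules, peer = self.outbound, p.dst
        else:
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            rules, peer = self.inbound, p.src
        if key in self.conns:            # part of a flow we already accepted
            return "ALLOW"
        if not any(r.matches(p.proto, p.dport, peer) for r in rules):
            return "DROP"                # no rule opens a new connection this way
        if p.proto == "tcp" and not p.syn:
            return "DROP"                # mid-stream TCP packet with no state
        self.conns.add(key)              # rule hit: record the new connection
        return "ALLOW"


def demo():
    """Run the scenarios from the thread; returns the verdict for each."""
    fw = StatefulFirewall(
        inbound=[Rule("tcp", range(22, 23), "0.0.0.0/0")],
        outbound=[Rule("tcp", range(1, 65536), D2 + "/32"),
                  Rule("tcp", range(443, 444), "0.0.0.0/0")],
    )
    events = [
        Packet("out", "tcp", D3, 51234, API, 443, syn=True),   # script opens HTTPS to API
        Packet("in", "tcp", API, 443, D3, 51234),              # API's reply: state allows it
        Packet("in", "tcp", ATTACKER, 40000, D3, 443, syn=True),  # unsolicited HTTPS to D3
        Packet("in", "tcp", ATTACKER, 40000, D3, 22, syn=True),   # SSH: inbound rule allows
        Packet("out", "tcp", D3, 51235, D2, 27017, syn=True),   # script queries MongoDB on D2
        Packet("in", "tcp", D2, 27017, D3, 51235),              # D2's reply: no inbound rule needed
        Packet("in", "tcp", D2, 51000, D3, 27017, syn=True),    # D2 connecting to D3: dropped
        Packet("out", "udp", D3, 5555, RESOLVER, 53),           # DNS lookup: no UDP rule yet
    ]
    return [fw.process(p) for p in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second and sixth packets are accepted purely from the connection table, which is why the "TCP from D2 private IP" inbound rule asked about in the question is unnecessary for queries D3 initiates. The last packet shows the other half of the story: an outbound rule is needed for every protocol the script opens itself, and resolving the API's hostname is a UDP/53 connection the script opens, so a TCP-only outbound set leaves DNS blocked.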

  • Hi Jarland,

    Thank you for the answer. It was close, but not quite. After some trial and error, here’s the outbound ruleset that I ended up with:
    Outbound from D3 (python droplet):

    1. All TCP ports to D2 (database droplet) [to write to the database]
    2. HTTP TCP Port 80 for all IPv4, IPv6 [one of the APIs needed this]
    3. HTTPS TCP Port 443 for all IPv4, IPv6 [the second API needed this]
    4. All UDP on all ports for all IPv4, IPv6 [neither API would work without this]

    Hope someone will find this useful in a few years from now :)
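The ruleset in the comment above works, but two of its rules are broader than the stated goal of allowing only what is absolutely necessary. The following added example (not from the original thread, and written in a simplified rule notation of my own rather than the exact DigitalOcean API or doctl syntax) encodes that ruleset next to a narrowed version and lints both for least-privilege problems. The admin network and resolver addresses are assumptions constructed for the example.

```python
"""Least-privilege lint for the D3 (python droplet) Cloud Firewall rules.

Added example.  Rule format is a simplified one of my own:
  {"protocol": ..., "ports": "<port>" | "all", "peers": {CIDR, ...}}
Translate to the Cloud Firewall UI / API before applying.  Addresses for the
admin network and DNS resolvers are constructed for the example.
"""

ANY = {"0.0.0.0/0", "::/0"}


def rule(protocol, ports, *peers):
    return {"protocol": protocol, "ports": ports, "peers": set(peers)}


# The ruleset the commenter ended up with, in this notation.
LOOSE = {
    "inbound":  [rule("tcp", "22", *ANY)],
    "outbound": [rule("tcp", "all", "10.0.0.2/32"),   # D2, MongoDB
                 rule("tcp", "80", *ANY),             # first API
                 rule("tcp", "443", *ANY),            # second API
                 rule("udp", "all", *ANY)],           # "neither API would work without this"
}

# The same intent, narrowed to what the script actually opens.
TIGHT = {
    "inbound":  [rule("tcp", "22", "198.51.100.0/24")],             # admin network (assumed)
    "outbound": [rule("tcp", "27017", "10.0.0.2/32"),                # MongoDB default port
                 rule("tcp", "80", *ANY),
                 rule("tcp", "443", *ANY),
                 rule("udp", "53", "203.0.113.2/32", "203.0.113.3/32")],  # resolvers (assumed)
}


def lint(fw):
    """Return (severity, message) findings for rules broader than D3 needs."""
    findings = []
    for r in fw["inbound"]:
        desc = f"inbound {r['protocol']}/{r['ports']} from {sorted(r['peers'])}"
        if r["protocol"] != "tcp" or r["ports"] != "22":
            # Replies to connections D3 opens are allowed by state; only SSH
            # is a connection someone else opens toward D3.
            findings.append(("high", f"{desc}: only SSH needs to be opened inbound"))
        elif r["peers"] & ANY:
            findings.append(("medium", f"{desc}: restrict SSH to admin addresses"))
    for r in fw["outbound"]:
        if r["protocol"] == "icmp" or r["ports"] != "all":
            continue                      # ICMP has no ports; named ports are fine
        desc = f"outbound {r['protocol']}/all to {sorted(r['peers'])}"
        if r["protocol"] == "udp" and r["peers"] & ANY:
            # The UDP the script needs is almost certainly DNS for the API
            # hostnames: allow udp/53 to the resolvers instead of all UDP.
            findings.append(("high", f"{desc}: allow udp/53 to your resolvers instead"))
        else:
            findings.append(("high", f"{desc}: name the service port (MongoDB: 27017)"))
    return findings


if __name__ == "__main__":
    for name, fw in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, lint(fw) or "no findings")
```

If the resolver returns answers too large for UDP, DNS falls back to TCP/53, so a tcp/53 rule to the same resolver addresses is the one extra line to add to the narrowed set if lookups start failing; the two API rules on 80 and 443 stay open to the world only because the APIs' addresses are not known in advance.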
