Cloud Firewall setup for backend data processing server

My app uses custom generated data that is stored in my DB and is then served to the visitors. That’s handled by a Nginx webserver on one droplet (D1) and a MongoDB on another droplet (D2). To push new data into the DB, I’m running a Python script on a 3rd droplet (D3), and I’m not sure how best to set up the Cloud Firewall for it.

Basically, the Python script calls a 3rd party API, gets the data from it, generates the output and writes it to the MongoDB in D2. So to configure the Cloud FW rules for D3, I think I need: Incoming: -SSH on port 22: all -TCP from D2 (MongoDB) Private IP <—do I need this? I do query the DB before writing new data -How do I handle the 3rd party API incoming data?

Outgoing: -ICMP/TCP/UDP to D2

Does this look reasonable and what should I do regarding the API data calls?

Thank you!


Edit: I think I also need some kind of Outgoing rule to query the external API

And, to clarify, I want to restrict all other incoming/outgoing traffic to D3 beyond what is absolutely necessary. But I’m lost on how to ensure that the API data is called and received.

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer


Great question. If you’re reaching out to the API to request the data, it will be handled over the outbound connection. It’s all about the opening of the connection rather than the direction in which the traffic flows. So if you open port 80 outbound but close it inbound, for example, you can download a website over http, but no one can make an http request to your server.

Most likely the external API you’re connecting to works over https, so port 443 outbound should be sufficient. If I’m wrong on that, you may already know the port number to be different, so just toss that in it’s place.