Give droplet access to other droplet's couchdb

April 3, 2017 1.4k views
Firewall Networking Ubuntu 16.04

Hi,

I have a droplet running Tornadoweb to serve some sweet REST apis and another droplet that hosts couchdb.

I have enabled private networking on both droplets however I am struggling to ping one from the other let alone curl droplet_ip:5984

I want to block all public access to the droplet running couchdb, only the droplet running tornado should be able to read/write said couchdb droplet.

2 Answers
theplumptomato April 3, 2017
Accepted Answer

And for the couchdb issue:

I changed the bind_address in /etc/couchdb/default.ini to the Droplet's private IP address, so now I can access couch from the other Droplet. I tried to curl the Droplet from my local computer and could not access couch, as desired.

  • @theplumptomato
    Great, you got it working.
    Just remember that DigitalOcean sadly calls the feature "Private Networking", which is very confusing, since it's not private at all.
    Private Networking means "local network in the data center", which means anyone in the data center can connect to your CouchDB.
    So remember to protect yourself with a firewall, logins and/or a VPN.

    • @hansen
      Thanks!
      Yes, I wasn't sure about how exactly they would isolate the private networks, thanks for that information.

      To update my firewall, should I be doing something along the lines of:
      sudo ufw allow from tornado_droplet_ip
      and denying all other incoming connections?

To answer the ping part of my question. One of the droplets was made before I selected enable private networking and as such I hadn't followed the guide properly to set up the interfaces.

I can now ping the droplets via their private ip addresses. Still no luck on access to couchdb, though.
https://www.digitalocean.com/community/tutorials/how-to-enable-digitalocean-private-networking-on-existing-droplets
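The thread ends with two open points: the ufw rule asked about in the comments, and the fact that binding CouchDB to the private IP alone does not stop other tenants on the same shared private network. The script below is an added example, not code from the thread or from DigitalOcean; it ties both together. It assumes hypothetical addresses (Tornado Droplet 10.132.0.5, CouchDB Droplet 10.132.0.6), SSH on port 22, and a CouchDB 1.x ini layout where bind_address lives in the [httpd] section (CouchDB 2.x uses [chttpd]; pass the section name as the second argument). One caveat from the CouchDB documentation: default.ini is overwritten on upgrade, so the bind_address override belongs in local.ini, which is what the check below reads by default. DRY_RUN=1 only prints the ufw commands; set DRY_RUN=0 on the CouchDB Droplet to apply them.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): restrict CouchDB on a Droplet so only
# the Tornado Droplet can reach port 5984, and verify the bind_address.
# Hypothetical values below; replace with your own private IPs.
set -eu

TORNADO_IP="${TORNADO_IP:-10.132.0.5}"        # assumed Tornado private IP
COUCH_PRIVATE_IP="${COUCH_PRIVATE_IP:-10.132.0.6}"  # assumed CouchDB private IP
COUCH_PORT="${COUCH_PORT:-5984}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

# run prints the command in dry-run mode, otherwise executes it (as root).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# ufw policy: deny all inbound by default, keep SSH, and allow CouchDB only
# from the Tornado Droplet's private IP. Because the "private" network is
# shared with other tenants, the source restriction is what actually keeps
# other machines in the data center out, not the bind_address alone.
ufw_rules() {
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow 22/tcp
  run ufw allow from "$TORNADO_IP" to "$COUCH_PRIVATE_IP" port "$COUCH_PORT" proto tcp
  run ufw --force enable
}

# check_bind_address INI [SECTION]
# Returns 0 if bind_address in SECTION (default [httpd]) is a specific
# address, 1 if it is unset, 0.0.0.0 or :: (listening on every interface,
# including the public one). The last matching line in the section wins.
check_bind_address() {
  local ini="$1" section="[${2:-httpd}]" bind
  bind=$(awk -F' *= *' -v sec="$section" '
    $0 == sec { s = 1; next }
    /^\[/     { s = 0 }
    s && $1 == "bind_address" { print $2 }
  ' "$ini" | tail -n 1)
  if [ -z "$bind" ] || [ "$bind" = "0.0.0.0" ] || [ "$bind" = "::" ]; then
    echo "bind_address is '${bind:-unset}': CouchDB would listen on all interfaces" >&2
    return 1
  fi
  echo "bind_address is $bind"
}

# Stand-alone usage: print the rules, then check the (assumed) local.ini path.
if [ "${1:-}" = "--apply" ]; then
  ufw_rules
  check_bind_address "${COUCH_INI:-/etc/couchdb/local.ini}"
fi
```

Run it as `sudo DRY_RUN=0 ./lockdown.sh --apply` on the CouchDB Droplet after confirming the printed rules; then confirm from a third machine that `curl http://COUCH_PUBLIC_IP:5984/` and `curl http://COUCH_PRIVATE_IP:5984/` both fail, while the same curl from the Tornado Droplet returns CouchDB's welcome JSON.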
