Guidance needed in setting up production servers

May 19, 2018
Node.js Redis MongoDB Ubuntu 16.04

I am planning to set up a production environment for a startup. My product architecture has Node as the app server, Redis as cache, and Mongo as DB. I am planning to take 3 Droplets on DigitalOcean.
I want to open only my Node server port (443 via Nginx) to the outside world. The Mongo and Redis ports have to be accessed only from my Node server.
I don't want to expose my Redis and Mongo to the outside world.
Please guide me in setting up Redis and Mongo so that they are available only from the internal network in my account.

This process could be very simple to Ops people, but this is the first time I am setting up a production environment.

Thanks in advance.

Regards,
Sudhakar

1 Answer
xMudrii May 19, 2018
Accepted Answer

What comes to my mind as one of the possible solutions is to create your 3 Droplets in the same data center, with Private Networking enabled and Cloud Firewalls configured.

When you're creating Droplets in the same data center, with Private Networking enabled, you're not exposing your services directly to the Internet, and the bandwidth is not counted towards your total usage.

However, currently, DigitalOcean only offers Shared Private Networking, meaning that other Droplets in the same data center with Private Networking can reach your exposed services, even if they're not on the same account as your 3 Droplets.

DigitalOcean is planning to lock down Private Networking only to Droplets in your account, and the change is planned to go live this month, but there are still no more details about this. The Private Networking FAQ contains more details about this.

In the meantime, the easiest solution to improve the security of your setup and fix the problem is to set up a Cloud Firewall to only allow your servers to access Redis and Mongo.

For example, you can tag your droplets using the app-production tag, and then in Cloud Firewall allow only Droplets tagged app-production to access those two Droplets.

Using Cloud Firewall, you can also allow only port 443 for your Node server to be accessed over the Internet.

There could be other solutions as well, but this one comes to my mind as the easiest one to set up and maintain.

by Melissa Anderson
DigitalOcean Cloud Firewalls, available in all regions at no charge, provide a network-based, stateful firewall service for your DigitalOcean Droplets. They block all traffic that isn't expressly permitted by a rule. They're designed to be easy to configure, quick to apply, and automation-friendly. In this guide, we'll explore how to create and manage DigitalOcean Cloud Firewalls.
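The layout from the accepted answer, written as an added example that is not part of the original thread: firewall definitions in the shape of DigitalOcean API v2 firewall objects, plus a check that flags any rule reaching Redis or MongoDB by address instead of by the `app-production` tag. The default ports 6379 and 27017, the firewall names, the `db-production` tag and the admin address are assumptions.

```python
# Added example. Dicts follow the DigitalOcean API v2 firewall object shape.
DB_PORTS = {6379: "Redis", 27017: "MongoDB"}  # default ports, assumed unchanged
APP_TAG = "app-production"                    # tag named in the answer
ANYWHERE = {"0.0.0.0/0", "::/0"}

def ports_of(spec):
    """Expand a rule's 'ports' string: '443', '8000-9000', or '0'/'all' for every port."""
    if spec in ("0", "all"):
        return range(1, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def audit(firewalls):
    """Return one finding per inbound TCP rule that breaks the intended layout."""
    findings = []
    for fw in firewalls:
        for r in fw["inbound_rules"]:
            if r["protocol"] != "tcp":
                continue
            ports = ports_of(r["ports"])
            src = r.get("sources", {})
            addrs, tags = src.get("addresses", []), src.get("tags", [])
            for port, svc in DB_PORTS.items():
                if port not in ports:
                    continue
                # An address source, even a private range, can match Droplets of
                # other accounts while private networking is shared.
                if addrs:
                    findings.append(f"{fw['name']}: {svc} {port} allowed by address {addrs}")
                if any(t != APP_TAG for t in tags):
                    findings.append(f"{fw['name']}: {svc} {port} allowed from tags {tags}")
            if ANYWHERE & set(addrs) and list(ports) != [443]:
                findings.append(f"{fw['name']}: ports {r['ports']} open to the Internet")
    return findings

def tcp_rule(ports, **sources):
    return {"protocol": "tcp", "ports": ports, "sources": sources}
# Constructed sample data: names, db-production tag and admin IP are assumptions.
INTENDED = [
    {"name": "web-fw", "tags": [APP_TAG], "inbound_rules": [
        tcp_rule("443", addresses=["0.0.0.0/0", "::/0"]),
        tcp_rule("22", addresses=["203.0.113.10/32"])]},
    {"name": "data-fw", "tags": ["db-production"], "inbound_rules": [
        tcp_rule("6379", tags=[APP_TAG]), tcp_rule("27017", tags=[APP_TAG])]},
]
MISCONFIGURED = [
    {"name": "data-fw", "tags": ["db-production"], "inbound_rules": [
        tcp_rule("6379", addresses=["0.0.0.0/0"]), tcp_rule("27017", addresses=["10.0.0.0/8"])]},
]
```

`audit(INTENDED)` returns no findings, while `audit(MISCONFIGURED)` reports both database rules, including the one that only allows the private `10.0.0.0/8` range.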