I am planning to setup a production environment for a startup. My product architecture has Node as App server, Redis as cache, and Mongo as DB. I am planning to take 3 droplets on Digital ocean
I want to open only my node server port (443 via Nginx) to outside world. Mongo and Redis ports have to be accessed only from my Node server.
I dont want to expose my Redis and Mongo to outside world.
Please guide in setting up Redis and Mongo as available only from internal network in my account.

This process could be very simple to Ops people, but this is the first time I am setting up a production environment.

Thanks in advance.

Regards,
Sudhakar

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer

What comes to my mind as one of the possible solutions, is to create your 3 Droplets, in the same data center, with Private Networking enabled and Cloud Firewalls configured.

When you’re creating Droplets in the same data center, with Private Networking enabled, you’re not exposing your services directly to the Internet, and the bandwidth is not counted towards your total usage.

However, currently, DigitalOcean only offers Shared Private Networking, meaning that other Droplets, in the same data center with Private Networking, can reach your exposed services, even if they’re not on same account as your 3 Droplets.

DigitalOcean is planning to lock down Private Networking only to Droplets in your account, and the change is planned to go live this month, but there’re still no more details about this. Private Networking FAQ contains more details about this.

In meanwhile, the easiest solution to improve the security of your set up and fix the problem is to set up a Cloud Firewalls to only allow your servers to access the Redis and Mongo.

For example, you can tag your droplets using the app-production tag, and then in Cloud Firewall allow only Droplets tagged app-production to access those two Droplets.

Using Cloud Firewall, you can also allow only port 443 for your Node server to be accessed over the Internet.

There could be other solutions as well, but this one comes to my mind as the easiest one to set up and maintain.

Submit an Answer