How do I get my Digital Ocean load balancer's private IP?

Posted February 22, 2017 6.7k views
Load Balancing

I’m trying to migrate two nginx servers to use the new Digital Ocean Load Balancers.

One issue I run into is the load balancer needs to use the internal network IP of both nginx servers (10.134.x.x) - we have firewall rules configured to block all traffic except from known hosts. I can get the external IP of the load balancer through the dashboard (138.x.x.x) but where can I get the internal IP so I can allow traffic from the load balancer only?

Likewise if I request information about the Load Balancer through the V2 API I can only get the external IP.

As a short term solution I can allow all traffic from the subnet - monitor logs to see which servers are attempting to reach my server - whittle down the 5 ips to the one coming from my load balancer by process of trial and error (by creating an iptable rule for just that IP), but for a number of reasons this is not ideal and hard to scale.

I understand the load balancers themselves are configured to automatically failover to alternate instances in an event of a failure at the load balancer layer - would the failover machine have a different IP or does Digital Ocean use floating internal IP’s?

What is the current best compromise between allowing room for failover but not exposing one’s server to unknown traffic either at the network or global level?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
2 answers

Following up here after reaching out to Digital Ocean support. There currently isn’t a ‘good’ way to isolate traffic from the load balancer service.

Rather than expose my internal nginx servers to the world, I am just making them accessible on eth1 on port 80/443.

  • Thank you for reporting back. I was following your thread - was going to play with LB this weekend, but this is a major problem for me. Hope DO will come up with a solution fairly soon.

    • I ran into a second road block where the new Digital Ocean Load Balancer service was not setting X-Forwarded-For https headers for my application and was not letting me customize X-Fowarded-For headers. Digital Ocean support says the ability to set custom headers is forthcoming. As it stands between the two issues I can no longer move forward with this service.

      Instead I followed the (extremely well written) guides for setting one’s own HAProxy 1.7 service with failover on Debian 8. I can now do SSL Termination and set the right headers. More work than I wanted, and the guides need some small updating, but very happy with the result:
      1) Create High Availability setup, Part 1
      2) Create High Availability setup, Part 2
      3) Terminate SSL with HAProxy and set X-Forward Headers

      by Mitchell Anicas
      HAProxy, which stands for High Availability Proxy, is a popular open source software TCP/HTTP Load Balancer and proxying solution. In this tutorial, we will go over how to use HAProxy for SSL termination, for traffic encryption, and for load balancing your web servers. We will also show you how to use HAProxy to redirect HTTP traffic to HTTPS. Native SSL support was implemented in HAProxy 1.5.x, which was released as a stable version in June 2014.
      • @pmg9000 - I just happen to be setting up a DO LoadBalancer tonight when you posted this (I had already read this thread).

        On my application I am seeing “X-Forwarded-For” and “X-Forwarded-Port” come through my application from the DO Load Balancer.

        It is missing “X-Forwarded-Proto” - but since I force HTTPS on my Load Balancer - I can just assume this to be true.

I was able to detect the load balancer private IP with the netstat -natp command from one of the connected DO droplets configured in the load balancer configuration. Once I removed the droplet from the LB config, the connections timed out and disappeared from the table. When I added the droplet back in to the LB config, the status check monitor kicked in and the same Private IP connection on port 80 reconnected. Hope that helps.