I’m trying to migrate two nginx servers to use the new DigitalOcean Load Balancers.
One issue I run into is the load balancer needs to use the internal network IP of both nginx servers (10.134.x.x) - we have firewall rules configured to block all traffic except from known hosts. I can get the external IP of the load balancer through the dashboard (138.x.x.x) but where can I get the internal IP so I can allow traffic from the load balancer only?
Likewise if I request information about the Load Balancer through the V2 API I can only get the external IP.
As a short-term solution I can allow all traffic from the 10.134.0.0/16 subnet - monitor logs to see which servers are attempting to reach my server - whittle down the 5 IPs to the one coming from my load balancer by process of trial and error (by creating an iptables rule for just that IP), but for a number of reasons this is not ideal and hard to scale.
I understand the load balancers themselves are configured to automatically fail over to alternate instances in the event of a failure at the load balancer layer - would the failover machine have a different IP or does DigitalOcean use floating internal IPs?
What is the current best compromise between allowing room for failover but not exposing one’s server to unknown traffic either at the network or global level?
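The log-review step described in the question (listing which hosts inside 10.134.0.0/16 are actually reaching nginx) can be scripted. The following is an added example, not part of the original post: it assumes nginx's default "combined" access log format, and the sample log lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Private range named in the question.
PRIVATE_NET = ipaddress.ip_network("10.134.0.0/16")

# Leading fields of nginx's default "combined" format:
# remote_addr - remote_user [time_local] "METHOD path ..."
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.134.7.21 - - [01/Mar/2017:10:00:00 +0000] "GET / HTTP/1.0" 200 612 "-" "-"
10.134.7.21 - - [01/Mar/2017:10:00:10 +0000] "GET / HTTP/1.0" 200 612 "-" "-"
10.134.90.4 - - [01/Mar/2017:10:00:12 +0000] "GET /admin HTTP/1.1" 404 169 "-" "curl/7.47.0"
203.0.113.9 - - [01/Mar/2017:10:00:13 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.134.7.21 - - [01/Mar/2017:10:00:20 +0000] "GET /app HTTP/1.0" 200 88 "-" "-"
not a log line
"""


def summarize_private_sources(log_text, network=PRIVATE_NET):
    """Return {source_ip: {"hits": n, "paths": set}} for clients inside network."""
    seen = defaultdict(lambda: {"hits": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # first field is not an IP address
        if src in network:  # public and IPv6 sources are ignored
            seen[str(src)]["hits"] += 1
            seen[str(src)]["paths"].add(m.group("path"))
    return dict(seen)


def rank_sources(summary):
    """Sort sources by request count (highest first) for manual review."""
    return sorted(
        ((ip, d["hits"], sorted(d["paths"])) for ip, d in summary.items()),
        key=lambda row: (-row[1], row[0]),
    )


if __name__ == "__main__":
    for ip, hits, paths in rank_sources(summarize_private_sources(SAMPLE_LOG)):
        print(f"{ip:15} hits={hits:<4} paths={paths}")
```

The output is only a list of candidates to review; it does not identify which source is the load balancer.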