Question

How do I get my Digital Ocean load balancer's private IP?

I’m trying to migrate two nginx servers to use the new Digital Ocean Load Balancers.

One issue I run into is the load balancer needs to use the internal network IP of both nginx servers (10.134.x.x) - we have firewall rules configured to block all traffic except from known hosts. I can get the external IP of the load balancer through the dashboard (138.x.x.x) but where can I get the internal IP so I can allow traffic from the load balancer only?

Likewise if I request information about the Load Balancer through the V2 API I can only get the external IP.

As a short-term solution I can allow all traffic from the 10.134.0.0/16 subnet, monitor logs to see which servers are attempting to reach my server, and whittle down the 5 IPs to the one coming from my load balancer by process of trial and error (by creating an iptables rule for just that IP), but for a number of reasons this is not ideal and hard to scale.

I understand the load balancers themselves are configured to automatically fail over to alternate instances in the event of a failure at the load balancer layer - would the failover machine have a different IP, or does Digital Ocean use floating internal IPs?

What is the current best compromise between allowing room for failover but not exposing one’s server to unknown traffic either at the network or global level?



I was able to detect the load balancer private IP with the netstat -natp command from one of the connected DO droplets configured in the load balancer configuration. Once I removed the droplet from the LB config, the connections timed out and disappeared from the table. When I added the droplet back in to the LB config, the status check monitor kicked in and the same Private IP connection on port 80 reconnected. Hope that helps.
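The `netstat -natp` check this answer describes, written out as an added shell example (it is not code from the answer's author or from DigitalOcean): it takes `netstat -natp` output on stdin and reports every 10.134.0.0/16 peer that holds an ESTABLISHED connection to the droplet's port 80 or 443, most connections first, so the load balancer's health checks stand out from other private-network hosts. The netstat output below is a constructed sample and all of its addresses (10.134.12.34, 10.134.5.6, 10.134.9.9 and so on) are made up.

```shell
#!/bin/sh
# Added example: pick the private-network peers that hold established
# connections to the local web ports out of "netstat -natp" output.

# Constructed sample of "netstat -natp" output; every address is made up.
# Field layout: Proto Recv-Q Send-Q Local Foreign State PID/Program
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx: master
tcp        0      0 10.134.12.34:80         10.134.5.6:51234        ESTABLISHED 1235/nginx: worker
tcp        0      0 10.134.12.34:80         10.134.5.6:51240        TIME_WAIT   -
tcp        0      0 10.134.12.34:443        10.134.5.6:51244        ESTABLISHED 1235/nginx: worker
tcp        0      0 10.134.12.34:80         10.134.9.9:60000        ESTABLISHED 1235/nginx: worker
tcp        0      0 10.134.12.34:22         10.134.7.8:55000        ESTABLISHED 999/sshd: root
tcp        0      0 138.0.2.3:443           203.0.113.9:40000       ESTABLISHED 1235/nginx: worker
EOF
)

# lb_candidates: read netstat output on stdin and print "<count> <peer-ip>" for
# every 10.134.0.0/16 peer with an ESTABLISHED connection to local port 80 or
# 443, most connections first. LISTEN and TIME_WAIT rows are ignored, so a peer
# that only shows up in TIME_WAIT (a finished health check) is not counted.
lb_candidates() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ /:(80|443)$/ && $5 ~ /^10\.134\./ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop the ephemeral source port
            seen[peer]++
        }
        END { for (p in seen) print seen[p], p }' | sort -rn
}

# Demo on the constructed sample. On a real droplet that is a member of the
# load balancer, run:  sudo netstat -natp | lb_candidates
printf '%s\n' "$SAMPLE_NETSTAT" | lb_candidates
```

Health checks are short-lived, so sample a few times (or while the droplet is the only member of the load balancer, as the answer describes) before treating the top address as the load balancer; the SSH peer and the public-interface connection in the sample are filtered out by the port and subnet tests.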

Following up here after reaching out to Digital Ocean support. There currently isn’t a ‘good’ way to isolate traffic from the load balancer service.

Rather than expose my internal nginx servers to the world, I am just making them accessible on eth1 on port 80/443.
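The compromise described in this follow-up (web ports reachable on eth1 only) as an added shell example, not code from the poster or from DigitalOcean: the function prints iptables rules that accept new HTTP/HTTPS connections on the private interface from the given peers and drop those ports everywhere else, including eth0. Because the page leaves open whether the load balancer keeps its private IP across failover, a peer may be a single address or the whole 10.134.0.0/16 subnet; the addresses in the usage lines are constructed placeholders, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: emit iptables rules that admit HTTP/HTTPS only on the private
# interface from named peers and drop those ports on every other interface.
# Nothing is applied here; pipe the output to "sudo sh" once reviewed.

# web_rules IFACE PEER...: print the INPUT rules for private interface IFACE.
# PEER is an address (10.134.5.6) or a CIDR (10.134.0.0/16); use the subnet
# if the load balancer's private address cannot be pinned down.
web_rules() {
    iface=$1
    shift
    [ $# -ge 1 ] || { echo "usage: web_rules IFACE PEER..." >&2; return 1; }
    # Loopback and replies to connections already accepted are always allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New web connections: only on the private interface, only from listed peers.
    for peer in "$@"; do
        echo "iptables -A INPUT -i $iface -p tcp -m multiport --dports 80,443 -s $peer -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything else aimed at the web ports, on any interface, is dropped.
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP"
}

# private_accept_count IFACE PEER...: number of ACCEPT rules scoped to IFACE,
# a quick sanity check that every peer produced exactly one rule.
private_accept_count() {
    web_rules "$@" | grep -c -- "-i $1 .*-j ACCEPT"
}

# Usage with constructed placeholder addresses (not real load balancer IPs):
#   web_rules eth1 10.134.5.6            # one known peer
#   web_rules eth1 10.134.0.0/16         # the whole private subnet
#   web_rules eth1 10.134.5.6 | sudo sh  # apply after review
web_rules eth1 10.134.5.6
```

The rules are appended with `-A`, so they assume no earlier rule in INPUT already accepts ports 80 and 443; check `iptables -S INPUT` first, and note that the final DROP also covers eth0, which is what keeps the nginx servers off the public side.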