How do I get my Digital Ocean load balancer's private IP?

Posted on February 22, 2017

I’m trying to migrate two nginx servers to use the new Digital Ocean Load Balancers.

One issue I run into is the load balancer needs to use the internal network IP of both nginx servers (10.134.x.x) - we have firewall rules configured to block all traffic except from known hosts. I can get the external IP of the load balancer through the dashboard (138.x.x.x) but where can I get the internal IP so I can allow traffic from the load balancer only?

Likewise if I request information about the Load Balancer through the V2 API I can only get the external IP.

As a short-term solution I can allow all traffic from the 10.134.0.0/16 subnet - monitor logs to see which servers are attempting to reach my server - whittle down the 5 IPs to the one coming from my load balancer by process of trial and error (by creating an iptables rule for just that IP), but for a number of reasons this is not ideal and hard to scale.

I understand the load balancers themselves are configured to automatically failover to alternate instances in the event of a failure at the load balancer layer - would the failover machine have a different IP or does Digital Ocean use floating internal IPs?

What is the current best compromise between allowing room for failover but not exposing one’s server to unknown traffic either at the network or global level?




Following up here after reaching out to Digital Ocean support. There currently isn’t a ‘good’ way to isolate traffic from the load balancer service.

Rather than expose my internal nginx servers to the world, I am just making them accessible on eth1 on port 80/443.

I was able to detect the load balancer private IP with the netstat -natp command from one of the connected DO droplets configured in the load balancer configuration. Once I removed the droplet from the LB config, the connections timed out and disappeared from the table. When I added the droplet back in to the LB config, the status check monitor kicked in and the same Private IP connection on port 80 reconnected. Hope that helps.
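The netstat check described in the answer above can be summarised per peer, which makes it easier to compare the connection table before and after removing the droplet from the load balancer configuration. This is an added example, not part of the original posts: the function names `sample_netstat` and `lb_candidates` are hypothetical, the sample table and all addresses in it are constructed, and it only handles IPv4 `tcp` lines.

```shell
#!/usr/bin/env bash
# Count private-network peers connected to local ports 80/443, reading
# `netstat -nat` (or `-natp`) style output on stdin.

# Constructed sample table (not captured from a real droplet).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.134.0.5:80           10.134.9.21:51514       ESTABLISHED
tcp        0      0 10.134.0.5:80           10.134.9.21:51520       TIME_WAIT
tcp        0      0 10.134.0.5:443          10.134.9.21:40022       ESTABLISHED
tcp        0      0 10.134.0.5:80           10.134.77.3:39912       ESTABLISHED
tcp        0      0 10.134.0.5:22           10.134.4.4:50100        ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:44100      ESTABLISHED
EOF
}

# lb_candidates PREFIX
#   PREFIX is a textual address prefix such as "10.134." (assumed private range).
#   Prints "count ip" per remote peer inside PREFIX that has a connection to
#   local port 80 or 443, busiest peer first. Listening sockets are skipped.
lb_candidates() {
  awk -v prefix="$1" '
    $1 == "tcp" && $6 != "LISTEN" {
      n = split($4, l, ":"); lport = l[n]   # local port is the last field
      split($5, r, ":");     rip   = r[1]   # remote IPv4 address
      if ((lport == "80" || lport == "443") && index(rip, prefix) == 1)
        seen[rip]++
    }
    END { for (ip in seen) print seen[ip], ip }
  ' | sort -rn
}

# Demo on the constructed sample. On a droplet, run instead:
#   netstat -nat | lb_candidates "10.134."
sample_netstat | lb_candidates "10.134."
```

Running it once with the droplet in the load balancer configuration and once after removing it shows which peer drops out of the list, as the answer describes.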

Hey there!

Quick update for everyone:

DigitalOcean now offers Internal Load Balancer (ILB), which is designed for securely and efficiently routing internal traffic within your private network. It’s a great way to distribute traffic across Droplets or Kubernetes (DOKS) clusters using private IPs, keeping your workloads safe from the public internet.

Key benefits of the ILB:

  • Simplified Management – Create and scale ILBs with just a few clicks.
  • Private Load Balancing – Distribute traffic internally with private IPs.
  • VPC Peering Support – Enable secure communication across VPCs.
  • DOKS Connectivity – Keep Kubernetes service traffic internal.

This is a good fit for microservices, internal apps, and backend services that need high availability and security.

Check out the full blog post for more details: DigitalOcean Internal Load Balancer is Now GA

- Bobby
