By dev8923
Hello,
I want to have the following in a private network, so that the application and database cannot be directly accessed, perhaps using the DigitalOcean Cloud Firewall.
To prevent access to the application server, would I need 3 separate Droplets, one for each?
Currently, Nginx & the application are hosted on the same Droplet, but I assume I will need to split these to prevent access to the application directly?
Thank you.
It depends on what you mean by access. It sounds like you want to separate out Nginx in case someone gains access to that server over the web somehow, so that they don’t gain access to the application.
You could have the application on a private droplet and configure it to refuse all connections except the private networking to Nginx, which proxies for it. In that case yes, you need a separate droplet.
For the database, you could have that on the same droplet as the application with no direct connections allowed to the web, or you could have it on a separate privately networked droplet much like the application, or you could have it on a privately networked managed database that DO now offers.
In my opinion, security-wise this all seems like it could provide some benefits, but perhaps not as many as you would maybe expect. If there’s a vulnerability in the application code that malicious users can exploit to gain access, having it proxied and on a separate droplet won’t help. Since the database needs to be accessible from the application, if they have control of the app, they likely have control of the database as well. It’s not a bad idea, but may be overkill depending on your needs.
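An added example, not part of the original answer: a small Python model of the three-tier layout described above, which audits the inbound allow rules and shows what each tier can be reached from. The private range, addresses, ports and tier names are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed sample values: the private range, addresses, ports and tier
# names are assumptions for illustration, not taken from the thread.
PRIVATE_NET = ipaddress.ip_network("10.10.0.0/24")
ANY = "0.0.0.0/0"
ADDR = {"nginx": "10.10.0.2", "app": "10.10.0.3", "db": "10.10.0.4"}
RULES = {  # tier -> inbound allow rules as (port, source CIDR); default deny
    "nginx": [(80, ANY), (443, ANY)],
    "app": [(8000, "10.10.0.2/32")],  # only the Nginx Droplet
    "db": [(5432, "10.10.0.3/32")],   # only the application Droplet
}


def open_ports(rules, tier, src_ip):
    """Ports on `tier` that accept a connection from `src_ip`."""
    ip = ipaddress.ip_address(src_ip)
    return sorted(p for p, cidr in rules[tier] if ip in ipaddress.ip_network(cidr))


def internet_facing(rules):
    """Tiers with any rule whose source is not inside the private network."""
    return sorted(
        tier for tier, rs in rules.items()
        if any(not ipaddress.ip_network(c).subnet_of(PRIVATE_NET) for _, c in rs)
    )


def reachable_from(rules, held):
    """Tiers an attacker can connect to from the internet plus the tiers in
    `held` (tiers already compromised). One hop only: it does not assume the
    newly reachable services are themselves exploitable."""
    found = set(internet_facing(rules))
    for src in held:
        found |= {t for t in rules if t != src and open_ports(rules, t, ADDR[src])}
    return sorted(found)


if __name__ == "__main__":
    print("internet-facing:", internet_facing(RULES))
    for held in ([], ["nginx"], ["app"]):
        print("holding", held, "-> can connect to", reachable_from(RULES, held))
```

The model covers network-level connections only. Requests that Nginx proxies still reach the application's code, which is the limit the answer points out, and the `["app"]` case shows the database becoming reachable once the application is held.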