By: msebel

Private networking between regions

January 14, 2015

Due to the AMS2 connectivity issues yesterday that affected all our droplets, a simple question came to mind (I just couldn't find anyone posting this before).

We're running a cluster with multiple failovers at the load balancing, web serving and database levels. That doesn't help at all if ALL droplets in a datacenter have connectivity issues. Our monitoring, which pings our servers every 10-30s, is experiencing a lot of networking issues / small latencies that last no more than 10-20s, but mostly on all droplets at the same time. And of course yesterday it happened for 45 minutes. (Imagine furious customers now :-)).

Now, all our servers in AMS3 didn't have any issues. Therefore, is it possible for droplets to communicate with private networking enabled across local regions (AMS2 and AMS3)? We're thinking about stretching our cluster across two regions, but we would need at least the DB master/master clusters to communicate across regions (over private networking).

3 Answers

Is there a plan to provide private networking functionality between regions?

Currently private networking only allows for communication between droplets in the same data center. While AMS2 and AMS3 are in the same city, they are in separate physical facilities.

I think the point of private networking is to provide a fast (probably unencrypted) low overhead transport between hosts. I personally would set up a VPN / stunnel or SSH tunnel to traverse the (more) hostile network between datacenters / regions.

I think there is some trust in knowing the data traversing within a single DC is likely to be routed through a small amount of infrastructure which is 100% controlled by DigitalOcean (I'm hoping, I don't work for DO so I don't actually know). Routing unencrypted traffic outside DO's infrastructure should be done with caution. While I think there may be a use for passing unencrypted traffic on a private network between DO sites, I feel most customers would not be able to use this configuration due to data privacy / security.

I'm setting up separate private networks in different DO zones and using a tinc VPN between the sites for private transfer.
