Hi,
I’m using Terraform to provision an environment, but I’m running into an issue.
I’d like to terminate SSL on the LB, and then restrict port 80 on my 2 backend servers to only allow the LB to connect on the private network.
The problem I’m seeing with Terraform is that there’s no way to define a private IP for the LB (there is no output for it; it seems to only output the public IP).
Is there a way to at least restrict it to the private network CIDR without knowing it ahead of time?
There are a couple important things to know about how load balancers and firewalls work. First, from the load balancer docs:
And from the firewall docs:
So if you have both enabled private networking on the Droplets and specified the load balancer in the firewall rules, communication will happen over the private network and be properly restricted.
The key thing is using source_load_balancer_uids and destination_load_balancer_uids to specify the load balancer rather than its public IP address. So your Terraform configuration would (in part) look something like:
If I attempt to ping the Droplets or run nmap against them, I can see that port 80 is not accessible publicly nor from another Droplet using private networking, while the load balancer is serving content as expected…
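The configuration the answer describes, written out as an added example (it is not the answerer's own snippet and not taken from the DigitalOcean documentation). It assumes the digitalocean Terraform provider from the era when Droplets still used the private_networking flag, a certificate already uploaded to the account under the placeholder name "example-cert", and a placeholder admin CIDR for SSH; the region, image and size values are illustrative. The point it demonstrates is that the firewall rule for port 80 references the load balancer by its UID, so no private IP of the load balancer ever needs to be known.

```hcl
# Two backend Droplets with private networking enabled so the load balancer
# can reach them over the private interface.
resource "digitalocean_droplet" "web" {
  count              = 2
  name               = "web-${count.index}"
  image              = "ubuntu-18-04-x64"   # illustrative value
  region             = "nyc3"               # illustrative value
  size               = "s-1vcpu-1gb"        # illustrative value
  private_networking = true
}

# Load balancer that terminates TLS on 443 and forwards plain HTTP to port 80
# on the backends. The backends are attached by Droplet ID.
resource "digitalocean_loadbalancer" "web" {
  name   = "web-lb"
  region = "nyc3"

  forwarding_rule {
    entry_port       = 443
    entry_protocol   = "https"
    target_port      = 80
    target_protocol  = "http"
    certificate_name = "example-cert"       # placeholder: certificate already in the account
  }

  # Optional: send cleartext visitors to the HTTPS listener instead of serving them.
  redirect_http_to_https = true

  healthcheck {
    port     = 80
    protocol = "http"
    path     = "/"
  }

  droplet_ids = digitalocean_droplet.web[*].id
}

# Cloud firewall applied to the backends. Port 80 is opened only to the load
# balancer, referenced by UID rather than by any address, so the rule holds
# whatever private IP the load balancer is assigned.
resource "digitalocean_firewall" "web" {
  name        = "web-backends"
  droplet_ids = digitalocean_droplet.web[*].id

  inbound_rule {
    protocol                  = "tcp"
    port_range                = "80"
    source_load_balancer_uids = [digitalocean_loadbalancer.web.id]
  }

  # Administrative SSH, restricted to a placeholder management range.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["203.0.113.0/24"]   # placeholder admin CIDR (TEST-NET-3)
  }

  # Outbound traffic (package updates, DNS) is left open; tighten to taste.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}

# The public address is the only one exposed; it is the entry point for clients,
# not something the firewall rule above depends on.
output "lb_public_ip" {
  value = digitalocean_loadbalancer.web.ip
}
```

With this in place, no inbound rule on the backends names an IP for the load balancer, and there is no rule allowing port 80 from the private network CIDR at all, which is what keeps other Droplets on the same private network from reaching the backends directly. If the certificate is managed in Terraform as well, replace the placeholder name with a reference to that digitalocean_certificate resource.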