Set up a droplet only accessible by VPN

I have the following topology that I'd like to set up:

WebServer - publicly accessible
AppServer - publicly accessible
Database - Only accessible if VPN'd in

I would like to set up a droplet for a database such that it is not accessible from the open web, but I would be able to VPN into that droplet and access it that way. However, I would like AppServers (only) to be able to connect to the Database so that they can retrieve data.

1 Answer

Since you did not specify what database software you are planning to use this advice is based on MySQL.

By default, MySQL installed on a droplet is not accessible from any outside IP address at all. It can only be accessed from the droplet itself. If you wanted to allow access but restrict this, the best course of action would be to allow remote connections to the database, and then set up a firewall to restrict traffic on port 3306 to the IP address or range that is assigned by your VPN. This way, only connections coming from the VPN would be allowed access to the database.

by Shaun Lewis
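The firewall step from the answer above, as an added example that is not part of the original post: a script that generates the host firewall rules restricting port 3306 to the VPN address range and the app servers. It assumes ufw on an Ubuntu droplet; the VPN subnet 10.8.0.0/24 and the app-server addresses are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the answer's author): generate the ufw rules that
# restrict MySQL (3306) on the database droplet to the VPN range and the app
# servers only. The subnet and addresses used below are constructed placeholders.
set -eu

DB_PORT=3306

# Emit ufw commands: default deny inbound, then allow 3306 only from the VPN
# range and from each app server. Nothing is applied here; the caller reviews
# the output and pipes it to "sudo sh" when satisfied.
build_db_fw_rules() {
  vpn_cidr="$1"; shift
  # Reject a bare host address: the VPN side should be the assigned range,
  # and a malformed value must not silently produce an over-broad rule.
  case "$vpn_cidr" in
    */*) ;;
    *) echo "vpn range must be a CIDR block, got: $vpn_cidr" >&2; return 1 ;;
  esac
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw allow from $vpn_cidr to any port $DB_PORT proto tcp"
  for app in "$@"; do
    echo "ufw allow from $app to any port $DB_PORT proto tcp"
  done
  echo "ufw --force enable"
}

# Count how many sources the generated rule set lets reach 3306: one for the
# VPN range plus one per app server. Useful as a sanity check before applying.
count_db_sources() {
  build_db_fw_rules "$@" | grep -c "allow from"
}

# Dry run: print the commands for the VPN range and two app servers.
build_db_fw_rules 10.8.0.0/24 10.0.0.11 10.0.0.12
```

The firewall only governs connections MySQL is listening for: to get the remote access the answer mentions, MySQL's bind-address must also point at the droplet's private or VPN interface instead of 127.0.0.1.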
