Set up a droplet only accessible by VPN

I have the following topology that I’d like to set up:

WebServer - publicly accessible
AppServer - publicly accessible
Database - Only accessible if VPN'd in

I would like to set up a droplet for a database such that it is not accessible from the open web, but I would be able to VPN into that droplet and access it that way. However, I would like AppServers (only) to be able to connect to the Database so that they can retrieve data.



I want to isolate my database server from the remaining publicly available servers. That is, even if my database is only available if I open my firewall from inside the server, I only want people to be able to SSH into the system if they are going through a VPN client.

Since you did not specify what database software you are planning to use, this advice is based on MySQL.

By default, MySQL installed on a droplet is not accessible from any outside IP address at all. It can only be accessed from the droplet itself. If you wanted to allow access but restrict it, the best course of action would be to allow remote connections to the database, and then set up a firewall to restrict traffic on port 3306 to the IP address or range that is assigned by your VPN. This way, only connections coming from the VPN would be allowed access to the database.
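The setup described in this answer, plus the SSH-only-over-VPN requirement from the question, as an added example (not code from the answer or from DigitalOcean): a ufw rule set and a my.cnf fragment for the database droplet. The VPN client range 10.8.0.0/24, the droplet's VPN-side address 10.8.0.1, the VPN port 1194/udp and the app server addresses are placeholder assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original answer: lock the database droplet's MySQL
# (3306) and SSH (22) ports to clients arriving over the VPN, plus the app servers.
# Placeholders (assumed, not from the page): VPN clients get 10.8.0.0/24, the
# droplet's VPN-side address is 10.8.0.1, and the VPN daemon listens on 1194/udp.
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"   # VPN client address range
MYSQL_BIND="${MYSQL_BIND:-10.8.0.1}"      # droplet's address on the VPN interface
VPN_PORT="${VPN_PORT:-1194/udp}"          # port the VPN daemon listens on
APP_SERVERS="${APP_SERVERS:-203.0.113.10 203.0.113.11}"  # app server IPs (constructed)
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = run them

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# my.cnf fragment: MySQL listens on the VPN-side address only, so the firewall is a
# second layer rather than the only thing between 3306 and the internet. App servers
# must then reach it over the VPN/private interface too; MYSQL_BIND=0.0.0.0 relies
# on the firewall alone.
mysql_bind_config() {
    printf '[mysqld]\nbind-address = %s\n' "$MYSQL_BIND"
}

# ufw rules: deny everything inbound by default, keep the VPN port reachable so
# clients can connect at all, then open 22 and 3306 only to the VPN range and
# 3306 additionally to each app server address passed as an argument.
vpn_only_firewall() {
    subnet="$1"; shift
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow "$VPN_PORT"
    run ufw allow from "$subnet" to any port 22 proto tcp
    run ufw allow from "$subnet" to any port 3306 proto tcp
    for app in "$@"; do
        run ufw allow from "$app" to any port 3306 proto tcp
    done
    run ufw --force enable
}

# Sanity check on a generated rule set: every rule touching 22 or 3306 must carry
# a "from <source>" restriction. Returns 0 if none is open to the world.
no_world_open_ports() {
    ! printf '%s\n' "$1" | grep -E '3306| 22( |/|$)' | grep -vq ' from '
}

mysql_bind_config
vpn_only_firewall "$VPN_SUBNET" $APP_SERVERS   # unquoted: split into one IP per argument
```

Run with DRY_RUN=0 on the droplet to apply the rules; the printed my.cnf fragment goes into the server's MySQL configuration before the service is restarted.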