Set up a droplet only accessible by VPN

I have the following topology that I’d like to set up:

- WebServer - publicly accessible
- AppServer - publicly accessible
- Database - only accessible if VPN'd in

I would like to set up a droplet for a database such that it is not accessible from the open web, but I would be able to VPN into that droplet and access it that way. However, I would like AppServers (only) to be able to connect to the Database so that they can retrieve data.


I want to isolate my database server from the remaining publicly available servers. That is, even if my database is only available when I open my firewall from inside the server, I only want people to be able to SSH into the system if they are going through a VPN client.

Since you did not specify what database software you are planning to use, this advice is based on MySQL.

By default, MySQL installed on a droplet is not accessible from any outside IP address at all. It can only be accessed from the droplet itself. If you wanted to allow access but restrict it, the best course of action would be to allow remote connections to the database, and then set up a firewall to restrict traffic on port 3306 to the IP address or range that is assigned by your VPN. This way, only connections coming from the VPN would be allowed access to the database.
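The two steps above (let MySQL accept remote connections, then restrict port 3306 at the firewall) as an added example script; it is not from the answer above or from DigitalOcean. It assumes Ubuntu with ufw, MySQL's config at /etc/mysql/mysql.conf.d/mysqld.cnf, and that the VPN clients and the AppServers reach the droplet on its private-network address; the VPN subnet 10.8.0.0/24 and the IPs 10.132.0.x are constructed placeholders. SSH is also limited to the VPN range, as the asker wanted.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's setup. Paths, the VPN subnet
# 10.8.0.0/24 and the 10.132.0.x private addresses are assumptions.
set -euo pipefail

# run CMD...: execute, or only print the command when DRY_RUN=1, so the
# rule set can be reviewed before it is applied to a live droplet.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mysql_bind_address CNF ADDR: replace the default bind-address (127.0.0.1,
# local only) with ADDR so MySQL listens for remote connections on that
# address. Edits a copy and swaps it in; prints the resulting line.
mysql_bind_address() {
    local cnf="$1" addr="$2" tmp
    tmp="$(mktemp)"
    if grep -Eq '^[[:space:]]*bind-address' "$cnf"; then
        sed -E "s/^[[:space:]]*bind-address[[:space:]]*=.*/bind-address = ${addr}/" "$cnf" > "$tmp"
    else
        { cat "$cnf"; printf '\n[mysqld]\nbind-address = %s\n' "$addr"; } > "$tmp"
    fi
    cat "$tmp" > "$cnf" && rm -f "$tmp"
    grep -E '^bind-address' "$cnf"
}

# db_firewall VPN_CIDR [APPSERVER_IP...]: deny all inbound by default, then
# allow SSH and 3306 only from the VPN range, and 3306 from each AppServer.
db_firewall() {
    local vpn="$1" ip
    shift
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow from "$vpn" to any port 22 proto tcp
    run ufw allow from "$vpn" to any port 3306 proto tcp
    for ip in "$@"; do
        run ufw allow from "$ip" to any port 3306 proto tcp
    done
    run ufw --force enable
}

# Usage: DRY_RUN=1 bash db-firewall.sh 10.8.0.0/24 10.132.0.5   (prints the plan)
if [ "$#" -ge 1 ]; then
    db_firewall "$@"
fi
```

Run once with DRY_RUN=1 and confirm no rule opens 3306 to "any" before applying it; after that, `ufw status numbered` should list only the VPN range and the AppServer addresses for 3306.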