Set up a droplet only accessible by VPN

Posted October 28, 2015 6.8k views

I have the following topology that I’d like to set up:

WebServer - publicly accessible
AppServer - publicly accessible
Database - Only accessible if VPN’d in

I would like to set up a droplet for a database such that it is not accessible from the open web, but I would be able to VPN into that droplet and access it that way. However, I would like AppServers (only) to be able to connect to the Database so that they can retrieve data.

2 answers

Since you did not specify what database software you are planning to use, this advice is based on MySQL.

By default MySQL installed on a droplet is not accessible from any outside IP address at all. It can only be accessed from the droplet itself. If you wanted to allow access but restrict this, the best course of action would be to allow remote connections to the database, and then set up a firewall to restrict traffic on port 3306 to the IP address or range that is assigned by your VPN. This way, only connections coming from the VPN would be allowed access to the database.

by Shaun Lewis
Learn how to set up a firewall with UFW on an Ubuntu / Debian cloud server.

I want to isolate my database server from the remaining publicly available servers. That is even if my database is only available if I open my firewall from inside the server, I only want people to be able to ssh into the system if they are going through a VPN client.
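The two steps the answer above describes (let MySQL accept remote connections, then use UFW to limit port 3306 to the VPN range), extended to also limit SSH to the VPN as the follow-up comment asks, as an added example. This script is not from the answer, the asker, or DigitalOcean's UFW tutorial. The VPN subnet `10.8.0.0/24`, the app server addresses `10.10.0.11` and `10.10.0.12`, the private interface address `10.10.0.5`, and the function names are all constructed placeholders; the MySQL config file path is whatever you pass in. The UFW commands are printed rather than run so they can be reviewed first, and the demonstration edits only a temporary file, so the script runs without root.

```shell
#!/bin/sh
# Added example, not code from the original answer or the linked tutorial.
# Step 1: make MySQL listen on an interface other than 127.0.0.1 (e.g. the
#         droplet's private IP so app servers reach it over private networking).
# Step 2: print UFW rules so that only the VPN subnet reaches SSH, and only the
#         VPN subnet plus the app servers reach MySQL on 3306.
# Placeholder values (replace with your own): VPN subnet 10.8.0.0/24,
# app servers 10.10.0.11 and 10.10.0.12, private IP 10.10.0.5.

# Rewrite the bind-address line in a MySQL config file.
# $1 = path to the config file, $2 = address MySQL should listen on.
# Returns 1 if the file has no bind-address line, so a silent no-op is impossible.
set_bind_address() {
  cfg="$1"
  addr="$2"
  grep -q '^bind-address' "$cfg" || return 1
  # Write to a temp file and move it into place (portable, no `sed -i`).
  sed "s|^bind-address.*|bind-address = $addr|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the UFW commands implementing the policy; pipe the output into `sh`
# as root once reviewed. $1 = VPN subnet, remaining args = app server IPs.
ufw_rules() {
  vpn="$1"
  shift
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # SSH only from the VPN: the droplet is otherwise unreachable from the open web.
  echo "ufw allow from $vpn to any port 22 proto tcp"
  # MySQL from the VPN (for administration) and from each app server.
  echo "ufw allow from $vpn to any port 3306 proto tcp"
  for ip in "$@"; do
    echo "ufw allow from $ip to any port 3306 proto tcp"
  done
  echo "ufw --force enable"
}

# Sanity check before applying: how many rules open port 3306?
count_mysql_rules() {
  ufw_rules "$@" | grep -c 'port 3306'
}

# Demonstration on a constructed config file; nothing on the host is changed.
demo() {
  tmp=$(mktemp)
  printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$tmp"
  set_bind_address "$tmp" 10.10.0.5
  grep '^bind-address' "$tmp"          # bind-address = 10.10.0.5
  ufw_rules 10.8.0.0/24 10.10.0.11 10.10.0.12
  rm -f "$tmp"
}

demo
```

The firewall rule is in addition to, not a replacement for, MySQL's own per-host user grants: a user created for the app servers should still be limited to their addresses in the grant itself, so a rule mistake on the firewall does not by itself expose every account. Restart MySQL after changing bind-address, and keep an active SSH session open while enabling UFW so a wrong VPN subnet does not lock you out.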