Hi. I am currently running database and web server on single droplet, but because of site traffic increase, I am planning to put database on separate droplet with enough RAM, but there are some questions: I want my database server to be secured and accessed only by my application (web) servers. Is VPC (Private Networking) correct solution to this? Is it possible to remove public IP from database server, and make it isolated from outer network? If yes, then how can it be setup and administrated via ssh (because, well, ssh connection will be also blocked)? What IP my application/client should use to connect to database server, if they both will be added to VPC network? In general, are these steps correct for balancing the load and securing a database on other droplet? Thanks in advance for any help regarding these questions. P.S. If that helps, I am running Ubuntu / Node.js / Nginx / MongoDB.

Hi @xrjMaker , It’s totally possible what you are aiming for and I believe if the traffic to your application is huge that it’s a step in the right direction! Let’s start with your questions. Private Networking is a really good solution and you’ve correctly decided to turn your attention to it. For more information you can check the docs here -> https://www.digitalocean.com/docs/networking/vpc/ . Additionally, if you don’t want to use the Private Network product, you can achieve everything with a few Firewall rules. It’s not possible to remove the public IP of your Droplet however if you are going to use it for an SQL instance only, closing all ports to the public should be enough of a security. There are two possibilities, the first one is using the public IP of your SQL droplet to connect to it. For that to work,you’ll need to allow access from the SQL droplet to the Droplet where your application is being held. The second option would be if you are using Private Networking to use the internal IP addresses you’ll be granted. I’ve actually stated it at the beginning but yes. Separating your SQL and Application to different droplets does help balancing the load. Regards,KDSys

DigitalOcean

- Community
- DigitalOcean
- Community
- DigitalOcean

Question

Setting up a database server on another droplet in VPC

Posted on May 3, 2020

Databases

Scaling

Networking

By xrjMaker

Hi. I am currently running database and web server on single droplet, but because of site traffic increase, I am planning to put database on separate droplet with enough RAM, but there are some questions:

I want my database server to be secured and accessed only by my application (web) servers. Is VPC (Private Networking) correct solution to this?
Is it possible to remove public IP from database server, and make it isolated from outer network? If yes, then how can it be setup and administrated via ssh (because, well, ssh connection will be also blocked)?
What IP my application/client should use to connect to database server, if they both will be added to VPC network?
In general, are these steps correct for balancing the load and securing a database on other droplet?

Thanks in advance for any help regarding these questions.

P.S. If that helps, I am running Ubuntu / Node.js / Nginx / MongoDB.

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys

May 4, 2020

Accepted Answer

Hi @xrjMaker,

It’s totally possible what you are aiming for and I believe if the traffic to your application is huge that it’s a step in the right direction!

Let’s start with your questions.

Private Networking is a really good solution and you’ve correctly decided to turn your attention to it. For more information you can check the docs here -> https://www.digitalocean.com/docs/networking/vpc/ . Additionally, if you don’t want to use the Private Network product, you can achieve everything with a few Firewall rules.
It’s not possible to remove the public IP of your Droplet however if you are going to use it for an SQL instance only, closing all ports to the public should be enough of a security.
There are two possibilities, the first one is using the public IP of your SQL droplet to connect to it. For that to work,you’ll need to allow access from the SQL droplet to the Droplet where your application is being held. The second option would be if you are using Private Networking to use the internal IP addresses you’ll be granted.
I’ve actually stated it at the beginning but yes. Separating your SQL and Application to different droplets does help balancing the load.

Regards, KDSys

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

View all products

Get started for free

Get started

*This promotional offer applies to new accounts only.