DigitalOcean

Question

Using a Droplet's private IP - security

I have two droplets, one hosting backend servers (server2) and the other is an edge server (server1) that hosts front end client and edge servers.

On both servers I have NGINX managing proxying and SSL certificates.

I am looking for advice on configure edge servers on server1 that are connecting to backend servers on server2 using the private IP, specifically, does/should one use https for initiating api call to backend server or will http suffice (doesn’t feel right). If https is recommended then how does one setup SSL certificate as a reachable domain name is required.

Also, can any servers outside of my servers connect to any of my servers via their private IP address.

I am happy to read more, just didn’t find much on the topic so thought I would reach out to the community.

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev
Site Moderator
Site Moderator badge
November 9, 2023

Hi there,

In the DigitalOcean VPC environment, the traffic between Droplets is isolated from the public internet. This isolation provides a layer of security, making internal communication over HTTP between your servers relatively safe compared to exposure over public networks.

However, even within a VPC, implementing HTTPS can add a layer of security that guards against potential internal threats, such as a compromised server attempting to intercept traffic. This is particularly important if your applications handle sensitive data that would necessitate encryption for compliance with data protection regulations or company policies. But in some cases, this could also be an overkill.

When it comes to setting up HTTPS without a domain, for internal communications, you can use self-signed SSL certificates. While these certificates won’t provide the same level of trust as those signed by a public CA, they will encrypt the traffic between your servers.

Finally, regarding connectivity via private IP addresses, the access is typically restricted to within your own account. It’s critical to configure firewalls, like the DigitalOcean’s Cloud Firewalls, to enforce strict access controls, ensuring that only your servers can communicate with each other on the VPC network.

Hope that this helps!

Best,

Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Learn more

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Learn more

Featured Tutorials

Kubernetes CourseLearn Python 3Machine Learning in PythonGetting started with GoIntro to Kubernetes

DigitalOcean Products

CloudwaysVirtual MachinesManaged DatabasesManaged KubernetesBlock StorageObject StorageMarketplaceVPCLoad Balancers

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel
© 2024 DigitalOcean, LLC.Sitemap.