
Securing communication between cloud VMs without private networks. Any strategy besides building own VPN? Spiped?

Submitted by: @import:stackexchange-devops

Problem

I am working on an application that requires a number of different services (web application + database + worker queues, XMPP server for messaging, redis, central authentication via LDAP, etc). For my first attempt at designing the thing, I am estimating that I will need ~15 instances of varying sizes: more RAM/SSD for the database, less so for web server and LDAP, more cores for the worker queues, and so on.

I don't want to use the big cloud providers (AWS, Azure, GCP) for matters of cost. This is something I am still bootstrapping, and the GCP pricing calculator put this at ~$5800/month. A similar (in terms of CPU/RAM/SSD) spec in Hetzner Cloud would be ~$430/month.

Of course, the difference in price also comes with some difference in features. Hetzner Cloud VM instances do not have any sort of private networking. So I am wondering how I can ensure that all those machines can be effectively protected from the public internet. Some of these services (web server, XMPP server) should also have a public IP, but ideally all other services should have all ports closed (including SSH).

I know that one of the answers is "build your own OpenVPN AS". However, (a) I have never done it before and (b) I am under the impression this would mean yet more services to add to this infrastructure.

One thing I did do before was to connect machines via spiped. This does not give you a private network but at least ensures that only those with the key can connect to your public-facing machines.

So my question is: am I missing some alternative to these two above?

Also: Docker. I have limited experience with Docker and Kubernetes, but if I went this route it seems I would end up going into the arms of the big providers, not to mention it would still be yet another thing to learn and take time from my application development. Is Docker Swarm something that could solve this requirement?

Solution

I am going to suggest an approach that I would not necessarily recommend, because I do not consider it a manageable, scalable solution:

SSH port forwarding.

SSH is a Swiss Army knife in terms of its features. Virtually any port can be securely forwarded to any other port on a remote machine, and indeed through a remote machine to a target machine beyond. Documentation abounds, but I really like the drawings in this answer. I use SSH across bastion hosts regularly in a manner that mirrors the diagrams at the link.

As I said, I don't think this is a good solution, but it might serve to give you some ideas and it could be one component of a larger solution.

Good luck!
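One way to wire up the bastion-plus-port-forwarding approach from the answer above, as an added example that is not part of the original question or answer: a shell script that emits an SSH client config reaching every internal VM through a single bastion with `ProxyJump`, builds the one-off forwarding command for a service that binds only to loopback on its VM, and prints the ingress rules an internal VM needs so that its SSH port accepts only the bastion. All IP addresses, host aliases and the `ops` user are constructed placeholders.

```shell
#!/bin/sh
# Added example: SSH-forwarding layout for VMs that have only public IPs.
# Every address below is a constructed placeholder (TEST-NET-3 range).
BASTION_IP="203.0.113.10"   # the one VM whose port 22 is reachable from the internet
DB_IP="203.0.113.20"        # database VM: SSH accepted only from the bastion
REDIS_IP="203.0.113.30"     # redis VM: SSH accepted only from the bastion

# Client-side ~/.ssh/config fragment. Internal hosts are reached via ProxyJump,
# so the developer's machine never needs a direct route to their port 22.
# Services on the VMs bind to 127.0.0.1 and are only reachable via the forward.
client_config() {
  cat <<EOF
Host bastion
    HostName $BASTION_IP
    User ops
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519

Host db
    HostName $DB_IP
    User ops
    ProxyJump bastion
    LocalForward 127.0.0.1:5432 127.0.0.1:5432

Host redis
    HostName $REDIS_IP
    User ops
    ProxyJump bastion
    LocalForward 127.0.0.1:6379 127.0.0.1:6379
EOF
}

# One-off forward without the config file: local port -> loopback port on the
# internal host, hopping through the bastion. Usage: forward_cmd <host> <port>
forward_cmd() {
  printf 'ssh -N -J bastion -L 127.0.0.1:%s:127.0.0.1:%s ops@%s' "$2" "$2" "$1"
}

# Host-side ingress rules for an internal VM (iptables syntax; adapt to
# nftables or ufw): port 22 open to the bastion only, dropped for everyone else.
sshd_ingress_rules() {
  printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$BASTION_IP"
  printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}
```

With the config in place, `ssh -N db` opens the PostgreSQL forward and the application can talk to `127.0.0.1:5432` locally; the same pattern extends to LDAP or the XMPP admin port.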

Context

StackExchange DevOps Q#6874, answer score: 1
