Is it possible to run a droplet on Digital Ocean without a public IP?
Problem
I am provisioning droplets on Digital Ocean with Terraform. I would like some of those droplets to be blocked from the internet, except for the Shared Private Network, and their appropriate gateway on that Network.
Is it possible to do this with Terraform?
Solution
I would like some of those droplets to be blocked from the internet
The only way to do this on Digital Ocean is with the appropriate firewall rules
The only way to do this (Terraform or otherwise) is to create the firewall rules and associate them to the droplets. The droplets are always assigned a public IP address by Digital Ocean, and the network firewall can be used to manage access via that endpoint.
However, internal configuration of the machine can be done to configure the droplets to use a custom preconfigured gateway and not use the public interface as a gateway.
Digital Ocean has a writeup on how they suggest this, using iptables and cloud-init:
- set up gateway server as NAT router
sysctl -w net.ipv4.ip_forward=1
- change default route to your NAT gateway:
ip route change default via
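The two halves of the answer (a cloud firewall bound to the droplets, plus a NAT gateway and a changed default route applied through cloud-init) written out as one Terraform configuration. This is an added example, not code from the answer or from DigitalOcean; the private-network CIDR, the gateway's private address, the region, sizes, image and the assumption that `eth0` is the public interface are placeholders to be replaced with the values shown for your own account.

```hcl
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

variable "do_token" {
  type      = string
  sensitive = true
}

# Assumed values: substitute the private-network range and the gateway's
# private address that DigitalOcean assigns in your region.
variable "private_cidr" {
  type    = string
  default = "10.0.0.0/8"
}

variable "gateway_private_ip" {
  type    = string
  default = "10.0.0.2"
}

provider "digitalocean" {
  token = var.do_token
}

# Gateway droplet: enables forwarding and masquerades traffic that arrives
# from the private network out of its public interface (assumed to be eth0).
resource "digitalocean_droplet" "gateway" {
  name               = "nat-gateway"
  region             = "nyc3"
  size               = "s-1vcpu-1gb"
  image              = "ubuntu-22-04-x64"
  private_networking = true
  user_data          = <<-EOT
    #cloud-config
    runcmd:
      - sysctl -w net.ipv4.ip_forward=1
      - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  EOT
}

# Internal droplet: still receives a public IP from DigitalOcean, but its
# default route is pointed at the gateway's private address instead.
resource "digitalocean_droplet" "internal" {
  name               = "internal-1"
  region             = "nyc3"
  size               = "s-1vcpu-1gb"
  image              = "ubuntu-22-04-x64"
  private_networking = true
  user_data          = <<-EOT
    #cloud-config
    runcmd:
      - ip route change default via ${var.gateway_private_ip}
  EOT
}

# Cloud firewall bound to the internal droplet. Traffic that matches no rule is
# dropped, so only the private network can reach it and only the private
# network (where the gateway lives) can be reached from it.
resource "digitalocean_firewall" "internal_only" {
  name        = "private-network-only"
  droplet_ids = [digitalocean_droplet.internal.id]

  inbound_rule {
    protocol         = "tcp"
    port_range       = "1-65535"
    source_addresses = [var.private_cidr]
  }
  inbound_rule {
    protocol         = "udp"
    port_range       = "1-65535"
    source_addresses = [var.private_cidr]
  }
  inbound_rule {
    protocol         = "icmp"
    source_addresses = [var.private_cidr]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = [var.private_cidr]
  }
  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = [var.private_cidr]
  }
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = [var.private_cidr]
  }
}
```

Two caveats when running this: `runcmd` executes only on the first boot, so the route change and the NAT rule need a persistent form (netplan or an iptables-persistent package) to survive a reboot; and because the outbound rules above only permit destinations inside the private range, the internal droplet cannot reach the internet through the gateway unless those destination lists are widened, which is exactly the point at which the firewall, not the missing public IP, decides what the droplet may talk to.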
Context
StackExchange DevOps Q#17027, answer score: 1