NGCS Tutorial | Separating Services and Locking It Down | [Part 1]

Part 1 of the Lock It Down series. Go to Part 2

So I’ve decided to start a tutorial of sorts that will focus on a number of aspects or goals. 1&1’s NGCS, like most cloud server providers, gives us customers the ability to create an infrastructure that meets our every needs to build an IT infrastructure that use to be only found in high end companies. Our goal is to do it for a great price and have our services on separate servers, keep the servers as small as possible (Cloud S/M), and lock it down so that we leverage as much resources available on the “Hardware” side before it ever gets to the Software.

This first post will detail the end goal we’re looking for and talk about the resources we’re going to need and use. We’ll leverage the Private Networking to connect our servers to the Database, prevent outsiders from accessing the servers SSH/MySQL, and utilize the VPN to grant us access to the server’s privileged functions.

End Goal Design:

1 – Private Networking

1 – Private VPN

1 – Web Servers that only host web files, no dbs

  • Only HTTP, and HTTPS allowed
  • SSH only allowed via VPN
  • Connect to Database via Private Network
  • Use Plesk

1 – Database Server

  • Only available via Private Network
  • SSH only via VPN

1 – LoadBalancer (to be provisioned for later use)

1 – Mail Server  [Will focus on later as Plesk will be an obstacle]

  • SSH only via VPN
  • Connect to DB via Private Network

Limitations:

Unfortunately, before I can get into building a pretty awesome setup, I do have to mention a few limitations and it actually involves two selling points: “Free Load Balancer” and “Free Private Networking“. You see, the load balancer is currently configured to balance incoming outside traffic to the Public network interfaces of the configured servers. This gives us the ability to then create mirrored servers at the smallest configurations we’re comfortable with and handle an increased amount of traffic. The limitation though is in the design of the Private Network and the fact that the Load Balancer is only designed for the Public Network Interfaces.

In the simplest description, the Private Network allows you to create a network and subnet to connect your servers. When you hit the create button, it then automatically create a new Virtual Network Interface for you to set up, without this, you wouldn’t be able to listen/communicate privately. This service does NOT create a virtual DHCP server though, so IPs are assign statically by you, which makes the network/subnetting irrevelant. Are you really going to manage a Class B of IPs to use (65,000 Hosts)? It’s pretty much redundent without a DHCP server.

After you get the Private Networking setup, you unfortunately still run into the problem where if a server goes down or gets over used, your service is doomed. Ideally, we’d want to attach a load balancer to the Private network, give it a Private IP, and then we’d just connect our services to that. Unfortunately that’s not possible, but you better believe it’s a request I’m making! I’ll drive 1&1 all nuts with Requests, Bugs, and Suggestions because I believe in our product, and thus far, they appear to be a hell of a team that listens. *thumbs up*

 

Part 1 of the Lock It Down series. Go to Part 2

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

One thought on “NGCS Tutorial | Separating Services and Locking It Down | [Part 1]”