How do I create a private network to have multiple web servers connect to a single backend database server?
I have a single Linode at the moment. I want to be able to handle more requests, so I am thinking about adding 2 more Linodes to handle Web requests and one Linode act as a dedicated MySQL server. I want to have my database and web servers talk to each other on a private network with minimum latency. How do I do that?
Unless you're already using the $960 USD Linode 192GB plan, just upgrade your Linode instead.
All Linodes in the same Data Center can communicate with each other at up to 40Gbps with extremely low latency. To add a private IP address to your Linodes, simply go to the Remote Access tab of your Linode's Dashboard and next to Private IP's click Add a Private IP.
You can create a NodeBalancer which will sit in front of your web servers and distribute traffic between all of your web servers. The node balancer connects to your webserver over the private network, so your web servers do not have to be directly exposed to the Internet. They are very flexible and can use a variety of strategies to handle the request distribution. NodeBalancers allow you to add and remove backend web servers as you see fit to adjust to the size of your load. You can keep a disk image on a primary web server and clone it to new Linode whenever you need extra capacity.
Security in the private network
Here are two ways to restrict traffic to your backend servers, by /etc/hosts.allow or by firewall. In the following examples we will use these addresses. Substitute the actual private IP addresses given by the Linode Manager as necessary:
Linux lets you add entries to these to files to control access to various services on your Linode.
To allow only traffic from Web1, Web2, and Web3 to access your database, you would edit your
/etc/hosts.allow to look like:
mysqld : 192.168.12.10 mysqld : 192.168.12.11 mysqld : 192.168.12.12 mysqld : localhost
You will want to restrict all other traffic, so you can make your
/etc/hosts.deny file look like:
ALL : ALL
This will prevent any traffic unless it is specifically allowed in your
Likewise, on one of your web servers you would configure
/etc/hosts.allow to look like:
apache2 : 192.168.12.1 apache2 : 192.168.12.20
If the name of the process that is accessing your database is different that apache2, you would substitute that name in the file.
Use the command
man 5 hosts.allow or here for more details.
Alternatively you may wish to use your Linode's firewall to control access. The following guides are some firewall options and how to configure them:
Connections over private IP addresses aren't encrypted by default. However, we make sure that only the two Linodes involved in a given connection can see packets for that connection.
If you'd like to encrypt traffic over private IP addresses with a VPN you can certainly do so. I'd recommend encryption for any sensitive data for an added layer of security. We have a few guides on setting up different kinds of VPNs that may help.