How to secure database behind NodeBalancer?
I am setting up a database cluster with MariaDB and Galera. I put each of the Linodes behind the NodeBalancer, and it works great.
Here is the thing, though: if all traffic to the database servers appears to be coming from the load balancer, then how do I secure each installation?
Normally I just disable root access and set up each database user to only be allowed from a single host, say [email protected]. In this case though, the user would be [email protected], which would allow anyone on the internet to attempt to connect via the load balancer IP.
I tested this myself. I created a user whose only allowable host was the IP of the NodeBalancer, and was able to authenticate just fine from my home network.
Is having sufficiently strong passwords going to be good enough for security? Or is there something I am missing?
I suppose perhaps an easier question to answer would be:
Is it possible to whitelist allowed IP addresses to connect to this service at the NodeBalancer level? Or perhaps limit this NodeBalancer to the internal Linode network only?
It's not possible to whitelist IP addresses on a NodeBalancer, though I wouldn't recommend making the database users accessible through the NodeBalancer either. Instead, I'd recommend setting up allowed IP addresses on each individual Linode, and connecting to MariaDB on each Linode individually for manual administration. That way you can be certain which back-end Linode you're connecting to MariaDB on.
If you'd like to have the ability to whitelist or blacklist IP addresses at the load balancer level, I'd recommend setting up HAProxy as a load balancer on a new Linode. That way you can have more granular control over settings, and can configure firewall or HAProxy rules manually.
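A minimal HAProxy configuration for the source-address allowlist suggested in the answer above, as an added example that is not part of the original thread. All addresses, server names and section names are constructed placeholders.

```haproxy
# Added example: TCP load balancing for a three-node Galera cluster with a
# source-IP allowlist enforced at the proxy. Every address is a placeholder.
global
    log /dev/log local0
    maxconn 2048

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  30m
    timeout server  30m

frontend mariadb_in
    # Address the application servers connect to (placeholder).
    bind 203.0.113.10:3306

    # Application hosts that may open a connection (placeholders).
    acl allowed_src src 198.51.100.21 198.51.100.22

    # Drop every other source before any MariaDB handshake takes place.
    tcp-request connection reject unless allowed_src

    default_backend galera_nodes

backend galera_nodes
    balance leastconn
    # "check" is a plain TCP connect test against each node.
    server db1 192.168.0.11:3306 check
    server db2 192.168.0.12:3306 check
    server db3 192.168.0.13:3306 check
```

MariaDB still sees the proxy's address as the client host, so the database accounts remain bound to the HAProxy host and the allowlist is what restricts who can reach them. The backend Linodes should also firewall port 3306 so that only the proxy and the other cluster members can connect.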
Hi, while I agree on the fact that whitelisting shouldn't be used that much, I wonder if there is the possibility in the future (this post is already quite old) to have this feature on the Load Balancer (using a SPOF single VM with HAProxy is not an option, and I suppose your LBs are in some form of HA).
I'm using LKE, and enabling a whitelist in an nginx annotation is quite handy, at least while waiting to implement some more robust form of access control.