It might be worth noting that in the tutorial. While this has a lot of great benefits for people that move a lot of data around between their servers, it doesn't really improve security at all.
It's actually worth noting that more clearly on the main page actually. Your parent question wasn't stupid at all. Not to mention the fact that the sales page hasn't even been proofed very well; part of it reads:
"Each new Droplet spun up in NYC2 can include a second interface on a network with no public internet access that is accessible from other Droplets have the private networking interface. You can enable shared private networking on your Droplet on the Droplet create screen.
Traffic sent between Droplets on across the private network"
Specifically "droplets have" and "droplets on across"
Additionally "droplets" is not an industry standard term. It's a term (afaik) that DO invented for their marketing. They might want to define that as well for anyone who lands on that page and doesn't want to explore the rest of the site. That's the type of thing that will stop people dead in their tracks when trying to understand what is going on. It's cute but I'd really rather read industry standard terms for things.
In one sense the security is "added". But in another sense it's a false sense of security. Because if someone wants to get at you they simply have to get a DO server in the same place and potentially exploit the fact that people have their guard down. (The closest example I can think of is people who have a firewall and don't spend as much time locking down the machines behind the firewall because they think they are covered.)
The real security this provides is that now your access policies for firewall are much simplified. You can maintain a very reasonable back end network of hosts that aren't exposed to the public Internet and spin up a droplet to be your jump/bastion box, run certificates and lock SSH down to a sane source to an individual host (only the jump/bastion and not public).
Beyond that it adds no functional security - in fact port scanning on the inside will be much more fruitful with regard to services that default to starting on 0.0.0.0. With that in mind - make sure you're not exposing things that you don't mean to be on the backend.
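Added example, not part of any comment in this thread: a small audit of a host's own listening sockets that flags services a neighbour on the shared private network could reach, which is the 0.0.0.0 default discussed above. The `ss -H -ltnp` sample, the private address `10.128.0.5`, and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (not from the original thread).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=901,fd=6))
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=955,fd=22))
LISTEN 0 128 10.128.0.5:9200 0.0.0.0:* users:(("java",pid=1020,fd=99))
LISTEN 0 128 [::1]:25 [::]:* users:(("master",pid=1101,fd=14))
LISTEN 0 128 *:8080 *:* users:(("node",pid=1200,fd=18))
"""

WILDCARDS = {"0.0.0.0", "*", "::"}  # binds that listen on every interface

def split_addr(local):
    """Split '10.0.0.1:80', '[::1]:25' or '*:8080' into (host, port)."""
    host, _, port = local.rpartition(":")
    # Drop IPv6 brackets and any '%iface' scope suffix.
    return host.strip("[]").split("%")[0], int(port)

def reachable_from_private(ss_output, private_ip, allowed_ports=frozenset()):
    """Return sorted (port, host, process, reason) tuples for listeners that a
    host on the private network can reach, skipping ports in allowed_ports."""
    private = ipaddress.ip_address(private_ip)
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        proc = re.search(r'\(\("([^"]+)"', line)
        name = proc.group(1) if proc else "?"
        if host in WILDCARDS:
            reason = "wildcard bind"
        elif ipaddress.ip_address(host) == private:
            reason = "bound to private interface"
        else:
            continue  # loopback or another interface: not reachable this way
        if port not in allowed_ports:
            findings.append((port, host, name, reason))
    return sorted(findings)

if __name__ == "__main__":
    # Port 22 is treated as intended here (SSH from the jump/bastion box).
    for finding in reachable_from_private(SAMPLE_SS, "10.128.0.5", {22}):
        print(finding)
```

On a real host, feed it the live output of `ss -H -ltnp` and the address of the private interface; anything reported that is not meant for the back end should be rebound to loopback or filtered.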