Securing database behind load balancer

Howdy folks!

I will get right to it. I have a site that has been growing strong for the past several months, and it is getting to the point where having a single database server is not quite cutting it. I need to distribute the load a bit, and I need more than a single point of failure.

I have been testing MariaDB replication with a Galera cluster, and putting the whole shebang behind a load balancer. In this case that would be a normal TCP “NodeBalancer” from Linode.

Here is my question: what would be the best way to lock down this cluster? Before, I would create users within the database with [email protected], but since the host will always appear to be the load balancer, anyone on the internet will be able to knock on the application door.

Is having a strong password for all user accounts going to cut it? Or is there a better way that I am missing?

Firewall. Whatever you’re using, just whitelist your application’s IPs, drop anything else.

Depending too on what features your provider gives you, this may be really easy too. I know DigitalOcean has private networking which works between droplets in the same data center, which would keep this traffic 1) off your bandwidth quota and 2) off the public internet.

I did a bunch of digging around today. I think I found a good solution.

The “one click” load balancers being provided are just for public-facing stuff; there are no configuration options to allow it only on the internal private networks. They did say, though, that their load balancers are just a fancy frontend for HAProxy, which looks pretty easy to configure.

I think that is the route I will go, and just set up my own load balancer. I shall report back with results.

As a follow-up, I set up my own HAProxy server to balance traffic between the database nodes. Each node has been configured to accept connections only from the load balancer, and the load balancer is bound to the internal network port so it is not exposed to the internet.

I still need to set up some sort of failover for the HAProxy server, but that is a task for another day.
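
To verify the setup described in the follow-up above (HAProxy listening only on the internal network), here is an added example, not code from the thread, that scans an haproxy.cfg for `bind` lines reachable beyond private address space. The section names, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample haproxy.cfg. "galera_public" shows the exposed form,
# "galera_private" the internal-only form described in the post.
# All names and addresses are made-up placeholders.
SAMPLE_CFG = """\
listen galera_public
    bind *:3306
    mode tcp
    server db1 192.168.10.11:3306 check

listen galera_private
    bind 192.168.10.5:3306   # private interface only
    mode tcp
    balance leastconn
    server db1 192.168.10.11:3306 check
    server db2 192.168.10.12:3306 check
    server db3 192.168.10.13:3306 check
"""

def bind_is_exposed(addr_port):
    """True if the bind address can receive traffic from outside the private network."""
    host = addr_port.rsplit(":", 1)[0].strip("[]")
    if host in ("", "*"):  # wildcard: every interface, public ones included
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname or socket path: cannot confirm, report for review
    # 0.0.0.0 and :: also mean "all interfaces", so check them explicitly
    return ip.is_unspecified or not (ip.is_private or ip.is_loopback)

def exposed_binds(cfg_text):
    """Return (section, bind address) pairs that listen beyond the private network."""
    findings, section = [], None
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens:
            continue
        if tokens[0] in ("listen", "frontend") and len(tokens) > 1:
            section = tokens[1]
        elif tokens[0] == "bind" and len(tokens) > 1:
            for addr in tokens[1].split(","):  # bind accepts a comma-separated list
                if bind_is_exposed(addr):
                    findings.append((section, addr))
    return findings

if __name__ == "__main__":
    for section, addr in exposed_binds(SAMPLE_CFG):
        print(f"{section}: bind {addr} is reachable from outside the private network")
```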