
I am working on an application that requires a number of different services (web application + database + worker queues, XMPP server for messaging, Redis, central authentication via LDAP, etc.). For my first attempt at designing the thing, I am estimating that I will need ~15 instances of varying sizes: more RAM/SSD for the database, less so for the web server and LDAP, more cores for the worker queues, and so on.

I don't want to use the big cloud providers (AWS, Azure, GCP) for matters of cost. This is something I am still bootstrapping, and the GCP pricing calculator put this at ~$5800/month. A similar (in terms of CPU/RAM/SSD) spec in Hetzner Cloud would be ~$430/month.

Of course, the difference in price also comes with some difference in features. Hetzner Cloud VM instances do not have any sort of private networking. So I am wondering how I can ensure that all those machines can be effectively protected from the public internet. Some of these services (web server, XMPP server) should also have a public IP, but ideally all other services should have all ports closed (including SSH).

I know that one of the answers is "build your own OpenVPN AS". However, (a) I have never done it before and (b) I am under the impression this would mean yet more services to add to this infrastructure.

One thing I did do before was to connect machines via spiped. This does not give you a private network but at least ensures that only those with the key can connect to your public-facing machines.

So my question is: am I missing some alternative to these two above?

Also: Docker. I have limited experience with Docker and Kubernetes, but if I went this route it seems I would end up going into the arms of the big providers, not to mention it would still be yet another thing to learn and take time from my application development. Is Docker Swarm something that could solve this requirement?

lullis
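The requirement in the question ("all other services should have all ports closed, including SSH") is normally met on Hetzner by a host firewall on every instance that only admits traffic from the known public IPs of the other instances. The script below is an added example, not code from the question or either answer: it generates an nftables ruleset for one "closed" instance and refuses to emit a ruleset that would leave a port open to any source. The bastion and peer addresses (203.0.113.x) and the service port 5432 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answers): generate a host firewall
# policy for one of the "closed" internal instances. Assumes nftables on the
# host and the following constructed, documentation-range addresses:
#   bastion (the only host allowed to reach SSH)    203.0.113.10
#   web-1 and web-2 (allowed to reach the service)  203.0.113.21 203.0.113.22
# The service port (5432 here) is an assumption standing in for the database.

BASTION_IP="203.0.113.10"
PEER_IPS="203.0.113.21 203.0.113.22"
SERVICE_PORT="5432"

# Print an nftables ruleset: drop everything inbound by default, allow
# loopback and established flows, SSH only from the bastion, and the service
# port only from the listed peers. Everything else, including SSH from the
# wider internet, is dropped.
gen_ruleset() {
    bastion="$1"; peers="$2"; port="$3"
    peer_set=$(printf '%s' "$peers" | sed 's/ /, /g')
    cat <<EOF
table inet filter {
    set peers {
        type ipv4_addr
        elements = { $peer_set }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $bastion tcp dport 22 accept
        ip saddr @peers tcp dport $port accept
        icmp type echo-request limit rate 5/second accept
    }
}
EOF
}

# Sanity check used before loading: refuse a ruleset that has a TCP port rule
# without a source restriction, or no default-drop policy. Returns 0 when the
# ruleset is acceptable.
check_ruleset() {
    ruleset="$1"
    if printf '%s\n' "$ruleset" | grep -Eq '^[[:space:]]*tcp dport'; then
        return 1
    fi
    printf '%s\n' "$ruleset" | grep -q 'policy drop' || return 1
    return 0
}

# Usage: print the ruleset; on the host it would be loaded with
#   gen_ruleset ... | nft -f -
# (nft itself is not invoked here so the example runs anywhere).
main() {
    rs=$(gen_ruleset "$BASTION_IP" "$PEER_IPS" "$SERVICE_PORT")
    if check_ruleset "$rs"; then
        printf '%s\n' "$rs"
    else
        echo "refusing to emit a ruleset with an unrestricted open port" >&2
        return 1
    fi
}

main
```

Because each instance only has a public address, the "private network" here is nothing more than this allow-list of peer IPs on every host; when an instance is replaced and its address changes, the sets on all other hosts must be regenerated, which is the operational cost of this approach compared with a real VPN mesh.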
  • I can't answer all your questions but I want to do something similar: same providers, fewer hosts. I will go for Kubernetes; in my tests it takes ~300MB more from the host compared to pure Docker. To secure your network you can choose one of those https://chrislovecnm.com/kubernetes/cni/choosing-a-cni-provider/ or implement WireGuard. This one might be interesting too: https://romantomjak.com/posts/hetzner-private-networking.html – Marged Apr 17 '19 at 05:32

2 Answers


I am going to suggest an approach that I would not necessarily recommend, because I do not consider it a manageable, scalable solution:

SSH port forwarding.

SSH is a Swiss Army knife in terms of its features. Virtually any port can be securely forwarded to any other port on a remote machine, and indeed through a remote machine to a target machine beyond. Documentation abounds, but I really like the drawings in this answer. I use SSH across bastion hosts regularly in a manner that mirrors the diagrams at the link.

As I said, I don't think this is a good solution, but it might serve to give you some ideas and it could be one component of a larger solution.

Good luck!

rriehle
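As an added example of the port-forwarding approach this answer describes (not the answerer's own code), the script below generates the client-side ssh_config for reaching a database instance whose SSH port is open only to a bastion, and the equivalent one-off command. Host names, the `ops` user, the bastion address 203.0.113.10 and the database address 203.0.113.30 are constructed assumptions; the database is assumed to listen only on 127.0.0.1:5432, which is what makes the forward the only way in.

```shell
#!/bin/sh
# Added example, not code from the answer: reach a "closed" database host
# through a bastion with SSH port forwarding. Assumed, constructed names:
#   bastion  = the one host whose port 22 is reachable from the internet
#   db-1     = 203.0.113.30, SSH open only to the bastion, PostgreSQL bound
#              to 127.0.0.1:5432 (never on a public interface)
# Requires OpenSSH on the client; ProxyJump needs OpenSSH 7.3 or later.

# Emit an ssh_config fragment: the bastion is the only host dialled directly;
# the target is reached by jumping through it, and a LocalForward maps a
# loopback port on the client to the service bound to loopback on the target.
gen_ssh_config() {
    bastion_ip="$1"; target_name="$2"; target_ip="$3"
    local_port="$4"; remote_port="$5"
    cat <<EOF
Host bastion
    HostName $bastion_ip
    User ops
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host $target_name
    HostName $target_ip
    User ops
    ProxyJump bastion
    IdentitiesOnly yes
    LocalForward 127.0.0.1:$local_port 127.0.0.1:$remote_port
    ExitOnForwardFailure yes
EOF
}

# Equivalent one-off command line (no config file needed). -N opens the
# tunnel without running a remote command; -J hops through the bastion;
# binding the local side to 127.0.0.1 keeps the tunnel off the client's LAN.
tunnel_cmd() {
    bastion_ip="$1"; target_ip="$2"; local_port="$3"; remote_port="$4"
    printf 'ssh -N -o ExitOnForwardFailure=yes -J ops@%s -L 127.0.0.1:%s:127.0.0.1:%s ops@%s\n' \
        "$bastion_ip" "$local_port" "$remote_port" "$target_ip"
}

# Usage (printed, not executed, so the example runs offline):
#   gen_ssh_config 203.0.113.10 db-1 203.0.113.30 15432 5432 >> ~/.ssh/config
#   ssh -N db-1 &     # then: psql -h 127.0.0.1 -p 15432
gen_ssh_config 203.0.113.10 db-1 203.0.113.30 15432 5432
tunnel_cmd 203.0.113.10 203.0.113.30 15432 5432
```

This is why the answer calls the approach unmanageable at scale: every service-to-service path (web to database, worker to Redis, and so on) needs its own long-lived tunnel and a supervisor to restart it, which is what a VPN mesh replaces with a single interface per host.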

Another idea: ZeroTier.

I have not used it, but a fellow DevOps nerd recommends it.

rriehle