
Introducing Private Networking - Goranek
https://www.digitalocean.com/blog_posts/introducing-private-networking
======
arscan
> This address is only accessible from other servers in the NYC2 region
> that have private networking enabled.

Probably a really stupid question: is that interface only accessible from
other servers in the same Digital Ocean account (in the NYC2 region w/priv
networking enabled), or to every machine across all DO accounts (in the NYC2
region w/private networking enabled)?

~~~
zagi
All machines in NYC2 region are accessible via this private network.

~~~
arscan
It might be worth noting that in the tutorial. While this has a lot of great
benefits for people that move a lot of data around between their servers, it
doesn't really improve security at all.

~~~
film42
But it is a lot cheaper as it doesn't count against your monthly bandwidth. I
read this as "cost savings plus added security."

~~~
larrys
"plus added security"

In one sense the security is "added". But in another sense it's a false sense
of security. Because if someone wants to get at you they simply have to get a
DO server in the same place and potentially exploit the fact that people have
their guard down. (The closest example I can think of is people who have a
firewall and don't spend as much time locking down the machines behind the
firewall because they think they are covered.)

~~~
windexh8er
The real security this provides is that now your access policies for firewall
are much simplified. You can maintain a very reasonable back end network of
hosts that aren't exposed to the public Internet and spin up a droplet to be
your jump/bastion box, run certificates and lock SSH down to a sane source to
an individual host (only the jump/bastion and not public).

Beyond that it adds no functional security - in fact port scanning on the
inside will be much more fruitful with regard to services that default to
starting on 0.0.0.0. With that in mind - make sure you're not exposing things
that you don't mean to be on the backend.

------
spindritf
They also seem to have fixed the routing issues in Europe:

    $ ping -n -c 4 speedtest-ams1.digitalocean.com
    PING speedtest-ams1.digitalocean.com (198.211.119.108) 56(84) bytes of data.
    64 bytes from 198.211.119.108: icmp_req=1 ttl=55 time=35.2 ms
    64 bytes from 198.211.119.108: icmp_req=2 ttl=55 time=36.2 ms
    64 bytes from 198.211.119.108: icmp_req=3 ttl=55 time=35.1 ms
    64 bytes from 198.211.119.108: icmp_req=4 ttl=55 time=33.8 ms

    --- speedtest-ams1.digitalocean.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3004ms
    rtt min/avg/max/mdev = 33.854/35.095/36.208/0.845 ms

It used to be over 100ms, almost as much as to NYC2.

~~~
osiemens
According to Digitalocean the routing issue wasn't on their side. From what I
could see, the cause of the latency was asymmetric routing. Some of my
Amsterdam -> Amsterdam traffic had its return traffic sent via NY. This was
resolved when they got more bandwidth and were able to disconnect Cogent some
time last week.

------
IgorPartola
When will they introduce IPv6? They could then allocate a /64 to each customer
and the customer can then firewall off their own little corner. 2013 is not a
year when IPv6 is optional.

~~~
napcae
They started it but no ETA yet:

[http://digitalocean.uservoice.com/forums/136585-digital-ocea...](http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/2639897-ipv6-addresses)

~~~
IgorPartola
That ticket is going to be a year old soon.

~~~
alepper
There's a recent, more promising reply, though:

"Once the initial rollout of [private networking to] the first region is
finished we'll be moving to get IPv6 enabled in our NY2 region first and are
targeting an October ETA for the first public beta!"

------
Goranek
I was at first skeptical about DigitalOcean, and thought they wouldn't survive,
but here they are and constantly upgrading.

I remember days when Linode lovers were bashing on IRC... oh they were so wrong.

Overall, nice job Digital Ocean!

~~~
larrys
"and thought they wouldn't survive, but here they are and constantly
upgrading."

I wish them well and they seem to be doing a good job as you are saying. But
don't confuse being able to "survive" for 2 years approx (founded 6/2011) as a
result of raising over 3 million dollars (ref: crunchbase) with long term
survival.

One of the first things I learned back in the mid 90's was the expression "the
great provider today can be the shit provider tomorrow" (that was in reference
to bandwidth providers btw.)

[http://www.crunchbase.com/company/digitalocean](http://www.crunchbase.com/company/digitalocean)

------
iand675
I was getting really close to switching to another cloud hosting provider due
to the lack of private networks. Great to see that Digital Ocean is staying a
step ahead.

~~~
Goranek
Isn't DO technically a VPS and not a cloud provider?

~~~
ksec
I don't normally count a host with per-minute billing and storage in a SAN as a VPS.

~~~
Goranek
I think disks are local

~~~
Goranek
Can you please provide a reference? Thanks

------
Ellipsis753
Out of interest what do people use this for?

~~~
derengel
Hmm... are we still on Hacker News?

~~~
shiftpgdn
Not everyone is born with intrinsic knowledge of systems administration.
Deriding someone for attempting to expand their knowledge is disgusting and
needs to stop.

------
shanelja
I spun up my first unmanaged server this morning on digitalocean and found the
experience difficult (having next to no sysadmin experience) but now I've got
it all set up it's fast and powerful.

I love the work these guys are doing and can't wait to see more from them.

~~~
raiyu
Awesome, glad to hear that the experience turned around for you. We do have a
ton of articles in our community section to help you get started as others
have mentioned:

[https://www.digitalocean.com/community](https://www.digitalocean.com/community)

------
samsnelling
Let me preface by saying: I LOVE DIGITALOCEAN... However...

For the past two days I have been evaluating a production system for my client
base (which is primarily in the North Texas and Oklahoma area). Here are my
ServerBear results:

    UnixBench score: 3453.0
    I/O rate: 354.0 MB/second
    Bandwidth rate: 24.5 MB/second
    Bandwidth to Dallas: 1.4 MB/s

and

    UnixBench score: 3906.2
    I/O rate: 369.0 MB/second
    Bandwidth rate: 17.2 MB/second
    Bandwidth to Dallas: 4.2 MB/second

All in all, I decided to go with a managed Linode server. I'll be paying out
the ass for it... but I think the bandwidth to my client base is more
important.

EDIT: I host just about all of my other projects on DO and I love it :)

~~~
raiyu
When it comes to pure throughput there's unfortunately no way around physical
proximity, but glad to hear the rest of your projects are on DO =]

------
jlgaddis
Sounds like this is one big subnet that _all_ droplets (with the "private"
interface) will be in (i.e. a single broadcast domain).

Keep that in mind when designing security into your applications.

~~~
bmath
That's correct. DO does some filtering to prevent networks from leaking to a
different droplet's interface. However, we recommend that the users protect
both public and private interfaces with iptables filters and use encryption
where the data stored or transferred is sensitive.
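
One way to act on both windexh8er's point about services that default to listening on 0.0.0.0 and bmath's recommendation to filter the private interface with iptables: the shell script below is an added example, not DigitalOcean's tooling and not code posted in this thread. It parses `ss -ltn`-style output to list the sockets that answer on every interface (including the shared private one), and emits an iptables-restore fragment that limits the private interface to SSH from a bastion and chosen TCP ports from chosen peers. The interface name eth1, the 10.128.0.x addresses and the port numbers are constructed assumptions.

```shell
#!/bin/sh
# Added example, not DigitalOcean's own tooling. Interface name (eth1), the
# bastion and peer addresses (10.128.0.x) and the ports are constructed
# assumptions for illustration; substitute the values from your own droplets.

# Constructed sample of `ss -ltn` output: sshd and redis answer on the wildcard
# address (so on the private interface too), postgres only on loopback.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*
LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*'

# wildcard_listeners TEXT: print "addr:port" for each LISTEN socket bound to
# 0.0.0.0, [::] or *. Those sockets are reachable from every interface,
# including the shared private one, unless a firewall rule says otherwise.
wildcard_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" {
      n = split($4, f, ":"); port = f[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print addr ":" port
    }'
}

# private_iface_rules IFACE BASTION PEERS PORTS: emit an iptables-restore
# fragment for the private interface. SSH is accepted only from the bastion,
# each TCP port in PORTS (comma-separated) only from the hosts in PEERS
# (comma-separated), replies to our own outbound connections are allowed,
# and everything else arriving on IFACE is dropped. Rules for the public
# interface are a separate concern and are not generated here.
private_iface_rules() {
  iface=$1; bastion=$2; peers=$3; ports=$4
  printf '%s\n' '*filter'
  printf '%s\n' "-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "-A INPUT -i $iface -p tcp --dport 22 -s $bastion -j ACCEPT"
  for port in $(printf '%s' "$ports" | tr ',' ' '); do
    for peer in $(printf '%s' "$peers" | tr ',' ' '); do
      printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -s $peer -j ACCEPT"
    done
  done
  printf '%s\n' "-A INPUT -i $iface -j DROP"
  printf '%s\n' 'COMMIT'
}

# Usage on a droplet (nothing is applied until you feed the fragment to
# iptables-restore yourself):
#   wildcard_listeners "$(ss -ltn)"
#   private_iface_rules eth1 10.128.0.2 10.128.0.3,10.128.0.4 5432,6379 > private.rules
#   iptables-restore -n < private.rules    # -n appends without flushing existing rules
```

Review the generated fragment before loading it. The final DROP is scoped to the private interface only, so the public interface still needs its own rules, and because the private network is shared with other tenants in the region, the peer list should be the complete set of hosts that are meant to reach each service. Anything `wildcard_listeners` reports that is not covered by an ACCEPT rule is exactly what an internal scan would find.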

------
mkhattab
Great news for the NYC2 datacenter. I'm just waiting for the SFO to have this
feature, among other things. One other critical feature I think should be
implemented is the ability to deploy instances to different physical hosts in
master/slave setups, either automatically or manually[0].

[0]: [http://digitalocean.uservoice.com/forums/136585-digital-ocea...](http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/3859618-deploy-to-physically-separated-hardware)

------
thejosh
Needs VLAN support, at least it's not on by default (yet), or someone might
have the inkling to scan all internal IPs for people who didn't secure that
networking interface.

------
arcavorago
Just signed up for DO mostly just as a layer of separation for when I am on
IRC. Very impressed with them and thinking about many other possibilities now.
Keep it up DO!

~~~
mikecsh
>> just as a layer of separation for when I am on IRC

What do you mean by this? Using your DO VM as a proxy?

~~~
arcavorago
Essentially, yes. Sometimes as a proxy and sometimes straight from shell
(irssi). My long term goal is to tailor an IRC bot to represent me virtually
while I am unavailable (at work, etc).

~~~
TazeTSchnitzel
Just get an IRC bouncer. I like BIP.

~~~
arcavorago
I'm talking about AI style responses based off a dataset I provide. Not just
presence. =)

------
kbar13
archlinux template seems to not correctly bring up networking with private IP
enabled.

------
gelstudios
iperf results: 0.0-10.0 sec 1.10 GBytes 941 Mbits/sec.

Same for 20, 30, and 40 seconds.

------
corresation
Is this not bounded to a particular tenant? Meaning if I have a droplet I can
hammer/DoS/or exploit test other tenants? Obviously people should be giving
these private IPs the normal care and concern that they give their "public"
IP, but with many other vendors these are by default externally limited to
images that you own, effectively providing layers of defense.

EDIT: Note that I ask this specifically because the term _private_ networking
may be misleading to some. These are non-publicly routed, but they most
certainly aren't private.

~~~
zagi
That is correct, it's not bound by tenant.

Most other providers do not restrict private network either, I'm talking about
the big ones like RackSpace, Amazon and others.

What you're talking about is dedicated private VLANs or private subnets and
that is not common especially in a cloud environment.

~~~
jarito
That's not entirely true. While Rackspace does provide a shared private
network for intra-DC communication, it also provides the Cloud Networks
product that is capable of creating tenant specific networks. Think VLAN
tagging for Cloud.

On that private network, you can use your own addressing, use multicast, etc.
Much less limited and more secure than a shared private network. It's also
free.

Mandatory Disclosure: I work for Rack.

~~~
sgs1370
The last time I looked in the Rackspace docs, it looked like this was in the
process of being rolled out ("production ready but will be available to
customers in a phased release"). Is Cloud Networks considered fully supported
now?

~~~
jarito
Sorry for the slow reply. Yes - Cloud Networks is fully supported.

