Suppose my app is hosted on multiple servers, within the same data center (say in AWS or DigitalOcean). To secure communication between these servers, I use iptable to whitelist each other's IP.
Question: is whitelisting IP secure enough to ensure the identity of the request? Or is it actually possible for a hacker server within the same data center to spoof IP, thus fooling me thinking it's one of my own servers.
Most of the providers are actually pretty good in securing their networks, but IP whitelists are still not a way to "secure communication". Though they can be an additional security measure, you'll still have to roll encryption and authentication to secure the connection.
However, most of the cloud providers allow you to set up private networks. This will give you an IP space that is guaranteed to be "yours" and is not routed to the public internet. If you want "internal" communication between servers you should very much use that, instead of messing around with iptables and public IP addresses.
IP spoofing can be used to launch denial of service attacks, which could overload your server or, at least, rack up your AWS bill.
Also, if you're traffic is not encrypted (e.g. with HTTPS), then the data in transit is prone to man-in-the-middle attacks. Your data to and from the server can be read and modified.
Using a VPC (virtual private cloud) may simplify server to server communication.
