Suppose my app is hosted on multiple servers, within the same data center (say in AWS or DigitalOcean). To secure communication between these servers, I use iptable to whitelist each other's IP.
Question: is whitelisting IP secure enough to ensure the identity of the request? Or is it actually possible for a hacker server within the same data center to spoof IP, thus fooling me thinking it's one of my own servers.