Suppose I have a little web infrastructure for serving clients that contains nginx as a frontend server, a couple of backends (upstreams), a messaging system, a db and so on.

This stuff is located on two dedicated servers. There is a LAN between the servers, and each server also has at least one public IP address. All the public addresses are in the same broadcast network segment (connected via a switch or in a VLAN - it doesn't matter). Latency on both of these networks is the same.

And I have two choices for communication between the parts of this system: use local IPs throughout all configs, or use public IPs instead. In the first case I will have a slightly more complicated infrastructure (caused by the two networks). In the second case my system will be more transparent, but I'm worried about the privacy of the network communications.

Do there exist any rules or best practices for using one approach or the other?

Ivan Velichko

1 Answer


Use a second network for internal communication. You reduce the attack surface on your public-facing interfaces, and can monitor/regulate communications much more easily. You definitely don't want to open your database ports, messaging server, or anything else to the public. In fact, don't put anything except the very front-end server (nginx) within reach of the public.

You don't want your system to be transparent to the users. You want your system to be a mysterious black box with just a little peephole to the outside world for necessary interaction.

  • Damn, I absolutely forgot about exposing the db (and other internal components) to the public network in the case of using public IPs. Sorry, it's late evening here and my brain is not working well. You are definitely right, of course. – Ivan Velichko Jun 03 '15 at 17:38
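A concrete way to check the advice in the answer on one of the two servers, as an added example that is not code from the question or the answer: parse the host's listening sockets, flag every service the public address can reach that is not the nginx front end, and emit an nftables ruleset that confines those ports to the LAN interface. The addresses (203.0.113.10 as the public IP, 10.0.0.10 as the LAN IP), the interface name eth1, and the `ss` dump are assumed, constructed values for the two-server layout described in the question.

```python
"""Check which listening services are reachable through a server's public
address, and emit an nftables ruleset that confines the rest to the LAN.

Added example illustrating the answer above; it is not code from the
original post. Addresses, interface name and the `ss` dump are assumed
(constructed) values for one host of the two-server setup in the question.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for this host (constructed; 203.0.113.0/24 is the
# RFC 5737 documentation range standing in for a real public address).
PUBLIC_ADDRS = {"203.0.113.10"}
LAN_ADDRS = {"10.0.0.10"}
LAN_IFACE = "eth1"
# The only thing the public may reach is the nginx front end.
PUBLIC_ALLOWED_PORTS = {80, 443}

# Constructed sample of `ss -H -ltn` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 511        0.0.0.0:80   0.0.0.0:*
LISTEN 0 511        0.0.0.0:443  0.0.0.0:*
LISTEN 0 128      10.0.0.10:5432 0.0.0.0:*
LISTEN 0 128        0.0.0.0:5672 0.0.0.0:*
LISTEN 0 128   203.0.113.10:8080 0.0.0.0:*
LISTEN 0 128      127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128           [::]:22      [::]:*
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


def parse_ss(text):
    """Extract (address, port) pairs from `ss -ltn` style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; IPv6 addresses are bracketed.
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def exposed_on_public(listener):
    """True if the socket can be reached via the public address."""
    ip = ipaddress.ip_address(listener.addr)
    if ip.is_unspecified:          # 0.0.0.0 / :: bind every interface
        return True
    if listener.addr in PUBLIC_ADDRS:
        return True
    if ip.is_loopback or listener.addr in LAN_ADDRS:
        return False
    return True                    # unknown address: fail closed, treat as exposed


def audit(text):
    """Listeners the public can reach that are not the nginx front end."""
    return [l for l in parse_ss(text)
            if exposed_on_public(l) and l.port not in PUBLIC_ALLOWED_PORTS]


def nft_ruleset(lan_iface, internal_ports):
    """Defence in depth: even if a daemon still binds 0.0.0.0, the host
    only accepts its port on the LAN interface; everything else is dropped."""
    ports = ", ".join(str(p) for p in sorted(set(internal_ports)))
    public = ", ".join(str(p) for p in sorted(PUBLIC_ALLOWED_PORTS))
    return f"""table inet filter {{
  chain input {{
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    tcp dport {{ {public} }} accept
    iifname "{lan_iface}" tcp dport {{ {ports} }} accept
  }}
}}
"""


if __name__ == "__main__":
    findings = audit(SAMPLE_SS)
    for f in findings:
        print(f"{f.addr}:{f.port} is reachable from the public network; "
              f"bind it to {sorted(LAN_ADDRS)[0]} instead")
    print(nft_ruleset(LAN_IFACE, [f.port for f in findings]))
```

On the sample, the database bound to 10.0.0.10 and Redis on loopback pass, while the message broker on 0.0.0.0:5672, the backend on 203.0.113.10:8080 and SSH on [::]:22 are flagged. The primary fix is to bind each flagged daemon (and point the nginx `upstream` blocks) at the LAN address; the generated ruleset is a second layer so that a later config regression does not silently re-expose them. If administrative SSH must stay on the public address, add 22 to PUBLIC_ALLOWED_PORTS deliberately rather than leaving the wildcard bind unexamined.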