I would like to ask if it is common practice to run your BP nodes only on a private LAN, or is everyone running all the nodes on public IPs and using only FW rules to filter the traffic and secure the nodes?
My thinking is as follows (have not tested it yet):
- I would have a public and a private IP on 2 interfaces on the relay nodes
- I would have a private IP only on the BP nodes
- I would run the relay nodes on 0.0.0.0
- I would run the BP node on 127.0.0.1 (callback to the private IP only)
- Relay topology would be linking to public relays and the private IP of my BP node
- BP topology would be linking only to the private IP of the relays
Is anyone running it this way and/or is this achievable?
EDIT: I am assuming that all the nodes are hosted by the same VPS provider, so there is no problem running a private IPv4 LAN between the nodes.
This looks more complicated than it needs to be.
The block producer does not need a public IP and the relay does not need a private one. You also don’t need any firewall rules if you only expose the relay’s port on the public IP.
In the simplest case both relay and block producer can even run on the same virtual machine. The BP binds to 127.0.0.1 and has the relay’s public IP (and only that) in its topology file. The relay binds to the public IP and has the BP with 127.0.0.1 in its topology file plus some other relays.
If you want to run each node on a separate VPS, you can use an address on the local network instead of 127.0.0.1. If both VPSs are hosted in the same data center, they might, however, end up living on the same physical machine anyway.
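The two layouts discussed above (relay and BP on one VM with the BP on 127.0.0.1, or on separate VPSs with the BP on a private LAN address) differ only in which address the BP's topology points at. The following is an added example, not code from the thread or from the cardano-node project: it builds both topology files for the two-VPS layout and adds the check a practitioner wants before starting the BP, namely that every peer the BP is told about is an IP literal inside the operator's own LAN ranges, and that the relay lists the BP's private address plus at least one public peer. It assumes the legacy (pre-P2P) cardano-node topology format with a `Producers` list; the addresses, hostnames and the `LAN_NETS` ranges are constructed for the example, so adjust `LAN_NETS` to your own VLAN.

```python
"""Topology-file check for a relay / block-producer (BP) split.

Added example (not from the forum thread or the cardano-node project).
Assumes the legacy cardano-node topology format:
    {"Producers": [{"addr": ..., "port": ..., "valency": ...}]}
All addresses and hostnames below are constructed for illustration.
"""
import ipaddress
import json

# Constructed layout from the thread: the relay has a public and a private
# interface, the BP has only a private address on the same LAN.
RELAY_PUBLIC_IP = "203.0.113.10"   # stands in for the relay VPS's public IP
RELAY_PRIVATE_IP = "10.0.0.10"
BP_PRIVATE_IP = "10.0.0.20"
NODE_PORT = 3001

# The operator's own LAN ranges plus loopback; the BP may peer only here.
# Deliberately explicit rather than ipaddress.is_private, which also treats
# IANA documentation ranges as "private".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "::1/128")]

# Hypothetical public relays the relay node peers with.
PUBLIC_RELAYS = [
    {"addr": "relay-a.example.net", "port": 3001, "valency": 1},
    {"addr": "relay-b.example.net", "port": 3001, "valency": 1},
]


def relay_topology():
    """Relay links to public relays plus the BP over the private LAN."""
    return {"Producers": PUBLIC_RELAYS + [
        {"addr": BP_PRIVATE_IP, "port": NODE_PORT, "valency": 1}]}


def bp_topology():
    """BP links only to the relay's private address."""
    return {"Producers": [
        {"addr": RELAY_PRIVATE_IP, "port": NODE_PORT, "valency": 1}]}


def is_lan_literal(addr):
    """True only for an IP literal inside LAN_NETS.

    Hostnames return False on purpose: the BP should not depend on DNS to
    reach a peer it is only supposed to see on the LAN.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)


def bp_topology_violations(topology):
    """Return every BP producer that is not a LAN/loopback IP literal."""
    return [p["addr"] for p in topology["Producers"]
            if not is_lan_literal(p["addr"])]


def relay_topology_violations(topology, bp_addr):
    """Relay must list the BP's private address and at least one public peer."""
    addrs = [p["addr"] for p in topology["Producers"]]
    problems = []
    if bp_addr not in addrs:
        problems.append("missing BP %s" % bp_addr)
    if all(is_lan_literal(a) for a in addrs):
        problems.append("no public peers")
    return problems


if __name__ == "__main__":
    print(json.dumps(relay_topology(), indent=2))
    print(json.dumps(bp_topology(), indent=2))
    # A BP that was mistakenly pointed at the relay's public address:
    leaky = {"Producers": [{"addr": RELAY_PUBLIC_IP, "port": NODE_PORT,
                            "valency": 1}]}
    print("BP violations:", bp_topology_violations(leaky))
```

For the single-VM layout from the reply, set `RELAY_PRIVATE_IP` and `BP_PRIVATE_IP` both to `127.0.0.1`; the checks pass unchanged because loopback is in `LAN_NETS`. Run the check against the real topology files before each restart, since a BP that lists a public address or a hostname will happily connect to it.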
To answer your question: running both the relay and the block-producing node in a private LAN is possible. The important point is to route traffic coming from the WAN correctly to your relay node(s). Remember, in the ideal case the block-producing node should be isolated from the WAN, so that the only connection your block-producing node has is to your relay node(s), and nothing else.
Some thoughts regarding private LAN:
- By isolating your nodes from the WAN you protect them against SSH intrusion attacks.
- I guess you are running a separate hardware firewall node which protects your private LAN? If so, maybe this article has some helpful ideas for you. A separate hardware firewall applies firewall rules to all your Cardano traffic separately on a different server. This could help make things easier (especially in large environments) because one central node manages all firewall rules for WAN traffic.
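Whether the WAN boundary is a hardware firewall or a gateway VM, the property the reply describes (the BP talks to its relays and nothing else) is only true if the BP itself is not listening on an interface the WAN can reach. The following is an added example, not from the thread or from cardano-node: it audits a listening-socket table in the format `ss -ltnp` prints and flags every LISTEN socket bound to a wildcard address (`0.0.0.0` or `::`) or to an address outside the operator's LAN ranges. The sample output, process names, PIDs and `LAN_NETS` ranges are constructed for the example; the metrics port and the `cardano-node` process name are placeholders for whatever your node actually uses.

```python
"""Audit listening sockets on a block producer for WAN-reachable binds.

Added example (not from the forum thread or the cardano-node project).
Input is text in the shape of `ss -ltnp` output; the sample below is
constructed, including process names, PIDs and ports.
"""
import ipaddress
import re

# The operator's own LAN ranges plus loopback (adjust to your VLAN).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "::1/128")]
# A wildcard bind listens on every interface, including a public one.
WILDCARDS = {"0.0.0.0", "::"}
# Pulls the process name out of ss's users:(("name",pid=...,fd=...)) column.
PROC_RE = re.compile(r'\(\("([^"]+)"')

# Constructed `ss -ltnp` output for a BP with a private IP of 10.0.0.20.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   10.0.0.20:3001      0.0.0.0:*         users:(("cardano-node",pid=1501,fd=18))
LISTEN 0      4096   127.0.0.1:12798     0.0.0.0:*         users:(("cardano-node",pid=1501,fd=15))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""


def split_local(field):
    """Split ss's 'addr:port' into (addr, port); IPv6 arrives as '[addr]:port'."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def bound_outside_lan(addr):
    """True if a socket on this address could be reached from off the LAN."""
    if addr in WILDCARDS:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # not an IP literal: cannot prove it is LAN-only
    return not any(ip in net for net in LAN_NETS)


def audit_listeners(ss_output):
    """Return (process, address, port) for every LISTEN socket not confined
    to the LAN. The header line is skipped; non-LISTEN rows are ignored."""
    findings = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        match = PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        if bound_outside_lan(addr):
            findings.append((proc, addr, port))
    return findings


if __name__ == "__main__":
    for proc, addr, port in audit_listeners(SAMPLE_SS_OUTPUT):
        print("%s listens on %s:%d, reachable beyond the LAN" % (proc, addr, port))
```

In the sample the node itself is fine (3001 on the private address, metrics on loopback), but sshd is bound to the wildcard on both IPv4 and IPv6. On a host that only has a private interface that is reachable from the LAN alone, which is the reply's "isolated from the WAN" situation; the moment the same VM gets a public interface, or the gateway forwards port 22, it is not. Pipe real output in with `ss -ltnp | python3 audit.py` style wiring, or run the function from a cron job, to catch a bind that drifts after a config change.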
Thanks. Great article. I am trying to achieve almost exactly the same thing, so you guessed it kinda right, except I am not going to run a HW firewall; instead it will be another virtual machine acting as a gateway of some sort, i.e. it will be serving as a VPN server + firewall router for routing between my Cardano VLAN and the WAN.