Archive for the ‘Uncategorized’ Category

Public or Private? IPv6 must lead the way.

Wednesday, July 1st, 2009

Should servers have public IP addresses, private IP addresses, or a mix of both?

I decided to blog this interesting topic that was brought up by a friend some time ago. How do you manage servers on the cloud? A simple decision such as using either public or private IP addresses could end in a disaster if not well managed.

For the past decade, the use of private IP addresses has become increasingly popular as public IPv4 addresses run out. It has also become a common security requirement to place servers in a “private” subnet sitting behind a firewall.

That sounds pretty OK for maybe 5, 10, even up to 50 servers. But what happens when you have 1000 servers?

Sure, you have VPNs from California to your headquarters in New York, another VPN from your branch offices in Singapore and Malaysia to a regional HQ in Hong Kong, and then a huge VPN from NY to Hong Kong carrying all trans-atlantic traffic. Oh, we’ll also need some monitoring systems in Hong Kong to monitor those in the SEA region, and another bunch in NY for the USA. We’ll also need to get some servers in Germany to monitor our public services because we have quite a few customers there, and it costs too much for us to put a Point of Presence (POP) in Europe.

As your network grows, the VPN mess grows, and so do monitoring and management. You have private IP addresses assigned by all sorts of systems integrators all over the world: some use 10.0.0.0/8, some use 172.16.0.0/12, some 192.168.0.0/16.

One day the Singapore office calls up. They can’t hook up to a server in California. Oh, where did that 10.23.55.0/24 route go?
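The overlap-and-missing-route problem described above is easy to reproduce on a small scale. The following is an added example, not code from the original post: it takes a constructed inventory of per-site subnets (the site names and prefixes are invented for illustration), reports every pair of subnets from different sites that overlap, and then resolves a destination address by longest-prefix match, optionally with a route treated as withdrawn, to show how traffic silently lands at the wrong site once a more specific route disappears.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private blocks, the ranges the post says different integrators hand out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory: subnets assigned to each site by different integrators.
# Note the collisions: 10.23.55.0/24 (California) sits inside 10.23.0.0/16 (New York),
# and Singapore and Hong Kong were both given 192.168.1.0/24.
SITES = {
    "california": ["10.23.55.0/24", "10.23.56.0/24"],
    "new_york": ["172.16.10.0/24", "10.23.0.0/16"],
    "singapore": ["192.168.1.0/24"],
    "hong_kong": ["192.168.1.0/24", "10.50.0.0/16"],
}


def rfc1918_block(prefix):
    """Return the RFC 1918 block a prefix belongs to, or None if it is public space."""
    net = ipaddress.ip_network(prefix)
    for block in RFC1918:
        if net.subnet_of(block):
            return str(block)
    return None


def find_overlaps(sites):
    """List (site_a, prefix_a, site_b, prefix_b) for every pair of overlapping
    subnets that belong to *different* sites. Overlaps inside one site are ignored."""
    entries = [(site, ipaddress.ip_network(p)) for site, prefixes in sites.items() for p in prefixes]
    overlaps = []
    for (site_a, net_a), (site_b, net_b) in combinations(entries, 2):
        if site_a != site_b and net_a.overlaps(net_b):
            overlaps.append((site_a, str(net_a), site_b, str(net_b)))
    return overlaps


def resolve(sites, ip, withdrawn=()):
    """Longest-prefix match of `ip` over all site subnets, as a router would do it.
    Prefixes listed in `withdrawn` are skipped to simulate a route that vanished.
    Returns (site, prefix) or None when no site claims the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for site, prefixes in sites.items():
        for p in prefixes:
            if p in withdrawn:
                continue
            net = ipaddress.ip_network(p)
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (site, net)
    return (best[0], str(best[1])) if best else None


if __name__ == "__main__":
    for site_a, a, site_b, b in find_overlaps(SITES):
        print(f"overlap: {site_a} {a} <-> {site_b} {b} (both in {rfc1918_block(a)})")
    # With the /24 present, 10.23.55.7 goes to California (longest prefix wins).
    print(resolve(SITES, "10.23.55.7"))
    # Withdraw the /24 and the same packet is swallowed by New York's /16 instead
    # of failing loudly, which is exactly the "where did that route go" symptom.
    print(resolve(SITES, "10.23.55.7", withdrawn=("10.23.55.0/24",)))
```

Running the audit against a real inventory (exported from the VPN concentrators or IPAM rather than typed in) is the cheap check that catches this before a site goes dark; the `withdrawn` parameter is useful for answering "who receives this traffic if route X disappears" for any prefix you are about to change.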

Let’s face it. VPNs are a mess. They carry IP in a tunnel, encrypted or not, inside an existing IP payload. Never mind the overhead; it also means routing is done TWICE. Why pay thousands for one, no, TWO (for redundancy, heh) Cisco routers to handle routing for all that VPN traffic within your internal networks when the job of getting the packet across the globe has already been done by a huge router sitting at the ISP?

Why even pay thousands for one, no, I beg your pardon, TWO firewalls with lots of RAM to hold NAT state tables for your public-facing servers?

Costs aside, this additional equipment also adds to environmental costs such as power consumption.

So if you are a new startup venturing into the “cloud”, make a conscious decision to run all servers on public IP addresses. When the time comes for management, monitoring, or even an IPv6 migration, you will be on the right path.

On a final note, IPv6 needs more support, especially from the government; imagine the day we could all throw out that Linksys sitting in our bedroom and have a public IP address on each computer. No more NAT, no more port forwarding, no more DMZ bullshit. Finally, UDP could realize its full potential. Cut the overheads from VPNs; seriously, somebody should do a research paper on how much encrypted VPN payload could be saved by IPv6.

THIS ARTICLE IS PARTIALLY COMPLETE, I WILL CONTINUE TO EDIT IT…

The Crisis of Credit Visualized

Tuesday, March 24th, 2009

Non-tech related, but affects everybody. This is a great video explaining the credit crisis. If you can’t see it, go here.


The Crisis of Credit Visualized from Jonathan Jarvis on Vimeo.