Placing a load-balancing reverse proxy in front of the cluster?


Nov 4, 2019
Hi all,

Currently spun up a 4-node cluster and assigned each HV a public IP. Not very comfortable with exposing the management interface to the internet so pondering alternatives.

Wondering if it's a good idea to remove the public facing IPs of the proxmox HVs and placing them on a private management subnet that is exposed to the public via a single load balancing GUI with a public IP.

Looking at either HAProxy (plain load balancer) or pfSense (firewall capabilities). Any issues with not having a public facing IP at all on the HVs? Will it affect VM/CT ability to access public traffic?

The other alternative would be to place a strict deny all iptables ruleset on the HVs and only allow selected traffic through but I feel like this results in a lot of points of attack for a large cluster?

Thoughts and opinions and general practices appreciated.

We have a separate management interface with private on its own vlan
That one can only be reached via VPN.

However some customers need access to console via 8006. We have a nginx proxy running on other HV and public IP NAT to that through firewall. And firewall also has rule to allow access from proxy to the 8006 on the other HV


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!