Hi all,
Currently spun up a 4-node cluster and assigned each HV a public IP. Not very comfortable with exposing the management interface to the internet so pondering alternatives.
Wondering if it's a good idea to remove the public-facing IPs of the Proxmox HVs and place them on a private management subnet that is exposed to the public via a single load balancing GUI with a public IP.
Looking at either HAProxy (plain load balancer) or pfSense (firewall capabilities). Any issues with not having a public-facing IP at all on the HVs? Will it affect VM/CT ability to access public traffic?
The other alternative would be to place a strict deny-all iptables ruleset on the HVs and only allow selected traffic through, but I feel like this results in a lot of points of attack for a large cluster?
Thoughts and opinions and general practices appreciated.
Thanks!