How should I rethink my network when moving my protected LAN to a datacenter?



  • My current network topology is as follows:

    I have 30 port forwards in pfSense for internet services, and those services depend on databases hosted in the LAN. Besides that we have a couple of Test Servers only accessible in the LAN.

    After running peacefully (pfSensefully) this setup in a closet on the company premises, I now have the duty to move all of this to a datacenter (4 servers with 30-some VMs).

    Is it a good idea to keep the private LAN in a datacenter? Or should I try to give public IP addresses to all servers and do only firewalling with pfSense?



  • I think there are many ways to consider all of this. It is a topic that I will run into more in the future; I just keep hiding from it because I haven't been tasked with it.

    Here is my first thought, and two cents:

    It really depends on the services that you provide. Generally speaking, if most of the services are intended for internal use only, I would consider a VPN tunnel from, say, a main office to the datacenter. It can help narrow down entry points into your network(s) and may be easier to manage from a security standpoint.

    Opening up all of your services to the public net introduces more challenges and work.

    I tried to keep my response as simple as possible here. I am sure there are much more sophisticated ones.

    Good luck.




  • The more I think about this, the more I think I will keep the same network with the internal LAN and set up a VPN to work there from remote (yes, much easier to have a single entry point to monitor).

