How should I rethink my network when moving my protected LAN to a datacenter?
-
My current network topology is as follows:
I have 30 port forwards in pfSense for internet services, and those services depend on databases hosted in the LAN. Besides that, we have a couple of test servers only accessible in the LAN.
After running this setup peacefully (pfSensefully) in a closet on the company premises, I now have the duty to move all of this to a datacenter (4 servers with thirty-some VMs).
Is it a good idea to keep the private LAN in a datacenter? Or should I try to give public IP addresses to all servers and do only firewalling with pfSense?
-
I think there are many ways to consider all of this. It is a topic that I will run into more in the future; I just keep hiding from it because I haven't been tasked with it.
Here is my first thought, and two cents:
It really depends on the services that you provide. Generally speaking, if most of the services are intended for internal use only, I would consider a VPN tunnel from, say, a main office to the datacenter. It can help narrow down entry points into your network(s) and may be easier to manage from a security standpoint.
Opening up all of your services to the public net introduces more challenges and work.
I tried to keep my response as simple as possible here. I am sure there are much more sophisticated ones.
Good luck.
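As an added illustration, not part of the original question or answer, here is roughly what the "private LAN behind pfSense, one VPN entry point" design looks like written out in raw pf syntax (the rule language pfSense generates from its GUI). Everything in it is assumed for the example: the interface names, the 10.10.0.0/24 and 10.20.0.0/24 networks, OpenVPN on UDP/1194 as the tunnel, and a single HTTPS service standing in for the 30 forwarded ports.

```pf
# Assumed interface names and addresses (illustration only, not from the thread).
ext_if     = "vtnet0"        # WAN, one public address
lan_if     = "vtnet1"        # datacenter private LAN
vpn_if     = "ovpns1"        # OpenVPN server tunnel (pfSense naming, assumed)
lan_net    = "10.10.0.0/24"
office_net = "10.20.0.0/24"  # main office LAN reached over the tunnel
web_srv    = "10.10.0.20"    # one of the ~30 forwarded services
db_srv     = "10.10.0.30"    # database the services depend on: never forwarded

set skip on lo0
scrub in all

# Translation: outbound NAT for the LAN, and one rdr per public-facing service.
# The database and the test servers deliberately have no rdr entry at all.
nat on $ext_if inet from $lan_net to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

# Filtering: default deny on all inbound traffic, log what gets dropped.
block in log all
antispoof quick for { $ext_if $lan_if }

# WAN: the single remote-access entry point (VPN) plus the forwarded services.
pass in on $ext_if inet proto udp from any to ($ext_if) port 1194 keep state
pass in on $ext_if inet proto tcp from any to $web_srv port 443 flags S/SA keep state

# Tunnel: the office network may reach the whole private LAN (admin, test servers).
pass in on $vpn_if inet from $office_net to $lan_net keep state

# LAN hosts may initiate connections; state handles the return traffic.
# Nothing on the WAN side can open a connection to $db_srv because there is
# neither an rdr nor a pass rule naming it.
pass in on $lan_if inet from $lan_net to any keep state
pass out inet keep state
```

In pfSense itself these correspond to the entries under Firewall > NAT (port forwards) and Firewall > Rules; the raw form just makes the contrast with the "public IP on every server" alternative explicit. Here the database only ever appears in a LAN-side rule, so a mistake in one of the 30 forwards cannot expose it. With every VM on its own public address, each host would need its own per-address pass/block set, and one missing block rule puts the database directly on the internet.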
-
The more I think about this, the more I think I will keep the same network with the internal LAN and set up a VPN to work there remotely (yes, much easier to have a single entry point to monitor).