There could be scenarios where you want to isolate traffic on separate network interfaces for specific layers of an application. For example, one interface attached to an application machine can act as the receiving endpoint for application-bound traffic, while another network interface carries the communication with the database / data layer. This scenario can be visualised as follows:
Now, let's see how this can be implemented. I am going to use Azure for the demonstration.
In Azure, private networks are referred to as 'Virtual Networks' and sub-networks as 'Subnets'.
Our virtual network's address space is 10.0.16.0/22.
Here we have our application Linux machine (a Virtual Machine, or VM) in a virtual network. The VM has two network interfaces: one in the first subnet (let's call it app-subnet) and the other in a second subnet (let's call it db-interface-subnet). Yes, in this scenario we have a machine with network interfaces in two different subnets!
In this scenario, the application receives front-end traffic on eth0 (IP address 10.0.16.4) and the code simply makes an outbound call to the database using a connection string.
As per our requirement, the outbound call should happen from network interface eth1. This is done by adding a custom route in Linux with the 'route add' command (from net-tools; on current distributions the equivalent is 'ip route add'). Let's first look at the current state of the route table.
To see the route table, the command is 'ip route show' or 'route -n':
Before we add a route for database connectivity through the eth1 interface, I'd like to call out that the database is not part of the same network as the application machine and its network interfaces. The database is in a different virtual network, and I have established private connectivity between the two virtual networks. On Azure, there are multiple ways to establish private connectivity between two virtual networks or between two workloads/services.
In my scenario, I am using Azure's SQL database-as-a-service and have configured a 'Private Link'. Through this feature, the database is reachable via a private IP address inside my virtual network that represents the database.
The IP which represents the database is 10.0.17.5.
Now, let's add a route which states that traffic bound for the database IP should travel over network interface eth1. The command format is 'route add <destination> dev <interface>'. Here we use:
route add 10.0.17.5 dev eth1
Now, let's see our updated route table:
On the database side, I have added a firewall rule to allow traffic only from eth1's address (10.0.17.4), so any traffic originating from eth0 (10.0.16.4) is rejected. Keep in mind that this is a source-IP allow-list: it only holds as long as the kernel really selects 10.0.17.4 as the source address for database-bound packets, which is exactly what the route above arranges (with no explicit source given, Linux uses the primary address of the chosen interface, eth1). The route is also not persistent across reboots; persist it through your distribution's network configuration so the allow-list does not silently start rejecting the application after a restart.
Note: While the database's IP and the second network interface happen to be in the same subnet, the same approach should work if the subnets are different.
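The procedure above (add the host route, then confirm the database only ever sees eth1's address) condensed into a script, as an added example that is not part of the original post. It uses iproute2 rather than net-tools, and adds the check a practitioner wants before trusting the database-side allow-list: ask the kernel with 'ip route get' which interface and source address it will actually use. The addresses are the ones from the post; the interface names, the '--apply' flag and the sample 'ip route get' output line are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Pins traffic for the database's
# Private Link address to eth1 and verifies the kernel's choice of egress
# interface and source address before relying on the database-side allow-list.
set -eu

DB_IP="10.0.17.5"        # database's Private Link IP (from the post)
DB_NIC="eth1"            # NIC in db-interface-subnet (assumed name)
DB_NIC_IP="10.0.17.4"    # the only source address the database allow-list permits

# Constructed sample of the first line 'ip route get 10.0.17.5' prints once the
# host route is in place; used when the script is run without --apply.
SAMPLE_ROUTE_GET="10.0.17.5 dev eth1 src 10.0.17.4 uid 1000"

# egress_of: parse one 'ip route get <dst>' line and print "<dev> <src>".
# Pure text function, so it can be exercised on a captured line without root.
# Handles both on-link ("... dev eth1 src ...") and gateway ("... via G dev eth0 src ...") forms.
egress_of() {
    echo "$1" | awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1);
            if ($i == "src") src = $(i + 1);
        }
        print dev, src
    }'
}

# Idempotent route add ('replace' does not fail if the route already exists).
# A /32 host route wins longest-prefix match over the default route on eth0.
# 'src' makes the preferred source address explicit instead of relying on
# eth1's primary address being the one the database allows.
add_db_route() {
    ip route replace "$DB_IP/32" dev "$DB_NIC" src "$DB_NIC_IP"
}

# Ask the kernel which interface and source address it would really pick for
# the database IP, and fail loudly if it is not eth1 / 10.0.17.4.
check_egress() {
    line=$(ip route get "$DB_IP" | head -n 1)
    got=$(egress_of "$line")
    if [ "$got" = "$DB_NIC $DB_NIC_IP" ]; then
        echo "OK: $DB_IP leaves via $got"
    else
        echo "MISMATCH: expected '$DB_NIC $DB_NIC_IP', kernel chose '$got'" >&2
        return 1
    fi
}

# Only touch the live routing table when explicitly asked (needs root).
# Without --apply, demonstrate the parser on the constructed sample line.
if [ "${1:-}" = "--apply" ]; then
    add_db_route
    check_egress
else
    echo "sample: $(egress_of "$SAMPLE_ROUTE_GET")"
fi
```

Run it as root with '--apply' on the application VM. If check_egress reports a mismatch (for example "eth0 10.0.16.4"), the host route did not take effect and the database firewall will reject the application's connections even though the VM can route to the address. The route added this way lives only until reboot, so persist it in the distribution's network configuration once the check passes.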
Disclaimer: The views expressed in this article are the author's own and do not represent the views/opinions of his employer.