Add further restrictions to the use of specific accounts or users or use leaf nodes as a DMZ? #4102

I intend to expose a NATS cluster to the internet, differentiating between external accounts, which will access the cluster via the internet, and internal accounts, which will only be used internally.

My first question is: is it possible to lock down the use of the accounts such that they can only be used from a specific network location (e.g. an IP allow list)?

NKey authentication provides a bit more assurance surrounding the exposure of the authentication token(s) itself, but it still doesn't mitigate the fact that a compromised token could be used to authenticate with the cluster from the internet in my proposed topology.

I've explored alternatives and the only thing I can think of that would mitigate this concern is using leaf nodes as a sort of DMZ. I am just wary that this adds potentially unneeded complexity, will add overhead to the processing of messages, and will further the administrative burden. I'm more concerned by overhead than anything else, so it'd be great if someone could provide insight into the performance cost of implementing a leaf node.

Replies: 1 comment

- Went with the leaf node DMZ
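The leaf-node DMZ the thread settled on, written out as an added example (not from the discussion or the NATS project): two nats-server configuration files in one block, a hub that binds only to an internal address and a leaf node that is the sole internet-facing server, with the hub-side permissions of the leaf user acting as the boundary. Addresses, account names, subject names, user names and file paths are assumptions.

```conf
# --- hub.conf: the internal cluster. Nothing here is reachable from the
# --- internet; both listeners bind to an internal address (assumed 10.0.0.5).
listen: 10.0.0.5:4222

accounts {
  INT: {
    users: [ { user: internal, password: "<internal-secret>" } ]
    # only this subject tree crosses from the DMZ into internal services
    imports: [ { stream: { account: EXT, subject: "ext.events.>" } } ]
    exports: [ { stream: "ext.replies.>" } ]
  }
  EXT: {
    # the leaf node binds to this account; the dmz user's permissions are
    # the DMZ boundary: publish = what the DMZ may send into the hub,
    # subscribe = what the DMZ may receive from the hub
    users: [ {
      user: dmz, password: "<leaf-secret>",
      permissions: { publish: ["ext.events.>"], subscribe: ["ext.replies.>"] }
    } ]
    exports: [ { stream: "ext.events.>" } ]
    imports: [ { stream: { account: INT, subject: "ext.replies.>" } } ]
  }
}

leafnodes {
  listen: 10.0.0.5:7422
  tls { cert_file: "/etc/nats/hub.crt", key_file: "/etc/nats/hub.key" }
}

# --- dmz.conf: the leaf node, the only nats-server with a public address.
# --- It holds no internal accounts, so a stolen external credential is
# --- confined to the subjects the hub-side dmz user is permitted.
listen: 0.0.0.0:4222
tls { cert_file: "/etc/nats/dmz.crt", key_file: "/etc/nats/dmz.key" }

authorization {
  users: [ {
    user: external, password: "<external-secret>",
    permissions: { publish: ["ext.events.>"], subscribe: ["ext.replies.>"] }
  } ]
}

leafnodes {
  remotes: [ {
    # outbound only: the DMZ dials the hub, the hub never dials the DMZ
    url: "nats-leaf://dmz:<leaf-secret>@10.0.0.5:7422"
    tls { ca_file: "/etc/nats/hub-ca.pem" }
  } ]
}
```

Even with NKey or JWT credentials in place of the placeholder passwords, it is the hub-side permissions on the dmz user that bound what a compromised external credential can reach, so keep them to the exact subject trees external clients need.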