Infrastructure Network Security

Started by Michelangelos, Jun 27, 2022, 11:06 AM

Previous topic - Next topic

MichelangelosTopic starter

By the end of March, our SaaS will be launched while relying on OVH as our infrastructure provider. They suggested a complicated infrastructure plan including separate servers for DB, application, and a Network firewall. Our stack is composed of .net core for backend, Typescript for front end, and mySQL for DB. For development testing, we are currently using a single server with a Windows-based machine that has IIS for hosting both the API and front end.

We have a few questions regarding our setup: 1) Since OVH offers an effective Anti-DDOS protection, do we need a third-party DDOS protection,
 2) Is a network firewall necessary or will the OS-based firewall and security groups suffice for now, and 3) Though we currently find it more efficient to have the DB on the same server, would it be better to have a separate server for the database? This would require setting up a private network and Vrack, which may require the assistance of a dedicated infrastructure expert. At the moment, we anticipate fewer than 50 users using our application.
    The following users thanked this post: kotowicz


1. OVH provides effective Anti-DDOS protection, but for layer 7 attacks it's recommended to have third-party protection.
2. Based on your initial period needs, a network firewall may not be necessary. A software firewall and security group should suffice.
3. It's actually better to have separate servers for the application and database. This will enhance performance.

Please note that this requires setting up a private network, Vrack, and several configurations which may necessitate the input of an infrastructure specialist. You can allow DB connection from the application server or use VPN tunnelling to connect the two servers.


For a production money-making operation, it's crucial to start with a highly available and decoupled system. It's advised to utilize a third-party for DDoS protection and to avoid relying on only one hosting provider. Running your SaaS out of multiple physical locations is vital, so ensure your platform can run from a minimum of three locations.

Separate your database servers, making them privately accessible while setting up VPN if necessary. Your primary database server should send data to at least two replicas in each of the other locations. Make sure your application server is scalable, allowing you to scale up or down by adding more instances in various locations. Your API servers should also be independently scalable. Create a monitoring cluster accessible internally, where you can view dashboards, reports, and see your SIEM.

Establish a backup cluster to store backups regularly and archived logs. Consider a hybrid approach to gain the benefits of the cloud, enabling better scalability and saving costs by paying only for what's used. Finally, use a service to keep backups offsite and offline, ensuring only privileged admins can access them during emergencies.


Regarding your questions:

1) If OVH offers effective Anti-DDOS protection, it is generally not necessary to have a third-party DDOS protection. However, it's always a good idea to evaluate the specific features and capabilities of OVH's DDOS protection to ensure it meets your needs.

2) A network firewall can provide an additional layer of security for your infrastructure. While OS-based firewalls and security groups can provide some level of protection, a dedicated network firewall can offer more advanced features and customization options. It is advisable to assess the specific requirements and potential risks of your application before deciding whether a network firewall is necessary at this stage.

3) Having a separate server for the database can provide benefits in terms of scalability, performance, and separation of concerns. By setting up a private network and Vrack, you can enhance the security and isolation of your database server. While having the DB on the same server may be efficient for development testing, it is recommended to consider separating them in a production environment, especially if you anticipate growth in the number of users. Engaging a dedicated infrastructure expert can help ensure a smooth setup and configuration of the separate server and private network.


Infrastructure network security involves safeguarding the foundational components of a network to prevent unauthorized access, data breaches, and cyberattacks. It encompasses implementing firewalls, intrusion detection systems, and encryption protocols to protect network traffic and sensitive data. Regular security audits and vulnerability assessments are crucial to identify and address potential weaknesses in the infrastructure. Network segmentation, strong authentication methods, and access controls contribute to minimizing security risks. Overall, a robust infrastructure network security strategy is essential to ensure the confidentiality, integrity, and availability of network resources.