How to ensure traffic is only routed internally

The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.

Summary

How can I bind ASD to localhost on a box to ensure that the node is not exposed to the internet? Will the following configuration work?

network {
        service {
                address any
                port 3000
                reuse-address
                network-interface-name lo
        }
}

Resolution

The configuration that solves the problem is as follows.

network {
        service {
                address 127.0.0.1
                port 3000
                reuse-address
                access-address x.x.x.x virtual   # replace x.x.x.x with an appropriate virtual address
        }
...

(If you are only running a single-node cluster, you can use ‘access-address 127.0.0.1 virtual’.)

To go further into details:

  1. network-interface-name is used to generate the node id and to pick the IP address used for heartbeats in mesh mode (it is not used for multicast). Note: this IP is not published as the service address to the node’s neighbors.

    Configuration Reference: network-interface-name

  2. access-address is the address you want to advertise as the service address to your neighbors (and indirectly to your clients). Add ‘virtual’ if it is a virtual address (note: 127.0.0.1 is virtual).

    Configuration Reference: access-address

  3. address is the IP to listen on. ‘any’ means all interfaces, so setting a specific IP is the way to limit listening to a single interface. When anything other than ‘any’ is given, that address is also used as the access-address automatically.

    Configuration Reference: address

    We cannot allow 127.0.0.1 as the access-address because this address is published to the clients (indirectly, via the cluster discovery logic). If it were allowed, clients would use the 127.0.0.1 address and connect to themselves instead of to the intended node.

    Note:

    It is not advised to use “lo” as the “network-interface-name”. If there are a bunch of nodes all listening on the same port (say the default 3000), every node in the cluster will generate the same node id. The cluster then breaks, because the internal algorithms rely on node ids being unique.
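To check a config for the three pitfalls above before deploying it, here is an added example (not Aerospike's own code): a minimal parser for the brace-delimited aerospike.conf format plus a linter for the network.service stanza, run over the questioned and the resolved configs from this article. The address 10.0.0.5 is a constructed stand-in for x.x.x.x.

```python
"""Lint the network.service stanza of an aerospike.conf for the pitfalls this
article describes. Added example, not Aerospike code: the parser is a minimal
reimplementation of the brace-delimited format and the configs are constructed."""


def parse_conf(text):
    """`context { key value }` -> nested dicts; repeated keys collect in a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):  # open a nested context, merging repeats
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced braces in config")
            stack.pop()
        else:  # "key" or "key value ..."
            parts = line.split(None, 1)
            stack[-1].setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def lint_service(conf):
    """Return the findings a reviewer would raise against network.service."""
    svc = conf.get("network", {}).get("service", {})
    listen = svc.get("address", [])
    access = svc.get("access-address", [])
    findings = []
    if not listen or "any" in listen:  # address defaults to any when omitted
        findings.append("address any: asd listens on every interface, not only localhost")
    if "lo" in svc.get("network-interface-name", []):
        findings.append("network-interface-name lo: every node derives the same node id")
    if "127.0.0.1" in listen and not access:  # the listen address gets published
        findings.append("address 127.0.0.1 is auto-published as access-address; clients would connect to themselves")
    if any(a.split()[0] == "127.0.0.1" for a in access if a):
        findings.append("access-address 127.0.0.1: acceptable only for a single-node cluster")
    return findings


QUESTIONED = "network {\n service {\n address any\n port 3000\n reuse-address\n network-interface-name lo\n }\n}\n"
RESOLVED = ("network {\n service {\n address 127.0.0.1\n port 3000\n reuse-address\n"
            " access-address 10.0.0.5 virtual  # constructed stand-in for x.x.x.x\n }\n}\n")

if __name__ == "__main__":
    for name, text in (("questioned", QUESTIONED), ("resolved", RESOLVED)):
        print(name, lint_service(parse_conf(text)) or ["ok"])
```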