Cassandra security – private IPs with some VPN solution or public IPs and open ports


There are many different solutions to secure a Cassandra cluster. One of them is to enter public IPs and open the 7000/9042 ports on each server.

Another one is to have everything in a private network with private IPs and connect the nodes with some kind of VPN solution. I have OPNsense with WireGuard for this, but I'm wondering if this causes any problems in production.

What are you guys using to prevent attacks on public ports?

Thank you so much.

Best Answer

If you care about your data, do not EVER put a database server on a public network. There is no preventing attacks on public ports. Databases are secured from most direct attacks by placing them behind firewalls, and using web servers and application servers (also protected by firewalls and load balancers) to reverse proxy user requests for information. No one should ever connect directly to a database or its server directly over the Internet. A database server or cluster, directly exposed on a public network, is begging to be hacked and its contents stolen.
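As an added example (not part of the original question or answer), the following check reads the address settings in a `cassandra.yaml` and reports any that are not on an internal range, which is one way to confirm that a node's 7000/9042 listeners stay on the private or VPN network. It uses a simple line parser rather than a full YAML library, and the sample config and its addresses are constructed for illustration.

```python
import ipaddress
import re

# Ranges treated as internal: RFC 1918, loopback, IPv6 unique-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]
# cassandra.yaml settings that carry node addresses.
KEYS = ("listen_address", "broadcast_address", "rpc_address",
        "broadcast_rpc_address", "seeds")

# Constructed sample config (addresses are made up for illustration).
SAMPLE = """\
listen_address: 10.8.0.11   # address on the VPN tunnel
rpc_address: 0.0.0.0
broadcast_rpc_address: 203.0.113.10
storage_port: 7000
native_transport_port: 9042
seed_provider:
  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
    parameters:
      - seeds: "10.8.0.11:7000,203.0.113.20:7000"
"""

def classify(value):
    """Return 'internal', 'wildcard', 'public' or 'hostname'."""
    host = value.strip().strip("\"'")
    if host.count(":") == 1:          # IPv4 with a :port suffix
        host = host.split(":")[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"             # needs DNS resolution to judge
    if addr.is_unspecified:
        return "wildcard"             # binds every interface
    return "internal" if any(addr in n for n in INTERNAL) else "public"

def audit(yaml_text):
    """Return (key, value, verdict) for each address that is not internal."""
    findings = []
    for line in yaml_text.splitlines():
        m = re.match(r"\s*(?:-\s*)?(\w+)\s*:\s*(.+?)\s*$", line.split("#")[0])
        if not m or m.group(1) not in KEYS:
            continue
        for v in m.group(2).strip("\"'").split(","):
            verdict = classify(v)
            if verdict != "internal":
                findings.append((m.group(1), v.strip(), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A `wildcard` or `public` finding means the listener is reachable on whatever interfaces the host has, so the host firewall rules for 7000 and 9042 are then the only barrier.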