I'm wanting to start my own VPS providing service. I noticed that the big companies of the domain are using public IPs for the client's VPS (the client directly accesses the VPS using a public IP that is assigned to this VPS).

Is this mandatory? Because IPv4 is expensive, even a /29. Or else, is there any way to provide the simplest access to the VPS for the client (like Bastion for SSH gateway, or something like that)?

LeRouteur
  • Why would someone buy a *virtual private **server*** without a public IP address? – Esa Jokinen Mar 21 '21 at 10:26
  • @EsaJokinen I see what you mean. But, for example: if I have a reverse proxy for accessing the Web servers in backend (so the client's VPS), it works. Is this a good idea? Btw I also learned that it was a really bad idea to expose the management apps on the Internet (like SSH or SFTP). When having a public IP, those management things are Internet-facing, so is it not a bad idea? – LeRouteur Mar 21 '21 at 10:51
  • It can sound really dumb tho, I'm sorry for it haha – LeRouteur Mar 21 '21 at 10:52
  • But why would someone buy this VPS from you while they have their front-ends on another provider that has both the resources and the expertise to run such services with high availability? – Esa Jokinen Mar 21 '21 at 10:56
  • That's a good point, but I actually want to do this ^^ I'm still learning IT, and making my own infrastructure would be great, and if everything works as expected, I can maybe gain a few bucks haha – LeRouteur Mar 21 '21 at 10:58
  • It's a bad idea to mix learning playgrounds with production infrastructure. It's a good idea to practice, though. – Esa Jokinen Mar 21 '21 at 11:00
  • Well, I know that I won't provide this infrastructure to really important matters though. It will only be for persons I personally know, and they know on which infrastructure they are going. But now, answering my question: is it a good idea to allow the Internet the management things? – LeRouteur Mar 21 '21 at 11:03

2 Answers

The internet is the least effort way for a hosting provider to provide access to instances. No need to stand up VPNs or a jump box. Launch an instance and ssh in from wherever you are. However, IPv4 exhaustion has made this expensive. Wouldn't it be nice if there was a way to get back to the simpler scheme of addressing every host?

There is. Implement IPv6.

Use public globally routable addresses on every host. Private networks would also be in "public" address space, but with firewall rules denying access. Provide IPv4 as a service where necessary.

A /48 prefix for every customer network (VPC, if you want to call it that) is easily justifiable to your ISP or LIR. Each of those has the address space for many /64 subnets. Do some capacity estimates and come up with an address plan.

Default to IPv6 only for hosts. Acquire enough IPv4 addresses to provide necessary services: NAT64, load balancer as a service, VPN endpoints, SMTP relays, v4 to v6 proxies in general.

Ungleich hosting is perhaps the most vocal advocate for such an infrastructure.


/29 of IPv4 space is not large, and also inexpensive compared to the investment presumably required for a hosting venture. Have someone look over your business plan and check that it is viable.

John Mahowald
  • Thank you for this answer. I'll go ahead and check IPv6 with my provider, since all my equipment is able to communicate over IPv6. As a technical aspect, I'll have an internal DHCP distributing public IPs to my clients' instances? – LeRouteur Mar 23 '21 at 12:07
  • Maybe DHCPv6, maybe not. IPv6 is capable of letting hosts generate their own addresses. Learn about router advertisements, SLAAC, and DHCP. Design an IPAM system that meets your requirements. – John Mahowald Mar 24 '21 at 15:06
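
A sketch of the address plan this answer describes, added here as an example and not part of the answer itself: one /48 per customer, /64 subnets inside it, a NAT64 mapping for IPv4 destinations, and a default-deny check standing in for the firewall rule on non-public subnets. The provider allocation (documentation prefix 2001:db8::/32), the RFC 6052 well-known NAT64 prefix, the sample addresses and all function names are assumptions.

```python
import ipaddress

# Assumption: the provider allocation is the IPv6 documentation prefix (RFC 3849).
PROVIDER = ipaddress.ip_network("2001:db8::/32")
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 well-known prefix


def customer_prefix(index: int) -> ipaddress.IPv6Network:
    """Return the index-th /48 inside the provider allocation."""
    capacity = 2 ** (48 - PROVIDER.prefixlen)  # 65,536 customers in a /32
    if not 0 <= index < capacity:
        raise ValueError(f"customer index must be in 0..{capacity - 1}")
    base = int(PROVIDER.network_address) + (index << (128 - 48))
    return ipaddress.IPv6Network((base, 48))


def subnet(customer: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Return one /64 out of the 65,536 available in a customer's /48."""
    if not 0 <= subnet_id < 2 ** 16:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(customer.network_address) + (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def nat64_address(ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 destination in the NAT64 prefix (RFC 6052, /96 form)."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(NAT64_WKP.network_address) | int(v4))


def ingress_allowed(dst: str, customer: ipaddress.IPv6Network, public_ids: set) -> bool:
    """Default-deny: only subnets the customer marked public accept inbound."""
    addr = ipaddress.IPv6Address(dst)
    if addr not in customer:
        return False
    return ((int(addr) >> 64) & 0xFFFF) in public_ids


if __name__ == "__main__":
    cust = customer_prefix(5)  # constructed sample customer
    print(cust, subnet(cust, 1), nat64_address("192.0.2.10"))
    print(ingress_allowed("2001:db8:5:1::10", cust, {1}))  # public subnet
    print(ingress_allowed("2001:db8:5:2::10", cust, {1}))  # private subnet
```

Every host in the private subnet still has a globally routable address; what keeps it unreachable is the deny decision, so that rule has to be enforced at the provider edge and not left to each instance.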

Universally the customers of your VPS business will need to be able to access their VPS. As a provider you will need to provide them with that access.

Depending on what the customers of your VPS business intend to do with their VPS, they will need either only access for themselves (the VPS is used for internal business processes only) or their VPS needs to be accessible from the internet.

When their VPS needs to be accessible from the internet assigning that VPS a public IP-address is the easiest technical solution, because that doesn't impose any limits on what services your customers can use their VPS for.

And also important: as the provider your only responsibility is that IP-access and not an additional service like a reverse proxy, mail relay and you don't have to solve access for other protocols...

When your customers need only access for themselves and don't run any public services, you can of course provide access to those VPS instances in a manner that doesn't require a public IP-address for every VPS.
A VPN server would be one such access method.

Bob
  • Thank you very much for this precise answer. But, as I said in the comments of my question, I always learned that letting Internet-facing management things is really bad practice. As I understand, letting the VPS having a public IP would do this, so isn't it a "bad idea"? – LeRouteur Mar 21 '21 at 11:07
  • Thanks for the precision in the edit. But I should provide a way to manage this server, no? If so, I can let publicly facing SSH? – LeRouteur Mar 21 '21 at 11:11
  • *"assigning that VPS a public IP-address is the **easiest technical** solution"* - not the most secure. The VPS product is usually about individual instances; once you get the more savvy and more demanding customer you get a different product, infrastructure-as-a-service and/or cloud platforms where customers can create a tiered infrastructure, virtual networks, load balancing, floating IPs, compute instances etc. There you won't assign public IPs to all instances, only a few. – Bob Mar 21 '21 at 11:18
  • Alright, I now understand. Thank you very much for the precisions :) – LeRouteur Mar 21 '21 at 11:22