Proposal: have new rule types in the DO cloud firewall. The most useful rule I can think of right now is the ability to limit both connections and traffic transfer per source IP.
Right now, these rules need to be implemented by you (e.g. using iptables, or if you use nginx you can add rules there too). If you start using Kubernetes and load balancers, then it gets more complicated. With load balancers, the source IP is lost. You have some ways to recover the source IP, such as using the PROXY protocol. But having this capacity at the cloud firewall would achieve:
- Simplicity for the DO users, little room for errors and easier to monitor how these rules are being used
- Cloud level rules, and not only node/pod (although you can do a per node rule right now)
- Filtering bad traffic early on, without having an application to handle the traffic, even if you use load balancers (for instance, you can't do it at the iptables level in your node/pod without resolving the source IP through PROXY protocol, can you?)
Feel free to expand on this idea and/or add suggestions!
Thanks in advance
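For reference, this is what the "implement it yourself" path looks like today behind a load balancer: an added nginx configuration example (not from the original post or from DigitalOcean) that recovers the client address via the PROXY protocol and then applies per-source-IP connection, request and transfer limits. The load balancer address range, ports and limit values are assumptions chosen for illustration.

```nginx
# Added example: per-source-IP limits on a backend behind a PROXY-protocol load balancer.
# Assumptions: the LB sends PROXY protocol from 10.0.0.0/8, nginx listens on 80,
# the application listens on 127.0.0.1:8080. Tune all limit values to your traffic.
events { worker_connections 1024; }

http {
    # Only trust PROXY protocol headers coming from the load balancer range;
    # this rewrites $remote_addr / $binary_remote_addr to the real client IP.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   proxy_protocol;

    # Shared-memory zones keyed by the recovered client address
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    # Return 429 instead of the default 503 so limited clients are distinguishable in logs
    limit_conn_status 429;
    limit_req_status  429;
    limit_conn_log_level warn;
    limit_req_log_level  warn;

    server {
        # proxy_protocol here makes nginx parse the PROXY header the LB prepends
        listen 80 proxy_protocol;

        # At most 20 simultaneous connections per source IP
        limit_conn perip_conn 20;

        # Average 10 req/s per source IP, allow bursts of 20, reject the rest immediately
        limit_req zone=perip_req burst=20 nodelay;

        # Cap transfer rate per connection once 1 MB has been sent
        limit_rate_after 1m;
        limit_rate       512k;

        location / {
            proxy_pass http://127.0.0.1:8080;
            # Pass the recovered client IP on to the application
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

Validate with `nginx -t` before reloading; the limits only key on the real client once the `listen ... proxy_protocol` and `set_real_ip_from` lines match the load balancer's actual configuration.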