Networking Best Practices

This guide provides architectural guidance and recommended practices for designing secure, scalable, and maintainable networks on CloudRaya.

Unlike feature-specific documentation, this page focuses on how networking components work together and how to design your environment correctly from the start.

When Should You Read This Page?

You should review this guide if you are:

Designing a new environment on CloudRaya
Deploying multiple Virtual Machines or services
Using Public IPs, VPN, and Load Balancers together
Planning to expose applications securely to the internet
Experiencing networking complexity or security concerns

Core Networking Principles in CloudRaya

These principles apply across all CloudRaya networking features.

Prefer Private Networking by Default

Place workloads inside a VPC and private subnet
Use private IPs for inter-service communication
Avoid exposing backend services directly to the internet

Minimize Public IP Usage

Public IPs should be used only when necessary
Typical use cases:
- Load Balancer
- VPN access
Backend Virtual Machines should not require Public IPs

Separate Access Path and Traffic Path

User traffic should flow through a Load Balancer
Administrative access should flow through VPN
Avoid mixing operational access (SSH, RDP) with public application traffic

Assign One Responsibility per Component

Load Balancer: traffic distribution
VPN: secure private access
VPC: network isolation
Virtual Machines: application workloads

Clear separation improves security, scalability, and troubleshooting.

Recommended Reference Architecture

A common and recommended design pattern on CloudRaya:

Internet traffic → Load Balancer (Public IP) → Private Virtual Machines
Administrator access → VPN (Public IP) → Private Virtual Machines
Backend VMs:
- Use private IP only
- Are not directly exposed to the internet

This approach:

Reduces attack surface
Centralizes access control
Simplifies scaling and maintenance

Common Networking Anti-Patterns

Avoid the following patterns, which often lead to security and operational issues:

Exposing All Virtual Machines with Public IPs

Increases attack surface
Makes access control harder to manage
Bypasses centralized traffic management

Direct SSH / RDP Access from the Internet

Higher risk of brute-force attacks
Difficult to audit and control
VPN provides a safer alternative

Using Load Balancer While Backend Remains Public

Defeats the purpose of traffic abstraction
Creates redundant exposure points

Creating VPN but Not Using It Operationally

VPN should be the primary administrative access path
If VPN exists, backend access should rely on it

Security and Operational Recommendations

Use VPN for all administrative access
Restrict Public IP usage to Load Balancer and VPN only
Assign backend VMs using private IPs
Regularly review unused Public IPs
Keep networking design simple and intentional

Where to Go Next

To implement these best practices, refer to the following guides:

VPC Overview – Design isolated private networks
Public IP Address – Manage public exposure responsibly
Load Balancer Overview – Distribute traffic securely
VPN Overview – Enable private access to your resources

Deep-Dive Architecture Guides

If you want to go deeper into specific networking design areas, CloudRaya provides focused guidance pages:

Learn how to design VPCs with proper isolation, subnet strategy, and security boundaries.
📄 Designing Secure VPCs
Identify frequent design mistakes and how to avoid them in real deployments.
📄 Common Networking Misconfigurations

Summary

Networking best practices focus on design decisions, not UI steps
Proper architecture reduces security risk and operational complexity
CloudRaya networking features are designed to work together
Start with private networking, expose only what is necessary

Design your network intentionally, and CloudRaya will scale with you.

Networking Best Practices

On this page