Exposed Services#

Building a robust network of services includes exposing some applications to the internet. Establishing a pattern for doing this in a secure and flexible way paves the way for a well-designed system.

External DNS for hosted services is managed through Cloudflare, allowing all inbound traffic to proxy through the company's global network.

Only traffic sourced from Cloudflare's published IP ranges is passed through by OPNsense, creating a boundary layer between the hosted services and the internet.

Connections are load balanced internally through Traefik to the back-end application. Let's Encrypt certificates are managed and renewed automatically by the application proxy, providing end-to-end TLS encryption.
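The boundary rule above only holds if the origin firewall admits exactly the ranges Cloudflare publishes and nothing else; a stale or hand-typed list either lets direct-to-origin traffic bypass the proxy or blocks legitimate edge nodes. The following is an added example, not the page's own configuration or any OPNsense or Cloudflare code: it parses the one-CIDR-per-line format Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, builds an allow list from it, and applies the same pass/drop decision the firewall makes to a batch of source addresses. The ranges embedded here are constructed documentation prefixes standing in for the real list, and the function names are this example's own.

```python
import ipaddress

# Constructed placeholder ranges standing in for the list Cloudflare publishes
# at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
# They use documentation prefixes only; a real deployment loads the published
# list and refreshes it on a schedule, since the ranges change over time.
PUBLISHED_LIST_TEXT = """\
198.51.100.0/24
203.0.113.0/24

2001:db8:cf::/48
"""


def parse_published_list(text):
    """Turn the one-CIDR-per-line format into network objects.

    Blank lines are skipped. A malformed entry raises instead of being
    dropped silently, so a corrupted download cannot quietly shrink or
    widen the allow list.
    """
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        networks.append(ipaddress.ip_network(line, strict=True))
    return networks


def is_from_cloudflare(src_ip, allow_list):
    """Return True only when src_ip falls inside one of the allowed ranges.

    Anything that does not parse as an IP address is treated as not allowed,
    so the check fails closed. Address-family mismatches (an IPv4 source
    against an IPv6 range) simply do not match.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in allow_list)


def filter_connections(src_ips, allow_list):
    """Apply the boundary rule to a batch of source addresses.

    Returns a list of (ip, decision) pairs, where the decision is "pass"
    for Cloudflare-sourced traffic and "drop" for everything else.
    """
    return [
        (ip, "pass" if is_from_cloudflare(ip, allow_list) else "drop")
        for ip in src_ips
    ]


if __name__ == "__main__":
    allow = parse_published_list(PUBLISHED_LIST_TEXT)
    # Constructed sample of inbound connection sources: one inside each
    # placeholder range, one direct-to-origin address, and one garbage value.
    sample = ["198.51.100.7", "192.0.2.1", "2001:db8:cf::1", "bogus"]
    for ip, decision in filter_connections(sample, allow):
        print(f"{ip:>16}  {decision}")
```

In practice the same parsed list feeds an OPNsense alias used by the WAN pass rule, and Traefik can enforce it a second time with an IP allow-list middleware so that a misconfigured firewall rule does not silently expose the origin. Because the allow list is refreshed from Cloudflare's published data, the two layers stay consistent without hand edits.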

Architecture Diagram#
