I've been trying to find some info on how Linode deals with internal IPs.
I'm used to dealing with EC2, where instances do not have public IPs unless given them explicitly, and I find that works very nicely (particularly with their NAT-style instance DNS naming meaning you can still connect directly to nodes without a public IP). Is it reasonable to use this approach with Linode too? For example I have no need for database servers (or web servers behind proxies) to be directly visible to the outside world, so rather than futzing with firewalls, just not having a public IP is much simpler. I can have a public node act as an SSH gateway to allow me to connect to private IPs for admin purposes.
Is traffic between Linode instances belonging to a single account contained by some kind of VLAN so the traffic is not visible to any other instances, or do I need to implement a local VPN or similar security layer between instances?
Is there some kind of meta-firewall, like EC2's security groups?
I've been rummaging in here, the library and the wiki, but have not found anything on these.