I'm not holding my breath on this one, but I think it would be nice.

It would be cool if all of the nodes on my account, within a single data center, could have a "private" private network. Meaning they can all talk to each other, but no other incoming traffic (other than node balancers on my account) would be allowed.

Right now I'm building the deployment scripts to configure iptables to do something like this; however, it's a bit of a pain. If I have, say, 9 nodes, and I want to add a 10th node, I need to update the iptables config on all 10 nodes to make this work. Similarly, dropping a single node requires touching every server.

Thinking about this some more...as a less-awesome-but-ok alternative would be if I could be guaranteed that all of my nodes will come up with a private IP on my own subnet, in which case I could make a single rule that's shared among all the nodes. I confess I don't know if this is an option; I'll fire off a ticket to support to see.

IPv6 pools get you your own subnet, and they work just like private IPs. Drop anything not from or to your IPv6 Pool subnet, and you're good, no?

-Chris

You know, clearly I need to get smarter about IPv6, as all roads seem to lead there. That does seem like a reasonable solution.

I do wonder if all of our code can deal with parsing an IPv6 address at the moment...guess I should try it.

Thanks!