What is private networking?

Private networking is an isolated network layer that lets your cloud resources communicate over private IP addresses instead of the public internet.

Can I create private networks?

Yes, you can create private network routers for any networking need, from basic to advanced architectures.

What are the data transfer costs?

We offer unlimited, untracked bandwidth with no inbound or outbound charges. The only exception is suspicious or abusive usage.

Is DDoS protection included?

Yes, we provide always-on, free DDoS protection for all customers.

Public vs Private Traffic Guide

Introduction

Private networking in cloud infrastructure is the practice of keeping selected traffic on isolated internal network paths instead of sending everything over the public internet. For teams deploying on Raff, this directly impacts security, latency, and how safely your architecture scales.

Many early deployments expose every server to the internet. While this may work for simple setups, it becomes risky as soon as you introduce databases, internal services, or multiple environments. In production systems, only a small portion of your infrastructure should be publicly accessible.

In this guide, you will learn the difference between public and private traffic, when to use each, and how to design a secure, scalable architecture using proper network segmentation.

What Public and Private Traffic Mean

Public traffic refers to communication that travels over internet-accessible endpoints using public IP addresses. This includes users visiting your website, mobile apps calling your API, or third-party services sending webhooks.

Private traffic refers to communication that stays inside an isolated internal network using private IP addresses. This is typically used for communication between application servers, databases, caches, and internal services.

Another useful way to think about this is:

North-south traffic: Traffic entering or leaving your system, such as user requests or outbound API calls
East-west traffic: Traffic moving between services inside your own infrastructure, such as an application server querying a database

In modern cloud architecture, north-south traffic is usually controlled at the edge, while east-west traffic should remain private wherever possible.

Why This Distinction Matters

The separation between public and private traffic is not just a networking preference. It affects security, performance, and operational clarity.

If every service is public, your attack surface grows immediately. Databases, internal APIs, admin panels, and background services become easier to discover, probe, and misuse. That increases the chance of misconfiguration, unauthorized access, and unnecessary exposure.

Private traffic reduces this risk by limiting which systems can communicate and how. It also improves architecture discipline. When you intentionally separate public endpoints from internal components, your infrastructure becomes easier to reason about, secure, and scale.

There is also a performance benefit. Internal communication over a private network is often simpler and more predictable than routing traffic through public paths. This matters for applications that rely on frequent service-to-service calls, database queries, or cache access.

When to Use Public Traffic

Public traffic is the right choice when a service must be reachable by users or external systems over the internet.

Public websites and web applications

If users need to access your site through a browser, the frontend or entry point must be public. This usually means a reverse proxy, load balancer, or web server is exposed on ports like 80 and 443.

Public APIs

If your application provides an API for mobile apps, browser clients, or third-party integrations, that API must be reachable publicly. Even so, only the API layer should be exposed. Internal services behind it should remain private.

Webhook receivers

Services that receive webhooks from platforms like GitHub, Stripe, or Slack must also expose a public endpoint. The receiving endpoint can be public, while downstream processing stays private.

Limited remote administration

In smaller setups, teams sometimes use public SSH access for server administration. This can be acceptable temporarily, but it should be tightly restricted with SSH keys, firewall rules, and source IP controls. Public admin access should not be the long-term default for every server.

When to Use Private Traffic

Private traffic should be the default for internal communication between services.

Databases

Databases such as MySQL and PostgreSQL should almost always remain private. End users do not need direct access to them. Only trusted application servers and operational tools should be able to connect.

Application-to-application communication

If you run multiple services, such as an API, a worker process, a queue consumer, and an internal dashboard, their communication should stay on private addresses. This reduces exposure and keeps the internal architecture clean.

Caches and message queues

Redis, Memcached, RabbitMQ, and similar services are internal components. They should not be exposed publicly unless there is an exceptional and well-controlled reason.

Internal admin tools

Monitoring systems, dashboards, CI/CD runners, package registries, and other operational services are strong candidates for private networking. These tools are important, but they usually do not need internet-wide access.

Environment separation

Development, staging, and production should not sit on one flat public network. Private segmentation helps prevent mistakes such as a staging service talking to a production database or a test environment becoming publicly reachable.

A Simple Decision Framework

A good default rule is this:

If only your own infrastructure needs to reach it, keep it private.

Use the following table as a quick reference:

Component	Public Traffic	Private Traffic	Recommended Default
Website frontend	Yes	Optional	Public edge
Load balancer / reverse proxy	Yes	Yes	Public + private backend
Application server	Sometimes	Yes	Prefer private
Database server	Rarely	Yes	Private only
Redis / cache	No	Yes	Private only
Internal admin panel	Sometimes	Yes	Prefer private
CI/CD runner	No	Yes	Private only
Monitoring stack	Sometimes	Yes	Mostly private
Webhook receiver	Yes	Optional	Public entry only
Bastion host	Yes, restricted	Yes	Public but tightly controlled

This model keeps your public attack surface small while preserving flexibility.

Common Architecture Patterns

Public edge, private backend

This is the most common production setup. A public-facing load balancer or Nginx server receives traffic from users. It forwards requests to application servers on private IPs. Those application servers connect to private databases and caches.

This pattern works well because users can reach the application, but the core services remain hidden from the internet.

Bastion-based administration

Instead of exposing SSH on every server, expose one hardened bastion host. Administrators connect to that host first, then reach internal systems over private networking.

This reduces the number of public entry points and makes access control easier to manage.

Segmented environments

Create separate private networks or subnets for development, staging, and production. This helps prevent accidental cross-environment access and keeps production isolated from lower-trust systems.

Private data plane

Expose only the minimum public layer required for users or integrations. Keep databases, workers, caches, and internal service communication entirely private. This is often the cleanest long-term approach.

Security Benefits of Private Traffic

Private networking reduces exposure, but its real value comes from layered defense.

When services communicate privately, you can control access more precisely with firewalls, security groups, and subnet policies. A database can accept connections only from the application layer. A cache can be limited to specific nodes. An internal admin dashboard can stay unreachable from the public internet.

This does not eliminate the need for good credentials, patching, or application security. It does, however, reduce the number of things that can go wrong at the network edge.

In practical terms, private networking helps you:

Reduce accidental exposure
Limit lateral movement between systems
Apply least-privilege access rules
Separate environments more cleanly
Keep sensitive services away from public scanning and probing

Performance and Reliability Benefits

Private traffic can also make systems more predictable.

Applications often rely on repeated internal requests between services. If that communication happens over private paths, there are fewer unnecessary dependencies on public routing, public DNS, or internet-facing configuration. This leads to cleaner architecture and often better latency consistency.

For database-heavy applications, internal APIs, and service meshes, keeping communication private reduces complexity and makes performance easier to troubleshoot.

It also improves reliability. If internal services depend on public endpoints to talk to each other, a firewall mistake, DNS issue, or public path misconfiguration can break the application in ways that are hard to diagnose. Private networking reduces that fragility.

Best Practices

Expose only the edge

Your users should connect to a small number of public endpoints, not directly to every server. Reverse proxies, API gateways, and load balancers are the right public-facing layers.

Keep stateful services private

Databases, caches, storage services, and queues should stay private by default. They hold data or support internal application logic and rarely need public exposure.

Separate admin access from user traffic

Your operators and your end users should not use the same access paths. Administrative entry points should be controlled differently and more strictly.

Segment by role and environment

The web tier, application tier, database tier, and operations layer should not all share the same unrestricted network space. Development and staging should also remain separate from production.

Apply least privilege

Only allow the exact ports and source systems that a service requires. If a service only needs traffic from one application server, do not allow access from the whole network.

Plan early

A public-first architecture is easy to start with but harder to correct later. It is better to decide early which parts of the system are public and which stay private.

Raff-Specific Context

This model fits Raff well because Raff offers private cloud networking alongside core infrastructure features such as Linux VMs, firewalls, snapshots, backups, private networking, DDoS protection, and scalable VM tiers.

A practical Raff deployment might look like this:

A public Nginx reverse proxy receives traffic from users
Application servers run on private IPs
A database server accepts traffic only from the application layer
Internal monitoring and CI runners stay on private paths
Firewall policies restrict access between tiers

This design is safer than exposing every system publicly and scales more cleanly as your environment grows. It also aligns well with common production patterns used by startups, agencies, and small DevOps teams.

Because Raff also supports hourly billing, instant resize, and additional infrastructure services, teams can start with a simple deployment and evolve toward a more segmented architecture without changing platforms.

Public vs Private Traffic Decision Matrix

Use this matrix when deciding how a component should communicate:

Decision Factor	Use Public Traffic When	Use Private Traffic When
Audience	End users or external systems must access it directly	Only internal systems need access
Data sensitivity	The service exposes low-risk public content	The service handles credentials, customer data, or internal logic
Traffic direction	It is primarily north-south traffic	It is primarily east-west traffic
Operational need	A public endpoint is necessary for the product to function	A private path is enough for the service to do its job
Security posture	Exposure is acceptable and tightly controlled	Exposure creates unnecessary risk

Conclusion

Public and private traffic serve different purposes in cloud infrastructure. Public traffic is necessary for the parts of your system that users or external services must reach. Private traffic is the better default for internal communication between application servers, databases, caches, and operational tools.

The safest and most scalable approach is to keep your public surface narrow and your internal communication private. That reduces exposure, improves segmentation, and creates a cleaner architecture as your system grows.

If you are building on Raff, private networking gives you a straightforward way to separate your public edge from your internal systems. Combined with firewalls, snapshots, backups, and flexible VM sizing, it helps you move from a basic deployment to a more production-ready architecture without unnecessary complexity.

Private Networking in Cloud: Public vs Private Traffic

Key Takeaways