We often spin up a load balancer to provide administrative access to private resources. For example, Rackspace does not expose Cloud Databases to any public scope. To manage a Cloud Database from outside the Rackspace private network, a load balancer must be spun up for MySQL on port 3306 with the database added as a node.
While exposing an internal service to the public makes administration easier, it is far from secure: the load balancer now accepts MySQL connections from the whole internet. Harden it with a Rackspace access list that permits connections only from a single address or IP block.
In this example, my home office is at IP 220.127.116.11. A load balancer is configured for the MySQL:3306 protocol:port pair, and a Cloud Database is added as an external node.
Add an Access Rule of type Allow for <IPMakingConnections>/32, in this example the home-office address above with a /32 prefix. CIDR notation is used: to allow a single IP, use a /32 prefix; if your office has a block of addresses assigned by your ISP, use that block's prefix instead.
Add a Deny rule for the rest of the internet: 0.0.0.0/0.
Rackspace access lists provide fine-grained network access control. Items configured with the “Allow” type always take precedence over items with the “Deny” type, so rule order does not matter. To reject all traffic except the allowed addresses, add a network access rule with address 0.0.0.0/0 and a “Deny” type. That catch-all Deny is what actually closes the port: an Allow entry on its own does not block any other address.
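The procedure above, as an added example that is not part of the original post or of Rackspace's own tooling: a small Python script that builds the access list body (trusted CIDRs as ALLOW plus the 0.0.0.0/0 DENY), validates every prefix with the standard `ipaddress` module so a typo such as `0.0.0/0` is caught before it reaches the API, and evaluates the list with the documented precedence rule so you can check which client addresses will get through. The home-office address is the one from the post; the API path in the comment is an assumption to confirm against the Rackspace Cloud Load Balancers documentation for your region.

```python
import ipaddress
import json

# Constructed values for the example: the home-office address from the post.
# Replace with your own address or your ISP-assigned block (network address + prefix).
HOME_OFFICE_CIDR = "220.127.116.11/32"
CATCH_ALL = "0.0.0.0/0"


def build_access_list(allowed_cidrs):
    """Return the access list body: ALLOW each trusted CIDR, then DENY everything else.

    Each entry is parsed with ipaddress.ip_network(strict=True), so a malformed
    prefix ("0.0.0/0") or a block with host bits set ("203.0.113.5/24") raises
    ValueError instead of being sent to the API with a different meaning.
    """
    entries = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        entries.append({"address": str(net), "type": "ALLOW"})
    # Without this catch-all DENY the ALLOW entries restrict nothing.
    entries.append({"address": CATCH_ALL, "type": "DENY"})
    return {"accessList": entries}


def is_permitted(access_list, client_ip):
    """Evaluate the list as Rackspace documents it: ALLOW always beats DENY,
    regardless of order, and an address matching no rule at all is still permitted."""
    ip = ipaddress.ip_address(client_ip)
    denied = False
    for rule in access_list["accessList"]:
        if ip in ipaddress.ip_network(rule["address"]):
            if rule["type"] == "ALLOW":
                return True
            denied = True
    return not denied


def has_default_deny(access_list):
    """True when the list contains the 0.0.0.0/0 DENY that closes the port."""
    return any(
        r["type"] == "DENY" and r["address"] == CATCH_ALL
        for r in access_list["accessList"]
    )


if __name__ == "__main__":
    acl = build_access_list([HOME_OFFICE_CIDR])
    # Assumed endpoint, verify against the Rackspace docs:
    # POST /v1.0/{account}/loadbalancers/{lbId}/accesslist  with this JSON body
    print(json.dumps(acl, indent=2))
    for probe in ("220.127.116.11", "220.127.116.12", "198.51.100.9"):
        print(probe, "permitted" if is_permitted(acl, probe) else "denied")
```

Run it once before applying the list in the control panel or via the API: the decision printed for a neighbouring address (here 220.127.116.12) should be "denied", and `has_default_deny` should be true, otherwise the access list is cosmetic and the MySQL port is still open to the world.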