Linode Networking Guide

Linode Networking Overview

Networking on Linode is designed with the same philosophy of simplicity and transparency that characterizes the rest of the platform. While AWS, Azure, and GCP offer dozens of networking services with complex interdependencies, Linode provides a focused set of networking primitives — VPC, Cloud Firewall, NodeBalancers, DNS Manager, and private networking — that cover the vast majority of application architectures. Each service is straightforward to configure, uses predictable pricing, and integrates cleanly with the rest of the Linode ecosystem.

With Akamai's acquisition of Linode, the networking story has expanded significantly. Akamai's global backbone — one of the largest content delivery and edge computing networks in the world — now provides transit and connectivity for Linode's data centers. This means your Linode workloads benefit from Akamai's peering relationships, DDoS mitigation capabilities, and global reach even without explicitly configuring CDN services.

This guide covers every networking service available on Linode, from basic IP addressing and private networking to VPC architectures, load balancing with NodeBalancers, DNS management, and security controls with Cloud Firewall. Whether you are building a simple single-server application or a multi-region distributed system, this guide gives you the networking knowledge to build it confidently.

IP Addressing and Basic Networking

Every Linode instance receives the following network addresses automatically upon creation:

• Public IPv4: A single public IPv4 address for internet-facing communication. Additional IPv4 addresses can be requested but require technical justification due to IPv4 scarcity.
• Public IPv6 SLAAC: A single /128 IPv6 address automatically configured via SLAAC (Stateless Address Autoconfiguration).
• IPv6 Range: A routed /64 IPv6 range that you can use for containers, virtual machines, or other purposes. Larger /56 ranges are available upon request.
• Link-Local IPv4: A 169.254.x.x address used for internal Linode services like metadata and DNS resolution.

# View all IP addresses for a Linode
linode-cli linodes ips-list <linode-id>

# Request an additional public IPv4 (requires justification)
linode-cli linodes ip-add <linode-id> --type ipv4 --public true

# Add a private IPv4 address for same-datacenter communication
linode-cli linodes ip-add <linode-id> --type ipv4 --public false

Private IPv4 addresses (192.168.x.x) allow Linodes in the same data center to communicate without using the public internet. Traffic over private IPs is free and does not count against your transfer quota. However, private IP traffic is not encrypted by default and is accessible to all Linodes in the same data center (not just yours). For network isolation, use VPC.

VPC (Virtual Private Cloud)

VPC is Linode's solution for true network isolation. A VPC creates a private, isolated Layer 3 network where only your Linodes can communicate. Unlike the legacy private IP networking, VPC traffic is completely isolated from other customers and provides a familiar subnet-based networking model:

# Create a VPC
linode-cli vpcs create \
  --label prod-vpc \
  --region us-east \
  --description "Production VPC for web application" \
  --subnets '[
    {"label": "web-tier", "ipv4": "10.0.1.0/24"},
    {"label": "app-tier", "ipv4": "10.0.2.0/24"},
    {"label": "data-tier", "ipv4": "10.0.3.0/24"}
  ]'

# List VPCs
linode-cli vpcs list

# View VPC details and subnets
linode-cli vpcs view <vpc-id>
linode-cli vpcs subnets-list <vpc-id>

Assigning Linodes to VPC Subnets

Linodes are assigned to VPC subnets through their network interface configuration. A Linode can have both a public interface (for internet access) and a VPC interface (for private communication). You can configure this during Linode creation or by updating an existing Linode's configuration profile:

# Create a Linode with VPC interface
linode-cli linodes create \
  --type g6-dedicated-4 \
  --region us-east \
  --image linode/ubuntu24.04 \
  --root_pass "SecurePassword123!" \
  --label web-01 \
  --interfaces '[
    {"purpose": "public"},
    {"purpose": "vpc", "subnet_id": <web-subnet-id>, "ipv4": {"vpc": "10.0.1.10"}}
  ]'

# Update existing Linode to add VPC interface
linode-cli linodes config-update <linode-id> <config-id> \
  --interfaces '[
    {"purpose": "public"},
    {"purpose": "vpc", "subnet_id": <app-subnet-id>, "ipv4": {"vpc": "10.0.2.10"}}
  ]'

VPC Architecture Patterns

A common production architecture uses a three-tier VPC design with separate subnets for web servers, application servers, and databases. Combine VPC subnets with Cloud Firewall rules to implement defense in depth:

• Web tier (10.0.1.0/24): NodeBalancer forwards traffic to web servers. These Linodes have both public and VPC interfaces. Cloud Firewall allows only HTTP/HTTPS inbound.
• App tier (10.0.2.0/24): Application servers with VPC-only interfaces. Only accessible from web tier on specific ports. No direct internet access (use a NAT gateway or proxy for outbound).
• Data tier (10.0.3.0/24): Database servers with VPC-only interfaces. Only accessible from app tier on database ports. Backups stored in Object Storage.

NodeBalancers

NodeBalancers are Linode's managed load balancing service, providing Layer 4 (TCP) and Layer 7 (HTTP/HTTPS) load balancing with health checks, SSL termination, session stickiness, and proxy protocol support. Each NodeBalancer costs $10/month and includes a dedicated public IPv4 address:

# Create a NodeBalancer
linode-cli nodebalancers create \
  --label prod-web-lb \
  --region us-east \
  --client_conn_throttle 20

# Add an HTTPS configuration
linode-cli nodebalancers config-create <nodebalancer-id> \
  --port 443 \
  --protocol https \
  --algorithm roundrobin \
  --stickiness table \
  --check http \
  --check_path "/health" \
  --check_interval 10 \
  --check_timeout 5 \
  --check_attempts 3 \
  --ssl_cert "$(cat cert.pem)" \
  --ssl_key "$(cat key.pem)" \
  --proxy_protocol v2

# Add backend nodes
linode-cli nodebalancers node-create <nodebalancer-id> <config-id> \
  --label web-01 \
  --address "192.168.1.10:8080" \
  --weight 50 \
  --mode accept

linode-cli nodebalancers node-create <nodebalancer-id> <config-id> \
  --label web-02 \
  --address "192.168.1.11:8080" \
  --weight 50 \
  --mode accept

Load Balancing Algorithms

NodeBalancers support three load balancing algorithms:

• Round Robin: Distributes requests evenly across all healthy backend nodes in order. Best for stateless applications where all nodes are equally capable.
• Least Connections: Sends new requests to the backend node with the fewest active connections. Better for applications with variable request processing times.
• Source IP: Routes all requests from the same client IP to the same backend node. Provides session affinity without cookies but breaks when clients use multiple IPs or NAT.

Session Stickiness

For applications that require session affinity, NodeBalancers support two stickiness mechanisms:

• Table: Uses a connection table to route returning clients to the same backend. Works at Layer 4 based on source IP and port.
• HTTP Cookie: Injects a cookie (NB_SRVID) that pins the client to a specific backend. More reliable than IP-based stickiness for clients behind NAT or using mobile networks.

Health Checks

NodeBalancers monitor backend health using configurable checks. Failed health checks automatically remove unhealthy nodes from rotation, and they are re-added when they recover:

• TCP: Verifies the backend port is accepting connections. Fastest check type but does not validate application health.
• HTTP: Sends an HTTP GET request and checks for a 2xx/3xx response status. Configure the check path (e.g., /health) to test application readiness.
• HTTP Body: Like HTTP check but also validates that the response body contains a specific string. Most thorough but slightly slower.

Cloud Firewall

Linode Cloud Firewall provides stateful packet filtering that operates at the network edge, before traffic reaches your Linode's operating system. Firewalls can be shared across multiple Linodes, making it easy to apply consistent security policies to groups of instances:

# Create a firewall with inbound rules
linode-cli firewalls create \
  --label web-firewall \
  --rules.inbound '[
    {
      "label": "allow-https",
      "action": "ACCEPT",
      "protocol": "TCP",
      "ports": "443",
      "addresses": {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}
    },
    {
      "label": "allow-ssh-vpn",
      "action": "ACCEPT",
      "protocol": "TCP",
      "ports": "22",
      "addresses": {"ipv4": ["10.10.0.0/16"]}
    }
  ]' \
  --rules.inbound_policy DROP \
  --rules.outbound_policy ACCEPT

# Attach firewall to multiple Linodes
linode-cli firewalls device-create <firewall-id> --id <linode-1-id> --type linode
linode-cli firewalls device-create <firewall-id> --id <linode-2-id> --type linode

# Update firewall rules
linode-cli firewalls rules-update <firewall-id> \
  --inbound '[...]' \
  --inbound_policy DROP

Cloud Firewall rules are evaluated in order from top to bottom, with the first matching rule applied. The default policy (DROP or ACCEPT) applies to traffic that does not match any explicit rule. For security, always set the inbound default policy to DROP and explicitly allow only the traffic your application needs.

DNS Manager

Linode's DNS Manager provides free authoritative DNS hosting for your domains. It supports all standard record types (A, AAAA, CNAME, MX, TXT, SRV, CAA, NS) and provides a reliable DNS infrastructure with Linode's anycast nameservers:

# Create a DNS domain/zone
linode-cli domains create \
  --domain example.com \
  --type master \
  --soa_email admin@example.com \
  --ttl_sec 300

# Add DNS records
linode-cli domains records-create <domain-id> \
  --type A --name "" --target 192.0.2.1 --ttl_sec 300

linode-cli domains records-create <domain-id> \
  --type A --name www --target 192.0.2.1 --ttl_sec 300

linode-cli domains records-create <domain-id> \
  --type MX --name "" --target mail.example.com --priority 10

linode-cli domains records-create <domain-id> \
  --type TXT --name "" --target "v=spf1 include:_spf.google.com ~all"

linode-cli domains records-create <domain-id> \
  --type CAA --name "" --target "letsencrypt.org" --tag issue

To use Linode's DNS, update your domain's nameservers at your registrar to point to Linode's authoritative nameservers: ns1.linode.com throughns5.linode.com. DNS propagation typically completes within minutes due to Linode's anycast DNS infrastructure, though it can take up to 24-48 hours depending on TTL values and resolver caching.

Network Transfer and Bandwidth

Linode's network transfer model is one of the most straightforward in the cloud industry. Key points:

• Included transfer: Each Linode plan includes a monthly transfer allowance (e.g., 1 TB for the Nanode 1 GB, scaling up with larger plans). All transfer allowances across your account are pooled together.
• Inbound is free: All inbound traffic is free and does not count against your transfer allowance.
• Private network is free: Traffic over private IPv4 addresses and VPC interfaces is free and unlimited.
• Overage pricing: If you exceed your pooled transfer, overage is billed at $0.005/GB ($5/TB). This is competitive with or lower than most cloud providers.
• Network speed: Each Linode has a network port speed based on its plan (40 Gbps for most plans). This is the maximum burst rate, not a guaranteed sustained throughput.

IPv6 Networking

Linode provides comprehensive IPv6 support. Every Linode receives a /128 SLAAC address and a routed /64 range automatically. IPv6 is fully supported across all Linode services including NodeBalancers, Cloud Firewall, and DNS Manager:

• SLAAC address: Automatically configured on boot. Use this as your Linode's primary IPv6 address for services and DNS records.
• Routed /64 range: A block of approximately 18 quintillion IPv6 addresses routed to your Linode. Useful for containers, VMs, and services that each need unique addresses.
• /56 pool: Available upon request for accounts that need larger IPv6 allocations. A /56 provides 256 /64 subnets.

IPv6 traffic follows the same pricing model as IPv4 — inbound is free, private is free, and outbound counts against your transfer pool. Configure your applications to support dual-stack (both IPv4 and IPv6) to maximize accessibility and future-proof your services.

Akamai CDN and Edge Integration

With Linode now part of Akamai Connected Cloud, you can leverage Akamai's CDN and edge computing services alongside your Linode infrastructure. While this integration is evolving, current capabilities include:

• Akamai CDN: Cache and deliver static content from Akamai's global edge network (over 4,200 PoPs worldwide). Origin servers run on your Linodes while edge servers handle delivery close to end users.
• DDoS protection: Akamai's network provides built-in DDoS mitigation for Linode's data centers, absorbing volumetric attacks before they reach your infrastructure.
• Edge computing: Run serverless functions at Akamai edge locations using EdgeWorkers, reducing latency for compute tasks that benefit from geographic proximity to users.

This combination of Linode's origin cloud infrastructure with Akamai's global edge network gives you a complete stack for building high-performance, globally distributed applications — from compute and storage at the core to content delivery and security at the edge.

Network Security Best Practices

Implement a layered network security approach on Linode:

• Use VPC for isolation: Place all production workloads in VPC subnets. Only assign public interfaces to instances that genuinely need direct internet access (typically just load balancers and bastion hosts).
• Apply Cloud Firewall: Set default inbound policy to DROP. Whitelist only necessary ports and source IPs. Review and audit firewall rules regularly.
• Encrypt in transit: Use TLS for all application traffic, even between internal services. Let NodeBalancers handle SSL termination, or use mutual TLS for service-to-service authentication.
• Minimize public exposure: Database and application servers should not have public IP addresses. Use bastion hosts or VPN for administrative access.
• Monitor network traffic: Use Longview and OS-level tools to monitor network connections, detect anomalies, and identify unauthorized access attempts.
• Implement DNS security: Add CAA records to restrict which CAs can issue certificates for your domain. Use SPF, DKIM, and DMARC records for email authentication.

Summary

Linode's networking services provide a clean, powerful foundation for building applications of any scale. VPC delivers true network isolation, NodeBalancers handle load distribution with health-aware routing, Cloud Firewall provides edge-level security, and the DNS Manager offers free authoritative DNS hosting. Combined with Akamai's global CDN and edge network, Linode gives you the networking tools to build secure, performant, globally distributed applications — all with transparent pricing and straightforward configuration that respects your time as an engineer.