Reserved IP addresses and DNS
On DigitalOcean, we have a few Reserved IP addresses (aka "floating IP addresses"):
- 45.55.126.172 always points to a Load Balancer server (LB). Used to hot-switch Load Balancer servers.
- 167.172.0.228 production-domain-park: host and manage parked domains (mainly our redirects from other domains/sub-domains). Reserved IP is probably not needed for it.
- 45.55.99.78 points to the information-architecture.org DNS name. Used to hot-switch staging servers (e.g. the dev DB dump uses the information-architecture.org name).
Why DNS A records point to the droplet's real IP, not the Reserved IP
DNS A records for ixdf.org, www.ixdf.org, etc. point to the LB droplet's real public IP (159.89.35.233), not to the Reserved/Floating IP (45.55.126.172).
This is because DigitalOcean's Reserved IPs use NAT at the hypervisor level. When traffic arrives at a Reserved IP, DO's infrastructure performs Network Address Translation before forwarding it to the droplet. This NAT replaces the original client's source IP with a DO internal gateway IP.
Consequence for UFW/firewall: UFW on the droplet never sees the real client IP for traffic arriving via the Reserved IP — it sees DO's gateway IP instead. This means UFW deny rules for specific client IPs do not work for web traffic routed through the Reserved IP, while direct connections (like SSH to the droplet's real IP) are blocked correctly.
By pointing DNS to the droplet's real IP, client traffic arrives directly without NAT, preserving the original source IP. This allows UFW firewall deny rules (managed via Forge API by ForgeIpAddressBlocker) to work correctly for blocking malicious IPs.
The Reserved IP (45.55.126.172) is kept solely for hot-switching — if the LB droplet needs to be replaced, the Reserved IP can be reassigned to a new droplet instantly without waiting for DNS propagation.
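As an added check (not part of the original page), a small Python script that flags any public A record drifting back to a Reserved IP, since such traffic would be NATed and UFW deny rules on the droplet would no longer match the real client IP. The hostname list and the live-resolution helper are assumptions; the IPs are the ones listed above.

```python
# Added example, not the page's own tooling: verify that the public A records
# still point at the LB droplet's real IP rather than at a Reserved IP.
# A record that resolves to a Reserved IP means DigitalOcean NATs the traffic,
# so UFW on the droplet sees DO's gateway IP instead of the client IP and
# per-client deny rules (ForgeIpAddressBlocker) silently stop working.
import socket
from typing import Dict, List

# IP values taken from the page; the checked hostnames are an assumption.
RESERVED_IPS = {"45.55.126.172", "167.172.0.228", "45.55.99.78"}
LB_REAL_IP = "159.89.35.233"
PUBLIC_HOSTS = ["ixdf.org", "www.ixdf.org"]


def classify_records(records: Dict[str, List[str]]) -> Dict[str, str]:
    """Return a verdict per hostname from its list of A-record IPs.

    "ok"         : every A record is the LB droplet's real IP
    "reserved"   : at least one A record is a Reserved IP (client IP gets NATed)
    "unresolved" : no A records at all (lookup failed or record missing)
    "unknown"    : at least one A record is some other address
    """
    verdicts: Dict[str, str] = {}
    for host, ips in records.items():
        if not ips:
            verdicts[host] = "unresolved"
        elif any(ip in RESERVED_IPS for ip in ips):
            verdicts[host] = "reserved"
        elif all(ip == LB_REAL_IP for ip in ips):
            verdicts[host] = "ok"
        else:
            verdicts[host] = "unknown"
    return verdicts


def resolve_live(hosts: List[str]) -> Dict[str, List[str]]:
    """Resolve A records with the system resolver (requires network access)."""
    result: Dict[str, List[str]] = {}
    for host in hosts:
        try:
            result[host] = sorted(socket.gethostbyname_ex(host)[2])
        except socket.gaierror:
            result[host] = []
    return result


if __name__ == "__main__":
    for host, verdict in classify_records(resolve_live(PUBLIC_HOSTS)).items():
        print(f"{host}: {verdict}")
```

Run it from a cron job or CI step and alert on anything other than "ok"; the "reserved" verdict is the one that indicates the firewall blocking described above has stopped seeing real client IPs.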