I don't know if it's well known, but the so-called 'private' interfaces DO offers aren't really private. Any other machine in the same datacenter can access your services.
So if you have a redis/mongo/... server listening in your 'private' network, I'd suggest you secure your internal services using a firewall (and droplan is a pretty simple tool to do so automatically).
Hadn't heard of ipset before, but yeah, that seems to be a cleaner way to do this. Maybe open a feature request?
From what I can tell, there are still a few minor details to be etched out in droplan (e.g. running as background service to avoid rewriting the rules every time, ...), but it seems to do its job reasonably well (been using it for roughly two months now).
I'm not affiliated with the project (I only did a PR once involving the Dockerfile).
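
The allowlist idea discussed in this thread, sketched with ipset as an added example (not code from droplan or from any commenter): the script only prints the commands, building the peer list in a temporary set and swapping it in so the iptables rules never need rewriting. The interface name `eth1`, the set name `private-peers` and the peer addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example: print (do not apply) ipset/iptables commands that restrict a
# private interface to a known peer list. All names and IPs are assumptions.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules IFACE SETNAME PEER...
# Emit commands that accept traffic on IFACE only from the listed peers.
gen_rules() {
    iface=$1; set_name=$2
    shift 2
    # Fill a temporary set, then swap it in atomically: membership changes
    # without touching the iptables rules that reference the live set.
    echo "ipset create $set_name hash:ip -exist"
    echo "ipset create ${set_name}-new hash:ip -exist"
    echo "ipset flush ${set_name}-new"
    for peer in "$@"; do
        if is_ipv4 "$peer"; then
            echo "ipset add ${set_name}-new $peer -exist"
        else
            echo "# skipped invalid peer: $peer"
        fi
    done
    echo "ipset swap ${set_name}-new $set_name"
    echo "ipset destroy ${set_name}-new"
    # One-time rules: replies to our own connections, allowlisted peers,
    # then drop everything else arriving on the private interface.
    echo "iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $iface -m set --match-set $set_name src -j ACCEPT"
    echo "iptables -A INPUT -i $iface -j DROP"
}

# Constructed sample input: two peer addresses and one malformed entry.
gen_rules eth1 private-peers 10.132.0.2 10.132.0.3 10.132.0.999
```

Review the printed commands before piping them to a root shell; the three `iptables` lines are meant to be applied once, while the `ipset` lines can be re-run whenever the peer list changes.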