Power Virtual Server with VPC landing zone - 'Standard Variation'
The Standard deployment of the Power Virtual Server with VPC landing zone creates VPC services and a Power Virtual Server workspace and interconnects them.
A proxy service for public internet access from the PowerVS workspace is configured. You can optionally configure some management components on VPC (such as an NFS service, NTP forwarder, and DNS forwarder).
Architecture diagram
Design requirements
IBM Cloud® Power Virtual Servers (PowerVS) is a public cloud offering that an enterprise can use to establish its own private IBM Power computing environment on shared public cloud infrastructure. PowerVS is logically isolated from all other public cloud tenants and infrastructure components, creating a private, secure place on the public cloud. This deployable architecture provides a framework to build a PowerVS offering according to IBM Cloud best practices and requirements.
Components
VPC architecture decisions
| Requirement | Component | Choice | Alternative choice |
|---|---|---|---|
| | Edge VPC service with network services security group | Create a separate security group in which public internet connectivity is allowed to be configured | |
| | Edge VPC service with management security group | Create a separate security group in which SSH connectivity from outside is allowed | |
| | Client to site VPN, NFS as a service (NFSaaS) and security groups | Create a client to site VPN and VPE with full strict security group rules, without direct public internet connectivity and without direct SSH access | |
| | Linux operating system | Red Hat Enterprise Linux (RHEL) | |
| | Bastion host VPC instance | Create a Linux VPC instance that acts as a bastion host. Configure ACL and security group rules to allow SSH connectivity (port 22). Add a public IP address to the VPC instance. Allow connectivity from a restricted and limited number of public IP addresses and from the IP addresses of the Schematics engine nodes | |
| | Network services VPC instance | Create a Linux VPC instance that can host management components. Preconfigure ACL and security group rules to allow traffic over private networks only | Configure an application load balancer to act as proxy server manually; modify the number of virtual server instances and the allowed ports in the preset, or perform the modifications manually |
| | Secure landing zone components | Create a minimum set of required components for a secure landing zone | Create a modified set of required components for a secure landing zone in the preset |
PowerVS workspace architecture decisions
| Requirement | Component | Choice | Alternative choice |
|---|---|---|---|
| | Transit gateway | Set up a local transit gateway | |
| | Management network | Configure a private network with default configurations | |
| | Backup network | Configure a separate private network with default configurations. Network characteristics might be adapted by the users manually (for example, to improve throughput) | |
| | Preloaded OS images | Preload stock catalog OS images | Modify the input parameter that specifies the list of preloaded OS images |
| | Custom OS images | Import up to three images from COS into the PowerVS workspace | Modify the optional input parameters that specify the list of custom OS images and the COS configuration and credentials |
| | Preloaded SSH public key | Preload the customer-specified SSH public key | |
PowerVS management services architecture decisions
| Requirement | Component | Choice | Alternative choice |
|---|---|---|---|
| | Squid proxy | Set up Squid proxy software on a Linux virtual server instance that is running in the edge VPC | |
| | File storage shares in VPC | Use the file storage share service running in VPC. Disk size is specified by the user | |
| | NTP forwarder | Synchronize time by using public NTP servers. Set up time synchronization on a Linux virtual server instance that is running in the workload VPC | If time synchronization servers are directly reachable from the PowerVS workspace, an NTP forwarder is not required |
| | DNS forwarder | Configure a DNS forwarder on a Linux virtual server instance that is running in the edge VPC | If the default IBM Cloud DNS service is used, a DNS forwarder is not needed; direct domain name resolution is possible |
Network security architecture decisions
| Requirement | Component | Choice | Alternative choice |
|---|---|---|---|
| | VPNs | VPN configuration is the responsibility of the customer. Automation creates a client to site VPN server | |
| | Floating IPs on bastion host in management VPC | Use a floating IP on the bastion host from IBM Schematics to complete the deployment | |
| | Security group rules for management VSI | Open the following ports by default: 22 (for a limited number of IPs). All ports to the PowerVS workspace are open. All ports to other VPCs are open | More ports might be opened in the preset or added manually after deployment |
| | Security group rules in edge VPC | Separate security groups are created for each component, and only certain IPs or ports are allowed | More ports might be opened in the preset or added manually after deployment |
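As an added example (not code from the deployable architecture itself) of how to verify that deployed rules still match the bastion and management VSI decisions above, the following Python script audits a constructed set of security group rules shaped like the IBM Cloud VPC API rule objects (direction, protocol, port range, remote). The sample CIDRs and the `max_hosts` threshold are assumptions.

```python
import ipaddress

# Constructed sample rules (not from a real account) in the shape of the
# IBM Cloud VPC security group rule API: direction, protocol, port range, remote.
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "203.0.113.0/29"}},   # small admin range: OK
    {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "0.0.0.0/0"}},        # SSH from anywhere: violation
    {"direction": "inbound", "protocol": "all",
     "remote": {"cidr_block": "10.50.0.0/16"}},     # all ports from PowerVS nets: OK
    {"direction": "outbound", "protocol": "all",
     "remote": {"cidr_block": "0.0.0.0/0"}},        # egress is not audited here
]

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(net):
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)

def rule_covers_port(rule, port):
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] not in ("tcp", "udp"):
        return False
    return rule.get("port_min", 1) <= port <= rule.get("port_max", 65535)

def find_violations(rules, max_hosts=16):
    """Return (rule index, reason) for inbound rules that break the design
    decisions: SSH (22) only from a small, explicit set of public addresses,
    and wide-open 'all' protocol access only from private (RFC 1918) ranges.
    max_hosts (an assumed threshold) bounds how large a public SSH source may be."""
    violations = []
    for i, rule in enumerate(rules):
        if rule["direction"] != "inbound":
            continue
        remote = rule["remote"]
        cidr = remote.get("cidr_block") or remote.get("address")
        if cidr is None:          # remote is another security group: skip
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if not is_private(net):
            if rule_covers_port(rule, 22) and net.num_addresses > max_hosts:
                violations.append((i, f"SSH reachable from {net}"))
            if rule["protocol"] == "all":
                violations.append((i, f"all ports open from public range {net}"))
    return violations
```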
Key and password management architecture decisions
| Requirement | Component | Choice | Alternative choice |
|---|---|---|---|
| | Public SSH key - provided by customer. Private SSH key - provided by customer | Ask the customer to specify the keys. Accept the input as a secure parameter or as a reference to the key stored in IBM Cloud Secure Storage Manager. Do not print SSH keys in any log files. Do not persist the private SSH key | |
Compliance
This reference architecture is certified for SAP deployments.
Next steps
Install the SAP on Power deployable architecture on this infrastructure.