VSI on VPC landing zone - Standard variation

The Standard variation of the VSI on VPC landing zone deployable architecture is based on the IBM Cloud for Financial Services reference architecture. The architecture creates a customizable and secure infrastructure, with virtual server instances, to run your workloads in a Virtual Private Cloud (VPC) across multizone regions.

Architecture diagram

Figure 1. Standard variation of VSI on VPC landing zone (architecture diagram)

Design requirements

Figure 2. Scope of the design requirements (design requirements diagram)

Components

VPC architecture decisions

Table 1. Architecture decisions

| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| Provide infrastructure and administration access; limit the number of infrastructure administration entry points to ensure security audit | Management VPC service | Create a separate VPC service for management and maintenance of workload resources and access through a site-to-site VPN | |
| Provide infrastructure for service management components like backup, monitoring, IT service management, and shared storage; ensure you can reach all IBM Cloud and on-premises services | Workload VPC service | Create a separate VPC service as an isolated environment to support hosted applications | |
| Create virtual server instances to support management | Management virtual server instances | Create a VPC virtual server instance that can be used for management and maintenance of your hosted application. Configure ACL and security group rules to allow access to IBM Cloud services and to the workload and management VPCs. | |
| Create virtual server instances to support hosted applications | Workload virtual server instances | Create a VPC virtual server instance that can act as a workload server to support hosted applications. Configure ACL and security group rules to allow access to IBM Cloud services and to the workload and management VPCs. | |
| Demonstrate compliance with control requirements of the IBM Cloud Framework for Financial Services; set up the network for all created services; isolate the network for all created services; ensure all created services are interconnected | Secure landing zone components | Create a minimum set of required components for a secure landing zone | Create a modified set of required components for a secure landing zone in a preset |

Network security architecture decisions

Table 2. Network security architecture decisions

| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| Isolate the management VPC and allow only a limited number of network connections; all other connections from or to the management VPC are forbidden | ACL and security group rules in management VPC | Isolate the environment for access through site-to-site VPN; all ports to other VPCs are open | More ports might be opened in a preset or added manually after deployment |
| Isolate the workload VPC and allow only a limited number of network connections; all other connections from or to the workload VPC are forbidden | ACL and security group rules in workload VPC | All ports to other VPCs are open | More ports might be opened in a preset or added manually after deployment |
| Load VPN configuration to simplify VPN setup | VPNs | VPN configuration is the responsibility of the customer | |
| Collect and store Internet Protocol (IP) traffic information with Activity Tracker and Flow Logs | Activity Tracker | Securely connect to multiple networks with a site-to-site virtual private network | |
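As an added illustration (not code from this page or from the landing zone deployable architecture), the following Python models the management VPC decision above: an ordered network ACL rule list in which the first matching rule wins and any unmatched flow is forbidden, plus an audit check that flags allow rules open to any address, which is what a preset or a manual change could introduce. The CIDRs are constructed sample values, the 161.26.0.0/16 service-endpoint range is an assumption for the example, and ports are not modeled because the page states that all ports to the other VPC are open.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample ranges; not values from the page.
VPN_CLIENTS = "10.200.0.0/24"     # site-to-site VPN peer range
MGMT_VPC = "10.10.0.0/16"         # management VPC address space
WORKLOAD_VPC = "10.20.0.0/16"     # workload VPC address space
CLOUD_SERVICES = "161.26.0.0/16"  # assumed IBM Cloud service endpoint range


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    source: str       # CIDR the packet comes from
    destination: str  # CIDR the packet goes to
    direction: str    # "inbound" (into the VPC subnet) or "outbound"


def evaluate(rules, src, dst, direction):
    """Ordered evaluation: first matching rule decides; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (r.direction == direction and s in ip_network(r.source)
                and d in ip_network(r.destination)):
            return r.action
    return "deny"  # "all other connections ... are forbidden"


def broad_allows(rules):
    """Audit check: allow rules whose source or destination is any address."""
    return [r for r in rules if r.action == "allow"
            and (ip_network(r.source).prefixlen == 0
                 or ip_network(r.destination).prefixlen == 0)]


# Management VPC: only VPN clients, the workload VPC and cloud services may talk to it.
MGMT_RULES = [
    Rule("allow", VPN_CLIENTS, MGMT_VPC, "inbound"),
    Rule("allow", MGMT_VPC, VPN_CLIENTS, "outbound"),
    Rule("allow", WORKLOAD_VPC, MGMT_VPC, "inbound"),
    Rule("allow", MGMT_VPC, WORKLOAD_VPC, "outbound"),
    Rule("allow", CLOUD_SERVICES, MGMT_VPC, "inbound"),
    Rule("allow", MGMT_VPC, CLOUD_SERVICES, "outbound"),
]

# A weakened set: one extra rule that admits inbound traffic from anywhere.
LOOSE_RULES = MGMT_RULES + [Rule("allow", "0.0.0.0/0", MGMT_VPC, "inbound")]

if __name__ == "__main__":
    print(evaluate(MGMT_RULES, "10.200.0.7", "10.10.1.4", "inbound"))   # allow
    print(evaluate(MGMT_RULES, "203.0.113.5", "10.10.1.4", "inbound"))  # deny
    print(len(broad_allows(MGMT_RULES)), len(broad_allows(LOOSE_RULES)))  # 0 1
```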

Key and password management architecture decisions

Table 3. Key and password management architecture decisions

| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| Use a public SSH key to access virtual server instances by using SSH | Public SSH key provided by customer | Ask the customer to specify the key. Accept the input as a secure parameter. | |

Next steps

Read about IBM Cloud for Financial Services