VSI on VPC landing zone - Standard variation
The Standard variation of the VSI on VPC landing zone deployable architecture is based on the IBM Cloud for Financial Services reference architecture. The architecture creates a customizable and secure infrastructure, with virtual servers, to run your workloads with a Virtual Private Cloud (VPC) in multizone regions.
Architecture diagram
Design requirements
Components
VPC architecture decisions
| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| | Management VPC service | Create a separate VPC service for management and maintenance of workload resources and access through a site-to-site VPN | |
| | Workload VPC service | Create a separate VPC service as an isolated environment to support hosted applications | |
| Create virtual server instances to support management | Management virtual server instances | Create a VPC virtual server instance that can be used for management and maintenance of your hosted application. Configure ACL and security group rules to allow access to IBM Cloud services, and workload and management VPCs. | |
| Create virtual server instances to support hosted applications | Workload virtual server instances | Create a VPC virtual server instance that can act as a workload server to support hosted applications. Configure ACL and security group rules to allow access to IBM Cloud services, and workload and management VPCs. | |
| | Secure landing zone components | Create a minimum set of required components for a secure landing zone | Create a modified set of required components for a secure landing zone in preset |
Network security architecture decisions
| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| | ACL and security group rules in management VPC | Isolate environment for access through site-to-site VPN | More ports might be opened in preset or added manually after deployment |
| | ACL and security group rules in workload VPC | All ports to other VPCs are open | More ports might be opened in preset or added manually after deployment |
| Load VPN configuration to simplify VPN setup | VPNs | VPN configuration is the responsibility of the customer | |
| Collect and store Internet Protocol (IP) traffic information with Activity Tracker and Flow Logs | Activity Tracker | | |
| Securely connect to multiple networks with a site-to-site virtual private network | | | |
Key and password management architecture decisions
| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| | Public SSH key provided by customer | Ask customer to specify the key. Accept the input as secure parameter. | |
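The network security and key management decisions above (an isolated management VPC reachable only through the site-to-site VPN, a workload VPC open to the other VPC, and a customer-supplied public SSH key accepted as a secure input) can be expressed in Terraform against the IBM Cloud provider. The block below is an added example written for this page; it is not the deployable architecture's own code. All resource names, the variable names and the address ranges (`vpn_client_cidr`, `management_cidr`, `workload_cidr`) are hypothetical placeholders; the provider resource types (`ibm_is_vpc`, `ibm_is_network_acl`, `ibm_is_security_group`, `ibm_is_security_group_rule`, `ibm_is_ssh_key`) are the real ones from the IBM-Cloud/ibm provider.

```hcl
# Added example with hypothetical names; not the landing zone's own Terraform.
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

# Public SSH key supplied by the customer. Marking it sensitive keeps it out of
# plan/apply output and state diffs shown on the console; the validation rejects
# anything that is not an OpenSSH-format public key (for example a private key
# pasted by mistake).
variable "ssh_public_key" {
  description = "Customer-provided OpenSSH public key for the management VSI"
  type        = string
  sensitive   = true
  validation {
    condition     = can(regex("^(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]+=*", var.ssh_public_key))
    error_message = "ssh_public_key must be an OpenSSH public key (ssh-rsa or ssh-ed25519)."
  }
}

# Placeholder address ranges (assumed values, adjust to your own plan).
variable "vpn_client_cidr" { default = "192.168.100.0/24" } # site-to-site VPN clients
variable "management_cidr" { default = "10.10.0.0/16" }     # management VPC
variable "workload_cidr"   { default = "10.20.0.0/16" }     # workload VPC

resource "ibm_is_ssh_key" "management" {
  name       = "management-ssh-key"
  public_key = var.ssh_public_key
}

resource "ibm_is_vpc" "management" { name = "management-vpc" }
resource "ibm_is_vpc" "workload"   { name = "workload-vpc" }

# Management VPC ACL: only the VPN client range and the workload VPC may enter.
# ACL rules are evaluated in the order listed, so the explicit deny stays last.
# Attach the ACL to each management subnet via the subnet's network_acl argument.
resource "ibm_is_network_acl" "management" {
  name = "management-acl"
  vpc  = ibm_is_vpc.management.id

  rules {
    name        = "allow-vpn-inbound"
    action      = "allow"
    direction   = "inbound"
    source      = var.vpn_client_cidr
    destination = var.management_cidr
  }
  rules {
    name        = "allow-workload-inbound"
    action      = "allow"
    direction   = "inbound"
    source      = var.workload_cidr
    destination = var.management_cidr
  }
  rules {
    name        = "deny-all-inbound"
    action      = "deny"
    direction   = "inbound"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
  }
  rules {
    name        = "allow-all-outbound"
    action      = "allow"
    direction   = "outbound"
    source      = var.management_cidr
    destination = "0.0.0.0/0"
  }
}

# Management VSI security group: SSH only from the VPN client range.
resource "ibm_is_security_group" "management" {
  name = "management-sg"
  vpc  = ibm_is_vpc.management.id
}

resource "ibm_is_security_group_rule" "management_ssh_from_vpn" {
  group     = ibm_is_security_group.management.id
  direction = "inbound"
  remote    = var.vpn_client_cidr
  tcp {
    port_min = 22
    port_max = 22
  }
}

# Workload security group: all ports open to the management VPC (no protocol
# block means all protocols), matching the "All ports to other VPCs are open"
# decision. Nothing here permits inbound traffic from the public internet.
resource "ibm_is_security_group" "workload" {
  name = "workload-sg"
  vpc  = ibm_is_vpc.workload.id
}

resource "ibm_is_security_group_rule" "workload_from_management" {
  group     = ibm_is_security_group.workload.id
  direction = "inbound"
  remote    = var.management_cidr
}
```

The "More ports might be opened in preset or added manually after deployment" alternative corresponds to adding further `ibm_is_security_group_rule` resources or ACL `rules` blocks above the final deny; keeping the deny rule last and the SSH rule scoped to the VPN client range is what preserves the isolation the management VPC is meant to provide.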
Next steps
Read about IBM Cloud for Financial Services