IBM Cloud Docs
VSI on VPC landing zone - QuickStart variation

The QuickStart variation of the VSI on VPC landing zone deployable architecture creates a fully customizable Virtual Private Cloud (VPC) environment in a single region. The solution provides virtual servers in a secure VPC for your workloads. The QuickStart variation is designed to deploy quickly for demonstration and development.

Architecture diagram

Figure 1. Architecture diagram for the QuickStart variation of VSI on VPC landing zone

Design requirements

Figure 2. Scope of the design requirements for VSI on VPC landing zone

Components

VPC architecture decisions

Table 1. Architecture decisions

Requirement:
  • Provide infrastructure/application administration access to monitor, operate, and maintain the environment.
  • Limit the number of infrastructure/application administration entry points so that access can be audited.
Component: Management VPC service
Reasons for choice: Create a separate VPC service in which SSH connectivity from outside is allowed.

Requirement:
  • Provide compute, storage, and network services to support hosted applications and operations that deliver services to the consumer.
  • Ensure that IBM Cloud services, the Workload VPC, and the Management VPC are reachable.
Component: Workload VPC service
Reasons for choice: Create a separate VPC service as an isolated environment, without direct public internet connectivity and without direct SSH access.

Requirement: Create a virtual server instance to support hosted applications.
Component: Workload virtual server instance
Reasons for choice: Create a VPC virtual server instance that can act as a workload server to support hosted applications. Configure ACL and security group rules to allow access to IBM Cloud services and to the Workload and Management VPCs.

Requirement: Create a virtual server instance as the only management access point to the environment.
Component: Jump box host VPC instance
Reasons for choice: Create a Linux VPC instance that acts as a jump box host. Configure ACL and security group rules to allow SSH connectivity (port 22). Add a public IP address to the VPC instance.

Requirement:
  • Set up the network for all created services.
  • Isolate the network for all created services.
  • Ensure that all created services are interconnected.
Component: Secure landing zone components
Reasons for choice: Create the minimum set of components that are required for a secure landing zone.
Alternative choice: Create a modified set of required components for a secure landing zone in a preset.

Network security architecture decisions

Table 2. Network security architecture decisions

Requirement:
  • Isolate the management VPC and allow SSH network connections from the public network.
  • Forbid all other connections from or to the management VPC, except for IBM Cloud services and the Workload VPC.
Component: ACL and security group rules in the management VPC
Reasons for choice: Open the following ports by default: 22 (for a limited number of IP addresses). All ports to the other VPC are open.
Alternative choice: More ports might be opened in a preset or added manually after deployment.

Requirement:
  • Isolate the workload VPC and allow only a limited number of network connections.
  • Forbid all other connections from or to the workload VPC.
Component: ACL and security group rules in the workload VPC
Reasons for choice: Allow connectivity for IBM Cloud services, the Workload VPC, and the Management VPC.
Alternative choice: More ports might be opened in a preset or added manually after deployment.

Requirement: Enable a floating IP address on the jump box host.
Component: Floating IP address on the jump box host in the management VPC
Reasons for choice: Use the floating IP address on the jump box host for administration access.
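The rules in Table 2 are easy to state and easy to drift away from after deployment (an extra admin port, SSH opened to 0.0.0.0/0, unrestricted egress). The following Python audit, added here as an example and not part of IBM's landing-zone code, encodes the management and workload decisions as checks over a list of security-group rules and reports every rule that falls outside them. The Rule shape, the VPC and administrator CIDRs, and the sample rule sets are constructed for illustration; the IBM service endpoint ranges are an assumption and should be verified against the currently published ranges for your region.

```python
"""
Audit security-group rules against the Table 2 decisions: the management VPC
exposes only TCP/22, and only to an allow-list of administrator CIDRs, while all
ports stay open between the two VPCs and egress is limited to the workload VPC
and IBM Cloud services; the workload VPC has no public entry point at all.
Added example, not IBM's landing-zone code; all addressing is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_min: int    # 1 and 65535 together mean "all ports"
    port_max: int
    remote: str      # CIDR the rule matches


# Constructed addressing (assumed for this example).
MANAGEMENT_CIDR = "10.10.0.0/16"
WORKLOAD_CIDR = "10.20.0.0/16"
ADMIN_CIDRS = ("203.0.113.0/24",)   # the "limited number of IPs" allowed to SSH
# IBM Cloud service endpoint ranges as used in VPC ACL examples; assumed here,
# so verify them against the currently published ranges before relying on them.
IBM_SERVICE_CIDRS = ("161.26.0.0/16", "166.8.0.0/14")


def _within(remote, cidrs):
    """True when `remote` lies entirely inside one of `cidrs`."""
    net = ip_network(remote)
    return any(net.subnet_of(ip_network(c)) for c in cidrs)


def _is_ssh_only(rule):
    return rule.protocol == "tcp" and rule.port_min == 22 and rule.port_max == 22


def _finding(vpc, r):
    verb = "from" if r.direction == "inbound" else "to"
    return (f"{vpc}: {r.direction} {r.protocol} {r.port_min}-{r.port_max} "
            f"{verb} {r.remote} is outside the documented decision")


def audit_management(rules):
    """Return findings for the management VPC; an empty list means compliant."""
    findings = []
    for r in rules:
        if r.direction == "inbound":
            ok = _within(r.remote, (WORKLOAD_CIDR,)) or (
                _is_ssh_only(r) and _within(r.remote, ADMIN_CIDRS))
        else:
            ok = _within(r.remote, (WORKLOAD_CIDR,) + IBM_SERVICE_CIDRS)
        if not ok:
            findings.append(_finding("management", r))
    return findings


def audit_workload(rules):
    """Return findings for the workload VPC: only VPC-to-VPC traffic inbound,
    and only the two VPCs plus IBM Cloud services outbound."""
    findings = []
    for r in rules:
        allowed = (MANAGEMENT_CIDR, WORKLOAD_CIDR)
        if r.direction == "outbound":
            allowed += IBM_SERVICE_CIDRS
        if not _within(r.remote, allowed):
            findings.append(_finding("workload", r))
    return findings


# Weak setting: SSH open to the whole internet, an extra admin port, open egress.
WEAK_MANAGEMENT = [
    Rule("inbound", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("inbound", "tcp", 3389, 3389, "203.0.113.0/24"),
    Rule("outbound", "all", 1, 65535, "0.0.0.0/0"),
]
# Corrected setting that matches Table 2.
HARDENED_MANAGEMENT = [
    Rule("inbound", "tcp", 22, 22, "203.0.113.0/24"),
    Rule("inbound", "all", 1, 65535, WORKLOAD_CIDR),
    Rule("outbound", "all", 1, 65535, WORKLOAD_CIDR),
    Rule("outbound", "tcp", 443, 443, "166.8.0.0/14"),
    Rule("outbound", "udp", 53, 53, "161.26.0.0/16"),
]
HARDENED_WORKLOAD = [
    Rule("inbound", "all", 1, 65535, MANAGEMENT_CIDR),
    Rule("inbound", "all", 1, 65535, WORKLOAD_CIDR),
    Rule("outbound", "all", 1, 65535, MANAGEMENT_CIDR),
    Rule("outbound", "tcp", 443, 443, "166.8.0.0/14"),
]
WEAK_WORKLOAD = HARDENED_WORKLOAD + [Rule("inbound", "tcp", 80, 80, "0.0.0.0/0")]

if __name__ == "__main__":
    for name, found in (("weak management", audit_management(WEAK_MANAGEMENT)),
                        ("hardened management", audit_management(HARDENED_MANAGEMENT)),
                        ("weak workload", audit_workload(WEAK_WORKLOAD)),
                        ("hardened workload", audit_workload(HARDENED_WORKLOAD))):
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The audit is deliberately an allow-list: a rule is compliant only when it matches one of the documented exceptions, so anything new (a preset that opens more ports, a manual change after deployment) shows up as a finding until the policy encoded here is updated to match the decision record.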

Key and password management architecture decisions

Table 3. Key and password management architecture decisions

Requirement: Use a public SSH key to access virtual server instances by using SSH.
Component: Public SSH key provided by the customer
Reasons for choice: Ask the customer to specify the key. Accept the input as a secure parameter.
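Accepting the public key as a secure parameter protects it in transit and in state, but it does not check that what the customer pasted is actually a usable public key. The Python validator below is an added example, not IBM's code, showing the structural checks a deployment front end can run before handing the value on: reject private-key material pasted by mistake, accept only listed algorithms, confirm the base64 blob decodes and that the algorithm name encoded inside it matches the text prefix, and enforce a minimum RSA modulus size. The accepted algorithm list and the 2048-bit threshold are choices made for this example, and the sample keys are constructed wire-format blobs, not real key pairs.

```python
"""
Structural validation of one OpenSSH public-key line supplied as a parameter.
Added example, not IBM code. The accepted types and MIN_RSA_BITS are choices
made for this example; the sample inputs are constructed, not real keys.
"""
import base64
import struct

ACCEPTED_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MIN_RSA_BITS = 2048


def _read_string(raw, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if len(raw) < offset + 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", raw[offset:offset + 4])
    end = offset + 4 + n
    if len(raw) < end:
        raise ValueError("truncated key blob")
    return raw[offset + 4:end], end


def validate_public_key(line):
    """Return (ok, reason) for one authorized_keys-style line."""
    if "PRIVATE KEY" in line:
        return False, "private key material was supplied instead of a public key"
    parts = line.strip().split()
    if len(parts) < 2:
        return False, "expected '<type> <base64 blob> [comment]'"
    key_type, blob = parts[0], parts[1]
    if key_type not in ACCEPTED_TYPES:
        return False, f"key type {key_type!r} is not accepted"
    try:
        raw = base64.b64decode(blob, validate=True)
        encoded_type, pos = _read_string(raw, 0)
        if encoded_type != key_type.encode():
            return False, "encoded algorithm does not match the key type prefix"
        if key_type == "ssh-rsa":
            _, pos = _read_string(raw, pos)         # public exponent e (mpint)
            modulus, _ = _read_string(raw, pos)     # modulus n (mpint)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"RSA modulus is {bits} bits; minimum is {MIN_RSA_BITS}"
    except ValueError as exc:   # binascii.Error (bad base64) is a ValueError
        return False, f"malformed key blob: {exc}"
    return True, "ok"


def _encode_blob(*fields):
    """Build a base64 wire-format blob; used only to construct sample inputs."""
    body = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(body).decode()


# Constructed sample inputs (structurally valid, cryptographically meaningless).
SAMPLE_ED25519 = "ssh-ed25519 " + _encode_blob(b"ssh-ed25519", b"\x11" * 32) + " admin@example"
SAMPLE_RSA_2048 = "ssh-rsa " + _encode_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 256)
SAMPLE_RSA_1024 = "ssh-rsa " + _encode_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128)
SAMPLE_MISMATCH = "ssh-ed25519 " + _encode_blob(b"ssh-rsa", b"\x11" * 32)
SAMPLE_PRIVATE = "-----BEGIN OPENSSH PRIVATE KEY-----"

if __name__ == "__main__":
    for label, sample in (("ed25519", SAMPLE_ED25519), ("rsa-2048", SAMPLE_RSA_2048),
                          ("rsa-1024", SAMPLE_RSA_1024), ("mismatch", SAMPLE_MISMATCH),
                          ("private", SAMPLE_PRIVATE)):
        print(label, validate_public_key(sample))
```

The validator never logs the key material itself, only the reason a value was rejected, so it can sit in front of the secure parameter without leaking what the customer supplied into deployment logs.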