VSI on VPC landing zone - QuickStart variation
The QuickStart variation of the VSI on VPC landing zone deployable architecture creates a fully customizable Virtual Private Cloud (VPC) environment in a single region. The solution provides virtual servers in a secure VPC for your workloads. The QuickStart variation is designed to deploy quickly for demonstration and development.
Architecture diagram
Design requirements
Components
VPC architecture decisions
| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| | Management VPC service | Create a separate VPC service where SSH connectivity from outside is allowed | |
| | Workload VPC service | Create a separate VPC service as an isolated environment, without direct public internet connectivity and without direct SSH access | |
| Create a virtual server instance to support hosted applications | Workload virtual server instance | Create a VPC virtual server instance that can act as a workload server to support hosted applications. Configure ACL and security group rules to allow access to IBM Cloud services and to the Workload and Management VPCs. | |
| Create a virtual server instance as the only management access point to the environment | Jump box host VPC instance | Create a Linux VPC instance that acts as a jump box host. Configure ACL and security group rules to allow SSH connectivity (port 22). Add a public IP address to the VPC instance. | |
| | Secure landing zone components | Create a minimum set of required components for a secure landing zone | Create a modified set of required components for a secure landing zone in a preset |
Network security architecture decisions
| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| | ACL and security group rules in management VPC | Open the following ports by default: 22 (for a limited number of IPs). All ports to other VPCs are open. | More ports might be opened in a preset or added manually after deployment |
| | ACL and security group rules in workload VPC | Allow connectivity for IBM Cloud services, the Workload VPC and the Management VPC | More ports might be opened in a preset or added manually after deployment |
| Enable floating IP on jump box host | Floating IP on jump box host in management VPC | Use a floating IP on the jump box host for administration access | |
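The two rule decisions above are easy to state and easy to drift from after deployment. The following added Python example (it is not code from the IBM deployable architecture) audits a simplified list of inbound rules against them: the workload VPC accepts inbound traffic only from the Management VPC, the Workload VPC and IBM Cloud service ranges, while the management VPC exposes only port 22 to external sources and only from narrow source ranges. The VPC CIDRs, the IBM Cloud service range, the `/24` threshold used to define "a limited number of IPs" and the rule records themselves are constructed assumptions for the example, not values taken from the architecture.

```python
"""Audit inbound ACL/security group rules against the QuickStart landing zone decisions.

Added example; not code from the IBM deployable architecture. The rule records
are a constructed, simplified representation (vpc, direction, protocol, port
range, remote CIDR), not IBM Cloud API output.
"""
import ipaddress

# Constructed address plan (assumptions for this example only).
MANAGEMENT_CIDR = "10.10.0.0/16"
WORKLOAD_CIDR = "10.20.0.0/16"
IBM_SERVICE_CIDRS = ["161.26.0.0/16"]  # assumed IBM Cloud service endpoint range
TRUSTED_CIDRS = [MANAGEMENT_CIDR, WORKLOAD_CIDR, *IBM_SERVICE_CIDRS]
# "Limited number of IPs" for SSH into the management VPC: assume a /24 or narrower.
MIN_SSH_SOURCE_PREFIXLEN = 24

# Constructed sample rules; rules 4 and 5 violate the design decisions.
SAMPLE_RULES = [
    {"vpc": "management", "direction": "inbound", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "remote": "203.0.113.0/24"},
    {"vpc": "management", "direction": "inbound", "protocol": "all",
     "port_min": 1, "port_max": 65535, "remote": WORKLOAD_CIDR},
    {"vpc": "workload", "direction": "inbound", "protocol": "all",
     "port_min": 1, "port_max": 65535, "remote": MANAGEMENT_CIDR},
    {"vpc": "workload", "direction": "inbound", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "remote": "0.0.0.0/0"},
    {"vpc": "management", "direction": "inbound", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "remote": "0.0.0.0/0"},
    {"vpc": "workload", "direction": "outbound", "protocol": "all",
     "port_min": 1, "port_max": 65535, "remote": "0.0.0.0/0"},
]


def remote_is_trusted(remote, trusted=TRUSTED_CIDRS):
    """True if `remote` lies entirely inside one of the trusted VPC/service ranges."""
    net = ipaddress.ip_network(remote, strict=False)
    for cidr in trusted:
        t = ipaddress.ip_network(cidr)
        if net.version == t.version and net.subnet_of(t):
            return True
    return False


def is_ssh_only(rule):
    """True if the rule permits exactly TCP port 22 and nothing else."""
    return rule["protocol"] == "tcp" and rule["port_min"] == 22 and rule["port_max"] == 22


def check_rules(rules):
    """Return human-readable findings; an empty list means the rules match the design."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r["direction"] != "inbound":
            continue  # outbound filtering is not covered by the decisions above
        desc = f"rule {i} ({r['vpc']} {r['protocol']} {r['port_min']}-{r['port_max']} from {r['remote']})"
        if remote_is_trusted(r["remote"]):
            continue  # VPC-to-VPC and IBM Cloud service traffic is allowed on all ports
        if r["vpc"] == "workload":
            findings.append(f"{desc}: workload VPC must not accept inbound traffic from outside the landing zone")
        elif not is_ssh_only(r):
            findings.append(f"{desc}: only port 22 may be exposed to external sources in the management VPC")
        elif ipaddress.ip_network(r["remote"], strict=False).prefixlen < MIN_SSH_SOURCE_PREFIXLEN:
            findings.append(f"{desc}: SSH source range is broader than the allowed /{MIN_SSH_SOURCE_PREFIXLEN}")
    return findings


if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print(finding)
```

Run against the constructed rules it reports two findings: the workload VPC rule that admits SSH from anywhere, and the management VPC rule that opens port 22 to `0.0.0.0/0`. Feeding it the real rule set exported after deployment turns the table's "reasons for choice" into a check that can be repeated whenever a preset or a manual change widens the rules.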
Key and password management architecture decisions
| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| | Public SSH key provided by customer | Ask the customer to specify the key. Accept the input as a secure parameter. | |
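The SSH public key is the one customer-supplied secret-adjacent input in this architecture, so it deserves an input check before it reaches the jump box. The added Python example below is not part of the deployable architecture, and the function and constant names are mine. It accepts only a single-line OpenSSH public key, decodes the base64 body, confirms that the key type encoded inside the blob matches the declared type, and rejects private key material pasted by mistake. The sample key is constructed from an all-zero 32-byte point purely to exercise the parser; it is not a real key.

```python
"""Validate a customer-supplied OpenSSH public key before accepting it as a parameter.

Added example; not code from the IBM deployable architecture. Names such as
validate_public_key and ALLOWED_KEY_TYPES are choices made for this example.
"""
import base64
import binascii
import struct

# Key types accepted for the jump box (assumed policy for this example).
ALLOWED_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length prefix) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[start:end], end


def validate_public_key(value, allowed=ALLOWED_KEY_TYPES):
    """Return (ok, detail): detail is the key type on success, a reason on failure."""
    text = value.strip()
    if "PRIVATE KEY" in text:
        return False, "private key material supplied where a public key was expected"
    parts = text.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    if key_type not in allowed:
        return False, f"unsupported key type {key_type!r}"
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False, "key body is not valid base64"
    try:
        wire_type, offset = _read_string(blob, 0)
        key_body, offset = _read_string(blob, offset)  # ed25519: the 32-byte point
    except ValueError as exc:
        return False, f"malformed key blob: {exc}"
    # The blob's own type field must agree with the declared type; a mismatch
    # means the two halves came from different keys or were edited by hand.
    if wire_type != key_type.encode():
        return False, "key type in blob does not match declared type"
    if key_type == "ssh-ed25519" and len(key_body) != 32:
        return False, "ed25519 public key must be 32 bytes"
    return True, key_type


def make_sample_ed25519_key(comment="user@example"):
    """Build a syntactically valid ssh-ed25519 line from a constructed all-zero point.

    This is NOT a real key; it exists only so the validator can be exercised offline.
    """
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    print(validate_public_key(make_sample_ed25519_key()))
    print(validate_public_key("-----BEGIN OPENSSH PRIVATE KEY-----"))
```

The mismatch check matters more than it looks: a key whose declared type and encoded type disagree is exactly the kind of corrupted paste that an `authorized_keys` parser silently ignores, leaving the jump box without any working key after deployment.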