VPC reference architecture for IBM Cloud for Financial Services

IBM Cloud® Virtual Private Cloud (VPC) is a public cloud offering that lets an enterprise establish its own private cloud-like computing environment on shared public cloud infrastructure. A VPC gives an enterprise the ability to define and control a virtual network that is logically isolated from all other public cloud tenants, creating a private, secure place on the public cloud. The VPC reference architecture for the IBM Cloud for Financial Services is designed to provide a framework for building a VPC-based offering according to the best practices and requirements of the IBM Cloud Framework for Financial Services. We detail this architecture and provide guidance for deploying, configuring, and managing it.

Architecture diagram

Figure 1. High-level VPC reference architecture for IBM Cloud for Financial Services

Central to the architecture are two VPCs, which provide for separation of concerns between provider management functionality and consumer workloads.

Management VPC
Provides compute, storage, and network services that enable the application provider's administrators to monitor, operate, and maintain the environment.
Workload VPC
Provides compute, storage, and network services to support hosted applications and operations that deliver services to the consumer.

Other key features to note:

Variation with edge or transit VPC for public internet access

The architecture in the previous section is the most secure way of enabling consumers to access the applications that are running in a workload VPC. However, there might be valid cases where it is desirable to allow consumers to access your service through the public internet. The same base architecture can be adapted to securely enable this type of access.

Figure 2. High-level VPC reference architecture with edge/transit VPC for IBM Cloud for Financial Services

The revised architecture adds:

  • IBM Cloud® Internet Services (CIS) to provide global load balancing and layer 3/4 protection against distributed denial-of-service (DDoS) attacks.
  • Virtual network firewall software in the workload VPC to provide web application firewall (WAF) protection and layer 7 protection against denial-of-service (DoS) attacks.

See VPC architecture with virtual servers for more details on this variation.

Financial Services Validated services

Deploying the reference architecture depends upon VPC infrastructure and PaaS services that are IBM Cloud for Financial Services Validated. This means that they have evidenced compliance to the controls of the IBM Cloud Framework for Financial Services. Financial Services Validated services are designed to help address the requirements of financial institutions for regulatory compliance, security, and resiliency. When properly configured and managed, services that are Financial Services Validated work together so you can deliver a solution that conforms to the best practices of the IBM Cloud Framework for Financial Services.

Generally speaking, you should strive to use only services which are Financial Services Validated in your solutions. However, depending on your circumstance there may be exceptions. See the best practice Use only services that are IBM Cloud for Financial Services Validated for more details and potential exceptions.

Table 1. Required and optional services for VPC reference architecture
Category Required services Optional services
Compute [1]
Containers [4]
Networking - VPC infrastructure
Networking - interconnectivity
Storage
Security
Logging and monitoring
Integration
Developer tools

The remainder of this section goes into more detail about how these services fit into the reference architecture.

Compute

Virtual Servers for VPC

Virtual Servers for VPC is an infrastructure-as-a-service (IaaS) offering that gives you access to all of the benefits of VPC, including network isolation, security, and flexibility. You can quickly provision instances with high network performance. When you provision an instance, you select a profile that matches the amount of memory and compute power that you need for the application that you plan to run on the instance. Instances are available on the x86 architecture.

Dedicated hosts for VPC (optional)

You can optionally use dedicated hosts for VPC. You can create a dedicated host to carve out a single-tenant compute node, free from users outside of your organization. Within that dedicated space, you can create virtual server instances according to your needs. Additionally, you can create dedicated host groups that contain dedicated hosts for a specific purpose. Because a dedicated host is a single-tenant space, only users within your account that have the required permissions can create instances on the host.

Dedicated hosts are highly recommended when you use virtual servers -- particularly for any parts of your application that process regulated data and keep it in memory.

IBM Cloud Auto Scale for VPC (optional)

With Auto Scale for VPC, you can improve performance and control costs by dynamically creating virtual server instances to meet the demands of your environment. You set scaling policies that define your desired average utilization for metrics like CPU, memory, and network usage. The policies that you define determine when virtual server instances are added to or removed from your instance group. Auto Scale for VPC is highly recommended if you are using virtual servers.

Containers

Red Hat OpenShift on IBM Cloud

Red Hat OpenShift on IBM Cloud is a managed offering to create your own Red Hat OpenShift on IBM Cloud cluster of compute hosts to deploy and manage containerized apps on IBM Cloud. Red Hat OpenShift on IBM Cloud provides intelligent scheduling, self-healing, horizontal scaling, service discovery and load balancing, automated rollouts and rollbacks, and secret and configuration management for your apps. Combined with an intuitive user experience, built-in security and isolation, and advanced tools to secure, manage, and monitor your cluster workloads, you can rapidly deliver highly available and secure containerized apps in the public cloud.

In practice, when you choose Red Hat OpenShift on IBM Cloud for your primary compute, you might also need one or more instances of Virtual Servers for VPC for other parts of the reference architecture.

IBM Cloud Container Registry

Container Registry provides a multi-tenant, highly available, scalable, and encrypted private image registry that is hosted and managed by IBM®. When you push images to Container Registry, you benefit from the built-in Vulnerability Advisor features that scan for potential security issues and vulnerabilities.

Networking - VPC infrastructure

IBM Cloud Application Load Balancer for VPC

Use Application Load Balancer for VPC (ALB) to distribute traffic among multiple server instances within the same region of your VPC. You can create a public or private ALB.

Network Load Balancer for VPC (NLB) is also IBM Cloud for Financial Services Validated, but does not span zones. So, NLBs are not typically used in applications where high availability is needed.

IBM Cloud Virtual Private Network (VPN) for VPC

Use the VPN for VPC service to securely connect your VPC to another private network. Use a static, route-based VPN or a policy-based VPN to set up an IPsec site-to-site tunnel between your VPC and your on-premises private network, or another VPC.

VPN for VPC is required to connect to the management VPC if not using Direct Link.

IBM Cloud DNS Services

DNS Services provides private DNS to VPC users. Private DNS zones are resolvable only on IBM Cloud, and only from explicitly permitted networks in an account.

IBM Cloud Virtual Private Endpoint (VPE) for VPC

With IBM Cloud Virtual Private Endpoint (VPE) for VPC you can connect to supported IBM Cloud services from your VPC network by using IP addresses of your choosing, which are allocated from a subnet within your VPC.

VPE is an evolution of private connectivity to IBM Cloud services. VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per-service, or per-service-instance, basis (depending on the service operation model). The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communication between virtual server instances within your VPC and IBM Cloud services over the private backbone, so the traffic never traverses the public internet. VPE for VPC gives you the experience of controlling all the private addressing within your cloud.

Networking - Interconnectivity

IBM Cloud Transit Gateway

As the number of your VPCs grows, you need an easy way to manage the interconnection between these resources across multiple regions. Transit Gateway is designed specifically for this purpose, and is the means for connecting your management VPC to your workload VPC.

Storage

Block Storage for VPC

Block Storage for VPC provides hypervisor-mounted, high-performance data storage for your virtual server instances that you can provision within a VPC. The VPC infrastructure provides rapid scaling across zones and extra performance and security.

Block Storage for VPC is used for both primary boot volumes and secondary data volumes. Boot volumes are automatically created and attached during instance provisioning. Data volumes can be created and attached during instance provisioning as well, or as stand-alone volumes that you can later attach to an instance. To protect your data, you should use KYOK encryption with Hyper Protect Crypto Services.

IBM Cloud Object Storage

Object Storage stores encrypted and dispersed data across multiple geographic locations. Object Storage is available with three types of resiliency: Cross Region, Regional, and Single Data Center. Cross Region provides higher durability and availability than using a single region at the cost of slightly higher latency. Regional service reverses those tradeoffs, and distributes objects across multiple availability zones within a single region. If a given region or availability zone is unavailable, the object store continues to function without impediment. Single Data Center distributes objects across multiple machines within the same physical location.

Users of Object Storage refer to their binary data, such as files, images, media, archives, or even entire databases as objects. Objects are stored in a bucket, the container for their unstructured data. Buckets contain both inherent and user-defined metadata. Finally, objects are defined by a globally unique combination of the bucket name and the object key, or name.

Security

IBM Cloud Hyper Protect Crypto Services

Hyper Protect Crypto Services is a dedicated key management service and hardware security module (HSM) based on IBM Cloud. This service allows you to take the ownership of the cloud HSM to fully manage your encryption keys and to perform cryptographic operations using Keep Your Own Key (KYOK). Hyper Protect Crypto Services is also the only service in the cloud industry that is built on FIPS 140-2 Level 4-certified hardware.

IBM Cloud App ID (optional)

App ID helps developers easily add authentication to their web and mobile apps with a few lines of code, and secure their cloud-native applications and services on IBM Cloud.

Logging and monitoring

IBM Cloud Activity Tracker Event Routing

Activity Tracker Event Routing is used to collect auditable platform events that are generated by services in your IBM Cloud account. These events allow you to monitor the activity of your IBM Cloud account so that you can investigate abnormal activity and critical actions.

Activity Tracker Event Routing provides for either event routing or hosted event search. However, only the event routing features of Activity Tracker Event Routing are Financial Services Validated. In regions where it's available, you must configure Activity Tracker Event Routing to send events to Object Storage, where they must be encrypted with KYOK.

Activity Tracker Event Routing is only available in some regions (see Locations for Activity Tracker Event Routing event routing for more details). For regions where it's not available, you must use Activity Tracker Event Routing hosted event search until Activity Tracker Event Routing is available. When event routing becomes available in those regions, you must switch to use event routing. For more information and possible exceptions, see Use only services that are IBM Cloud for Financial Services Validated.
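The two sections above describe routing auditable platform events to Object Storage so that abnormal activity and critical actions can be investigated. The following is an added example, not code from the IBM Cloud documentation or from IBM, of a small triage pass over routed Activity Tracker events. It assumes the events are newline-delimited JSON in the CADF-style shape IBM Cloud emits (top-level `action`, `outcome`, `severity`, `eventTime`, with `initiator.name` and `target.name`); the action strings, principal names, resource names and the `DESTRUCTIVE_SUFFIXES` rule set are constructed for the example and are not a published list.

```python
"""Triage routed IBM Cloud Activity Tracker events (added example, not IBM code).

Assumptions: one CADF-style JSON event per line with "action", "outcome",
"severity", "eventTime", "initiator" {"name"} and "target" {"name"}.
The sample events, action names and suffix rules below are constructed.
"""
import json
from collections import Counter

# Constructed sample events as they would be read back from the bucket.
SAMPLE_EVENTS = [
    json.dumps({"eventTime": "2024-01-01T09:00:00.00+0000", "action": "iam-identity.apikey.create",
                "outcome": "success", "severity": "normal",
                "initiator": {"name": "alice@example.com"}, "target": {"name": "ci-key"}}),
    json.dumps({"eventTime": "2024-01-01T09:05:00.00+0000", "action": "kms.secrets.delete",
                "outcome": "success", "severity": "critical",
                "initiator": {"name": "bob@example.com"}, "target": {"name": "root-key-1"}}),
    json.dumps({"eventTime": "2024-01-01T09:06:00.00+0000", "action": "is.security-group.security-group-rule.delete",
                "outcome": "success", "severity": "normal",
                "initiator": {"name": "carol@example.com"}, "target": {"name": "sg-workload"}}),
    json.dumps({"eventTime": "2024-01-01T09:10:00.00+0000", "action": "is.instance.instance.create",
                "outcome": "failure", "severity": "warning",
                "initiator": {"name": "svc-id-deploy"}, "target": {"name": "vsi-1"}}),
    json.dumps({"eventTime": "2024-01-01T09:10:05.00+0000", "action": "is.instance.instance.create",
                "outcome": "failure", "severity": "warning",
                "initiator": {"name": "svc-id-deploy"}, "target": {"name": "vsi-1"}}),
    json.dumps({"eventTime": "2024-01-01T09:10:10.00+0000", "action": "is.instance.instance.create",
                "outcome": "failure", "severity": "warning",
                "initiator": {"name": "svc-id-deploy"}, "target": {"name": "vsi-1"}}),
    json.dumps({"eventTime": "2024-01-01T09:15:00.00+0000", "action": "cloud-object-storage.bucket.list",
                "outcome": "success", "severity": "normal",
                "initiator": {"name": "alice@example.com"}, "target": {"name": "audit-bucket"}}),
]

# Constructed rule set: successful actions with these verb suffixes are
# worth a second look even when the service rated them "normal".
DESTRUCTIVE_SUFFIXES = (".delete", ".disable")
FAILURE_THRESHOLD = 3  # repeated failures by one principal within the file


def parse_events(lines):
    """Parse newline-delimited JSON events, skipping blank lines."""
    events = []
    for line in lines:
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def triage(events, failure_threshold=FAILURE_THRESHOLD):
    """Return (kind, initiator, action, target) findings for review.

    Kinds: "critical-severity" (service-rated), "destructive-action"
    (successful delete/disable), "repeated-failures" (per initiator).
    """
    findings = []
    failures = Counter()
    for e in events:
        action = e.get("action", "")
        who = e.get("initiator", {}).get("name", "unknown")
        target = e.get("target", {}).get("name", "unknown")
        if e.get("severity") == "critical":
            findings.append(("critical-severity", who, action, target))
        elif action.endswith(DESTRUCTIVE_SUFFIXES) and e.get("outcome") == "success":
            findings.append(("destructive-action", who, action, target))
        if e.get("outcome") == "failure":
            failures[who] += 1
    for who, count in failures.items():
        if count >= failure_threshold:
            findings.append(("repeated-failures", who, f"{count} failed actions", "-"))
    return findings


if __name__ == "__main__":
    for kind, who, action, target in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:18} initiator={who:22} action={action} target={target}")
```

The pass is deliberately conservative: it does not try to decide whether an action was legitimate, only to shortlist what an operator should look at first. In a real deployment the same functions would run over the objects that event routing wrote to the KYOK-encrypted bucket, and the suffix list and threshold would be tuned to the account's normal change volume.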

IBM Cloud® Security and Compliance Center

With Security and Compliance Center you can embed security checks into your everyday workflows to help monitor for security and compliance. By monitoring for risks, you can identify security vulnerabilities and quickly work to mitigate the impact and fix the issue. By using Security and Compliance Center along with external integrations (such as OpenShift Compliance Operator (OSCO), Tanium, NeuVector, and so on), you can build a robust approach to monitoring for security and compliance issues.

IBM Cloud Flow Logs for VPC

Flow Logs for VPC enables the collection, storage, and presentation of information about the Internet Protocol (IP) traffic flowing to and from network interfaces within your VPC.

Flow Logs for VPC can help with a number of tasks, including:

  • Troubleshooting why specific traffic isn't reaching an instance, which helps to diagnose restrictive security group rules
  • Recording the metadata of network traffic that is reaching your instance
  • Determining source and destination traffic from the network interfaces
  • Adhering to compliance regulations
  • Assisting with root cause analysis
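The list above names diagnosing restrictive security group rules and recording traffic metadata as uses of Flow Logs for VPC. The following is an added example, not code from the IBM Cloud documentation or from IBM, that summarises a batch of flow log objects to show both: it counts rejected flows per destination and totals the bytes exchanged between accepted peers. It assumes the published Flow Logs for VPC object layout (a collector object carrying `network_interface_id` and a `flow_logs` array whose entries have `direction`, `action`, `initiator_ip`, `target_ip`, `target_port`, `transport_protocol` and byte counters); the two sample objects, their addresses and interface ids are constructed and are not real captured data.

```python
"""Summarise IBM Cloud Flow Logs for VPC objects (added example, not IBM code).

Assumptions: each line is one collector object in the Flow Logs for VPC
format, with a "network_interface_id" and a "flow_logs" array. The sample
objects below are constructed; the addresses and ids are not real.
"""
import json
from collections import Counter

PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: two collector objects, one line each, as they would
# be read back from the Object Storage bucket the collector writes to.
SAMPLE_FLOW_LOG_OBJECTS = [
    json.dumps({
        "version": "0.0.1",
        "network_interface_id": "0717-example-nic-1",
        "capture_start_time": "2024-01-01T10:00:00Z",
        "capture_end_time": "2024-01-01T10:05:00Z",
        "flow_logs": [
            {"direction": "I", "action": "accepted", "initiator_ip": "10.10.20.5",
             "target_ip": "10.10.10.4", "initiator_port": 51234, "target_port": 443,
             "transport_protocol": 6, "bytes_from_initiator": 1200, "bytes_from_target": 8800},
            {"direction": "I", "action": "rejected", "initiator_ip": "10.10.20.5",
             "target_ip": "10.10.10.4", "initiator_port": 51235, "target_port": 8443,
             "transport_protocol": 6, "bytes_from_initiator": 60, "bytes_from_target": 0},
            {"direction": "I", "action": "rejected", "initiator_ip": "10.10.20.6",
             "target_ip": "10.10.10.4", "initiator_port": 40001, "target_port": 8443,
             "transport_protocol": 6, "bytes_from_initiator": 60, "bytes_from_target": 0},
        ],
    }),
    json.dumps({
        "version": "0.0.1",
        "network_interface_id": "0717-example-nic-2",
        "capture_start_time": "2024-01-01T10:00:00Z",
        "capture_end_time": "2024-01-01T10:05:00Z",
        "flow_logs": [
            {"direction": "O", "action": "accepted", "initiator_ip": "10.10.10.5",
             "target_ip": "10.10.30.9", "initiator_port": 38000, "target_port": 5432,
             "transport_protocol": 6, "bytes_from_initiator": 500, "bytes_from_target": 2000},
            {"direction": "I", "action": "rejected", "initiator_ip": "10.10.20.7",
             "target_ip": "10.10.10.5", "initiator_port": 52000, "target_port": 22,
             "transport_protocol": 6, "bytes_from_initiator": 60, "bytes_from_target": 0},
        ],
    }),
]


def parse_flow_records(lines):
    """Yield one flat dict per flow, tagged with the interface it was captured on."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        nic = obj.get("network_interface_id", "unknown")
        for flow in obj.get("flow_logs", []):
            yield {"network_interface_id": nic, **flow}


def rejected_flows_by_destination(flows):
    """Count rejected flows per (nic, direction, target_ip, target_port, protocol).

    A high count on one port is the usual sign of a security group or
    network ACL rule that is more restrictive than the application expects.
    """
    counts = Counter()
    for f in flows:
        if f.get("action") != "rejected":
            continue
        proto = PROTOCOL_NAMES.get(f.get("transport_protocol"), str(f.get("transport_protocol")))
        counts[(f["network_interface_id"], f["direction"], f["target_ip"], f["target_port"], proto)] += 1
    return counts


def bytes_by_peer(flows):
    """Total bytes in each direction per (initiator_ip, target_ip) for accepted flows."""
    totals = {}
    for f in flows:
        if f.get("action") != "accepted":
            continue
        entry = totals.setdefault((f["initiator_ip"], f["target_ip"]), {"from_initiator": 0, "from_target": 0})
        entry["from_initiator"] += f.get("bytes_from_initiator", 0)
        entry["from_target"] += f.get("bytes_from_target", 0)
    return totals


def summarize(lines):
    """Parse the objects once and return both views of the traffic."""
    flows = list(parse_flow_records(lines))
    return {
        "total_flows": len(flows),
        "rejected": rejected_flows_by_destination(flows),
        "accepted_bytes": bytes_by_peer(flows),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOW_LOG_OBJECTS)
    print(f"{report['total_flows']} flows parsed")
    for (nic, direction, ip, port, proto), n in report["rejected"].most_common():
        print(f"REJECTED x{n}: nic={nic} dir={direction} -> {ip}:{port}/{proto}")
    for (src, dst), b in report["accepted_bytes"].items():
        print(f"ACCEPTED {src} -> {dst}: {b['from_initiator']} B out, {b['from_target']} B back")
```

The rejected-flow view answers "why isn't this traffic reaching the instance" by pointing at the interface, direction and port to check in the security group, while the byte totals give the metadata record the compliance bullet asks for without retaining any payload.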

Integration

IBM Event Streams for IBM Cloud (optional)

Event Streams is a high-throughput message bus built with Apache Kafka. It is optimized for event ingestion into IBM Cloud and event stream distribution between your services and applications.

You can use Event Streams to complete the following tasks:

  • Offload work to back-end worker applications.
  • Connect event streams to streaming analytics to realize powerful insights.
  • Publish event data to multiple applications to react in real time.

Reference architecture components

The following table provides a summary of the main features of the VPC reference architecture and associated IBM Cloud services.

Table 2. Services needed for different parts of the VPC reference architecture (architectural component: technology)

  • Compute: Virtual Servers for VPC; Dedicated hosts for VPC
  • Containers [9]: Red Hat OpenShift on IBM Cloud; Container Registry
  • Inbound connectivity to management VPC: Direct Link or VPN for VPC
  • Inbound connectivity to workload VPC: Direct Link or VPN for VPC
  • Virtual network firewall: Install your own software [10]
  • Connectivity between VPCs: Transit Gateway
  • Connectivity to IBM Cloud services: VPE for VPC
  • Load balancing: Application Load Balancer for VPC
  • DNS: DNS Services
  • Bastion host: Install your own software
  • Scaling compute: Auto Scale for VPC
  • Web app authentication in workload VPC: App ID
  • Secrets management: Secrets Manager or Install your own software
  • IBM Cloud platform audit logging: Activity Tracker Event Routing [11]
  • Application provider audit logging: Install your own software for SIEM
  • Application provider operational logging: Install your own software
  • Application provider operational monitoring: Install your own software
  • Compliance monitoring: Security and Compliance Center
  • Flow/traffic logging: Flow Logs for VPC
  • Encryption at rest: Hyper Protect Crypto Services
  • Encryption in transit (TLS offload): Hyper Protect Crypto Services
  • Cross-zone high availability: Multizone region
  • Cross-region high availability: Deploy in multiple regions
  • Backup and recovery: Install your own software
  • Developer tools: Continuous Delivery or Install your own software
  • Endpoint protection: Install your own software
  • Event queues: Event Streams or Install your own software
  • Databases: Install your own software

  1. Only required if using virtual servers instead of or in addition to Red Hat OpenShift on IBM Cloud.
  2. Only required if using containers instead of or in addition to virtual servers.
  3. Only choose one of Direct Link and VPN for VPC.
  4. Only choose one of Direct Link and VPN for VPC.
  5. Only the event routing features of Activity Tracker have been Financial Services Validated.
  6. Only required if using virtual servers instead of or in addition to Red Hat OpenShift on IBM Cloud.
  7. Only required if using containers instead of or in addition to virtual servers.
  8. Installing your own software is recommended when there is not yet an IBM Cloud service that is Financial Services Validated. However, when installing your own software you are still responsible for the controls of the IBM Cloud Framework for Financial Services if you are seeking your own Financial Services Validated designation.
  9. Only the event routing features of Activity Tracker have been Financial Services Validated.