Consumer connectivity to workload VPC
Previously, we saw how administrative access to the workload VPC can be accomplished from the bastion host in the management VPC. Now, we look at how consumers can connect to the workload VPC to access your service offering.
Consumer in same organization as application provider
If the consumer is in the same organization as you (such as the same financial institution), then the connection options are much the same as they are when you connect to the management VPC. That is, the consumer can connect to the workload VPC with either Direct Link or VPN for VPC. This is shown in the diagram below.
Direct Link
Direct Link is the most secure way to enable connectivity from the consumer's on-premises environment to the workload VPC. The speed and reliability of Direct Link extends your organization’s data center network and offers more consistent, higher-throughput connectivity, keeping traffic within the IBM Cloud network. When using Direct Link, a private Application Load Balancer for VPC (ALB) is used to distribute traffic among multiple server instances within the same region of your VPC.
The following diagram shows the Direct Link connection pattern.
For more information, see:
VPN for VPC
An alternative connectivity pattern requires using the VPN for VPC service to securely connect from your private network to the management VPC. VPN for VPC can be used as a static, route-based VPN or a policy-based VPN to set up an IPsec site-to-site tunnel between your VPC and your on-premises private network, or another VPC.
The following diagram shows the VPN for VPC connection pattern.
For more information, see:
Consumer in different organization than application provider
Connecting from public internet
There are many valid cases where you might want to allow consumers to access your service through the public internet. The base architecture can be adapted to securely enable this type of access by introducing a new edge VPC, as shown in the following diagram. The request from the consumer gets routed through a global load balancer outside of the edge VPC, through a web application firewall (WAF) in the edge VPC, and then to the public application load balancer within the workload VPC.
Global load balancer
One option for global load balancing outside of the edge VPC is IBM Cloud® Internet Services (CIS), powered by Cloudflare. CIS provides a fast, highly performant, reliable, and secure internet service for customers running their business on IBM Cloud.
CIS is not Financial Services Validated. Because of this, TLS connections must not be terminated in CIS and should be configured only for pass-through connections. CIS global load balancers must be configured with the proxy configuration setting value of off. CIS Range applications should be used to provide DDoS protection in front of global load balancers.
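As an added illustration (not part of the IBM documentation), the following Terraform fragment shows the pass-through setting described above, assuming the IBM Cloud provider's ibm_cis_global_load_balancer and ibm_cis_origin_pool resource schemas and placeholder names for the CIS instance, domain, and origin:

```hcl
# Added example; placeholder instance, domain and origin names are assumptions.
data "ibm_cis" "cis" {
  name = "example-cis-instance"        # placeholder
}

data "ibm_cis_domain" "domain" {
  cis_id = data.ibm_cis.cis.id
  domain = "example.com"               # placeholder
}

# Origin pool pointing at the public ALB in the workload VPC.
resource "ibm_cis_origin_pool" "workload_alb" {
  cis_id          = data.ibm_cis.cis.id
  name            = "workload-alb-pool"
  enabled         = true
  minimum_origins = 1
  check_regions   = ["WEU"]            # placeholder health-check region

  origins {
    name    = "workload-alb"
    address = "alb-placeholder.lb.appdomain.cloud"   # placeholder ALB hostname
    enabled = true
  }
}

resource "ibm_cis_global_load_balancer" "consumer_entry" {
  cis_id           = data.ibm_cis.cis.id
  domain_id        = data.ibm_cis_domain.domain.id
  name             = "api.example.com"             # placeholder hostname
  fallback_pool_id = ibm_cis_origin_pool.workload_alb.id
  default_pool_ids = [ibm_cis_origin_pool.workload_alb.id]
  enabled          = true
  session_affinity = "none"
  ttl              = 60

  # Pass-through only: CIS is not Financial Services Validated, so TLS
  # must not terminate in CIS. A value of true would proxy (and terminate)
  # consumer connections at the CIS edge.
  proxied          = false
}
```

With proxied set to false the record resolves directly to the origin pool, so TLS terminates at the WAF or ALB inside your VPCs rather than in CIS; DDoS protection is then provided separately through CIS Range applications.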
For more information, see the following resources:
Edge VPC with web application firewall
The edge VPC is used to enhance boundary protection for both the management VPC and the workload VPC. For public internet access to the workload VPC, a WAF in the edge VPC is used to protect web applications by filtering and monitoring internet web traffic. A WAF can prevent attacks exploiting a web application's known vulnerabilities.
IBM does not currently offer a Financial Services Validated solution for WAF. So, you need to install and manage your own WAF within your edge VPC. One option for WAF is to use F5 BIG-IP. See the tutorial Setup WAF with F5 BIG-IP for more details.
For management VPC connectivity, your operators can connect to the environment from your on-premises network (with Direct Link or VPN for VPC) or through a full-tunnel client-to-site VPN. In practice, all three zones in the edge VPC would be the same, but for illustrative purposes, each zone in the edge VPC box depicts one of the three scenarios for operator connectivity:
- Zone 1 - Connectivity with Direct Link, so neither a full-tunnel client-to-site VPN nor VPN for VPC is needed.
- Zone 2 - Connectivity from the application provider is with VPN for VPC, so a full-tunnel client-to-site VPN is not needed.
- Zone 3 - Connectivity from the application provider is through a full-tunnel client-to-site VPN, so VPN for VPC is not needed.
Finally, the bastion can be put either in the edge VPC or the management VPC. If you place it in the edge VPC, then the management VPC becomes optional if you are not deploying any other management tools.
Application load balancer in workload VPC
Use IBM Cloud® Application Load Balancer for VPC (ALB) to distribute traffic among multiple server instances within the same region of your VPC. For more information, see the following resources: