IBM Cloud Docs
Virtual Servers for VPC and Power Virtual Server reference architecture for IBM Cloud for Financial Services

This solution pattern contains the design and architecture decisions for cloud native and Power Virtual Server workloads in IBM Cloud for Financial Services.

IBM Power is a family of high-performance servers that are designed for running large-scale data-driven and mission-critical workloads and are known for their scalability, reliability, sustainability, and performance. IBM® Power® Virtual Server is a Power Systems offering in IBM Cloud. As stated in the product documentation, Power Virtual Server instances are located in the IBM data centers, distinct from the IBM Cloud servers, with separate networks and direct-attached storage. The internal networks are fenced but offer connectivity options to IBM Cloud infrastructure or on-premises environments. This infrastructure design enables Power Virtual Server to maintain key enterprise software certification and support, because the Power Virtual Server architecture is identical to certified on-premises infrastructure. The Power Virtual Server documentation discusses its benefits, use cases, workloads, and other details.

The IBM Cloud Framework for Financial Services provides different flavors of reference architectures to be used as the basis for meeting the security and regulatory requirements defined in the framework. This document extends the Virtual Servers for VPC based reference architecture and provides a solution design for deploying sensitive enterprise workloads on Power Virtual Server in the cloud, especially for financial and regulated industries, by adopting the IBM Cloud for Financial Services Framework and following the principles and best practices of the framework.

Architecture diagram

The diagram below represents the architecture for secure Power Virtual Server workloads in IBM Cloud and is an extension of the Virtual Servers for VPC reference architecture for IBM Cloud for Financial Services.

IBM Cloud for Financial Services reference architecture for VPC and Power Virtual Server

Central to the architecture are three VPCs, which provide segmentation for edge traffic control, management functionality, and consumer workloads.

Management VPC
Provides compute, storage, and network services to enable the client or service provider's administrators to monitor, operate, and maintain the environment.
Workload VPC
Provides compute, storage, and network services to support hosted applications and operations that deliver services to the consumer.
Edge VPC
The edge VPC is used to enhance boundary protection for the workload VPC by allowing consumers to access public-facing interfaces through the internet.

This reference architecture is an extension of the VPC reference architecture for IBM Cloud for Financial Services. Here are some key features:

  • Supports a single tenant.
  • Resides in one or more multizone regions. When resources are deployed in multiple regions for resiliency purposes, Global Transit Gateway can be used to connect traffic across regions.
  • Enables access to the management VPC from the application provider's enterprise environment through IBM Cloud® Direct Link or Virtual Private Network (VPN) for VPC.
  • Manages traffic flow from outside IBM Cloud via Edge VPC.
  • Supports multiple subnets, ACLs and Security Groups to manage traffic flow to the subnets and to the instances. Load balancers can be used.
  • Supports a bastion host to manage access to internal servers. Power Virtual Server instances should not be exposed directly to the external world.
  • Allows connectivity to IBM Cloud services that use Virtual Private Endpoint (VPE) for VPC. Custom DNS server and proxy server can be used.
  • Uses IBM Cloud® Internet Services to provide global load balancing and layer 3/4 protection against distributed denial-of-service (DDoS) attacks.
  • Uses virtual network firewall software in the Edge VPC to provide web application firewall (WAF) protection and layer 7 protection against denial-of-service (DoS) attacks.
  • Power Virtual Server instances are located in the IBM data centers, distinct from the IBM Cloud servers, with separate networks and direct-attached storage. Power Edge Router (PER) (or Cloud Connections where PER is not available) provides the connection between Power Virtual Server instances and IBM Cloud resources.
  • Power workloads can be deployed on Power Virtual Server instances, cloud native workloads can be deployed in VPC, and Transit Gateway can be used to define and control communication between resources on the IBM Cloud network. Enterprise traffic and IBM Cloud internal traffic are separated by using different Transit Gateways.
  • Power workloads can be deployed on Power Virtual Server instances in different regions. Global Transit Gateway can be used in this case.
  • Hyper Protect Crypto Services or Key Protect can be integrated with Power Virtual Server.
  • IBM Cloud for Financial Services Validated services are used. Security and Compliance Center provides security and compliance support.

Design concepts

Following the Architecture Framework, this document covers the following solution aspects and domains:

Architecture design scope

Requirements

The following table outlines the requirements that are addressed in this architecture.

Aspect and requirements:

Compute
  • Provide properly isolated compute resources with adequate compute capacity for the applications.
Storage
  • Provide storage that meets the application and database performance requirements.
Networking
  • Deploy workloads in an isolated environment and enforce information flow policies.
  • Provide secure, encrypted connectivity to the cloud's private network for management purposes.
  • Distribute incoming application requests across available compute resources.
Security
  • Ensure all operator actions are executed securely through a bastion host.
  • Protect the boundaries of the application against denial-of-service and application-layer attacks.
  • Encrypt all application data in transit and at rest to protect it from unauthorized disclosure.
  • Encrypt all security data (operational and audit logs) to protect it from unauthorized disclosure.
  • Encrypt all data by using customer-managed keys to meet regulatory compliance requirements for additional security and customer control.
  • Protect secrets through their entire lifecycle and secure them by using access control measures.
  • Firewalls must be restrictively configured to prevent all traffic, both inbound and outbound, except that which is required, documented, and approved.
DevOps
  • Delivering software and services at the speed the market demands requires teams to iterate and experiment rapidly. They must deploy new versions frequently, driven by feedback and data.
Resiliency
  • Support application availability targets and business continuity policies.
  • Ensure availability of the application in the event of planned and unplanned outages.
  • Back up application data to enable recovery in the event of unplanned outages.
  • Provide highly available storage for security data (logs) and backup data.
Service Management
  • Monitor system and application health metrics and logs to detect issues that might impact the availability of the application.
  • Generate alerts and notifications about issues that might impact the availability of applications, to trigger appropriate responses that minimize downtime.
  • Monitor audit logs to track changes and detect potential security problems.
  • Provide a mechanism to identify and send notifications about issues found in audit logs.
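The key features list above calls for ACLs and security groups that govern traffic to subnets and instances, with internal servers (including Power Virtual Server instances) reachable only through a bastion host, and the Security requirement above demands that firewalls deny all traffic except what is required, documented, and approved. The script below is an added example, not IBM's code or part of this reference architecture: it is a review check that evaluates an ordered rule set against exactly those two requirements. The Rule model, the approved_by field, and all CIDRs and rule names are constructed and simplified; they are not the IBM Cloud VPC network ACL API schema.

```python
"""Policy review for an ordered firewall rule set (constructed example).

Checks two requirements from the reference architecture:
  1. deny-by-default: the last rule in each direction is a catch-all deny,
     every allow rule carries an approval reference, and no allow rule
     opens all traffic from anywhere to anywhere;
  2. bastion-only SSH: inbound SSH to protected subnets (workload VPC,
     Power Virtual Server subnet) is permitted only from the bastion subnet.
The Rule shape is a simplified, assumed model, not the IBM Cloud API.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"
SSH_PORT = 22


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "inbound" or "outbound"
    action: str           # "allow" or "deny"
    source: str           # CIDR
    destination: str      # CIDR
    protocol: str         # "all", "tcp", "udp" or "icmp"
    port_min: int = 1
    port_max: int = 65535
    approved_by: str = ""  # change/approval reference; assumed field


def is_any(cidr: str) -> bool:
    """True for a 0.0.0.0/0-style catch-all network."""
    return ip_network(cidr).prefixlen == 0


def is_catch_all_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.protocol == "all"
            and is_any(rule.source) and is_any(rule.destination))


def check_rules(rules, bastion_cidr, protected_cidrs):
    """Return a list of human-readable findings; empty list means compliant."""
    findings = []
    bastion = ip_network(bastion_cidr)
    protected = [ip_network(c) for c in protected_cidrs]

    # Rules are evaluated in order, so the final rule per direction must deny everything.
    for direction in ("inbound", "outbound"):
        ordered = [r for r in rules if r.direction == direction]
        if not ordered or not is_catch_all_deny(ordered[-1]):
            findings.append(f"{direction}: no final catch-all deny rule")

    for r in rules:
        if r.action != "allow":
            continue
        if not r.approved_by:
            findings.append(f"{r.name}: allow rule has no documented approval")
        if r.protocol == "all" and is_any(r.source) and is_any(r.destination):
            findings.append(f"{r.name}: allows all traffic from anywhere to anywhere")
        # Bastion requirement: SSH into a protected subnet must originate from the bastion subnet.
        covers_ssh = r.protocol in ("tcp", "all") and r.port_min <= SSH_PORT <= r.port_max
        if r.direction == "inbound" and covers_ssh:
            dst, src = ip_network(r.destination), ip_network(r.source)
            if any(dst.overlaps(p) for p in protected) and not src.subnet_of(bastion):
                findings.append(f"{r.name}: SSH to protected subnet {r.destination} "
                                f"allowed from {r.source}, which is not the bastion subnet")
    return findings


# Constructed sample environment (all addresses are illustrative).
BASTION_CIDR = "10.10.0.0/24"                      # management VPC bastion subnet
PROTECTED_CIDRS = ["10.20.0.0/16", "192.168.0.0/24"]  # workload VPC, Power VS subnet

COMPLIANT_RULES = [
    Rule("allow-bastion-ssh", "inbound", "allow", "10.10.0.0/24", "10.20.0.0/16", "tcp", 22, 22, "CHG-0001"),
    Rule("allow-lb-https", "inbound", "allow", "10.30.0.0/24", "10.20.0.0/16", "tcp", 443, 443, "CHG-0002"),
    Rule("deny-inbound", "inbound", "deny", ANY, ANY, "all"),
    Rule("allow-out-to-vpe", "outbound", "allow", "10.20.0.0/16", "10.20.250.0/24", "tcp", 443, 443, "CHG-0003"),
    Rule("deny-outbound", "outbound", "deny", ANY, ANY, "all"),
]

NONCOMPLIANT_RULES = [
    Rule("allow-ssh-anywhere", "inbound", "allow", ANY, "10.20.0.0/16", "tcp", 22, 22),
    Rule("allow-all-out", "outbound", "allow", ANY, ANY, "all", approved_by="CHG-0009"),
]

if __name__ == "__main__":
    for label, rules in (("compliant", COMPLIANT_RULES), ("noncompliant", NONCOMPLIANT_RULES)):
        print(f"== {label} ==")
        for finding in check_rules(rules, BASTION_CIDR, PROTECTED_CIDRS) or ["no findings"]:
            print(" -", finding)
```

The noncompliant set produces five findings: a missing catch-all deny in each direction, an undocumented allow rule, SSH reachable from anywhere rather than from the bastion, and an outbound rule that opens all traffic. In practice the rule list would be exported from the real ACL or security group configuration and mapped onto this shape before review.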

Components

The following table outlines the products or services used in the architecture for each aspect.

Aspect, architecture component, and how the component is used:

Application platforms
  • Red Hat® OpenShift® on IBM Cloud®: Deploy and secure enterprise workloads
  • IBM Cloud® Code Engine: Run your application, batch job, or container on a managed serverless platform
  • IBM Cloud® Container Registry: Securely store container images and monitor their vulnerabilities in a private registry
Data
  • IBM® Event Streams for IBM Cloud®: Use a fully managed Kafka service to build intelligent applications that react to events in real time
Compute
  • IBM Cloud® Virtual Servers for Virtual Private Cloud: Virtual machines with faster provisioning, higher performance, and enhanced isolation
  • Dedicated hosts for VPC: Provision single-tenant hosts that offer dedicated resources and maximum control over instance placement
  • IBM® Power® Virtual Server: Virtual server offering on IBM Power systems
Storage
  • IBM Cloud® Object Storage: Provide flexible, cost-effective, and scalable cloud storage for unstructured data
  • IBM® Cloud Block Storage for Virtual Private Cloud: Persistent storage for use as boot and data storage for virtual servers in a VPC network
Networking
  • IBM Cloud® Virtual Private Cloud: Fully customizable, software-defined virtual network with superior isolation
  • Application Load Balancer for VPC: Distribute layer 4 and layer 7 traffic among server instances within the same region of your VPC and support Secure Sockets Layer (SSL) offloading
  • Network Load Balancer for VPC: Distribute layer 4 traffic among multiple server instances within the same region of your VPC
  • Virtual Private Network (VPN) for VPC: Connect your on-premises network to the IBM Cloud VPC network
  • Client VPN for VPC: Securely connect to your IBM Cloud resources from anywhere through a client-to-site VPN server
  • IBM Cloud® Internet Services: Offers capabilities to enhance your workflow
  • IBM Cloud® DNS Services: Manage hostnames and IP addresses while limiting access to the DNS records from permitted networks only
  • Virtual Private Endpoint (VPE) for VPC: Delivers private connectivity through endpoint gateways to IBM Cloud services by using client-assigned IP addresses from within the VPC
  • IBM Cloud® Direct Link: Establish and deliver connectivity to IBM Cloud
  • IBM Cloud® Transit Gateway: Creates secure connectivity between your networks within IBM Cloud
Security
  • IBM Cloud® App ID: User authentication and user profiles for your apps
  • Hyper Protect Crypto Services: Keep Your Own Key for cloud data encryption with a dedicated key management service built on FIPS 140-2 Level 4 certified HSMs
  • IBM® Key Protect: Create or manage cryptographic keys in the cloud or in Satellite to protect data at rest
  • IBM Cloud® Secrets Manager: Create, lease, and centrally manage secrets that are used in your apps and services
DevOps
  • IBM Cloud® Continuous Delivery: Support DevOps best practices by using Git, issue tracking, source code vulnerability analysis, and CI/CD pipelines in the cloud
  • Toolchain: Automates the tasks of developing and deploying your app
Resiliency
  • IBM Cloud Backup for VPC: Provides the ability to schedule VPC block storage snapshot backups and manage retention through backup policies
  • Block Storage Snapshots for VPC: Back up block storage volumes to IBM Cloud Object Storage with this regional snapshot service
Service management
  • IBM Cloud Activity Tracker Event Routing: Collect auditable platform events that are generated by services in your IBM Cloud account
  • IBM Cloud® Security and Compliance Center: Manage your security and compliance posture
  • Flow Logs for VPC: Enable the collection, storage, and presentation of information about the Internet Protocol (IP) traffic going to and from network interfaces within your Virtual Private Cloud (VPC)