Virtual Servers for VPC and Power Virtual Server reference architecture for IBM Cloud for Financial Services
This solution pattern contains the design and architecture decisions for cloud native and Power Virtual Server workloads in IBM Cloud for Financial Services.
IBM Power is a family of high-performance servers that are designed for running large-scale, data-driven, and mission-critical workloads and are known for their scalability, reliability, sustainability, and performance. IBM® Power® Virtual Server is a Power Systems offering in IBM Cloud. As stated in the documentation, Power Virtual Server instances are located in IBM data centers, distinct from the IBM Cloud servers, with separate networks and direct-attached storage. The internal networks are fenced but offer connectivity options to IBM Cloud infrastructure or on-premises environments. This infrastructure design enables Power Virtual Server to maintain key enterprise software certifications and support, because the Power Virtual Server architecture is identical to certified on-premises infrastructure. The documentation page discusses benefits, use cases, workloads, and other information on Power Virtual Server.
The IBM Cloud Framework for Financial Services provides different flavors of reference architectures to be used as the basis for meeting the security and regulatory requirements defined in the framework. This document extends the Virtual Servers for VPC based reference architecture and provides a solution design for deploying sensitive enterprise workloads on Power Virtual Server in the cloud, especially for financial and regulated industries, by adopting the IBM Cloud for Financial Services Framework and following its principles and best practices.
Architecture diagram
The diagram below represents the architecture for secure Power Virtual Server workloads in IBM Cloud and is an extension of the Virtual Servers for VPC reference architecture for IBM Cloud for Financial Services.
Central to the architecture are three VPCs, which provide segmentation for edge traffic control, management functionality, and consumer workloads.
- Management VPC
  - Provides compute, storage, and network services that enable the client's or service provider's administrators to monitor, operate, and maintain the environment.
- Workload VPC
  - Provides compute, storage, and network services to support hosted applications and operations that deliver services to the consumer.
- Edge VPC
  - Enhances boundary protection for the workload VPC by allowing consumers to reach public-facing interfaces through the internet.
This reference architecture is an extension of the VPC reference architecture for IBM Cloud for Financial Services. Here are some key features:
- Supports a single tenant.
- Resides in one or more multizone regions. When resources are deployed in multiple regions for resiliency purposes, a Global Transit Gateway can be used to route traffic across regions.
- Enables access to the management VPC from the application provider's enterprise environment through IBM Cloud® Direct Link or Virtual Private Network (VPN) for VPC.
- Manages traffic flow from outside IBM Cloud through the edge VPC.
- Supports multiple subnets, ACLs, and security groups to manage traffic flow to the subnets and to the instances. Load balancers can be used.
- Supports a bastion host to manage access to internal servers. Power Virtual Server instances should not be exposed directly to the outside world.
- Allows connectivity to IBM Cloud services that use Virtual Private Endpoint (VPE) for VPC. A custom DNS server and proxy server can be used.
- IBM Cloud® Internet Services provides global load balancing and layer 3/4 protection against distributed denial-of-service (DDoS) attacks.
- Virtual network firewall software in the edge VPC provides web application firewall (WAF) protection and layer 7 protection against denial-of-service (DoS) attacks.
- Power Virtual Server instances are located in IBM data centers, distinct from the IBM Cloud servers, with separate networks and direct-attached storage. Power Edge Router (PER), or Cloud Connections where PER is not available, provides the connection between Power Virtual Server and IBM Cloud resources.
- Power workloads can be deployed on Power Virtual Server instances, cloud native workloads can be deployed in the VPCs, and Transit Gateway can be used to define and control communication between resources on the IBM Cloud network. Enterprise traffic and IBM Cloud internal traffic are kept apart by using separate Transit Gateways.
- Power workloads can be deployed on Power Virtual Server instances in different regions. A Global Transit Gateway can be used in this case.
- Hyper Protect Crypto Services or Key Protect can be integrated with Power Virtual Server.
- IBM Cloud for Financial Services Validated services are used. Security and Compliance Center provides security and compliance support.
Design concepts
Following the Architecture Framework, this document covers the following solution aspects and domains:
Requirements
The following table outlines the requirements that are addressed in this architecture.
| Aspect | Requirements |
|---|---|
| Compute | Provide properly isolated compute resources with adequate compute capacity for the applications. |
| Storage | Provide storage that meets the application and database performance requirements. |
| Networking | Deploy workloads in an isolated environment and enforce information flow policies. Provide secure, encrypted connectivity to the cloud's private network for management purposes. Distribute incoming application requests across available compute resources. |
| Security | Ensure all operator actions are executed securely through a bastion host. Protect the boundaries of the application against denial-of-service and application-layer attacks. Encrypt all application data in transit and at rest to protect it from unauthorized disclosure. Encrypt all security data (operational and audit logs) to protect it from unauthorized disclosure. Encrypt all data by using customer-managed keys to meet regulatory compliance requirements for additional security and customer control. Protect secrets through their entire lifecycle and secure them by using access control measures. Firewalls must be restrictively configured to prevent all traffic, both inbound and outbound, except that which is required, documented, and approved. |
| DevOps | Delivering software and services at the speed the market demands requires teams to iterate and experiment rapidly. They must deploy new versions frequently, driven by feedback and data. |
| Resiliency | Support application availability targets and business continuity policies. Ensure availability of the application in the event of planned and unplanned outages. Back up application data to enable recovery in the event of unplanned outages. Provide highly available storage for security data (logs) and backup data. |
| Service Management | Monitor system and application health metrics and logs to detect issues that might impact the availability of the application. Generate alerts and notifications about issues that might impact the availability of applications to trigger appropriate responses and minimize downtime. Monitor audit logs to track changes and detect potential security problems. Provide a mechanism to identify and send notifications about issues found in audit logs. |
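The Security row requires firewalls to permit only traffic that is required, documented, and approved. As an added example (not part of the reference architecture or any IBM tooling), the following Python check applies that requirement to a VPC-style network ACL: every allow rule must carry an approval reference, no allow may be a catch-all, and each direction must end in an explicit deny-all rule. The rule field names and the sample rule set are constructed for this example and are not the IBM Cloud API schema.

```python
# Added example: policy check for an ordered, first-match ACL rule set,
# which is how VPC network ACL rules are evaluated. Field names below are
# this example's own schema, not the IBM Cloud API.
import ipaddress

# Constructed sample: a management-subnet ACL. The second rule is the kind
# of over-broad, unapproved allow the check is meant to catch.
SAMPLE_ACL = [
    {"name": "allow-bastion-ssh", "direction": "inbound", "action": "allow",
     "source": "10.10.10.0/24", "destination": "10.10.20.0/24",
     "protocol": "tcp", "port_min": 22, "port_max": 22, "approval": "CHG-0001"},
    {"name": "allow-any-inbound", "direction": "inbound", "action": "allow",
     "source": "0.0.0.0/0", "destination": "0.0.0.0/0", "protocol": "all"},
    {"name": "allow-outbound-https", "direction": "outbound", "action": "allow",
     "source": "10.10.20.0/24", "destination": "0.0.0.0/0",
     "protocol": "tcp", "port_min": 443, "port_max": 443, "approval": "CHG-0002"},
    {"name": "deny-all-inbound", "direction": "inbound", "action": "deny",
     "source": "0.0.0.0/0", "destination": "0.0.0.0/0", "protocol": "all"},
    {"name": "deny-all-outbound", "direction": "outbound", "action": "deny",
     "source": "0.0.0.0/0", "destination": "0.0.0.0/0", "protocol": "all"},
]


def is_any(cidr):
    """True when the CIDR matches every address (prefix length 0)."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def is_catch_all(rule):
    """True when a rule matches all sources, destinations, and protocols."""
    return is_any(rule["source"]) and is_any(rule["destination"]) and rule["protocol"] == "all"


def check_acl(rules):
    """Return a list of findings; an empty list means the rule set is compliant."""
    findings = []
    # Each direction must end in an explicit catch-all deny so that
    # anything not matched by an earlier allow is dropped.
    for direction in ("inbound", "outbound"):
        per_dir = [r for r in rules if r["direction"] == direction]
        if not per_dir or per_dir[-1]["action"] != "deny" or not is_catch_all(per_dir[-1]):
            findings.append(f"{direction}: no terminating deny-all rule")
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if not rule.get("approval"):  # every allow must carry an approval reference
            findings.append(f"{rule['name']}: allow rule without approval reference")
        if is_catch_all(rule):  # an unrestricted allow defeats the requirement
            findings.append(f"{rule['name']}: unrestricted allow rule")
    return findings


if __name__ == "__main__":
    print("\n".join(check_acl(SAMPLE_ACL)) or "compliant")
```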
Components
The following table outlines the products or services used in the architecture for each aspect.
| Aspect | Architecture components | How the component is used |
|---|---|---|
| Application platforms | Red Hat® OpenShift® on IBM Cloud® | Deploy and secure enterprise workloads |
| | IBM Cloud® Code Engine | Run your application, batch job, or container on a managed serverless platform |
| | IBM Cloud® Container Registry | Securely store container images and monitor their vulnerabilities in a private registry |
| Data | IBM® Event Streams for IBM Cloud® | Use a fully managed Kafka service to build intelligent applications that react to events in real time |
| Compute | IBM Cloud® Virtual Servers for Virtual Private Cloud | Virtual machines with faster provisioning, higher performance, and enhanced isolation |
| | Dedicated hosts for VPC | Provision single-tenant hosts that offer dedicated resources and maximum control over instance placement |
| | IBM® Power® Virtual Server | Virtual Server offering on IBM Power systems |
| Storage | IBM Cloud® Object Storage | Provide flexible, cost-effective, and scalable cloud storage for unstructured data |
| | IBM® Cloud Block Storage for Virtual Private Cloud | Persistent storage for use as boot and data storage for Virtual Servers in a VPC network |
| Networking | IBM Cloud® Virtual Private Cloud | Fully customizable, software-defined virtual network with superior isolation |
| | Application Load Balancer for VPC | Distribute layer 7 and layer 4 traffic among server instances within the same region of your VPC and support Secure Sockets Layer (SSL) offloading |
| | Network Load Balancer for VPC | Distribute layer 4 traffic among multiple server instances within the same region of your VPC |
| | Virtual Private Network (VPN) for VPC | Connect your on-premises network to the IBM Cloud VPC network |
| | Client VPN for VPC | Securely connect to your IBM Cloud resources from anywhere through a client-to-site VPN server |
| | IBM Cloud® Internet Services | Offers capabilities to enhance your workflow |
| | IBM Cloud® DNS Services | Manage hostnames and IP addresses while limiting access to the DNS records from permitted networks only |
| | Virtual Private Endpoint (VPE) for VPC | Delivers private connectivity through Endpoint Gateways to IBM Cloud Services by using client-assigned IP addresses from within the VPC |
| | IBM Cloud® Direct Link | Establish and deliver connectivity to IBM Cloud |
| | IBM Cloud® Transit Gateway | Creates secure connectivity between your networks within IBM Cloud |
| Security | IBM Cloud® App ID | User authentication and user profiles for your apps |
| | Hyper Protect Crypto Services | Keep Your Own Key for cloud data encryption with a dedicated key management service built on FIPS 140-2 Level 4 certified HSMs |
| | IBM® Key Protect | Create or manage cryptographic keys in the cloud or in Satellite to protect data at rest |
| | IBM Cloud® Secrets Manager | Create, lease, and centrally manage secrets that are used in your apps and services |
| DevOps | IBM Cloud® Continuous Delivery | Support DevOps best practices by using Git, issue tracking, source code vulnerability analysis, and CI/CD pipelines in the cloud |
| | Toolchain | Automates the tasks of developing and deploying your app |
| Resiliency | IBM Cloud Backup for VPC | Provides the ability to schedule VPC block storage snapshot backups and manage retention through backup policies |
| | Block Storage Snapshots for VPC | Back up block storage volumes to IBM Cloud Object Storage with this regional snapshot service |
| Service management | IBM Cloud Activity Tracker Event Routing | Collect auditable platform events that are generated by services in your IBM Cloud account |
| | IBM Cloud® Security and Compliance Center | Manage your security and compliance posture |
| | Flow Logs for VPC | Enable the collection, storage, and presentation of information about the Internet Protocol (IP) traffic going to and from network interfaces within your Virtual Private Cloud (VPC) |