Architecture decisions for networking

The following are the architectural decisions for the networking of the watsonx VPC, Red Hat OpenShift, and Watson Assistance for Voice deployment. The table outlines the critical choices that shape the networking design and the functionality of the various components of the speech and vision recognition with RAG AI pattern.

Architecture decisions for network

Each row of the table is given below as: Architecture decision, Requirement, Options, Decision, Rationale.

Public DNS
  Requirement: Provide DNS resolution so that applications are reached by hostname instead of by IP address.
  Options:
    • IBM Cloud Internet Services (CIS)
    • IBM Cloud DNS
  Decision: IBM Cloud Internet Services (CIS)
  Rationale: IBM Cloud Internet Services supports provisioning and configuring DNS records for public DNS resolution and can be integrated with the public VPC ALBs of the web tier.

Application Load Balancer
  Requirement: Route HTTP/HTTPS requests from web users.
  Options:
    • VPC application load balancer (ALB)
    • VPC network load balancer (NLB)
    • HAProxy on a VSI (manual deployment)
  Decision: VPC ALB
  Rationale: VPC ALB is recommended for web-based workloads.
    • Provides layer 4 and layer 7 load balancing
    • Supports HTTP, HTTPS, and TCP requests
    • Supports SSL offloading

VPC to VPC Connectivity
  Requirement: Connect two or more VPCs over a private network.
  Options:
    • Local Transit Gateway
    • Global Transit Gateway
  Decision: Local Transit Gateway (TGW)
  Rationale: The Local Transit Gateway enables connectivity between the Management VPC and the Workload VPC.

Connectivity to Cloud Services
  Requirement: Provide a secure connection to IBM Cloud services.
  Options:
    • Virtual Private Endpoints (VPE)
    • Public Cloud Service Endpoints
  Decision: Virtual Private Endpoints (VPE)
  Rationale: VPC Virtual Private Endpoints enable connectivity to IBM Cloud services by using private IP addresses allocated from a VPC subnet, so service traffic never leaves the private network.

Connectivity for remote management of resources
  Requirement: Provide secure, encrypted connectivity to the cloud's private network for management purposes.
  Options:
    • Client VPN for VPC (client-to-site)
    • VPN for VPC (site-to-site)
    • Direct Link
  Decision: VPN for VPC (site-to-site)
  Rationale: VPN for VPC establishes an encrypted tunnel between the operations team's network and the VPC, so IBM Cloud resources are managed remotely over a private connection rather than from the public internet.

Network segmentation and isolation of workloads
  Requirement:
    • Deploy workloads in isolated environments according to their nature.
    • Provide fine-grained policies for the information flow between segments.
  Options:
    • Virtual Private Clouds (VPCs)
    • Subnets
    • Security Groups (SGs)
    • Network Access Control Lists (ACLs)
  Decision: VPC, network ACLs, and Security Groups
  Rationale: VPCs provide secure virtual networks for the tiers of the application, logically isolated from other public cloud tenants. Fine-grained information-flow policy is enforced with security groups (SGs) on instances and network ACLs on subnets.

Connectivity from on-premises to IBM Cloud
  Requirement: Provide private connectivity so that on-premises enterprise applications integrate seamlessly with the systems that run in IBM Cloud.
  Options:
    • Site-to-site VPN connection
    • Client-to-site VPN connection
    • Direct Link
  Decision: Direct Link
  Rationale: Direct Link is a high-speed private connectivity option that gives clients an always-on link between their on-premises environments and IBM Cloud.

Restricted internet access to internal systems
  Requirement: Provide controlled access to internal resources for updates, upgrades, and patching from the internet. All access must be funneled through a single, controlled interface.
  Options:
    • Virtual Private Network (VPN)
    • Privileged Access Management (PAM) solutions
    • Identity-Aware Proxies (IAP)
    • SSH or RDP gateways
    • Bastion hosts
  Decision: Bastion hosts
  Rationale: A bastion host is an intermediary that allows controlled access to internal resources while keeping the attack surface small: it is the only host that accepts administrative connections from outside the private subnets. Bastion hosts are commonly used in cloud environments and in traditional on-premises networks to provide secure access to instances in private subnets.
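The segmentation and bastion decisions above are illustrated with the following Terraform fragment for the IBM Cloud provider. It is an added example written for this page, not configuration from the IBM reference architecture, and the VPC, subnet, security group and ACL names, the CIDRs, the VPN client pool and the region are all assumed. It shows the two control points the decision relies on: security groups, which are stateful and allow-only and may name another security group as the remote, and a network ACL, which is stateless, evaluated in order, and therefore needs an explicit rule for the return direction of every flow it permits.

```hcl
# Added example (not part of the reference architecture). All names, CIDRs,
# the VPN client pool and the region below are assumptions for illustration.

terraform {
  required_providers {
    ibm = { source = "IBM-Cloud/ibm" }
  }
}

provider "ibm" {
  region = "us-south" # assumed
}

resource "ibm_is_vpc" "workload" {
  name = "workload-vpc"
}

# --- Security groups: stateful, allow-only, attached to instances ----------

resource "ibm_is_security_group" "web" {
  name = "web-sg"
  vpc  = ibm_is_vpc.workload.id
}

resource "ibm_is_security_group" "app" {
  name = "app-sg"
  vpc  = ibm_is_vpc.workload.id
}

resource "ibm_is_security_group" "bastion" {
  name = "bastion-sg"
  vpc  = ibm_is_vpc.workload.id
}

# App tier accepts 8080 only from members of the web SG. The remote is the
# SG id rather than a CIDR, so the rule follows web instances as they scale.
resource "ibm_is_security_group_rule" "app_in_from_web" {
  group     = ibm_is_security_group.app.id
  direction = "inbound"
  remote    = ibm_is_security_group.web.id
  tcp {
    port_min = 8080
    port_max = 8080
  }
}

# SSH into the app tier is allowed only from the bastion SG ...
resource "ibm_is_security_group_rule" "app_in_ssh_from_bastion" {
  group     = ibm_is_security_group.app.id
  direction = "inbound"
  remote    = ibm_is_security_group.bastion.id
  tcp {
    port_min = 22
    port_max = 22
  }
}

# ... and the bastion accepts SSH only from the VPN client pool (assumed
# 192.168.100.0/24), never from 0.0.0.0/0. This is the single controlled
# interface the "restricted internet access" decision asks for.
resource "ibm_is_security_group_rule" "bastion_in_ssh_from_vpn" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = "192.168.100.0/24"
  tcp {
    port_min = 22
    port_max = 22
  }
}

# --- Network ACL: stateless, ordered, attached to the app subnet -----------
# Anything not matched by a rule is denied, so each permitted flow needs a
# forward rule AND a return rule; an ACL does not track connection state.

resource "ibm_is_network_acl" "app_subnet" {
  name = "app-subnet-acl"
  vpc  = ibm_is_vpc.workload.id

  rules {
    name        = "in-web-to-app-8080"
    action      = "allow"
    direction   = "inbound"
    source      = "10.10.1.0/24" # web subnet, assumed
    destination = "10.10.2.0/24" # app subnet, assumed
    tcp {
      port_min        = 8080
      port_max        = 8080
      source_port_min = 1024
      source_port_max = 65535
    }
  }

  rules {
    name        = "out-app-to-web-return"
    action      = "allow"
    direction   = "outbound"
    source      = "10.10.2.0/24"
    destination = "10.10.1.0/24"
    tcp {
      port_min        = 1024
      port_max        = 65535
      source_port_min = 8080
      source_port_max = 8080
    }
  }
}

resource "ibm_is_subnet" "app" {
  name            = "app-subnet"
  vpc             = ibm_is_vpc.workload.id
  zone            = "us-south-1" # assumed
  ipv4_cidr_block = "10.10.2.0/24"
  network_acl     = ibm_is_network_acl.app_subnet.id
}
```

The ACL shown covers only the web-to-app flow; the SSH path from the bastion subnet and the VPE traffic of the app tier each need their own inbound/outbound pair in the same ACL, otherwise the security group rules above will admit a connection that the subnet ACL then drops. Keep the ACL coarse (subnet-to-subnet, port ranges) and put the fine-grained, identity-like policy in security groups, where SG-to-SG references avoid hard-coding instance addresses.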