Architecture decisions for networking
Network Architecture decisions
The following are networking architecture decisions for the Red Hat OpenShift on VPC pattern.
| Architecture decision | Requirement | Alternative | Decision | Rationale |
|---|---|---|---|---|
| Connectivity for remote management of environments | Provide secure and encrypted connectivity to the cloud's private network for management purposes. | | Client VPN for VPC | Client VPN for VPC provides client-to-site connectivity, which allows remote devices that use an OpenVPN software client to connect securely to the VPC network. |
| Network Segmentation and Isolation: Web App | | | VPCs, subnets, Security Groups (SGs) and ACLs | VPCs provide secure virtual networks for web apps that are logically isolated from other public cloud tenants. Subnets provide a range of private IP addresses for each web app tier within a zone. Security Groups and ACLs act as firewalls that limit access to virtual servers and web app tiers. |
| Connectivity to Cloud Services | Provide a secure connection to Cloud Services. | | Virtual Private Endpoints (VPE) | VPC Gateway and Virtual Private Endpoints enable connectivity to IBM Cloud services by using private IP addresses allocated from a VPC subnet. |
| VPC to VPC Connectivity | Connect two or more VPCs over a private network. | | Local Transit Gateway (TGW) | The Local Transit Gateway enables connectivity between the Management and Workload VPCs. |
| Application Load Balancer | Route web user HTTP/HTTPS requests. | | VPC ALB | VPC ALB is recommended for web-based workloads. |
| Public DNS | Provide DNS resolution so that applications can be reached by hostname instead of IP address. | | IBM Cloud Internet Services (CIS) | IBM Cloud Internet Services supports provisioning and configuring DNS records for public DNS resolution and can be integrated with the public VPC ALBs for the web tier. |
| Global Load Balancer | Load balance static content at IBM POP/CDN locations. | | IBM Cloud Internet Services (CIS) | IBM Cloud Internet Services supports global load balancing and can act as perimeter security for internet-facing workloads. |
| Exposing services, Routing and Load Balancing in Red Hat OpenShift | Load balancing and routing across multiple instances of services in Red Hat OpenShift. | | Routes in Red Hat OpenShift | Routes are integrated into the Red Hat OpenShift platform and are managed through the Red Hat OpenShift API. They provide both hostname-based and path-based routing and work seamlessly with other Red Hat OpenShift components. |
| Separation of concerns: traffic management and distribution across microservices | Fine-grained control over traffic distribution and intelligent load balancing for application microservices. | | Red Hat OpenShift Service Mesh | Red Hat OpenShift Service Mesh provides advanced traffic management, service mesh features, security, and layer 7 load balancing. |
| Segment and control communication between the pods within the Red Hat OpenShift cluster | Define communication rules between pods for a more secure and controlled environment. | | Red Hat OpenShift SDN | Red Hat OpenShift Software-Defined Networking (SDN) is the underlying network infrastructure that enables the implementation of network policies. Network policies rely on the Red Hat OpenShift SDN to enforce their rules. |
| Environment isolation | Isolate production and nonproduction environments. | | Separate VPC for production and nonproduction | Different environments are hosted in different Virtual Private Clouds (VPCs). The production environment is deployed in its own VPC, separate from nonproduction environments, with fine-grained Network Access Control Lists (NACLs). |
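The pod-segmentation decision above (network policies enforced by the Red Hat OpenShift SDN) is easiest to see as a concrete manifest. The following is an added example, not part of the pattern's own deliverables: it assumes a hypothetical namespace `webapp` with three tiers labelled `tier=web`, `tier=app` and `tier=db`, and it follows the usual pattern of one default-deny policy plus narrow allow rules. The selector for the OpenShift router relies on the `policy-group.network.openshift.io/ingress` namespace label that OpenShift applies to its ingress namespace; the tier labels, ports and namespace name are constructed for this example.

```yaml
# Added example: default-deny plus tier-to-tier allow rules for a
# hypothetical three-tier web app in the "webapp" namespace.
---
# 1. Deny all ingress to every pod in the namespace. With no allow rule,
#    nothing can reach a pod, so every later policy is an explicit exception.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: webapp
spec:
  podSelector: {}          # empty selector = all pods in the namespace
  policyTypes:
    - Ingress
---
# 2. Only the OpenShift router (which terminates Routes) may reach the web tier.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-router-to-web
  namespace: webapp
spec:
  podSelector:
    matchLabels:
      tier: web
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ""
      ports:
        - protocol: TCP
          port: 8080     # constructed: port the web tier listens on
---
# 3. Only the web tier may reach the app tier, and only on its service port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-app
  namespace: webapp
spec:
  podSelector:
    matchLabels:
      tier: app
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: web
      ports:
        - protocol: TCP
          port: 9090     # constructed: app tier port
---
# 4. Only the app tier may reach the database tier. The web tier has no path
#    to the database at all, which is the point of tiered segmentation.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-db
  namespace: webapp
spec:
  podSelector:
    matchLabels:
      tier: db
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: app
      ports:
        - protocol: TCP
          port: 5432     # constructed: database port
```

Apply with `oc apply -f <file>` and verify with `oc get networkpolicy -n webapp`. Because policies in the same namespace are additive, the default-deny policy only has effect when every required flow is covered by an allow rule; a quick check after rollout is to exec into a `tier=web` pod and confirm that a connection to the database service is refused while the app tier remains reachable.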