VPC landing zone architecture for Power Virtual Server
The Power Virtual Server with VPC landing zone makes use of the Terraform IBM Module - VPC Landing Zone.
As part of the automation, an override JSON preset is passed to this module. The JSON preset defines which VPC components are created.
Resource Type | Optional | Description |
---|---|---|
VPC | | Edge VPC: ACL, security groups, SSH key and 4 subnets |
Intel VSI | | Jump box with 2 cores and 4 GB memory running RHEL 9.4, with a floating IP attached |
Intel VSI | | Network services host running RHEL 9.4, configured as squid proxy, NTP and DNS server (using the Ansible Galaxy collection roles IBM Power Linux for SAP). Also configured as the central Ansible execution node. Default size is 2 cores and 4 GB memory; it can be customized. |
Intel VSI | Yes | Monitoring host running SLES 15 SP5 to collect metrics and forward them to the IBM Cloud Monitoring instance |
Virtual Private Endpoint Gateway | | A Virtual Private Endpoint Gateway to reach the Cloud Object Storage bucket |
Flow Logs for VPC | | Flow Logs for VPC enables the collection, storage, and presentation of information about the Internet Protocol (IP) traffic going to and from network interfaces within your VPC |
Key Protect | | Key Protect provides key management by integrating the IBM Key Protect for IBM Cloud service. These key management services help you create, manage, and use encryption keys to protect your sensitive data |
Transit Gateway | | Global or local Transit Gateway to interconnect the VPC and the Power Virtual Server workspace |
Cloud Object Storage | | Cloud Object Storage instance, buckets and credentials are created |
ACL
The ACL rules for the Edge VPC allow all traffic.
Inbound rules
Priority | Allow or deny | Protocol | Source | Destination |
---|---|---|---|---|
1 | Allow | ALL | ANY IP | ANY IP |
Outbound rules
Priority | Allow or deny | Protocol | Source | Destination |
---|---|---|---|---|
1 | Allow | ALL | ANY IP | ANY IP |
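As an added check that is not part of the original page or the landing-zone module, the following Python flags an ACL rule set that admits all traffic in a direction, as the Edge VPC rules above do. The rule field names and the tightened variant are constructed assumptions for this example, not the module's preset schema.

```python
import ipaddress

# Constructed rule sets for this example; the field names are an assumption,
# not the landing-zone module's schema. EDGE_ACL mirrors the page's Edge VPC
# table: priority 1, allow, all protocols, any source and destination, both ways.
EDGE_ACL = {"name": "edge-acl", "rules": [
    {"priority": 1, "direction": "inbound", "action": "allow",
     "protocol": "all", "source": "0.0.0.0/0", "destination": "0.0.0.0/0"},
    {"priority": 1, "direction": "outbound", "action": "allow",
     "protocol": "all", "source": "0.0.0.0/0", "destination": "0.0.0.0/0"},
]}

# Constructed tightened variant: inbound only from the 10.30.0.0/16 range the
# page's subnets live in, then deny everything else; outbound left open.
RESTRICTED_ACL = {"name": "edge-acl-restricted", "rules": [
    {"priority": 1, "direction": "inbound", "action": "allow",
     "protocol": "all", "source": "10.30.0.0/16", "destination": "0.0.0.0/0"},
    {"priority": 2, "direction": "inbound", "action": "deny",
     "protocol": "all", "source": "0.0.0.0/0", "destination": "0.0.0.0/0"},
    {"priority": 1, "direction": "outbound", "action": "allow",
     "protocol": "all", "source": "0.0.0.0/0", "destination": "0.0.0.0/0"},
]}

def is_wildcard(rule):
    """True when the rule matches every packet: all protocols, any src, any dst."""
    any_src = ipaddress.ip_network(rule["source"]).prefixlen == 0
    any_dst = ipaddress.ip_network(rule["destination"]).prefixlen == 0
    return rule["protocol"].lower() == "all" and any_src and any_dst

def open_directions(acl):
    """Directions in which the ACL admits traffic from arbitrary addresses.

    ACL rules are evaluated in ascending priority, first match wins and unmatched
    traffic is denied, so the first wildcard rule per direction decides whether
    addresses not covered by earlier, narrower rules get through.
    """
    exposed = []
    for direction in ("inbound", "outbound"):
        rules = sorted((r for r in acl["rules"] if r["direction"] == direction),
                       key=lambda r: r["priority"])
        for rule in rules:
            if is_wildcard(rule):
                if rule["action"] == "allow":
                    exposed.append(direction)
                break  # later rules in this direction are shadowed
    return exposed

if __name__ == "__main__":
    print(open_directions(EDGE_ACL), open_directions(RESTRICTED_ACL))
```

Because the Edge VPC ACL is open in both directions, the security groups below are the only network-layer restriction on the Intel VSIs and the VPE.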
Security Groups
The security groups are created and attached to the correct subnets, VPE and VPN. For the management security group, 25 Schematics IP addresses are added to the inbound rules. This is required to allow SSH login from Schematics to the Intel VSIs to perform OS configuration using Ansible playbooks.
Security Group Rules
Name | Source | Protocol: Value | Attached resources |
---|---|---|---|
management-sg | | | prefix-jump-box-001 VSI |
network-services-sg | | | prefix-network-services-001 VSI, load balancer, mount share targets |
vpe-sg | | | Cloud Object Storage |
Private networks
The following table lists the private networks that the deployment automation creates in the Edge VPC, with their default values.
Subnet Name | Private network | IP address ranges |
---|---|---|
prefix-edge-vpn-zone-1 | Private network for VPN server | 10.30.10.0/24 |
prefix-edge-vsi-management-zone-1 | Management network for Bastion virtual server instance | 10.30.20.0/24 |
prefix-edge-vpe-zone-1 | Private network for Cloud Object storage VPE | 10.30.30.0/24 |
prefix-edge-vsi-edge-zone-1 | Private network for Network services VSI. This subnet has public gateway enabled. | 10.30.40.0/24 |
Additional Resources
The following table provides an overview of the cloud services that are created in addition to those handled by the VPC landing zone module.
Resource Type | Optional | Description |
---|---|---|
IBM Cloud Monitoring | Yes | Monitoring collects metrics to provide a web UI to monitor the performance and overall system health of the deployment. Interconnects with IBM Cloud Security and Compliance Center Workload Protection if used. |
IBM Cloud Security and Compliance Center Workload Protection | Yes | Workload Protection can be used to find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run. Interconnects with Monitoring if used. |
Client to site VPN Server, Secrets Manager | Yes | The client-to-site VPN server provides client-to-site connectivity, which allows remote devices to securely connect to the VPC network using an OpenVPN software client. A Secrets Manager instance is deployed along with the VPN server to store the VPN certificate |
File storage share, Application load balancer | Yes | NFS as a service: an Application Load Balancer is deployed along with the File Storage share so that the share can be accessed by IP from Power Virtual Server |