IBM Cloud Docs
VPC landing zone architecture for Power Virtual Server

The Power Virtual Server with VPC landing zone makes use of the Terraform IBM Module - VPC Landing Zone.

As part of the automation, an override JSON preset is passed to this module. The preset defines which VPC components are created and how they are configured, so the tables in this section describe the preset's defaults rather than everything the module can do.

VPC Landing Zone Components

Resource Type | Optional | Description
VPC | | Edge VPC: ACL, security groups, SSH key and 4 subnets
Intel VSI | | Jump box with 2 cores and 4 GB memory running RHEL 9.4, with a floating IP attached
Intel VSI | | Network services VSI running RHEL 9.4, configured as Squid proxy, NTP server and DNS server (using the Ansible Galaxy collection roles from IBM Power Linux for SAP). Also configured as the central Ansible execution node. Default size is 2 cores and 4 GB memory; it can be customized.
Intel VSI | Yes | Monitoring host running SLES 15 SP5 to collect metrics and forward them to the IBM Cloud Monitoring instance
Virtual Private Endpoint Gateway | | A Virtual Private Endpoint Gateway to reach the Cloud Object Storage bucket
Flow Logs for VPC | | Flow Logs for VPC enables the collection, storage and presentation of information about the IP traffic going to and from network interfaces within your VPC
Key Protect | | Key Protect provides key management by integrating the IBM Key Protect for IBM Cloud service. These key management services help you create, manage and use encryption keys to protect your sensitive data
Transit Gateway | | Global or local Transit Gateway to interconnect the VPC and the Power Virtual Server workspace
Cloud Object Storage | | Cloud Object Storage instance, buckets and credentials are created

ACL

The ACL rules for the Edge VPC allow all traffic in both directions. The network ACL therefore restricts nothing; the security groups described in the next section are the effective network filter for the landing zone resources, so any change to reachability must be made there.

Inbound rules

Inbound ACL rules

Priority | Allow or deny | Protocol | Source | Destination
1 | Allow | ALL | ANY IP | ANY IP

Outbound rules

Outbound ACL rules

Priority | Allow or deny | Protocol | Source | Destination
1 | Allow | ALL | ANY IP | ANY IP

Security Groups

The security groups are created and attached to the corresponding subnets, the VPE and the VPN server. For the management security group, 25 Schematics IP addresses are added to the inbound rules. This is required so that Schematics can log in over SSH to the Intel VSIs and perform OS configuration using Ansible playbooks. Security groups are stateful and default-deny: a flow is admitted only if an inbound rule matches its source and protocol, which is why the jump box only accepts TCP 22 from the listed ranges while the internal security groups admit all protocols from the private ranges.

Security Group Rules

SG rules (inbound; one row per source)

Name | Source | Protocol: Value | Attached resources
management-sg | Schematics IP addresses | TCP: 22 | prefix-jump-box-001 VSI
management-sg | IBM inbound 161.26.0.0/16 | ALL: - | prefix-jump-box-001 VSI
management-sg | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | TCP: 22 | prefix-jump-box-001 VSI
management-sg | Optional user-provided IP address/CIDR | TCP: 22 | prefix-jump-box-001 VSI
network-services-sg | IBM inbound 161.26.0.0/16 | ALL: - | prefix-network-services-001 VSI, load balancer, mount share targets
network-services-sg | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | ALL: - | prefix-network-services-001 VSI, load balancer, mount share targets
vpe-sg | IBM inbound 161.26.0.0/16 | ALL: - | Cloud Object Storage VPE
vpe-sg | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | ALL: - | Cloud Object Storage VPE
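The following Python is an added example and is not part of the landing zone automation. It models the inbound rules from the table above as data, evaluates whether a given source, protocol and port would be admitted by each security group (the same first-match, default-deny logic the rules imply), and audits the rule set for sources this design should never contain. The 25 Schematics addresses are not listed on this page, so an RFC 5737 documentation range stands in for them, and the user-provided CIDR is an assumption; both are marked in the code.

```python
import ipaddress
from dataclasses import dataclass

# Source ranges as documented for the landing zone security groups.
IBM_INBOUND = "161.26.0.0/16"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Assumptions: the 25 Schematics addresses are not listed on the page, so an
# RFC 5737 documentation range stands in for them; the user CIDR is invented.
SCHEMATICS_PLACEHOLDER = ("198.51.100.0/24",)
USER_CIDR = "203.0.113.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # source CIDR the rule admits
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_min: int = 1      # destination port range; ignored when protocol == "all"
    port_max: int = 65535


def landing_zone_rules():
    """Inbound rules per security group, one Rule per (source, protocol) pair."""
    mgmt = [Rule("schematics-ssh", c, "tcp", 22, 22) for c in SCHEMATICS_PLACEHOLDER]
    mgmt.append(Rule("ibm-inbound", IBM_INBOUND, "all"))
    mgmt += [Rule("private-ssh", c, "tcp", 22, 22) for c in RFC1918]
    mgmt.append(Rule("user-ssh", USER_CIDR, "tcp", 22, 22))

    internal = [Rule("ibm-inbound", IBM_INBOUND, "all")]
    internal += [Rule("private-all", c, "all") for c in RFC1918]
    return {
        "management-sg": mgmt,
        "network-services-sg": list(internal),
        "vpe-sg": list(internal),
    }


def allowed(rules, src_ip, protocol, port=None):
    """Return the name of the first rule admitting the flow, or None (default deny)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip not in ipaddress.ip_network(r.source):
            continue
        if r.protocol == "all":
            return r.name
        if r.protocol == protocol and (port is None or r.port_min <= port <= r.port_max):
            return r.name
    return None


def audit(all_rules, allowlisted_public=(IBM_INBOUND,)):
    """Flag rules that should not appear in this design: any 0.0.0.0/0 source,
    and all-protocol rules from a range that is neither RFC 1918 nor the
    documented IBM service range."""
    private = [ipaddress.ip_network(c) for c in RFC1918]
    allow = [ipaddress.ip_network(c) for c in allowlisted_public]
    findings = []
    for sg, rules in all_rules.items():
        for r in rules:
            net = ipaddress.ip_network(r.source)
            if net.prefixlen == 0:
                findings.append((sg, r.name, "source is 0.0.0.0/0"))
            elif (r.protocol == "all" and net not in allow
                  and not any(net.subnet_of(p) for p in private)):
                findings.append((sg, r.name, "all protocols from a non-private source"))
    return findings


if __name__ == "__main__":
    sgs = landing_zone_rules()
    print(allowed(sgs["management-sg"], "10.1.2.3", "tcp", 22))   # private-ssh
    print(allowed(sgs["management-sg"], "10.1.2.3", "tcp", 443))  # None
    print(audit(sgs))                                              # []
    # Drift scenario: someone opens SSH on the jump box to the whole internet.
    sgs["management-sg"].append(Rule("open-ssh", "0.0.0.0/0", "tcp", 22, 22))
    print(audit(sgs))
```

The audit deliberately does not flag TCP 22 from a public user CIDR, because the design allows exactly that; it flags only what the tables never permit. The same rule model can be fed from the live security groups (for example, from the output of the IBM Cloud CLI or the VPC API) to detect drift after deployment.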

Private networks

The following table lists the private networks that the deployment automation creates in the Edge VPC, with their default address ranges.

Private networks IP address ranges

Subnet name | Private network | IP address range
prefix-edge-vpn-zone-1 | Private network for the VPN server | 10.30.10.0/24
prefix-edge-vsi-management-zone-1 | Management network for the bastion (jump box) virtual server instance | 10.30.20.0/24
prefix-edge-vpe-zone-1 | Private network for the Cloud Object Storage VPE | 10.30.30.0/24
prefix-edge-vsi-edge-zone-1 | Private network for the network services VSI. This subnet has a public gateway enabled. | 10.30.40.0/24

Additional Resources

The following table provides an overview of the cloud services that are created in addition to those handled by the VPC landing zone module.

Additional Cloud Services

Resource Type | Optional | Description
IBM Cloud Monitoring | Yes | Monitoring collects metrics and provides a web UI to monitor the performance and overall system health of the deployment. Interconnects with IBM Cloud Security and Compliance Center Workload Protection if that is used.
IBM Cloud Security and Compliance Center Workload Protection | Yes | Workload Protection can be used to find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions and compliance from source to run. Interconnects with Monitoring if that is used.
Client-to-site VPN server, Secrets Manager | Yes | The client-to-site VPN server provides client-to-site connectivity, which allows remote devices to securely connect to the VPC network using an OpenVPN software client. A Secrets Manager instance is deployed along with the VPN server to store the VPN certificate.
File storage share, Application load balancer | Yes | NFS as a service. An Application Load Balancer is deployed along with the file storage share so that the share IP can be reached from Power Virtual Server.