
Red Hat OpenShift Container Platform on VPC landing zone

Red Hat OpenShift Container Platform on VPC landing zone is a deployable architecture solution that is based on the IBM Cloud for Financial Services reference architecture. It creates secure and compliant Red Hat OpenShift Container Platform workload clusters on a Virtual Private Cloud (VPC) network.

Architecture diagram

[Image: Architecture diagram of the OpenShift Container Platform on VPC deployable architecture]
Figure 1. Single region architecture diagram for Red Hat OpenShift Container Platform on VPC on IBM Cloud

Design requirements

[Image: Design requirements for Secure infrastructure on VPC for regulated industries]
Figure 2. Scope of the design requirements

Components

VPC architecture decisions

Table 1. Architecture decisions

Requirement: Provide access management and tooling for the workload that is deployed in the workload VPC
Component: Management VPC service
Reasons for choice: Create a separate VPC service where SSH connectivity from outside is allowed

Requirement: Provide compute, storage, and network services to support hosted applications and operations that deliver services to the consumer
Component: Workload VPC service
Reasons for choice: Create a separate VPC service as an isolated environment, without direct public internet connectivity and without direct SSH access

Requirement:
  • Demonstrate compliance with control requirements of the IBM Cloud Framework for Financial Services
  • Set up the network for all created services
  • Isolate the network for all created services
  • Ensure that all created services are interconnected
Component: Secure landing zone components
Reasons for choice: Create a minimum set of required components for a secure landing zone
Alternative choice: Create a modified set of required components for a secure landing zone in a preset

Network security architecture decisions

Table 2. Network security architecture decisions

Requirement:
  • Isolate the management VPC and allow only a limited number of network connections
  • All other connections from or to the management VPC are forbidden
Component: ACL and security group rules in the management VPC
Alternative choice: More ports might be opened in a preset or added manually after deployment

Requirement:
  • Isolate the workload VPC and allow only a limited number of network connections
  • All other connections from or to the workload VPC are forbidden
Component: ACL and security group rules in the workload VPC
Reasons for choice: Open the following ports by default: 53 (DNS service). All ports to other VPCs are open.
Alternative choice: More ports might be opened in a preset or added manually after deployment

Requirement: Enable a floating IP on the bastion host to execute the deployment
Component: Floating IPs on the bastion host in the management VPC
Reasons for choice: Use the floating IP on the bastion host from IBM Schematics to complete the deployment

Requirement: Load a VPN configuration to simplify VPN setup
Component: VPNs
Alternative choice: VPN configuration is the responsibility of the customer

Requirement: Collect and store Internet Protocol (IP) traffic information with Activity Tracker and Flow Logs
Component: Activity Tracker

Requirement: Securely connect to multiple networks with a site-to-site virtual private network
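The workload VPC decision above can be turned into a drift check: every allow rule in the workload VPC ACL should either be DNS (port 53) or point at another landing-zone VPC, and each direction should end in a catch-all deny. The following audit is an added example, not code from IBM Cloud or the deployable architecture; the rule dictionary shape, the rule names and the VPC CIDRs (10.10.0.0/16 for management, 10.20.0.0/16 for workload) are constructed for the illustration and are not the IBM Cloud API format.

```python
"""Audit a flattened network ACL rule list against the workload-VPC decisions:
only DNS (port 53) is open by default, all ports to the other landing-zone
VPCs are open, and everything else must be denied. Added example; the rule
format and addresses below are constructed, not the IBM Cloud API format."""
import ipaddress

# Assumption: CIDRs of the landing-zone VPCs that may talk to each other freely.
PEER_VPC_CIDRS = ["10.10.0.0/16", "10.20.0.0/16"]  # constructed
DNS_PORT = 53
ANY = "0.0.0.0/0"


def _in_peer_vpc(cidr, peers):
    """True if the remote CIDR lies inside one of the landing-zone VPCs."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in peers)


def _is_catch_all(rule):
    """A deny rule that matches all traffic in its direction."""
    return (rule["source"] == ANY and rule["destination"] == ANY
            and rule.get("protocol", "all") == "all")


def rule_is_allowed_by_policy(rule, peers):
    """True if an allow rule is covered by the stated decisions:
    any port towards a peer VPC, otherwise only TCP/UDP port 53."""
    remote = rule["destination"] if rule["direction"] == "outbound" else rule["source"]
    if _in_peer_vpc(remote, peers):
        return True
    return (rule.get("protocol") in ("tcp", "udp")
            and rule.get("port_range") == (DNS_PORT, DNS_PORT))


def audit_acl(rules, peers=PEER_VPC_CIDRS):
    """Return (rule_name, reason) pairs for policy violations. ACL rules are
    evaluated in order, so an allow placed after the catch-all deny is dead
    and is reported as shadowed; a direction without a catch-all deny is
    reported as well."""
    violations = []
    deny_all_seen = {"inbound": False, "outbound": False}
    for r in rules:
        d = r["direction"]
        if r["action"] == "deny":
            if _is_catch_all(r):
                deny_all_seen[d] = True
            continue
        if deny_all_seen[d]:
            violations.append((r["name"], "shadowed by earlier deny-all"))
        elif not rule_is_allowed_by_policy(r, peers):
            violations.append((r["name"], "allow rule outside DNS/peer-VPC policy"))
    for d, seen in deny_all_seen.items():
        if not seen:
            violations.append((f"<{d}>", "no catch-all deny rule"))
    return violations


# Constructed sample: a workload-VPC ACL that matches Table 2.
COMPLIANT_RULES = [
    {"name": "allow-dns-in", "direction": "inbound", "action": "allow", "protocol": "udp",
     "source": ANY, "destination": "10.20.0.0/16", "port_range": (53, 53)},
    {"name": "allow-mgmt-in", "direction": "inbound", "action": "allow", "protocol": "all",
     "source": "10.10.0.0/16", "destination": "10.20.0.0/16"},
    {"name": "deny-all-in", "direction": "inbound", "action": "deny", "protocol": "all",
     "source": ANY, "destination": ANY},
    {"name": "allow-dns-out", "direction": "outbound", "action": "allow", "protocol": "udp",
     "source": "10.20.0.0/16", "destination": ANY, "port_range": (53, 53)},
    {"name": "allow-mgmt-out", "direction": "outbound", "action": "allow", "protocol": "all",
     "source": "10.20.0.0/16", "destination": "10.10.0.0/16"},
    {"name": "deny-all-out", "direction": "outbound", "action": "deny", "protocol": "all",
     "source": ANY, "destination": ANY},
]

# Constructed sample: the same ACL after someone added SSH from the internet.
DRIFTED_RULES = COMPLIANT_RULES[:2] + [
    {"name": "allow-ssh-in", "direction": "inbound", "action": "allow", "protocol": "tcp",
     "source": ANY, "destination": "10.20.0.0/16", "port_range": (22, 22)},
] + COMPLIANT_RULES[2:]

if __name__ == "__main__":
    print("compliant:", audit_acl(COMPLIANT_RULES))
    print("drifted:  ", audit_acl(DRIFTED_RULES))
```

The check deliberately treats "all ports to other VPCs are open" as a whitelist of peer CIDRs rather than trusting the rule's own name, and it reports a missing or misplaced catch-all deny separately, since an ACL whose last rule is not a deny silently falls through to the VPC default.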

Next steps

If you plan to use Red Hat OpenShift on IBM Cloud, explore a more detailed view of the VPC reference architecture with Red Hat OpenShift on IBM Cloud.