Cloud foundation for VPC - Standard (Integrated setup with configurable services)

The Cloud foundation for VPC deployable architecture sets up a foundational IBM Cloud Virtual Private Cloud (VPC) environment with full configurability and flexibility. This deployable architecture provides complete control over VPC configuration, including subnets, network ACLs, security groups, public gateways, VPN gateways, and VPE gateways. Unlike pre-configured variations, this solution allows you to customize every aspect of your VPC infrastructure to meet specific requirements.

This deployable architecture strengthens applications by built-in enterprise-grade security, observability, and compliance features. It has default integration with encryption service via Key Protect, storage through Cloud Object Storage, observability tools such as Cloud Logs, Cloud Monitoring, and Activity Tracker, and compliance support from the Security and Compliance Center Workload Protection. Together, these services ensure robust protection, comprehensive monitoring, and regulatory compliance for your VPC infrastructure. This architecture lays the groundwork for adding Virtual Server Instances (VSI), Red Hat OpenShift clusters, and other advanced resources. It can be used as a base deployable architecture for many other solutions or as a standalone VPC infrastructure deployment.

Architecture diagram

Design requirements

Components

VPC architecture decisions

VPC architecture decisions
Requirement	Component	Reasons for choice	Alternative choice
Provide flexible VPC infrastructure foundation Support diverse workload requirements Enable customization for specific use cases	Standard VPC	Offers complete control over VPC configuration including subnets, zones, and networking components	Use pre-configured VPC patterns with limited customization options
Create isolated network segments Support multi-zone deployments Enable proper subnet planning	Configurable subnets	Create one to three zones with customizable subnet configurations in each zone	Use default subnet configurations
Control network traffic at subnet level Implement security policies Meet compliance requirements	Network ACLs	Create network ACLs with multiple customizable rules (up to 25 rules per ACL)	Use default VPC ACL rules
Manage instance-level security Control application traffic Implement fine-grained access control	Security groups	Configurable security group rules for precise traffic control	Use default security group settings

Network connectivity architecture decisions

Network connectivity architecture decisions
Requirement	Component	Reasons for choice	Alternative choice
Enable internet access for VPC resources Support hybrid cloud architectures Provide controlled external connectivity	Public gateways	Optionally create public gateways in each zone for internet access	Deploy without public gateways for private-only environments
Establish secure connections to on-premises Support hybrid cloud deployments Enable encrypted site-to-site connectivity	VPN gateways	Create VPN gateways with configurable connections for secure hybrid connectivity	Use IBM Cloud Direct Link or other connectivity options
Access IBM Cloud services privately Avoid public internet traffic Improve security and performance	VPE gateways	Create Virtual Private Endpoints for private access to IBM Cloud services	Access services over public internet
Support advanced DNS scenarios Enable cross-VPC communication Implement hub-and-spoke topologies	DNS configuration	Configurable hub and spoke DNS-sharing model with custom resolvers	Use default VPC DNS settings

Flexibility and customization architecture decisions

Flexibility and customization architecture decisions
Requirement	Component	Reasons for choice	Alternative choice
Support various deployment patterns Enable integration with existing infrastructure Provide deployment flexibility	Existing VPC support	Option to deploy into existing VPC infrastructure	Always create new VPC
Meet diverse addressing requirements Support different network topologies Enable custom IP planning	Address prefix management	Configurable address prefixes with manual or automatic management	Use only automatic address prefix assignment
Support different compliance requirements Enable various security configurations Provide deployment options	Clean default configurations	Option to clean default security group and ACL rules	Keep default rules
Enable resource organization Support governance requirements Implement resource management	Resource groups and tagging	Configurable resource groups and comprehensive tagging support	Use default resource organization

Key features

The Standard - Integrated setup with configurable services variation provides comprehensive control over:

Core VPC Infrastructure

VPC creation and configuration: Complete control over VPC settings including classic access and DNS configuration
Multi-zone deployment: Support for deployments across multiple availability zones
Address prefix management: Flexible address prefix configuration for custom IP planning

Networking Components

Subnets: Create and configure subnets across zones with custom CIDR blocks
Network ACLs: Define custom network access control rules for subnet-level security
Security groups: Configure instance-level firewall rules for application security
Public gateways: Optional internet access configuration per zone

Advanced Connectivity

VPN gateways: Establish secure site-to-site connections to on-premises environments
VPE gateways: Private connectivity to IBM Cloud services without internet traversal
DNS configuration: Advanced DNS settings including hub-and-spoke DNS sharing

Enterprise Features

Resource management: Comprehensive resource group and tagging capabilities
Compliance support: Configurable security settings to meet various compliance requirements
Integration ready: Designed as a foundation for additional IBM Cloud services and workloads