IBM Cloud Docs
VPC landing zone - Standard variation

The Standard variation of the VPC landing zone deployable architecture uses two Virtual Private Clouds (VPCs), a Management VPC and a Workload VPC, to manage the environment and the deployed workload. Each VPC is a multi-zone, multi-subnet implementation that keeps your workloads secure. A transit gateway connects the VPCs to each other, and Virtual Private Endpoints are used to connect to IBM Cloud services.

IBM Cloud Flow Logs for VPC enables the collection and storage of information about the internet protocol (IP) traffic that is going to and from network interfaces within your VPC. In addition, Activity Tracker logs events from enabled services. IBM Cloud Flow Logs for VPC and Activity Tracker are included in this deployable architecture. You can add more security services, such as Hyper Protect Crypto Services.

Architecture diagram

Figure 1. Standard variation of VPC landing zone (architecture diagram)

Design requirements

Figure 2. Scope of the design requirements (design requirements for VPC landing zone)

Components

VPC architecture decisions

Table 1. Architecture decisions

| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| • Provide infrastructure/application administration access to monitor, operate, and maintain the environment. • Limit the number of infrastructure/application administration entry points to ensure security audit. | Management VPC service | | |
| • Provide infrastructure for service management components like backup, monitoring, IT service management, shared storage. • Ensure you can reach all IBM Cloud and on-premises services. | Workload VPC service | | |
| • Set up network for all created services. • Isolate network for all created services. • Ensure all created services are interconnected. | Secure landing zone components | Create a minimum set of required components for a secure landing zone | Create a modified set of required components for a secure landing zone in preset |

Network security architecture decisions

Table 2. Network security architecture decisions

| Requirement | Component | Reasons for choice | Alternative choice |
|---|---|---|---|
| • Isolate management VPC and allow only a limited number of network connections. • All other connections from or to management VPC are forbidden. | ACL and security group rules in management VPC | | More ports might be opened in preset or added manually after deployment |
| • Isolate workload VPC and allow only a limited number of network connections. • All other connections from or to workload VPC are forbidden. | ACL and security group rules in workload VPC | | More ports might be opened in preset or added manually after deployment |
| Load VPN configuration to simplify VPN setup | VPNs | | VPN configuration is the responsibility of the customer |
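The ACL decisions in Table 2 (admit only a limited set of connections into each VPC, forbid all others) can be checked before deployment by replaying sample flows through the rule set. The following is an added example, not IBM's code or part of the deployable architecture: a small evaluator for ordered, stateless network ACL rules. The CIDRs, ports, rule names and flows are constructed placeholders, and treating a packet that matches no rule as denied is a modelling assumption.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:  # one ACL rule; fields follow the VPC network ACL rule attributes
    name: str
    action: str            # "allow" or "deny"
    direction: str         # "inbound" or "outbound"
    source: str            # CIDR
    destination: str       # CIDR
    protocol: str = "all"  # "all", "tcp", "udp" or "icmp"
    port_min: int = 1      # destination port range, applied to tcp/udp only
    port_max: int = 65535
@dataclass(frozen=True)
class Flow:  # one packet, shaped like a Flow Logs for VPC record (constructed)
    direction: str
    src: str
    dst: str
    protocol: str
    dport: int
def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, flow):
    """First matching rule decides (ordered, stateless); no match is treated as deny (assumption)."""
    for r in rules:
        if r.direction != flow.direction or r.protocol not in ("all", flow.protocol):
            continue
        if not (_in_cidr(flow.src, r.source) and _in_cidr(flow.dst, r.destination)):
            continue
        if flow.protocol in ("tcp", "udp") and not (r.port_min <= flow.dport <= r.port_max):
            continue
        return r.action, r.name
    return "deny", "implicit-deny"

# Constructed CIDRs: management VPC, workload VPC, and the subnet that holds the VPEs.
MGMT_CIDR, WORKLOAD_CIDR, VPE_CIDR = "10.10.0.0/16", "10.20.0.0/16", "10.10.250.0/24"
# Management VPC inbound ACL: admit only workload HTTPS and VPE replies, deny everything else.
MGMT_INBOUND_ACL = [
    Rule("allow-workload-https", "allow", "inbound", WORKLOAD_CIDR, MGMT_CIDR, "tcp", 443, 443),
    Rule("allow-vpe-replies", "allow", "inbound", VPE_CIDR, MGMT_CIDR, "tcp", 1024, 65535),
    Rule("deny-all", "deny", "inbound", "0.0.0.0/0", "0.0.0.0/0"),
]
SAMPLE_FLOWS = [  # constructed flows; the ACL should admit only the first one
    ("workload-to-mgmt-https", Flow("inbound", "10.20.1.5", "10.10.1.10", "tcp", 443)),
    ("workload-to-mgmt-ssh", Flow("inbound", "10.20.1.5", "10.10.1.10", "tcp", 22)),
    ("internet-to-mgmt-https", Flow("inbound", "203.0.113.7", "10.10.1.10", "tcp", 443)),
]
def admitted(rules, flows):
    """Names of the flows the ACL lets through; anything not returned is blocked."""
    return [name for name, f in flows if evaluate(rules, f)[0] == "allow"]
```

Feeding real flow-log records through the same evaluator after deployment gives a quick check that the deployed rule order still matches the intended isolation.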