Cloud foundation for VPC - Standard (Financial Services edition)

The Standard (Financial Services edition) variation of the Cloud foundation for VPC deployable architecture uses two Virtual Private Clouds (VPCs), a Management VPC and a Workload VPC, to separate management of the environment from the deployed workloads. Each VPC is a multi-zone, multi-subnet implementation that keeps your workloads isolated and secure. This deployable architecture aligns with the VPC reference architecture for IBM Cloud for Financial Services. It provides the following capabilities:

  • Defines multiple subnets in each VPC to carve out IP ranges and organize resources within the network.
  • Includes public gateways that give resources in a subnet outbound connectivity to the public internet (a public gateway does not accept connections initiated from the internet).
  • Creates network ACLs and defines rules that allow or deny traffic between subnets within a VPC.
  • Creates a transit gateway that connects the VPCs to each other, and Virtual Private Endpoints (VPEs) that connect to IBM Cloud services over the private network rather than the public internet.
  • Creates security groups that control inbound and outbound traffic to resources within the VPC.
  • Isolates and speeds traffic to the public internet by using an edge VPC in a specific location, if enabled.
  • Adds the landing zone VPC CRNs to an existing CBR (Context-based restrictions) network zone if the existing CBR zone ID is specified.
  • Enables IBM Cloud Flow Logs for VPC, which collects and stores information about the IP traffic going to and from network interfaces within your VPC. In addition, Activity Tracker logs events from enabled services.
  • Adds key management by integrating IBM Key Protect for IBM Cloud or Hyper Protect Crypto Services. These key management services let you create, manage, and use encryption keys to protect your sensitive data.

For more information about the components of VPCs, see VPC concepts.

For more information on how to create custom CBR (Context-based restrictions) zones and rules, see the CBR module. See the Pre-wired CBR configuration for FS Cloud submodule to create default Financial Services compliant coarse-grained CBR rules.

Architecture diagram

Figure: Architecture diagram for the Standard (Financial Services edition) variation of Cloud foundation for VPC

Design requirements

Figure: Design requirements for VPC landing zone (scope of the design requirements)

Components

VPC architecture decisions

Architecture decisions (columns: Requirement, Component, Reasons for choice, Alternative choice)

Requirement:
  • Provide infrastructure or application administration access to monitor, operate, and maintain the environment
  • Limit the number of infrastructure or application administration entry points to support security auditing
Component: Management VPC service

Requirement:
  • Provide infrastructure for service management components like backup, monitoring, IT service management, and shared storage
  • Help ensure you can reach all IBM Cloud and on-premises services
Component: Workload VPC service

Requirement:
  • Set up the network for all created services
  • Isolate the network for all created services
  • Help ensure all created services are interconnected
Component: Secure landing zone components
Reasons for choice: Create a minimum set of required components for a secure landing zone
Alternative choice: Create a modified set of required components for a secure landing zone in a preset

Network security architecture decisions

Network security architecture decisions (columns: Requirement, Component, Reasons for choice, Alternative choice)

Requirement:
  • Isolate the management VPC and allow only a limited number of network connections
  • All other connections from or to the management VPC are forbidden
Component: ACL and security group rules in the management VPC
Alternative choice: More ports might be opened in a preset or added manually after deployment

Requirement:
  • Isolate the workload VPC and allow only a limited number of network connections
  • All other connections from or to the workload VPC are forbidden
Component: ACL and security group rules in the workload VPC
Alternative choice: More ports might be opened in a preset or added manually after deployment
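The decisions above, together with the ACL and security group capabilities listed earlier on this page, amount to one policy: each VPC allows a limited set of connections, everything else is forbidden, and more ports may be opened later in a preset or by hand. The script below is an added example, not code from the deployable architecture or the IBM Cloud SDK, that audits a rule set against that intent after such later changes. It runs on constructed sample data shaped like the VPC API's security group rule and network ACL rule objects (direction, protocol, port_min/port_max, remote.cidr_block; action, source, destination); the sample rules and the set of expected management ports are assumptions for the example.

```python
"""Audit VPC security-group and network-ACL rule sets against a
"limited set of connections, everything else forbidden" policy.

The rule dictionaries are constructed sample data shaped like the
IBM Cloud VPC API's security group rule and network ACL rule objects;
they are not exported from a real account. EXPECTED_MGMT_PORTS is an
assumption for this example, not a value the architecture prescribes.
"""
from ipaddress import ip_network

# Ports an operator expects the management VPC to expose (assumed).
EXPECTED_MGMT_PORTS = {22, 443}

# Constructed sample: security group rules (stateful, allow-only).
SECURITY_GROUP_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "10.10.0.0/16"}},            # SSH from a private range
    {"direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
     "remote": {"cidr_block": "0.0.0.0/0"}},               # HTTPS from anywhere (expected)
    {"direction": "inbound", "protocol": "all",
     "remote": {"cidr_block": "0.0.0.0/0"}},               # everything from anywhere
    {"direction": "inbound", "protocol": "tcp", "port_min": 3389, "port_max": 3389,
     "remote": {"cidr_block": "0.0.0.0/0"}},               # RDP from anywhere
    {"direction": "outbound", "protocol": "all",
     "remote": {"cidr_block": "0.0.0.0/0"}},
]

# Constructed sample: network ACL rules (stateless, evaluated in listed order).
NETWORK_ACL_RULES = [
    {"action": "allow", "direction": "inbound", "protocol": "tcp",
     "source": "10.10.0.0/16", "destination": "10.20.0.0/16",
     "destination_port_min": 443, "destination_port_max": 443},
    {"action": "deny", "direction": "inbound", "protocol": "all",
     "source": "0.0.0.0/0", "destination": "0.0.0.0/0"},
    {"action": "allow", "direction": "outbound", "protocol": "all",
     "source": "0.0.0.0/0", "destination": "0.0.0.0/0"},
    {"action": "deny", "direction": "outbound", "protocol": "tcp",
     "source": "0.0.0.0/0", "destination": "0.0.0.0/0",
     "destination_port_min": 25, "destination_port_max": 25},  # shadowed by the allow-all
]


def world_open(cidr):
    """True for a /0 prefix (0.0.0.0/0 or ::/0), which matches every address."""
    if not cidr:
        return False
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def port_range(rule):
    """Ports a tcp/udp rule covers; None when the protocol has no ports."""
    if rule.get("protocol") not in ("tcp", "udp"):
        return None
    return range(rule.get("port_min", 1), rule.get("port_max", 65535) + 1)


def audit_security_group(rules, expected_ports):
    """Flag inbound rules that expose unexpected ports to the whole internet."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("direction") != "inbound":
            continue
        cidr = rule.get("remote", {}).get("cidr_block")
        if not world_open(cidr):
            continue  # specific CIDR, single address, or another security group
        ports = port_range(rule)
        if ports is None:
            findings.append(f"rule {i}: {rule['protocol']} from {cidr} on every port")
            continue
        unexpected = sorted(set(ports) - set(expected_ports))
        if unexpected:
            findings.append(f"rule {i}: {rule['protocol']} from {cidr} opens unexpected ports {unexpected[:5]}")
    return findings


def audit_network_acl(rules):
    """Per direction, require an explicit catch-all deny as the last rule and
    report any catch-all (allow or misplaced deny) that shadows later rules."""
    findings = []
    for direction in ("inbound", "outbound"):
        ordered = [(i, r) for i, r in enumerate(rules) if r.get("direction") == direction]
        catch_all = [(i, r) for i, r in ordered
                     if r.get("protocol") == "all"
                     and world_open(r.get("source")) and world_open(r.get("destination"))]
        if not catch_all:
            findings.append(f"{direction}: no explicit deny-all terminal rule")
            continue
        first, rule = catch_all[0]
        later = [i for i, _ in ordered if i > first]
        if rule.get("action") == "allow":
            findings.append(f"rule {first}: {direction} allow-all from anywhere; later rules {later} never match")
        elif later:
            findings.append(f"rule {first}: {direction} deny-all is not last; later rules {later} never match")
    return findings


def audit(sg_rules=SECURITY_GROUP_RULES, acl_rules=NETWORK_ACL_RULES,
          expected_ports=EXPECTED_MGMT_PORTS):
    """Run both audits and return findings keyed by rule-set kind."""
    return {"security_group": audit_security_group(sg_rules, expected_ports),
            "network_acl": audit_network_acl(acl_rules)}


if __name__ == "__main__":
    for kind, items in audit().items():
        for item in items:
            print(f"[{kind}] {item}")
```

Security groups are stateful and allow-only, so the question there is simply what the internet can reach; the script flags rule 2 (all protocols from 0.0.0.0/0) and rule 3 (RDP from anywhere) but accepts HTTPS because it is in the expected set. Network ACLs are stateless and evaluated in order, so the question is rule order: an allow-all placed before a deny makes the deny unreachable, and the script insists on an explicit deny-all at the end of each direction so the outcome does not rest on whatever the default is for unmatched traffic.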
Load VPN configuration to simplify VPN setup VPNs VPN configuration is the responsibility of the customer

Next steps