IBM Cloud Docs
Public frontend and private backend in a Virtual Private Cloud

This tutorial may incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.

This tutorial walks you through creating your own IBM Cloud® Virtual Private Cloud (VPC) with multiple subnets and a virtual server instance (VSI) in each subnet. A VPC is your own, private cloud on shared cloud infrastructure with logical isolation from other virtual networks.

A subnet is an IP address range. It is bound to a single zone and cannot span multiple zones or regions. For the purposes of VPC, the important characteristic of a subnet is the fact that subnets can be isolated from one another, as well as being interconnected in the usual way. Subnet isolation can be accomplished by Security Groups that act as firewalls to control inbound and outbound traffic for one or more virtual server instances.

A good practice is to have a subnet used for resources that must be exposed to the outside world. Resources with restricted access that should never be directly accessed from the outside world are placed within a different subnet. Instances on such a subnet could be your backend database or some secret store that you do not want to be publicly accessible. You will define Security Groups to allow or deny traffic to the VSIs.

In short, using VPC you can:

  • create a software-defined network (SDN),
  • isolate workloads,
  • have fine control of inbound and outbound traffic.

Objectives

  • Understand the infrastructure objects available for virtual private clouds
  • Learn how to create a virtual private cloud, subnets and server instances
  • Know how to apply security groups to secure access to the servers

Architecture
Architecture diagram of the tutorial

  1. The admin (DevOps) sets up the required infrastructure (VPC, subnets, security groups with rules, VSIs) on the cloud.
  2. The internet user makes an HTTP/HTTPS request to the web server on the frontend.
  3. The frontend requests private resources from the secured backend and serves results to the user.

Before you begin

  • Check for user permissions. Be sure that your user account has sufficient permissions to create and manage VPC resources. See the list of required permissions for VPC.
  • You need an SSH key to connect to the virtual servers. If you don't have an SSH key, see the instructions for creating a key for VPC.

Create a Virtual Private Cloud and subnets

To tighten the security of your servers, it is recommended to only allow connections to the ports required by the applications deployed on the servers. In this tutorial, the application will be a web server, thus it will only need to allow inbound connections on port 80.

To perform maintenance tasks on these servers, such as installing software or performing operating system upgrades, you will go through a bastion host. A bastion host is an instance that is provisioned with a public IP address and can be accessed via SSH. Once set up, the bastion host acts as a jump server, allowing a secure connection to instances provisioned in the VPC.

In this section, you will create the VPC and the bastion host.

This tutorial also comes with companion shell scripts and a Terraform template that can be used to generate the resources you will create using the UI below. They are available in this GitHub repository.

  1. Navigate to the Virtual Private Clouds page and click on Create.
  2. Under New Virtual Private Cloud section:
    1. Enter vpc-pubpriv as name for your VPC.
    2. Select a Resource group.
    3. Optionally, add Tags to organize your resources.
  3. Uncheck Allow SSH and Allow ping from the Default security group. SSH access will later be added to the maintenance security group. The maintenance security group must be added to an instance to allow SSH access from the bastion server. Ping access is not required for this tutorial.
  4. Under Subnets change the name of the Zone 1 subnet. Click the pencil icon:
    • Enter vpc-secure-bastion-subnet as your subnet's unique name.
    • Select the same Resource group as the VPC resource group.
    • Leave the defaults in the other values.
    • Click Save
  5. Under Subnets change the name of the Zone 2 subnet. Click the pencil icon:
    • Enter vpc-pubpriv-backend-subnet as your subnet's unique name.
    • Select the same Resource group as the VPC resource group.
    • Leave the defaults in the other values.
    • Click Save
  6. Under Subnets change the name of the Zone 3 subnet. Click the pencil icon:
    • Enter vpc-pubpriv-frontend-subnet as your subnet's unique name.
    • Select the same Resource group as the VPC resource group.
    • Leave the defaults in the other values.
    • Click Save
  7. Click Create virtual private cloud.

To confirm the creation of the subnets, go to the Subnets page and wait until the status of each subnet changes to Available.

Create and configure bastion security group

Follow the steps described in this section of the bastion tutorial to create a security group and configure inbound rules for the bastion virtual server instance.

Create a bastion instance

Follow the steps described in this section of the bastion tutorial to create the bastion virtual server instance.

Configure a security group with maintenance access rules

Follow the steps described in this section of the bastion tutorial to create the security group vpc-secure-maintenance-sg. This security group will be used when performing maintenance tasks on virtual server instances, such as installing software or updating the operating system.

Create a backend security group and VSI

In this section, you will create a security group and a virtual server instance for the backend.

Create a backend security group

The backend security group controls the inbound and outbound connections for the backend servers.

To create a new security group for the backend:

  1. Select Security groups under Network, then click Create.
  2. Enter vpc-pubpriv-backend-sg as name and select the VPC you created earlier.
  3. Select the same resource group as your VPC.
  4. Click Create security group.

You will later edit the security group to add the inbound and outbound rules.

Create a backend virtual server instance

To create a virtual server instance in the newly created subnet:

  1. Click on the backend subnet under Subnets.
  2. Click Attached resources, under Attached instances click Create.
  3. To configure the instance:
    1. Pick a Location and make sure to later use the same location again.
    2. Set the name to vpc-pubpriv-backend-vsi.
    3. Select the resource group as earlier.
    4. Under Image click on Change image. Use the search field to select Ubuntu Linux as your Operating system. You can pick any version of the image.
    5. Click Change profile, select Compute as category and pick cx2-2x4 (2 vCPUs and 4 GB RAM) as your profile.
    6. Set SSH keys to the SSH key you created earlier.
    7. Under Advanced options set User data to
      #!/bin/bash
      apt-get update
      apt-get install -y nginx
      echo "I'm the backend server" > /var/www/html/index.html
      service nginx start
      
      This will install a simple web server into the instance.
  4. Under Networking, select the VPC you created.
  5. Make sure that Virtual network interface is selected and vpc-pubpriv-backend-subnet is listed as subnet. Click the edit icon for that subnet.
    1. First, under Network attachment and virtual network interface details, verify that vpc-pubpriv-backend-subnet is selected. Click Next.
    2. Uncheck the default security group and check vpc-pubpriv-backend-sg and vpc-secure-maintenance-sg.
    3. In the IP configuration dialog leave everything as is and click Next.
    4. Last, review everything and finish by clicking Save.
  6. Click Create virtual server instance.

Create a frontend security group and VSI

Similar to the backend, you will create a frontend virtual server instance and a security group.

Create a frontend security group

To create a new security group for the frontend:

  1. Click Security groups under Network, then click Create.
  2. Enter vpc-pubpriv-frontend-sg as name and select the VPC you created earlier.
  3. Select the same resource group as your VPC.
  4. Click Create security group.

Create a frontend virtual server instance

To create a virtual server instance in the newly created subnet:

  1. Click on the frontend subnet under Subnets.
  2. Click Attached resources, under Attached instances click Create.
  3. To configure the instance:
    1. Pick a Location and make sure to later use the same location again.
    2. Set the name to vpc-pubpriv-frontend-vsi.
    3. Select the resource group as earlier.
    4. Under Image click on Change image. Use the search field to select Ubuntu Linux as your Operating system. You can pick any version of the image.
    5. Click Change profile, select Compute as category and pick cx2-2x4 (2 vCPUs and 4 GB RAM) as your profile.
    6. Set SSH keys to the SSH key you created earlier.
    7. Under Advanced options set User data to
      #!/bin/bash
      apt-get update
      apt-get install -y nginx
      echo "I'm the frontend server" > /var/www/html/index.html
      service nginx start
      
      This will install a simple web server into the instance.
  4. Under Networking, select the VPC you created.
  5. Make sure that Virtual network interface is selected and vpc-pubpriv-frontend-subnet is listed as subnet. Click the edit icon for that subnet.
    1. First, under Network attachment and virtual network interface details, verify that vpc-pubpriv-frontend-subnet is selected. Click Next.
    2. Uncheck the default security group and check vpc-pubpriv-frontend-sg and vpc-secure-maintenance-sg.
    3. In the IP configuration dialog leave everything as is and click Next.
    4. Last, review everything and finish by clicking Save.
  6. Click Create virtual server instance.

Once the instance is up and running, select the frontend VSI vpc-pubpriv-frontend-vsi, scroll to Network attachments with Virtual network interface and select Edit floating IPs from the three dot menu for eth0. Click Attach, then Reserve new floating IP and use vpc-pubpriv-frontend-vsi-ip as name. After finishing with Reserve, you may have to refresh the page to see the newly attached IP.

Set up connectivity between frontend and backend

With all servers running, in this section you will set up the connectivity to allow regular operations between the frontend and backend servers.

Configure the frontend security group

The frontend instance has its software installed, but it cannot yet be reached due to the configuration.

  1. To confirm the web server cannot yet be accessed, open a web browser pointing to http://<floating-ip-address-of-the-frontend-vsi> or use:

    curl -v -m 30 http://<floating-ip-address-of-the-frontend-vsi>
    

    The connection should time out eventually.

  2. To enable inbound connections to the web server installed on the frontend instance, you need to open the port the web server is listening on.

  3. Navigate to Security groups in the Network section, then click on vpc-pubpriv-frontend-sg.

  4. Click on the Rules tab and under the Inbound rules click on Create. Add the rules from the table below; they allow incoming HTTP requests and Ping (ICMP).

    Inbound rules
    Protocol | Source type | Source | Value | Description
    TCP | Any | 0.0.0.0/0 | Ports 80-80 | This rule allows connections from any IP address to the frontend web server.
    ICMP | Any | 0.0.0.0/0 | Type: 8, Code: Leave empty | This rule allows the frontend server to be pinged by any host.
  5. Next, add the outbound rule. The port of the backend depends on the software you are installing on the virtual server. This tutorial uses a web server listening on port 80. See the table Outbound rules below for values.

    Outbound rules
    Protocol | Destination type | Destination | Value | Description
    TCP | Security group | vpc-pubpriv-backend-sg | Ports 80-80 | This rule allows the frontend server to communicate with the backend server.
  6. Access the frontend instance again at http://<floating-ip-address-of-the-frontend-vsi> to view the welcome page of the web server.

Test the connectivity between the frontend and the backend

The backend server is running the same web server software as the frontend server. It could be considered a microservice exposing an HTTP interface that the frontend calls. In this section, you will attempt to connect to the backend from the frontend server instance.

  1. In the Virtual Server Instances list, retrieve the floating IP address of the bastion server host (vpc-secure-bastion) and the private IP addresses of the frontend (vpc-pubpriv-frontend-vsi) and backend (vpc-pubpriv-backend-vsi) server instances.

  2. Use ssh to connect to the frontend virtual server:

    ssh -J root@<floating-ip-address-of-the-bastion-vsi> root@<private-ip-address-of-the-frontend-vsi>
    

    SSH to the frontend is only possible through the bastion, and only while the vpc-secure-maintenance-sg security group is attached to the frontend instance.

  3. Call the backend web server:

    curl -v -m 30 http://<private-ip-address-of-the-backend-vsi>
    

    After 30 seconds, the call should time out. Indeed, the security group for the backend server has not yet been configured and is not allowing any inbound connection.

Configure the backend security group

To allow inbound connections to the backend server, you need to configure the associated security group.

  1. Navigate to Security groups in the Network section, then click on vpc-pubpriv-backend-sg.

  2. Click on the Rules tab and under the Inbound rules click on Create. Add the following rule.

    Inbound rules
    Protocol | Source type | Source | Value | Description
    TCP | Security group | vpc-pubpriv-frontend-sg | Ports 80-80 | This rule allows incoming connections on port 80 from the frontend server to the backend server.
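The three rule tables of this tutorial (frontend inbound, frontend outbound, backend inbound) expressed as code, as an added example written for this page rather than the tutorial's companion Terraform template. It assumes the two security groups are defined elsewhere in the same configuration as ibm_is_security_group.frontend and ibm_is_security_group.backend (resource names assumed for illustration).

```hcl
# Assumed: ibm_is_security_group.frontend and ibm_is_security_group.backend
# are declared elsewhere in this configuration.

# Frontend inbound: HTTP from anywhere. This is the only port exposed publicly.
resource "ibm_is_security_group_rule" "frontend_in_http" {
  group     = ibm_is_security_group.frontend.id
  direction = "inbound"
  remote    = "0.0.0.0/0"
  tcp {
    port_min = 80
    port_max = 80
  }
}

# Frontend inbound: ICMP echo request (type 8) so the server can be pinged.
resource "ibm_is_security_group_rule" "frontend_in_ping" {
  group     = ibm_is_security_group.frontend.id
  direction = "inbound"
  remote    = "0.0.0.0/0"
  icmp {
    type = 8
  }
}

# Frontend outbound: only port 80, and only to members of the backend group.
# Naming the security group instead of an IP range keeps the rule correct
# even if backend instances are replaced and receive new private addresses.
resource "ibm_is_security_group_rule" "frontend_out_backend" {
  group     = ibm_is_security_group.frontend.id
  direction = "outbound"
  remote    = ibm_is_security_group.backend.id
  tcp {
    port_min = 80
    port_max = 80
  }
}

# Backend inbound: port 80 only from members of the frontend group. No rule
# admits 0.0.0.0/0, so the backend stays unreachable from the internet.
resource "ibm_is_security_group_rule" "backend_in_frontend" {
  group     = ibm_is_security_group.backend.id
  direction = "inbound"
  remote    = ibm_is_security_group.frontend.id
  tcp {
    port_min = 80
    port_max = 80
  }
}
```

The maintenance rules that permit SSH from the bastion are deliberately left out of this block, matching the tutorial's intent that they are attached only for the duration of maintenance.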

Confirm the connectivity

  1. Call the backend web server from the frontend server again:
    curl -v -m 30 http://<private-ip-address-of-the-backend-vsi>
    
  2. The request returns quickly and outputs the message I'm the backend server from the backend web server. This completes the configuration of the connectivity between the servers.

Complete the maintenance

With the frontend and backend server software properly installed and working, the servers can be removed from the maintenance security group.

  1. Navigate to Security groups in the Network section, then click on vpc-secure-maintenance-sg.
  2. Select Attached resources.
  3. Click Edit interfaces, expand and uncheck the vpc-pubpriv-frontend-vsi and vpc-pubpriv-backend-vsi interfaces.
  4. Save the configuration.
  5. Access the frontend instance again at http://<floating-ip-address-of-the-frontend-vsi> to confirm it is still working as expected.

Once the servers are removed from the maintenance group, they can no longer be accessed with ssh. They will only allow traffic to their web servers.

In this tutorial, you deployed two tiers of an application: one frontend server visible from the public Internet and one backend server accessible only within the VPC, and only by the frontend server. You configured security group rules to ensure that traffic is allowed only on the specific ports required by the application.

Remove resources

  1. In the VPC Infrastructure console, click on Floating IPs under Network, then on the IP address for your VSIs, then in the action menu select Release. Confirm that you want to release the IP address.
  2. Next, switch to Virtual server instances, Stop and Delete your instances by clicking on the respective action menu.
  3. Once the VSIs are gone, switch to Subnets. If the subnet has an attached public gateway, then click on the subnet name. In the subnet details, detach the public gateway. Subnets without public gateway can be deleted from the overview page. Delete your subnets.
  4. After the subnets have been deleted, switch to the VPCs tab and delete your VPC.

When using the console, you may need to refresh your browser to see updated status information after deleting a resource.