Deployable architecture on IBM Cloud: A look at the IaC aspects of VPC landing zone 

In the ever-evolving landscape of cloud infrastructure, creating a customizable and secure virtual private cloud (VPC) environment within a single region has become a necessity for many organizations. The VPC landing zone deployable architectures offer a solution to this need through a set of starting templates that can be quickly adapted to fit your specific requirements.

The VPC Landing Zone deployable architecture leverages Infrastructure as Code (IaC) principles, which allow you to define your infrastructure in code and automate its deployment. This approach not only promotes consistency across deployments but also makes it easier to manage and update your VPC environment.

One of the key features of the VPC Landing Zone is its flexibility. You can easily customize the starting templates to fit your organization’s specific needs. This could include adjusting network configurations and security settings, or adding additional resources like load balancers or additional block volumes.

The following patterns are starting templates that can be used to get started quickly with Landing Zone:

  1. VPC pattern: Deploys a simple IBM Cloud® VPC infrastructure without any compute resources like VSIs or Red Hat OpenShift clusters.

  2. QuickStart virtual server instances (VSI) pattern: Deploys an edge VPC with one VSI and a jump server VSI in the management VPC.

  3. QuickStart ROKS pattern: Deploys one ROKS cluster in the workload VPC with two worker nodes.

  4. Virtual server (VSI) pattern: Deploys identical virtual servers across the VSI subnet tier in each VPC.

  5. Red Hat® OpenShift® pattern: The Red Hat OpenShift Kubernetes (ROKS) pattern deploys identical clusters across the VSI subnet tier in each VPC.

Patterns that follow the best practices

  • Create a resource group to organize and manage cloud services and VPCs.
  • Set up Cloud Object Storage instances to store flow logs and Activity Tracker data. This allows for long-term storage and analytics of flow logs and Activity Tracker data.
  • Store encryption keys in Key Protect or Hyper Protect Crypto Services instances. This provides a secure and centralized location for managing encryption keys.
  • Create a management VPC for managing and controlling network traffic and create a workload VPC for running applications and services. Connect the management and workload VPCs using a transit gateway.
  • Set up flow log collectors in each VPC to collect and analyse network traffic data. This provides visibility and insights into network traffic patterns and performance.
  • Implement necessary networking rules to allow communication between VPCs, instances, and services. This includes security groups, network ACLs, and route tables.
  • Set up VPEs for Cloud Object Storage in each VPC. This provides secure and private access to Cloud Object Storage from within each VPC.
  • Set up a VPN gateway in the management VPC. This provides secure and encrypted connectivity between the management VPC and on-premises networks.

Landing Zone patterns

Let’s explore the Landing Zone patterns to gain a comprehensive understanding of their underlying concepts and applications.

1. VPC Pattern

The VPC Pattern architecture stands out as a modular solution that offers a robust foundation upon which to build or deploy compute resources as needed. Whether you’re looking to enhance your cloud environment with VSIs, Red Hat OpenShift clusters, or any other compute resources, this architecture provides the flexibility to do so. This approach not only simplifies the deployment process but also ensures that your cloud infrastructure remains adaptable and secure, meeting the evolving needs of your projects.

Fig: Architecture diagram for the no compute pattern on VPC landing zone

2. QuickStart VSI pattern

The Quickstart VSI pattern involves deploying an edge VPC with one VSI in one of three subnets and a load balancer in the edge VPC. Additionally, it includes a jump server VSI in the management VPC that exposes a public floating IP address. While this pattern is useful for getting started quickly, it is important to note that it does not guarantee high availability or validation within the IBM Cloud for Financial Services® framework.

Fig: Architecture diagram for the QuickStart variation of VSI on VPC landing zone

3. QuickStart ROKS pattern

The Quickstart ROKS pattern consists of a management VPC with one subnet, an allow-all ACL, and a security group. The Workload VPC has two subnets in two different availability zones, also with an allow-all ACL and security group. A Transit Gateway is used to connect the management and workload VPCs. There is also one ROKS cluster deployed in the workload VPC, consisting of two worker nodes, with its public endpoint enabled. For added security, Key Protect is used for encryption of the cluster keys, and a Cloud Object Storage instance is set up as a required component for the ROKS cluster.

Fig: Architecture diagram for the QuickStart variation of ROKS on VPC landing zone
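The guardrails in the best-practices list above (a flow log collector in each VPC, restrictive network ACLs, private rather than public access) and the QuickStart deviations from them described in these two sections (allow-all ACLs, a cluster with its public endpoint enabled, a jump server with a public floating IP) can be checked mechanically against what Terraform reports before a pattern is promoted beyond a sandbox. The following Python script is an added example, not code from IBM or from the landing-zone project: it reads the JSON that `terraform show -json` emits for a state or plan, walks every module, and flags those conditions. The resource type and attribute names it relies on (`ibm_is_network_acl` with `rules[].action/source/destination`, `ibm_is_flow_log.target`, `ibm_container_vpc_cluster.disable_public_service_endpoint`, `ibm_is_floating_ip`) are taken from the IBM Cloud Terraform provider as I know it and are assumptions to confirm against your provider version; the embedded state document is constructed for the example.

```python
"""Flag landing-zone guardrail deviations in `terraform show -json` output."""
import json
import sys
from typing import Iterator

# Resource types from the IBM Cloud Terraform provider (assumed names; verify
# against the provider version you use).
ACL_TYPE = "ibm_is_network_acl"
VPC_TYPE = "ibm_is_vpc"
FLOW_LOG_TYPE = "ibm_is_flow_log"
CLUSTER_TYPE = "ibm_container_vpc_cluster"
FLOATING_IP_TYPE = "ibm_is_floating_ip"
ANY_CIDR = "0.0.0.0/0"

# Constructed sample state, shaped like `terraform show -json` output. It mirrors a
# QuickStart-style deployment: flow log only on the management VPC, an allow-all
# inbound ACL rule, a cluster with its public endpoint enabled, and a floating IP.
SAMPLE_STATE = {
    "format_version": "1.0",
    "values": {"root_module": {
        "resources": [
            {"address": "ibm_is_floating_ip.jump_server", "type": FLOATING_IP_TYPE,
             "name": "jump_server", "values": {"target": "0717-nic-jump", "address": "198.51.100.10"}},
        ],
        "child_modules": [{
            "address": "module.landing_zone",
            "resources": [
                {"address": "module.landing_zone.ibm_is_vpc.management", "type": VPC_TYPE,
                 "name": "management", "values": {"id": "r006-vpc-mgmt", "name": "management-vpc"}},
                {"address": "module.landing_zone.ibm_is_vpc.workload", "type": VPC_TYPE,
                 "name": "workload", "values": {"id": "r006-vpc-work", "name": "workload-vpc"}},
                {"address": "module.landing_zone.ibm_is_flow_log.management", "type": FLOW_LOG_TYPE,
                 "name": "management", "values": {"target": "r006-vpc-mgmt", "active": True}},
                {"address": "module.landing_zone.ibm_is_network_acl.workload", "type": ACL_TYPE,
                 "name": "workload", "values": {"rules": [
                     {"name": "allow-all-inbound", "action": "allow", "direction": "inbound",
                      "source": ANY_CIDR, "destination": ANY_CIDR},
                     {"name": "deny-other-outbound", "action": "deny", "direction": "outbound",
                      "source": ANY_CIDR, "destination": ANY_CIDR}]}},
                {"address": "module.landing_zone.ibm_container_vpc_cluster.roks", "type": CLUSTER_TYPE,
                 "name": "roks", "values": {"name": "workload-roks", "disable_public_service_endpoint": False}},
            ],
        }],
    }},
}


def root_module(doc: dict) -> dict:
    """`terraform show -json` uses "values" for state and "planned_values" for a plan."""
    container = doc.get("values") or doc.get("planned_values") or {}
    return container.get("root_module", {})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_landing_zone(doc: dict) -> list[dict]:
    """Return one finding dict {check, address, detail} per guardrail deviation."""
    by_type: dict[str, list[dict]] = {}
    for res in iter_resources(root_module(doc)):
        by_type.setdefault(res["type"], []).append(res)
    findings: list[dict] = []

    # 1. Network ACL rules that allow any source to any destination.
    for acl in by_type.get(ACL_TYPE, []):
        for rule in acl["values"].get("rules", []):
            if (rule.get("action") == "allow" and rule.get("source") == ANY_CIDR
                    and rule.get("destination") == ANY_CIDR):
                findings.append({"check": "allow-all-acl", "address": acl["address"],
                                 "detail": f"rule {rule.get('name')} ({rule.get('direction')}) allows all"})

    # 2. Every VPC should be the target of a flow log collector.
    logged = {fl["values"].get("target") for fl in by_type.get(FLOW_LOG_TYPE, [])}
    for vpc in by_type.get(VPC_TYPE, []):
        if vpc["values"].get("id") not in logged:
            findings.append({"check": "flow-log-missing", "address": vpc["address"],
                             "detail": "no ibm_is_flow_log targets this VPC"})

    # 3. Clusters whose public service endpoint is still enabled.
    for cluster in by_type.get(CLUSTER_TYPE, []):
        if not cluster["values"].get("disable_public_service_endpoint", False):
            findings.append({"check": "public-endpoint", "address": cluster["address"],
                             "detail": "public service endpoint enabled"})

    # 4. Any floating IP means an instance is reachable from the public internet.
    for fip in by_type.get(FLOATING_IP_TYPE, []):
        findings.append({"check": "public-floating-ip", "address": fip["address"],
                         "detail": f"floating IP attached to {fip['values'].get('target')}"})
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json | python check_landing_zone.py   (or no stdin: sample state)
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STATE
    for f in check_landing_zone(doc):
        print(f"{f['check']:<20} {f['address']}: {f['detail']}")
    sys.exit(1 if check_landing_zone(doc) else 0)
```

Run against the sample, the script reports four findings: the allow-all inbound rule on the workload ACL, the workload VPC without a flow log, the ROKS cluster's public endpoint, and the jump server's floating IP; against a deployment that follows the best-practices list it reports none and exits 0, which makes it usable as a gate in the pipeline that applies the template. Note that in a plan (as opposed to state) the `target` of a flow log that references a not-yet-created VPC is unknown and therefore absent from `planned_values`, so the flow-log check is only meaningful on state or on a plan over existing resources.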

4. Virtual server pattern

The VSI pattern architecture in question supports the creation of a VSI on a VPC landing zone within the IBM Cloud environment. The VPC landing zone itself is a critical component of IBM Cloud’s secure infrastructure services, designed to provide a secure foundation for deploying and managing workloads. The VSI on VPC landing zone architecture is specifically tailored for creating a secure infrastructure with virtual servers to run workloads on a VPC network.

Fig: Architecture diagram for the Standard variation of VSI on VPC landing zone

5. Red Hat OpenShift pattern

The ROKS pattern architecture supports the creation and deployment of a Red Hat OpenShift Container Platform within a VPC landing zone in a single-region configuration on IBM Cloud. This allows for the management and execution of container applications within an isolated and secure environment, which provides the necessary resources and services to support their functionality. The use of a single-region architecture helps simplify the setup and management of the OpenShift platform while also making sure that all components are located within the same geographical region, reducing latency and improving performance for applications deployed within this environment. By leveraging IBM Cloud’s VPC landing zone, organizations can easily set up and manage their container infrastructure, enabling them to quickly and efficiently deploy and manage their container applications within a secure and scalable environment.

Fig: Architecture diagram of the OpenShift Container Platform on VPC deployable architecture.

Evaluating an IBM Cloud deployable architecture

When choosing a VPC landing zone pattern, it’s crucial to consider the advantages and disadvantages of each option, as each has its distinct pros and cons. The most suitable pattern will depend on the unique needs and objectives of your organization or project. To make a well-informed decision, assess key factors such as scalability, security, cost, and ease of management. By thoughtfully evaluating these factors and understanding your project’s requirements, you can select the most suitable VPC landing zone pattern for your needs, ensuring the success of your project.

For more detailed guidance on selecting the right VPC landing zone pattern, read the article, which provides valuable insights and practical tips to help you make the best choice for your specific use case.

While IBM Cloud pre-built deployable architectures provide a solid foundation for most use cases, there may be situations where customization or extension is necessary. For these situations, refer to this tutorial for a deeper dive into the customization process. To accelerate your development, start by leveraging an IBM Cloud deployable architecture and adapt it to meet your unique requirements.
