Anypoint VPC Connection Tutorial

Anypoint VPC

Many developers, consultants, or architects are fronted by challenging architecture designs where particular security, availability, and/or network restrictions must be considered while designing integration solutions.

Anypoint Platform, among its components, provides the Anypoint VPC: an AWS VPC (virtual private cloud) in the requested AWS region, assigned exclusively to its owning Anypoint Platform organization where only authorized users from the organization may deploy Mule applications to this Anypoint VPC [1]. Paraphrasing the above text, a VPC is a private IP space that is dedicated to the Mule workers. Is not accessible by any other systems in your network and no other company might share it. For more details about AWS VPC refer to this link.

Now, technically you know what Anypoint VPC is, but still, we can write about the basis of why/when should make use of it. I write some examples down here:

• A setup for a physical separation of your systems between environments is required.
• Your API implementations must be accessible within an on-premises private network or a subnet that does not allow public access (intranet).
• TLS mutual authentication between your API and client is required, and this is only available through a dedicated load balancer (DLB)—therefore an Anypoint VPC hosting the DLB is required.
• DNS Servers for internal resources—Provide CloudHub applications with access to internal resources that are not reachable via the public internet. The Anypoint VPC must therefore be configured for resolution of the domains using customer-supplied DNS servers.
• Specify firewall rules within the VPC to control incoming traffic to the workers.

A better panorama is visible now, let’s move forwards and go deeper into how to configure/create and size an Anypoint VPC in our Anypoint Platform organization.

Creating an Anypoint VPC

Prerequisites

• Make sure you have a CloudHub Network Administrator role or grant from the Organization admin the VPC and CloudHub permissions to your user/role. 
• Have purchased, at least Anypoint Platform base subscription; it includes 2 VPCs licenses.
• At least one VPC available
  1. To check this out: Log in to Anypoint Platform -> On the top right corner, click on your organization's name and then select Business Groups-> You now land on Access Management ->On the left-hand panel, select Runtime Manager under Subscription-> Subscription information must be shown including the available VPCs.
  2. If no Access Management was granted to you then another way to check the VPCs availability: 
     • Log in to Anypoint Platform -> Click on the top left menu -> On the displayed menu go to Runtime Manager -> On the left-hand panel, VPCs and Load Balancers tabs should be visible.
     • If the Anypoint VPC license limit is not reached, the Create VPC option must be enabled.
• Be aware of VPC sizing (below topic).

How To Size a VPC 

While it is true that self-service is provided to config our VPC, sizing is a fundamental step where no error could fit. MuleSoft provides a “How to Size my VPC” topic in their documentation however I would like to drill down this with an example and make it even more practical.

The example assumes the following:

• Your organization is already hosting 30 mule applications and 15 more are planned to be developed and deployed on CloudHub soon.
  • 35 of these applications are APIs and are using 3 workers each, the 10 left are batch processing applications running on 4 workers each.
• The owner organization has a production along with 3 nonproduction environments.
• The requirement is to have 2 VPCs, one for production and the second for lower environments.

First, to size the VPCs it is necessary to calculate the following in order to know the total IPs amount for the CIDR block:

1. Calculate the total IPs addresses for the applications, remember that each worker needs at least two IP addresses for HA and consider the number of instances to be deployed on each VPC hence in this case the calculation could be performed as below:  

   VPC name	#totalWorker (*)	#appInstances(env)	SubTotal IPs
   [Prod] VPC	145	1	145
   [LowerEnv] VPC	145	3	435

2. Now we got a fixed size for each VPC but before we go ahead, we should look into MuleSoft remarks about the sizing and remember the Rule of Thumb: Expected application instances * 10 to allow for expansion. Then the below multiplication is done:

   VPC name	Fixed Ips size (*)	Recommended	Subtotal IPs
   [Prod] VPC	145	10	1450
   [LowerEnv] VPC	435	10	4350

3. Then, add to this subtotal amount of 5 IPs addresses extra since the first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instances, these addresses are reserved. The final calculation now should be like this:

   VPC name	SubTotal IPs (+)	Reserved IPs	Total IPs
   [Prod] VPC	1450	5	1455
   [LowerEnv] VPC	4350	5	4355

4. Finally, with these suggested amounts now you are able to decide the CIDR block size of the VPCs subnets, please take advantage of any CIDR to IPv4 Conversion/Calculator to obtain the CIDR Range that has the sufficient host to meet your total IPs amount:

   VPC name	Total IPs	CIDR Range	CIDR Range Hosts
   [Prod] VPC	1455	10.0.0.0/21	2048
   [LowerEnv] VPC	4355	10.0.0.0/19	8192

Steps To Follow

Assuming you have fulfilled the above requirements, the hands-on time now begins:

1. Log in to Anypoint Platform and go to the Runtime Manager.
2. Go to the left menu and click on the VPCs tab; the “Create VPC” button is shown enabled.
   
3. Create VPC page now is displayed and we must fill in the available fields:
   
   A well-explained tutorial regarding the VPC general information for the creation is provided by MuleSoft; please refer to this link.
4. Assuming you have covered the above link documentation, you now should be able to deploy to the selected environment within the VPC. Please notice that connection to this VPC could be done through an IPsec Tunnel (network-to-network), VPC Peering (Amazon VPCs) or CloudHub Direct Connect. For more information regarding the connectivity methods please refer to this link.
5. Next steps: So far so good, the VPC is in place and the new deployments (on the VPC’s environments) will be as well. Furthermore, you can add a DLB to have a fully restricted connection to your organization environment, the purchase and configuration for this it’s offered by MuleSoft as a self-service.

Conclusion 

Anypoint VPC is a MuleSoft hosted control plane component that will definitely help whenever physical restriction needs to be set to our project, even though the term of virtual private cloud sounds difficult as the IT department needs to be involved, MuleSoft provides the capability to serve ourselves with minimal support since all the process is well documented and following an understandable sizing formula provides a secure way to correctly configure our VPC and let it ready for scalability upcoming challenges. 

Finally, whether your role plays or not the infrastructure configs, being able to comprehend these virtual assets adds valuable knowledge to your personal growth and career path.