/ Cloud Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Beyond the Default: A Multi-VPC Architecture

DZone's Guide to

Beyond the Default: A Multi-VPC Architecture

VPCs allow you to create isolated areas, a fundamental prerequisite for building a high-security infrastructure. See how you can tune them to your needs.

by
Andreas Wittig
·
Oct. 18, 16 · Cloud Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Deploy and scale data-rich applications in minutes and with ease. Mesosphere DC/OS includes everything you need to elastically run containerized apps and data services in production.

I created my first AWS account on December 23, 2012. The one thing that surprised me most was the possibility to define private networks with Virtual Private Cloud (VPC). As this allowed me creating isolated areas, a fundamental prerequisite for building a high-security infrastructure.

Default VPC

Each AWS account created after December 2013 contains a Default VPC in each region. If you have not created a custom VPC you are using the Default VPC automatically when launching EC2 instances. That’s fine for a quick start on AWS, but if you are planning to run a production workload on AWS, you should read on to learn how to use isolated networks.

Isolated networks

To secure your infrastructure you need to define who is allowed to access data and services. This is typically done by creating a set of rules. For example, a firewall rule.

Defining rules is easy and less prone to error if you isolate independent parts of your infrastructure.

Typical reasons to create isolated networks:

  • Separating customers.
  • Separating applications.
  • Separating environments (development, testing, and production).

Scenario

Imagine the following scenario. Your company is hosting eCommerce applications for two customers: Yellow Shop and Blue Shop. Part of the deal with your customers is an agreement guaranteeing an isolation of their networking infrastructure. Your task is to design the networking architecture for the system consisting of three parts:

  • Load Balancer
  • Web Application
  • SQL Database

Multi-VPC Architecture

Instead of using the Default VPC for your whole infrastructure use multiple VPCs to enable isolation between your two customers. The following figure shows two VPCs. The VPC of the Yellow Shop is highlighted yellow, the VPC of the Blue Shop is highlighted blue.

Multi VPC

Each VPC defines a solid boundary. Network traffic from the Yellow Shop’s VPC is not able to reach the Blue Shop’s VPC.

The next figure shows the components of a VPC:

  • Public Subnet
    • Attached to an Internet Gateway enabling incoming and outgoing Internet traffic.
    • Contains the Load Balancer which forwards requests to the EC2 Instances running in the Private Subnet.
  • Private Subnet
    • Attached to a NAT Gateway enabling outgoing Internet traffic.
    • Contains the Web Application running on EC2 and the SQL Database (Amazon RDS).
    • Neither the Web Application nor the SQL database are accessible from the Internet.

VPC

Why should you use two subnets of each kind? Because a subnet is linked to an Availability Zone. To be able to distribute your infrastructure among two Availability Zones for high availability you need a subnet of each kind in each Availability Zone you want to use.

The VPC is isolating your networks. On top of that, you should use Network ACLs and Security Groups to control network traffic within your VPC.

CloudFormation Templates

CloudFormation is the Infrastructure as Code service offered by AWS. Using CloudFormation allows you to automate the creation of a Multi-VPC architecture. We are sharing our CloudFormation templates on GitHub. Use our CloudFormation templates for VPC to get started quickly.

Using a Multi-VPC architecture allows you to isolate different parts of your infrastructure. Following the principle of divide and conquer simplifies and improves security due to less error prone and more precise access control.

Discover new technologies simplifying running containers and data services in production with this free eBook by O'Reilly. Courtesy of Mesosphere.

Like This Article? Read More From DZone

CloudFormation Update: YAML, Cross-Stack References, and Simplified Substitution
Silos and Clouds: Design for Growth
Digging Into Mesosphere DC/OS (Part 2)

Free DZone Refcard

Getting Started With OpenStack
DOWNLOAD
Topics:
vpc ,cloud ,cloudformation ,availability

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Andreas Wittig, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Cloud Partner Resources

Introduction to Linkerd
Free eBook: Guide to Building, Deploying and Scaling Big Data Apps
Learn how to use MongoDB directly from the experts, for free. Sign up now to get started!
Get the Linkerd Kubernetes Service Mesh eBook
Free report: How Mesos is enabling the adoption of containers and big data services
Networking for Docker Containers: 3 Part Series

Cloud Partner Resources

Introduction to Linkerd
Free eBook: Guide to Building, Deploying and Scaling Big Data Apps
Learn how to use MongoDB directly from the experts, for free. Sign up now to get started!
Get the Linkerd Kubernetes Service Mesh eBook
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone