Beyond the Default: A Multi-VPC Architecture

VPCs allow you to create isolated areas, a fundamental prerequisite for building a high-security infrastructure. See how you can tune them to your needs.

by Andreas Wittig · Oct. 18, 16 · Tutorial
I created my first AWS account on December 23, 2012. The one thing that surprised me most was the possibility to define private networks with Virtual Private Cloud (VPC), as this allowed me to create isolated areas, a fundamental prerequisite for building a high-security infrastructure.

Default VPC

Each AWS account created after December 2013 contains a Default VPC in each region. If you have not created a custom VPC, you are automatically using the Default VPC when launching EC2 instances. That’s fine for a quick start on AWS, but if you are planning to run a production workload on AWS, read on to learn how to use isolated networks.

Isolated networks

To secure your infrastructure, you need to define who is allowed to access which data and services. This is typically done by creating a set of rules, for example firewall rules.

Defining rules is easier and less error-prone if you isolate independent parts of your infrastructure.

Typical reasons to create isolated networks:

  • Separating customers.
  • Separating applications.
  • Separating environments (development, testing, and production).

Scenario

Imagine the following scenario: your company hosts eCommerce applications for two customers, Yellow Shop and Blue Shop. Part of the deal with your customers is an agreement guaranteeing isolation of their networking infrastructure. Your task is to design the networking architecture for a system consisting of three parts:

  • Load Balancer
  • Web Application
  • SQL Database

Multi-VPC Architecture

Instead of using the Default VPC for your whole infrastructure, use multiple VPCs to enable isolation between your two customers. The following figure shows two VPCs. The VPC of the Yellow Shop is highlighted yellow; the VPC of the Blue Shop is highlighted blue.

[Figure: Multi VPC]

Each VPC defines a solid boundary. Network traffic from the Yellow Shop’s VPC is not able to reach the Blue Shop’s VPC.

The next figure shows the components of a VPC:

  • Public Subnet
    • Attached to an Internet Gateway enabling incoming and outgoing Internet traffic.
    • Contains the Load Balancer, which forwards requests to the EC2 instances running in the Private Subnet.
  • Private Subnet
    • Attached to a NAT Gateway enabling outgoing Internet traffic.
    • Contains the Web Application running on EC2 and the SQL Database (Amazon RDS).
    • Neither the Web Application nor the SQL Database is accessible from the Internet.

[Figure: VPC]

Why should you use two subnets of each kind? Because a subnet is bound to a single Availability Zone. To distribute your infrastructure across two Availability Zones for high availability, you need a subnet of each kind in each Availability Zone you want to use.

The VPC isolates your networks. On top of that, you should use Network ACLs and Security Groups to control network traffic within your VPC.
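A check in that spirit, added here as an example and not part of the original article or the author's templates: it derives each subnet's kind from its default route (Internet Gateway means public, NAT Gateway means private) and reports any VPC that does not have one subnet of each kind in at least two Availability Zones. The input is a constructed sample shaped like the EC2 DescribeSubnets and DescribeRouteTables responses; the IDs, CIDRs and Availability Zone names are assumptions.

```python
from collections import defaultdict

# Constructed sample shaped like EC2 DescribeSubnets / DescribeRouteTables output; all IDs are made up.
VPCS = ["vpc-yellow", "vpc-blue"]
SUBNETS = {  # SubnetId -> (VpcId, AvailabilityZone)
    "subnet-y1": ("vpc-yellow", "eu-west-1a"), "subnet-y2": ("vpc-yellow", "eu-west-1b"),
    "subnet-y3": ("vpc-yellow", "eu-west-1a"), "subnet-y4": ("vpc-yellow", "eu-west-1b"),
    "subnet-b1": ("vpc-blue", "eu-west-1a"), "subnet-b2": ("vpc-blue", "eu-west-1b"),
    "subnet-b3": ("vpc-blue", "eu-west-1a"), "subnet-b4": ("vpc-blue", "eu-west-1b"),
}
ROUTE_TABLES = [  # Associations: the subnets that use the table
    {"Associations": ["subnet-y1", "subnet-y2"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-y"}]},
    {"Associations": ["subnet-y3", "subnet-y4"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-y"}]},
    {"Associations": ["subnet-b1", "subnet-b2"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-b"}]},
    # Misconfiguration: Blue's "private" table sends 0.0.0.0/0 to the Internet Gateway, not a NAT Gateway
    {"Associations": ["subnet-b3", "subnet-b4"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-b"}]},
]

def subnet_tiers(route_tables):
    """SubnetId -> tier derived from the default route: IGW = public, NAT Gateway = private, none = isolated."""
    tiers = {}
    for rt in route_tables:
        default = next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), {})
        kind = ("public" if default.get("GatewayId", "").startswith("igw-")
                else "private" if "NatGatewayId" in default else "isolated")
        tiers.update(dict.fromkeys(rt["Associations"], kind))
    return tiers

def audit(vpcs, subnets, route_tables):
    """Findings where a VPC deviates from one public and one private subnet in each of at least two AZs."""
    findings = []
    tiers, counts = subnet_tiers(route_tables), defaultdict(int)  # counts: (vpc, az, tier) -> subnets
    for subnet_id, (vpc_id, az) in subnets.items():
        counts[(vpc_id, az, tiers.get(subnet_id, "isolated"))] += 1
    for vpc_id in vpcs:
        azs = sorted({az for v, az, _ in counts if v == vpc_id})
        if len(azs) < 2:
            findings.append(f"{vpc_id} spans only {len(azs)} Availability Zone(s)")
        for az in azs:
            for kind in ("public", "private"):
                if counts[(vpc_id, az, kind)] != 1:
                    findings.append(f"{vpc_id}/{az}: expected 1 {kind} subnet, found {counts[(vpc_id, az, kind)]}")
    return findings

if __name__ == "__main__":
    for finding in audit(VPCS, SUBNETS, ROUTE_TABLES):
        print(finding)
```

Against a real account, feed the function the `Subnets` and `RouteTables` lists returned by the EC2 API after mapping each route table's associations to subnet IDs.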

CloudFormation Templates

CloudFormation is the Infrastructure as Code service offered by AWS. Using CloudFormation allows you to automate the creation of a Multi-VPC architecture. We are sharing our CloudFormation templates on GitHub; use our CloudFormation templates for VPC to get started quickly.

Using a Multi-VPC architecture allows you to isolate different parts of your infrastructure. Following this divide-and-conquer principle simplifies and improves security, because access control becomes more precise and less error-prone.

Published at DZone with permission of Andreas Wittig. See the original article here.
