Isolate Your CloudHub Worker Instances Using VPN
A discussion of MuleSoft's Anypoint VPC (virtual private cloud) and how it allows development teams and IT admins to set up secure environments.
MuleSoft CloudHub is a multi-tenant integration platform as a service. Applications deployed to CloudHub workers (instances) receive their traffic through a shared load balancer operated by MuleSoft.
At some point, an API deployed on CloudHub will need to reach on-premises resources. For that you need a secured tunnel into your network, so that the traffic and the back-end systems it reaches are not exposed on the public internet.
Anypoint VPC (Virtual Private Cloud)
Anypoint VPC (Virtual Private Cloud) lets you create a private, isolated network in which to host your Mule applications. A VPC can connect CloudHub workers to your corporate data center or cloud network using one of the following techniques:
- IPSec Tunneling (Secure VPN Tunnel)
- AWS Peering
- AWS Direct Connect
Let's take a look at the advantages, characteristics, and configurations of Anypoint VPCs.
Advantages of MuleSoft Anypoint VPC
- Connect CloudHub to any private cloud or on-premise data center.
- Create a mesh of secure virtual networks within CloudHub.
- Secure your worker instances.
Points to Remember While Configuring Anypoint VPC
- Create the VPC in the same AWS region you are peering with, or in the region closest to your data center when you connect over VPN.
- The usual setup is one isolated network for production and another for the non-production environments (dev, test, UAT).
- Multiple deployment environments can be mapped to the same VPC.
- Always create the VPC in the parent business group and share it with the sub-business groups that need it.
Creating a VPC
Creating a VPC is not a difficult process and can be done in a couple of minutes.
You need to provide values for four parameters:
- Region
- CIDR block
- Environments
- Business groups
The region is chosen from the set of regions CloudHub supports. Which one MuleSoft recommends depends on how your Anypoint VPC will be connected to the rest of your network.
If you connect via private AWS VPC peering, create the Anypoint VPC in the same region as the AWS VPC you are peering with. If you connect to an on-premises data center over VPN, pick the region closest to that data center to keep latency down.
The most important part of the configuration is the CIDR (Classless Inter-Domain Routing) block. The number of addresses in a block is a power of two, 2^N, where N is 32 minus the prefix length; Anypoint VPC allows blocks from 2^8 to 2^16 addresses.
/24 is the smallest block that can be assigned to an Anypoint VPC (256 addresses) and /16 is the largest (65,536 addresses). Make the VPC large enough that you never run out of addresses, because zero-downtime deployments need spare addresses to succeed.
Before choosing an address range, consult your data center infrastructure team to ensure it does not overlap with any address space already in use at the data center (or in the AWS VPC you peer with); overlapping ranges cannot be routed over the tunnel.
Plan for two IP addresses per worker, since a zero-downtime deployment briefly runs the old and the new worker side by side. On top of that, MuleSoft recommends sizing the block for up to 10x the maximum number of apps you expect per environment in the VPC, so the block can be grown without re-addressing.
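The sizing rules above are easy to get wrong by hand, so here is an added example (not code from the original article or from MuleSoft) that applies them: it computes the addresses needed from the expected app count, the two addresses per worker that zero-downtime deployments need and the 10x headroom factor, picks the smallest prefix in the /16 to /24 range that fits, and checks the candidate block against the data center's address space for overlap. The address ranges and app counts are constructed sample values.

```python
"""Anypoint VPC CIDR sizing and overlap check (added example, not MuleSoft code)."""
import ipaddress
import math
from typing import Dict, Iterable, List

# Anypoint VPC accepts prefix lengths from /16 (largest block) to /24 (smallest).
MIN_PREFIX = 16   # /16 -> 2**16 = 65,536 addresses
MAX_PREFIX = 24   # /24 -> 2**8  = 256 addresses


def addresses_in_block(prefix: int) -> int:
    """Number of IPv4 addresses in a /prefix block: 2**(32 - prefix)."""
    return 2 ** (32 - prefix)


def addresses_needed(expected_apps: int, workers_per_app: int = 1, headroom: int = 10) -> int:
    """Addresses to plan for: every worker needs two addresses during a
    zero-downtime deployment, and MuleSoft suggests room for up to 10x the
    expected number of apps per environment."""
    return expected_apps * workers_per_app * 2 * headroom


def smallest_prefix_for(addresses: int) -> int:
    """Smallest block (longest prefix) within /16../24 that holds `addresses`.
    Raises ValueError when even a /16 is too small."""
    bits = max(8, math.ceil(math.log2(addresses))) if addresses > 1 else 8
    prefix = 32 - bits
    if prefix < MIN_PREFIX:
        raise ValueError(f"{addresses} addresses exceed a /16; split across VPCs")
    return min(prefix, MAX_PREFIX)


def conflicts(vpc_cidr: str, other_cidrs: Iterable[str]) -> List[str]:
    """Return the data-center / peered ranges that overlap the proposed VPC block.
    Also rejects blocks outside the range Anypoint VPC allows."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{vpc_cidr}: Anypoint VPC blocks must be between /16 and /24")
    return [c for c in other_cidrs if vpc.overlaps(ipaddress.ip_network(c, strict=True))]


def plan_vpc(expected_apps: int, workers_per_app: int, candidate_cidr: str,
             datacenter_cidrs: Iterable[str]) -> Dict[str, object]:
    """Full check for a proposed block: is it big enough and does it collide?"""
    needed = addresses_needed(expected_apps, workers_per_app)
    candidate = ipaddress.ip_network(candidate_cidr, strict=True)
    return {
        "addresses_needed": needed,
        "recommended_prefix": smallest_prefix_for(needed),
        "candidate_addresses": candidate.num_addresses,
        "large_enough": candidate.num_addresses >= needed,
        "overlaps": conflicts(candidate_cidr, datacenter_cidrs),
    }


if __name__ == "__main__":
    # Constructed sample: 40 apps, 2 workers each, data center uses 10.0.0.0/16
    # and a stray 10.10.4.0/24 that would collide with the proposed block.
    print(plan_vpc(40, 2, "10.10.0.0/21", ["10.0.0.0/16", "10.10.4.0/24", "192.168.0.0/16"]))
```

Run it with your own numbers before you submit the VPC request; an overlap reported by `conflicts` means the on-premises routes and the VPC routes would collide once the VPN or peering is up, and the block has to be changed before it is created, since the CIDR cannot be edited afterwards without recreating the VPC.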
You can associate several environments with one VPC; the split normally follows the type of deployment. For example, SIT, UAT and test can share one VPC while PROD gets its own.
If no environment is selected, the VPC becomes the default for its region: every application deployed to that region is placed in it.
Note: Don’t associate Anypoint VPC with a design environment. Apps can be deployed to the design environment only from Design Center and not from Runtime Manager.
Incorporating Business Groups Within VPC
A VPC can be shared among the business groups in your organization, which is why MuleSoft recommends creating it in the parent organization.
Anypoint VPCs are shared only vertically: the parent organization can share a VPC with one of its business groups, and a business group can share it further with one of its own child business groups.
Once a VPC is shared, administrators of the business groups it is shared with can reconfigure it, for example by changing its region or its environments. Such a change replaces the previous configuration for everyone the VPC is shared with, so restrict that permission to the admins who own the network design.
Creating Firewall Rules
When an Anypoint VPC is created, four firewall rules are set by default. Review them and adjust them to your requirements.
Ports 8081 (HTTP) and 8082 (HTTPS) accept inbound traffic from anywhere (0.0.0.0/0). These are the public ports through which MuleSoft's shared load balancer delivers requests to the CloudHub workers. If you do not want isolated workers to be reachable from public IP addresses, delete these two rules; note that the shared load balancer can then no longer reach the workers either, so traffic must come through a dedicated load balancer or over the VPN or peering connection.
Ports 8091 (private HTTP) and 8092 (private HTTPS) accept inbound connections only from the VPC's own CIDR block. A CloudHub dedicated load balancer, which sits inside the VPC, reaches the workers on these private ports, as does anything else in the VPC. Hosts in your data center arrive over the VPN with their own source addresses, so to let them call the private ports you add a rule for the on-premises address range rather than widening the source to 0.0.0.0/0.
You can open additional ports using firewall rules within your VPC, by clicking Add New Rule.
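To make the effect of the default rule set concrete, here is an added example (not code from the original article or from MuleSoft) that models the four default rules and a hardened variant, and answers the question "would this source be allowed to reach this worker port?". It shows that with the defaults a public address can hit 8081 but not 8091, that an on-premises host coming over the VPN is refused on 8091 until a rule for its range is added, and that the hardened set leaves no port open to 0.0.0.0/0. Anypoint firewall rules also carry a protocol and can cover a port range; this model keeps only the TCP port and source CIDR. The VPC CIDR, on-premises range and sample source addresses are constructed values.

```python
"""Evaluating Anypoint VPC firewall rules (added example, not MuleSoft code)."""
import ipaddress
from dataclasses import dataclass
from typing import List

ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: TCP port plus the source CIDR it accepts."""
    port: int
    source: str


def default_rules(vpc_cidr: str) -> List[Rule]:
    """The four rules CloudHub creates with a new VPC: public ports open to
    anywhere (for the shared load balancer), private ports open to the VPC only."""
    return [
        Rule(8081, ANYWHERE),   # public HTTP
        Rule(8082, ANYWHERE),   # public HTTPS
        Rule(8091, vpc_cidr),   # private HTTP, "Local VPC"
        Rule(8092, vpc_cidr),   # private HTTPS, "Local VPC"
    ]


def hardened_rules(vpc_cidr: str, onprem_cidr: str) -> List[Rule]:
    """Workers reachable only from inside the VPC (e.g. a dedicated load
    balancer) or from the on-premises range that arrives over the VPN.
    The 0.0.0.0/0 rules on 8081/8082 are dropped, so the shared load
    balancer can no longer reach these workers."""
    return [
        Rule(8091, vpc_cidr),
        Rule(8092, vpc_cidr),
        Rule(8091, onprem_cidr),
        Rule(8092, onprem_cidr),
    ]


def allowed(rules: List[Rule], source_ip: str, port: int) -> bool:
    """Firewall semantics: allow if any rule matches port and source, else deny."""
    ip = ipaddress.ip_address(source_ip)
    return any(
        r.port == port and ip in ipaddress.ip_network(r.source, strict=False)
        for r in rules
    )


def public_ports(rules: List[Rule]) -> List[int]:
    """Ports that accept traffic from anywhere; the list a reviewer wants empty
    for an isolated VPC."""
    return sorted({r.port for r in rules if r.source == ANYWHERE})


if __name__ == "__main__":
    # Constructed sample: VPC 10.10.0.0/21, data center 192.168.0.0/16 over VPN.
    defaults = default_rules("10.10.0.0/21")
    hardened = hardened_rules("10.10.0.0/21", "192.168.0.0/16")
    print("public -> 8081 (default):      ", allowed(defaults, "203.0.113.5", 8081))
    print("public -> 8091 (default):      ", allowed(defaults, "203.0.113.5", 8091))
    print("on-prem -> 8091 (default):     ", allowed(defaults, "192.168.50.9", 8091))
    print("on-prem -> 8091 (hardened):    ", allowed(hardened, "192.168.50.9", 8091))
    print("public -> 8081 (hardened):     ", allowed(hardened, "203.0.113.5", 8081))
    print("ports open to anywhere:", public_ports(defaults), public_ports(hardened))
```

Use `public_ports` as the review check after editing rules in Runtime Manager: for a VPC that is meant to be isolated it should return an empty list, and every remaining rule's source should be either the VPC's own block or a specific on-premises or peered range.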
This article should give you enough to kick off the configuration of your Anypoint VPC: isolating your CloudHub worker instances with the right firewall rules while keeping the flexibility to connect to on-premises or cloud assets over VPN or peering.
Published at DZone with permission of Anubhav Mangla. See the original article here.