
Deployable architectures on IBM Cloud: Exploring the IaC aspect of a VPC landing zone

In an ever-evolving cloud infrastructure environment, creating a customizable and secure Virtual Private Cloud (VPC) environment within a single region has become a necessity for many organizations. The VPC Landing Zone Deployable Architecture provides a solution to these requirements through a set of getting started templates that can be quickly adjusted to fit your specific needs.

The VPC Landing Zone deployable architecture leverages Infrastructure as Code (IaC) principles, which allow you to define infrastructure as code and automate deployment. This approach not only improves consistency across deployments, but also makes it easier to manage and update your VPC environment.

One of the key features of a VPC landing zone is flexibility. You can customize the starter template to fit your organization’s specific needs, for example by adjusting the network configuration and security settings, or by adding resources such as load balancers or extra block volumes.

The following patterns are starter templates that you can use to quickly get started with Landing Zone.

  1. VPC pattern: Deploy a simple IBM Cloud® VPC infrastructure without compute resources such as VSI or Red Hat OpenShift clusters.
  2. QuickStart Virtual Server Instance (VSI) Pattern: Deploy an edge VPC with one VSI in the management VPC and one jump server VSI.
  3. Quick Start ROKS Pattern: Deploy one ROKS cluster in a workload VPC with two worker nodes.
  4. Virtual Server (VSI) Pattern: Deploy identical virtual servers across VSI subnet tiers in each VPC.
  5. Red Hat® OpenShift® Patterns: The Red Hat OpenShift Kubernetes (ROKS) pattern deploys identical clusters across the VSI subnet hierarchy in each VPC.

Patterns that follow best practices

  • Create resource groups to configure and manage cloud services and VPCs.
  • Set up a Cloud Object Storage instance to store flow logs and Activity Tracker data. This allows long-term storage and analysis of flow log and Activity Tracker data. Store your encryption keys in a Key Protect or Hyper Protect Crypto Services instance. This provides a secure, centralized location to manage your encryption keys.
  • Create a management VPC to manage and control network traffic and a workload VPC to run applications and services. Connect your management and workload VPCs using a transit gateway.
  • Set up a flow log collector in each VPC to collect and analyze network traffic data. This gives you visibility and insight into network traffic patterns and performance.
  • Implement the necessary networking rules to allow communication between your VPC, instances, and services. This includes security groups, network ACLs, and routing tables.
  • Set up a VPE for Cloud Object Storage in each VPC. This provides secure, private access to Cloud Object Storage within each VPC.
  • Set up a VPN gateway in your management VPC. This provides a secure, encrypted connection between your management VPC and your on-premises network.

Landing zone patterns

Let’s take a look at the landing zone pattern to gain a comprehensive understanding of the basic concepts and applications.

1. VPC pattern

The VPC pattern architecture stands out as a modular solution that provides a strong foundation for building or deploying compute resources as needed. Whether you want to enhance your cloud environment using VSI, Red Hat OpenShift clusters, or other compute resources, this architecture provides the flexibility to do so. This approach not only simplifies the deployment process, but also ensures that the cloud infrastructure remains adaptable and secure to meet the changing needs of the project.

Figure: Architectural diagram for the No Compute pattern in a VPC landing zone.

2. Quickstart VSI pattern

This pattern deploys an edge VPC with one VSI in one of three subnets and a load balancer in the edge VPC. A jump server VSI is also placed in the management VPC and exposes a public floating IP address. Although this pattern is useful for getting started quickly, it does not guarantee high availability or validation within the IBM Cloud for Financial Services® framework.

Figure: Architecture diagram for VSI QuickStart variant of VPC landing zone.

3. QuickStart ROKS Pattern

This pattern consists of a management VPC with one subnet, an Allow All ACL, and a security group. The workload VPC has two subnets in two different availability zones and also has an Allow All ACL and a security group. A Transit Gateway connects the management and workload VPCs. The workload VPC also has one ROKS cluster deployed, consisting of two worker nodes with public endpoints enabled. For added security, Key Protect is used to encrypt cluster keys, and a Cloud Object Storage instance is set up because it is a required component of a ROKS cluster.

Figure: Architecture diagram for the QuickStart variant of ROKS in a VPC landing zone.
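The best-practices list above asks for resource groups, flow logs and explicit networking rules, while both QuickStart patterns attach an Allow All ACL to their subnets. The Terraform configuration below is an added illustration of that contrast; it is not taken from the landing zone module, from IBM's examples, or from this article. It uses real `IBM-Cloud/ibm` provider resource types, but the region, zone, name prefix, CIDR ranges and the Cloud Object Storage bucket name are constructed placeholders, and the transit gateway, VPN gateway, VPE and Key Protect pieces of the pattern are not shown.

```hcl
terraform { required_providers { ibm = { source = "IBM-Cloud/ibm" } } }

provider "ibm" {
  region = "us-south" # assumption: a single-region deployment in us-south
}

locals {
  prefix          = "lz-example"              # constructed name prefix
  zone            = "us-south-1"              # assumption: one zone is enough here
  mgmt_cidr       = "10.10.10.0/24"           # constructed management VPC range
  workload_cidr   = "10.20.10.0/24"           # constructed workload subnet range
  flow_log_bucket = "REPLACE-WITH-COS-BUCKET" # placeholder: an existing COS bucket name
}

# One VPC per role. Manual address-prefix mode keeps the ranges above exact.
resource "ibm_is_vpc" "management" {
  name                      = "${local.prefix}-management-vpc"
  address_prefix_management = "manual"
}

resource "ibm_is_vpc" "workload" {
  name                      = "${local.prefix}-workload-vpc"
  address_prefix_management = "manual"
}

resource "ibm_is_vpc_address_prefix" "management" {
  name = "${local.prefix}-management-prefix"
  vpc  = ibm_is_vpc.management.id
  zone = local.zone
  cidr = local.mgmt_cidr
}

resource "ibm_is_vpc_address_prefix" "workload" {
  name = "${local.prefix}-workload-prefix"
  vpc  = ibm_is_vpc.workload.id
  zone = local.zone
  cidr = local.workload_cidr
}

# Weak setting: the Allow All ACL the QuickStart patterns attach. Any source can
# reach any destination in either direction, so the ACL filters nothing.
resource "ibm_is_network_acl" "allow_all" {
  name = "${local.prefix}-allow-all-acl"
  vpc  = ibm_is_vpc.workload.id
  rules {
    name        = "allow-all-inbound"
    action      = "allow"
    direction   = "inbound"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
  }
  rules {
    name        = "allow-all-outbound"
    action      = "allow"
    direction   = "outbound"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
  }
}

# Corrected setting: only the management range may exchange traffic with the
# workload subnet. ACLs are stateless, so both directions need a rule; traffic
# that matches no rule is denied.
resource "ibm_is_network_acl" "workload_restricted" {
  name = "${local.prefix}-workload-acl"
  vpc  = ibm_is_vpc.workload.id
  rules {
    name        = "inbound-from-management"
    action      = "allow"
    direction   = "inbound"
    source      = local.mgmt_cidr
    destination = local.workload_cidr
  }
  rules {
    name        = "outbound-to-management"
    action      = "allow"
    direction   = "outbound"
    source      = local.workload_cidr
    destination = local.mgmt_cidr
  }
}

# Bind the workload subnet to the restricted ACL rather than the allow-all one.
resource "ibm_is_subnet" "workload" {
  name            = "${local.prefix}-workload-subnet"
  vpc             = ibm_is_vpc.workload.id
  zone            = local.zone
  ipv4_cidr_block = local.workload_cidr
  network_acl     = ibm_is_network_acl.workload_restricted.id
  depends_on      = [ibm_is_vpc_address_prefix.workload]
}

# Flow log collector for the workload VPC, writing to the COS bucket so that
# accepted and rejected connections can be reviewed later.
resource "ibm_is_flow_log" "workload" {
  name           = "${local.prefix}-workload-flowlog"
  target         = ibm_is_vpc.workload.id
  active         = true
  storage_bucket = local.flow_log_bucket
}
```

The `allow_all` ACL is kept in the configuration only so the two rule sets can be compared side by side; nothing is bound to it, and `terraform plan` shows the workload subnet attached to `workload_restricted`. Two things a practitioner should check before applying: the flow log collector only writes if an IAM service-to-service authorization grants the Flow Logs for VPC service Writer access on the target bucket, and because ACLs are stateless, any application port you open inbound needs a matching outbound rule for the reply traffic (security groups, which are stateful, handle the per-instance layer).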

4. Virtual server pattern

The VSI pattern supports creating virtual servers in a VPC landing zone on IBM Cloud. The VPC landing zone itself is a critical component of IBM Cloud’s secure infrastructure services, designed to provide a secure foundation for deploying and managing workloads. The VSI on VPC landing zone architecture is specifically tailored to create a secure infrastructure with virtual servers that run workloads in a VPC network.

Figure: Architecture diagram for VSI standard variant of VPC landing zone.

5. Red Hat OpenShift Pattern

The ROKS pattern supports the creation and deployment of Red Hat OpenShift Container Platform within a VPC landing zone in a single-region configuration on IBM Cloud. It allows you to manage and run container applications within an isolated, secure environment that provides the resources and services they need. The single-region architecture simplifies setup and management of the OpenShift platform while keeping all components within the same geographic region, which helps reduce latency and improve performance for applications deployed in this environment. IBM Cloud’s VPC landing zone makes it straightforward for organizations to set up container infrastructure and to deploy and manage container applications within a secure and scalable environment.

Figure: Architectural diagram of the OpenShift Container Platform on VPC deployable architecture.

IBM Cloud Deployable Architecture Assessment

When choosing a VPC landing zone pattern, weigh the pros and cons of each option, since the most appropriate pattern depends on the needs and goals of your organization or project. To make an informed decision, evaluate key factors such as scalability, security, cost, and manageability. By carefully evaluating these factors against your project’s requirements, you can choose the VPC landing zone pattern that best suits your needs.

For detailed guidance on how to choose the right VPC landing zone pattern, read our article, which provides valuable insights and practical tips to help you make the best choice for your specific use case.

IBM Cloud’s pre-built, deployable architecture provides a solid foundation for most use cases, but there may be situations where customization or extensions are needed. In these situations, refer to this tutorial to learn more about the customization process. To accelerate development, start by leveraging the IBM Cloud deployable architecture and adapting it to your unique needs.
