---
copyright:
  years: 2024
lastupdated: 2024-10-16
subcollection: pattern-network-vrf-only
keywords:
---

{{site.data.keyword.attribute-definition-list}}

Deploying Classic Infrastructure in a Single Region

{: #introduction}

This guide outlines deploying a Classic edge gateway architecture in a single-region configuration. The Classic edge gateway pattern allows on-premises traffic to flow into a set of firewalls before it is routed to IBM Cloud’s PowerVS and Virtual Private Cloud (VPC) environments. It is used to integrate on-premises access with classic infrastructure and Power Virtual Server workloads within IBM Cloud. The deployment is based on existing deployable architecture modules, as well as a series of manual customizations to tailor the setup to the specific requirements of your environment.

This pattern is designed for customers who need a scalable, single-region infrastructure with the flexibility of manual customizations after the initial deployment of the base deployable architecture. It allows for adapting various components, such as networking and security, to better suit individual business needs after the foundational architecture has been established.

This deployment guide uses IBM Cloud catalog, Terraform IBM modules (TIM), and manual configuration to achieve deployment. It assumes that the landing zone prerequisites have been completed including IBM Cloud account setup, IAM permissions, access roles, and SSH keys. Please follow instructions for setting up your environment for deployable architecture.

Illustrates a detailed network and component architecture for a single Classic Data Center solution architecture{: caption="Single Region View" caption-side="bottom"}

Before you begin

{: #begin}

You need the following items to deploy and configure this reference architecture:

Provision Architecture

{: #provision}

Direct Link Connect

{: #directlink}

  1. Review the list of Direct Link Connect providers and locations to select a provider.
  2. Review partner-specific instructions.
  3. Order primary Direct Link Connect to xcr01.
  4. Order secondary Direct Link Connect to xcr02 for resiliency.

This deployment guide assumes the remote side of this connection is already integrated with the exchange provider’s network. If not, please contact the provider to establish this connection.{: note}

Alternative: Two Direct Link Dedicated connections can be ordered.

Classic Infrastructure

{: #classic}

  1. Create security groups and rules either in the IBM Cloud portal or by using the IBM Cloud Terraform provider resources ibm_security_group{: external} and ibm_security_group_rule{: external}.

  2. Create SSH keys in the IBM Cloud portal or by using the IBM Cloud Terraform provider resource ibm_compute_ssh_key{: external}.

  3. Provision the gateway appliance of choice:

    1. Juniper vSRX{: external}.
    2. Virtual Router Appliance (vRA){: external}, select ATT vRouter for vendor or TIMs module ibm_network_gateway{: external}.
    3. FortiGate FSA 10 Gbps{: external}.
    4. FortiGate vFSA{: external}, select Fortinet for vendor.
    5. Bring your own Gateway Appliance (BYOG){: external}, and select other for vendor.
  4. Establish a GRE tunnel (GREa) from the gateway of choice to the client on-premise device.

    Configure BGP to peer your IBM Cloud Classic Gateway with the on-premise device for route exchange over the GRE tunnel (use the GRE tunnel IP addresses as the BGP neighbours). {: tip}

  5. Create VLANs and subnets for compute resources that need to be deployed in Classic using the portal subnets{: external} and VLANs{: external} or Terraform ibm_network_vlan{: external} and ibm_network_vlan_spanning{: external}.

  6. Create Cloud service instances as required. Reference Service Endpoints for additional details.

  7. Create a Virtual Server Instance to be used as the bastion host, either in the portal{: external} or with Terraform ibm_compute_vm_instance{: external}.

    Alternative: Bare metal can be deployed using the portal{: external} or Terraform ibm_compute_bare_metal{: external}.

  8. Create a Virtual Server Instance to be used as the proxy server, either in the portal{: external} or with Terraform ibm_compute_vm_instance{: external}.

    Alternative: Bare metal can be deployed using the portal{: external} or Terraform ibm_compute_bare_metal{: external}.

  9. Create a Virtual Server Instance to be used as the custom Domain Name System (DNS) server, either in the portal{: external} or with Terraform ibm_compute_vm_instance{: external}.

    Alternative: Bare metal can be deployed using the portal{: external} or Terraform ibm_compute_bare_metal{: external}.

  10. Optionally provision the IBM Cloud Load Balancer using the portal{: external} or Terraform ibm_lb{: external}.

    Alternative: Citrix VPX can be deployed using the portal{: external} or Terraform ibm_lb_vpx{: external}.

Power Virtual Server

{: #PVS}

  1. Create the Power Virtual Server workspace in the IBM Cloud portal{: external}, with Terraform ibm_pi_workspace{: external}, or by using the Terraform IBM Module{: external}.
  2. Create the Power Virtual Server instance in the IBM Cloud portal{: external}, with Terraform ibm_pi_instance{: external}, or by using the Terraform IBM Module{: external}.

Cloud Internet Services (CIS)

{: #internet-services}

  1. Configure IBM Cloud Internet Services using the portal{: external}, or the Terraform IBM Module{: external}.

Connecting Power Virtual Server to Classic

{: #cloud-connect}

  1. Provision (2) 5 Gbps Power Virtual Server Cloud Connections with GRE enabled.

    Specify a GRE subnet to be used for GRE communication between Power and Classic. The Cloud Connection automation will assign the first IP of the specified subnet to the Power Gateway IP and the first IP of the second half of the subnet as the local GRE Tunnel IP in Power. {: note}

    As an example, assigning 192.168.10.0/29 as the GRE subnet allows 8 available IPs. Automation would assign the Power Gateway IP as 192.168.10.1 and the PowerVS GRE tunnel IP as 192.168.10.5 (the first IP of the second half of the subnet). The next IP (192.168.10.6) is used as the local GRE tunnel IP on the Gateway device in the Classic infrastructure.

    GRE “Keepalives” are enabled on the PowerVS side of the tunnel. The Classic Gateway must have this feature enabled to successfully establish the GRE tunnel. {: important}

  2. Establish GREc from the Classic gateway of choice to the Power Virtual Server workspace. View a GRE configuration example for reference.

    Configure BGP to peer your IBM Cloud Classic Gateway with PowerVS for route exchange over the GRE tunnel. Use the GRE tunnel IP addresses as the BGP neighbours.{: tip}
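
The GRE subnet addressing rule from the Cloud Connection note above, worked through for both Cloud Connections. This is an added example, not code from the original guide or from IBM. The function names, the /29 minimum size check, the overlap check, the second GRE subnet, and the routed range are assumptions of this example; only 192.168.10.0/29 and its derived addresses come from the guide.

```python
import ipaddress


def gre_plan(cidr):
    """Derive the GRE addresses for one Cloud Connection from its GRE subnet."""
    # strict=True rejects a CIDR with host bits set, such as 192.168.10.1/29.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr}: this example covers IPv4 only")
    if net.prefixlen > 29:
        # Assumption of this example: anything smaller than a /29 pushes the
        # derived tunnel addresses onto the broadcast address or out of range.
        raise ValueError(f"{cidr}: GRE subnet must be /29 or larger")
    first_half, second_half = net.subnets(prefixlen_diff=1)
    return {
        "subnet": net,
        # First IP of the subnet: Power Gateway IP.
        "power_gateway_ip": first_half.network_address + 1,
        # First IP of the second half: local GRE tunnel IP in PowerVS.
        "powervs_tunnel_ip": second_half.network_address + 1,
        # Next IP: local GRE tunnel IP on the Classic gateway.
        "classic_tunnel_ip": second_half.network_address + 2,
    }


def plan_connections(gre_cidrs, routed_cidrs=()):
    """Plan every Cloud Connection; refuse GRE subnets that collide."""
    plans = [gre_plan(c) for c in gre_cidrs]
    routed = [ipaddress.ip_network(c) for c in routed_cidrs]
    for i, plan in enumerate(plans):
        # Compare against the remaining GRE subnets and the routed ranges.
        others = [p["subnet"] for p in plans[i + 1:]] + routed
        for other in others:
            if plan["subnet"].overlaps(other):
                raise ValueError(f"{plan['subnet']} overlaps {other}")
    return plans


if __name__ == "__main__":
    # 192.168.10.0/29 is the guide's example; the second GRE subnet and the
    # routed workload range are constructed sample values.
    for p in plan_connections(["192.168.10.0/29", "192.168.10.8/29"], ["10.0.0.0/8"]):
        print(p["subnet"], p["power_gateway_ip"], p["powervs_tunnel_ip"], p["classic_tunnel_ip"])
```

The `classic_tunnel_ip` and `powervs_tunnel_ip` values of each plan are the addresses to use as BGP neighbours on the two ends of that tunnel.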