| copyright | lastupdated | subcollection | keywords | authors | version | deployment-url | docs | content-type | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
2024-10-09 |
pattern-network-vrf-only |
|
1.0 |
reference-architecture |
{{site.data.keyword.attribute-definition-list}}
{: #network-vrf-only} {: toc-content-type="reference-architecture"} {: toc-version="1.0"}
This reference architecture is used in disaster recovery scenarios where either the primary or disaster recovery site is a classic data center where {{site.data.keyword.vpc_short}} is not available. Currently, the list includes centers such as Montreal 01, San Jose 03, San Jose 04, Chennai 01, and Hong Kong S.A.R. of the PRC 02. For more information, see see {{site.data.keyword.tg_short}} locations.
This approach is referred to as classic data center because there is no VPC and Transit Gateway connectivity used. {: note}
It’s a common approach to complement classic environments with VPC services. This allows extra functionality that is only available with VPC services. The following information in this document references this approach as complementary VPC services and is highlighted in this pattern.
{: #architecture-diagram}
This architecture describes on-premises data center connectivity into {{site.data.keyword.cloud_notm}} classic, with firewall services and a {{site.data.keyword.powerSys_notm}} workspace. The diagram includes examples of where workload compute instances, proxy servers, and bastion hosts are located. The diagram contains identifying numbers indicating key components in the description.
In this diagram, Region 1 represents a classic data center where {{site.data.keyword.vpc_short}} is not available and Region 2 illustrates a classic data center in a multi-zone region where {{site.data.keyword.vpc_short}} is available.
{: caption="Multi-Region View" caption-side="bottom"}
- The optional network path is accomplished through site-to-site VPN terminated on a classic gateway.
- The client network connectivity from on-premises using {{site.data.keyword.dl_short}}.
- The gateway provides routing and security functions.
- The virtual bastion host supports remote administrative access.
- GREa tunnel allows Bring Your Own IP to be advertised between classic and on-premises. Two GRE tunnels allow for resiliency.
- GREb tunnel allows Bring Your Own IP to be advertised between classic environments in separate regions. Two GRE tunnels allow for resiliency.
- GREc tunnel allows Bring Your Own IP to be advertised between classic and PowerVS. Two GRE tunnels allow for resiliency.
- Private Cloud Service Endpoints (CSE) allow access to cloud services over the private network.
- The proxy server acts as an intermediary between on-premises and cloud services.
- Cloud Internet Services (CIS) is used to enhance the security, performance, and reliability of internet-facing applications and websites.
- {{site.data.keyword.vpe_full}} as an alternative to Cloud Service Endpoints and proxy server allow access to cloud services over the private network.
- A custom DNS resolver in classic is used for a fully qualified domain name resolution.
- DNS services on VPC as an alternative to custom DNS in classic.
- In region 2, TGW1 advertises and routes on-premises traffic to classic for gateway or firewall inspection.
- In region 2, TGW2 advertises and routes local traffic between classic, VPC, and PowerVS.
- In region 2, TGW3 advertises and routes global traffic between regions for VPC and PowerVS.
- {{site.data.keyword.loadbalancer_full}} provides local application load balancing.
{: #design-scope}
Following the {{site.data.keyword.arch_framework}}, the classic data center network pattern covers design considerations and architecture decisions for the following aspects and domains:
- Compute: Virtual Servers, Bare Metal Servers
- Networking: Enterprise Connectivity, Bring Your Own IP and Edge Gateways, Network Segmentation, Cloud Native Connectivity, Load Balancing, and DNS
- Security: Identity and Access Management (IAM)
- Resiliency: High Availability, Disaster Recovery
- Service management: Monitoring, Logging, Auditing, and Alerting
{: caption="Classic data center design scope" caption-side="bottom"}
The {{site.data.keyword.arch_framework}} provides a consistent approach to design cloud solutions by addressing requirements across a set of aspects and domains, which are technology-agnostic architectural areas that need to be considered for any enterprise solution. For more information, see Introduction to the architecture framework for more details.
{: #requirements}
The following represents a baseline set of requirements that are applicable to most clients and critical to successful classic data center network deployment. The pattern assumes that the client has a requirement of geolocation, data residency, or low latency that requires resource deployment in a data center that does not have transit gateway technology.
| Aspect | Requirement |
|---|---|
| Compute | Secure remote administrative support of all devices within the {{site.data.keyword.cloud_notm}} environment. |
| Network | Private enterprise connectivity from customer data centers to {{site.data.keyword.cloud_notm}} for access to applications, data, and services. |
| Private administrative and management connectivity | |
| Provide network isolation with the ability to separate applications based on attributes such as data classification, public versus private traffic flows, and internal application function. | |
| Provide the ability to use Bring Your Own IP (BYOIP) | |
| Security | Firewalls must be restrictively configured to provide advanced security features and prevent all traffic, both inbound and outbound, except that which is required, documented, and approved and optionally include Intrusion Protection System (IPS) and Intrusion Detection System (IDS) services. |
| Distributed Denial of Service (DDoS) and Web Application Firewall (WAF) security capabilities are required. | |
| Secure access for administration and management of the environment. | |
| Resiliency | Multi-region capability to support a disaster recovery strategy and solution that allows all production applications to be included by using cloud infrastructure disaster recovery strategies. |
| Service management | Provide health and system monitoring with ability to monitor and correlate performance metrics and events and provide alerting across applications and infrastructure |
| Ability to diagnose issues and exceptions and identify error source | |
| {: caption="Classic data center requirements" caption-side="bottom"} |
{: #components}
| Aspect | Component | How the component is used |
|---|---|---|
| Compute | Virtual Server on classic \n - Bastion host | The bastion host is deployed on a virtual server instance within classic and is used for remote administrative support. |
| Virtual Server on classic \n - Proxy server | Acts as an intermediary between the on-premises network and {{site.data.keyword.cloud_notm}} services. | |
| Networking | Virtual Private Network (VPN) | Provides a secured connection into {{site.data.keyword.cloud_notm}} over the Internet. VPN can be used for migrations, administrative access, and backup connectivity. |
| Gateway Appliance in classic \n - {{site.data.keyword.vsrx}} \n - {{site.data.keyword.vra}} \n - FortiGate FSA 10 Gbps \n - FortiGate vFSA \n - Bring Your Own Gateway (BYOG) \n Bare metal or VSI including Checkpoint, Cisco, and Palo Alto | Provides router, firewall, and VPN gateway functions for secure and reliable connectivity to cloud resources. | |
| Generic Routing Encapsulation (GRE) tunnels | Supports Bring Your Own IP (BYOIP) communication between on-premises, classic infrastructure, and {{site.data.keyword.powerSys_notm}} workspace. | |
| {{site.data.keyword.dl_short}} \n - {{site.data.keyword.dl_short}} Connect | Connect on-premises networks to the {{site.data.keyword.cloud_notm}} with physical telco connections or virtual exchange network services. | |
| Load Balancers \n - {{site.data.keyword.loadbalancer_full}} \n - {{site.data.keyword.cis_short}} | Local and global Application Load Balancing for web servers, app servers, and database servers as needed. | |
| Service Endpoints | Connect directly to cloud services without using the public network. | |
| {{site.data.keyword.cis_short}} | Public Load balancing of web server traffic across regions. | |
| Custom DNS server (VSI) \n or \n DNS Services (VPC) | The Domain Name System (DNS) to associate human-friendly domain names with IP addresses. | |
| Security | IAM | {{site.data.keyword.cloud_notm}} Identity and Access Management |
| {{site.data.keyword.cis_short}} | DDoS protection and Web Application Firewall (WAF) for public connectivity. | |
| Gateway Appliance in Classic | Advanced firewall capabilities such as Intrusion Detection System (IDS) and Intrusion Protection System (IPS) services. | |
| Bastion host | The bastion host is deployed on a virtual server instance within classic and is used for remote administrative support. | |
| Resiliency | Multi-region deployment | Allows for disaster recovery in a secondary region. |
| Multiple {{site.data.keyword.dl_short}} connections | Allows for network resiliency for failover and recovery. | |
| {{site.data.keyword.cis_full_notm}} | Allows for multi-regional load balancing over the public internet. | |
| Service management | Health dashboard | Apps and operational monitoring |
| {: caption="Classic data center solution components"} |