VPC reference architecture for IBM Cloud for Financial Services
IBM Cloud® Virtual Private Cloud (VPC) is a public cloud offering that lets an enterprise establish its own private cloud-like computing environment on shared public cloud infrastructure. A VPC gives an enterprise the ability to define and control a virtual network that is logically isolated from all other public cloud tenants, creating a private, secure place on the public cloud. The VPC reference architecture for the IBM Cloud for Financial Services is designed to provide a framework for building a VPC-based offering according to the best practices and requirements of the IBM Cloud Framework for Financial Services. We detail this architecture and provide guidance for deploying, configuring, and managing it.
Architecture diagram
Central to the architecture are two VPCs, which provide for separation of concerns between provider management functionality and consumer workloads.
- Management VPC
- Provides compute, storage, and network services to enable the application provider's administrators to monitor, operate, and maintain the environment.
- Workload VPC
- Provides compute, storage, and network services to support hosted applications and operations that deliver services to the consumer.
Other key features to note:
- Supports a single tenant.
- Resides in one or more multizone regions.
- Gives two options for compute that can be mixed and matched: IBM Cloud® Virtual Servers for Virtual Private Cloud and Red Hat® OpenShift® on IBM Cloud®.
- Enables access to the management VPC from the application provider's enterprise environment through IBM Cloud® Direct Link or IBM Cloud Virtual Private Network (VPN) for VPC.
- Provides connectivity from the consumer's enterprise environment to the workload VPC through Direct Link or VPN for VPC.
- Connects management VPC and workload VPC by using IBM Cloud® Transit Gateway.
- Allows connectivity to IBM Cloud services that use IBM Cloud Virtual Private Endpoint (VPE) for VPC.
- Encrypts data by using IBM Cloud Hyper Protect Crypto Services, which enables keep your own key (KYOK) functionality and so provides technical assurance that IBM cannot access your keys.
Variation with edge or transit VPC for public internet access
The architecture in the previous section is the most secure way of enabling consumers to access the applications that are running in a workload VPC. However, there might be valid cases where it is desirable to allow consumers to access your service through the public internet. The same base architecture can be adapted to securely enable this type of access.
The revised architecture adds:
- IBM Cloud® Internet Services (CIS) to provide global load balancing and layer 3/4 protection against distributed denial-of-service (DDoS) attacks.
- Virtual network firewall software in the workload VPC to provide web application firewall (WAF) protection and layer 7 protection against denial-of-service (DoS) attacks.
See VPC architecture with virtual servers for more details on this variation.
Financial Services Validated services
Deploying the reference architecture depends upon VPC infrastructure and PaaS services that are IBM Cloud for Financial Services Validated. This means that they have evidenced compliance to the controls of the IBM Cloud Framework for Financial Services. Financial Services Validated services are designed to help address the requirements of financial institutions for regulatory compliance, security, and resiliency. When properly configured and managed, services that are Financial Services Validated work together so you can deliver a solution that conforms to the best practices of the IBM Cloud Framework for Financial Services.
Generally speaking, you should strive to use only services that are Financial Services Validated in your solutions. However, depending on your circumstances there may be exceptions. See the best practice Use only services that are IBM Cloud for Financial Services Validated for more details and potential exceptions.
Category | Required services | Optional services |
---|---|---|
Compute [1] | ||
Containers [4] | ||
Networking - VPC infrastructure | ||
Networking - interconnectivity | ||
Storage | ||
Security | ||
Logging and monitoring | ||
Integration | ||
Developer tools | ||
The remainder of this section goes into more detail about how these services fit into the reference architecture.
Compute
Virtual Servers for VPC
Virtual Servers for VPC is an infrastructure-as-a-service (IaaS) offering that gives you access to all of the benefits of VPC, including network isolation, security, and flexibility. You can quickly provision instances with high network performance. When you provision an instance, you select a profile that matches the amount of memory and compute power that you need for the application that you plan to run on the instance. Instances are available on the x86 architecture.
Dedicated hosts for VPC (optional)
You can optionally use dedicated hosts for VPC. You can create a dedicated host to carve out a single-tenant compute node, free from users outside of your organization. Within that dedicated space, you can create virtual server instances according to your needs. Additionally, you can create dedicated host groups that contain dedicated hosts for a specific purpose. Because a dedicated host is a single-tenant space, only users within your account that have the required permissions can create instances on the host.
Dedicated hosts are highly recommended when you use virtual servers -- particularly for any parts of your application that process regulated data and keep it in memory.
IBM Cloud Auto Scale for VPC (optional)
With Auto Scale for VPC, you can improve performance and costs by dynamically creating virtual server instances to meet the demands of your environment. You set scaling policies that define your desired average utilization for metrics like CPU, memory, and network usage. The policies that you define determine when virtual server instances are added to or removed from your instance group. Auto Scale for VPC is highly recommended if you are using virtual servers.
Containers
Red Hat OpenShift on IBM Cloud
Red Hat OpenShift on IBM Cloud is a managed offering to create your own Red Hat OpenShift on IBM Cloud cluster of compute hosts to deploy and manage containerized apps on IBM Cloud. Red Hat OpenShift on IBM Cloud provides intelligent scheduling, self-healing, horizontal scaling, service discovery and load balancing, automated rollouts and rollbacks, and secret and configuration management for your apps. Combined with an intuitive user experience, built-in security and isolation, and advanced tools to secure, manage, and monitor your cluster workloads, you can rapidly deliver highly available and secure containerized apps in the public cloud.
In practice, when you choose Red Hat OpenShift on IBM Cloud for your primary compute, you might also need one or more instances of Virtual Servers for VPC for other parts of the reference architecture.
IBM Cloud Container Registry
Container Registry provides a multi-tenant, highly available, scalable, and encrypted private image registry that is hosted and managed by IBM®. When you push images to Container Registry, you benefit from the built-in Vulnerability Advisor features that scan for potential security issues and vulnerabilities.
Networking - VPC infrastructure
IBM Cloud Application Load Balancer for VPC
Use Application Load Balancer for VPC (ALB) to distribute traffic among multiple server instances within the same region of your VPC. You can create a public or private ALB.
Network Load Balancer for VPC (NLB) is also IBM Cloud for Financial Services Validated, but does not span zones. So, NLBs are not typically used in applications where high availability is needed.
IBM Cloud Virtual Private Network (VPN) for VPC
Use the VPN for VPC service to securely connect your VPC to another private network. Use a static, route-based VPN or a policy-based VPN to set up an IPsec site-to-site tunnel between your VPC and your on-premises private network, or another VPC.
VPN for VPC is required to connect to the management VPC if not using Direct Link.
IBM Cloud DNS Services
DNS Services provides private DNS to VPC users. Private DNS zones are resolvable only on IBM Cloud, and only from explicitly permitted networks in an account.
IBM Cloud Virtual Private Endpoint (VPE) for VPC
With IBM Cloud Virtual Private Endpoint (VPE) for VPC you can connect to supported IBM Cloud services from your VPC network by using IP addresses of your choosing, which are allocated from a subnet within your VPC.
VPE is an evolution of private connectivity to IBM Cloud services. VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per-service or per-service-instance basis (depending on the service operation model). The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communication between virtual server instances within your VPC and IBM Cloud services over the private backbone. VPE for VPC gives you the experience of controlling all the private addressing within your cloud.
Networking - Interconnectivity
IBM Cloud Direct Link
Use Direct Link to seamlessly connect your on-premises resources to your cloud resources. The speed and reliability of Direct Link extends your organization’s data center network and offers more consistent, higher-throughput connectivity, keeping traffic within the IBM Cloud network. Direct Link is the most secure way to enable connectivity from on-premises environments to IBM Cloud.
Direct Link is required if not using Virtual Private Network (VPN) for VPC (see the VPN for VPC section under Networking - VPC infrastructure).
IBM Cloud Transit Gateway
As the number of your VPCs grows, you need an easy way to manage the interconnection between these resources across multiple regions. Transit Gateway is designed specifically for this purpose, and is the means for connecting your management VPC to your workload VPC.
Storage
Block Storage for VPC
Block Storage for VPC provides hypervisor-mounted, high-performance data storage for your virtual server instances that you can provision within a VPC. The VPC infrastructure provides rapid scaling across zones and extra performance and security.
Block Storage for VPC is used for both primary boot volumes and secondary data volumes. Boot volumes are automatically created and attached during instance provisioning. Data volumes can be created and attached during instance provisioning as well, or as stand-alone volumes that you can later attach to an instance. To protect your data, you should use KYOK encryption with Hyper Protect Crypto Services.
IBM Cloud Object Storage
Object Storage stores encrypted and dispersed data across multiple geographic locations. Object Storage is available with three types of resiliency: Cross Region, Regional, and Single Data Center. Cross Region provides higher durability and availability than using a single region at the cost of slightly higher latency. Regional service reverses those tradeoffs, and distributes objects across multiple availability zones within a single region. If a given region or availability zone is unavailable, the object store continues to function without impediment. Single Data Center distributes objects across multiple machines within the same physical location.
Users of Object Storage refer to their binary data, such as files, images, media, archives, or even entire databases as objects. Objects are stored in a bucket, the container for their unstructured data. Buckets contain both inherent and user-defined metadata. Finally, objects are defined by a globally unique combination of the bucket name and the object key, or name.
Security
IBM Cloud Hyper Protect Crypto Services
Hyper Protect Crypto Services is a dedicated key management service and hardware security module (HSM) built on IBM Cloud. This service allows you to take ownership of the cloud HSM to fully manage your encryption keys and to perform cryptographic operations using Keep Your Own Key (KYOK). Hyper Protect Crypto Services is also the only service in the cloud industry that is built on FIPS 140-2 Level 4-certified hardware.
IBM Cloud App ID (optional)
App ID helps developers to easily add authentication to their web and mobile apps with a few lines of code, and to secure their cloud-native applications and services on IBM Cloud.
Logging and monitoring
IBM Cloud Activity Tracker Event Routing
Activity Tracker Event Routing is used to collect auditable platform events that are generated by services in your IBM Cloud account. These events allow you to monitor the activity of your IBM Cloud account so that you can investigate abnormal activity and critical actions.
Activity Tracker Event Routing provides for either event routing or hosted event search. However, only the event routing features of Activity Tracker Event Routing are Financial Services Validated. In regions where it's available, you must configure Activity Tracker Event Routing to send events to Object Storage, where they must be encrypted with KYOK.
Activity Tracker Event Routing is only available in some regions (see Locations for Activity Tracker Event Routing event routing for more details). For regions where it's not available, you must use Activity Tracker Event Routing hosted event search until Activity Tracker Event Routing is available. When event routing becomes available in those regions, you must switch to use event routing. For more information and possible exceptions, see Use only services that are IBM Cloud for Financial Services Validated.
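Once Activity Tracker events are routed to an Object Storage bucket, the "investigate abnormal activity and critical actions" part is up to you. The following is an added example, not code from this page or from IBM: a small triage pass over a constructed batch of Activity Tracker events (one JSON document per line). The field names used (`action`, `outcome`, `severity`, `eventTime`, `initiator.name`, `target.name`) are assumed to follow the Activity Tracker event format; the action strings, identities and CRNs are invented for the example, and the watched-action prefixes are the author's choice of what to review, not an IBM list.

```python
import json
from collections import defaultdict

# Constructed sample: four Activity Tracker events as they might land in an
# Object Storage bucket, newline-delimited JSON. Values are invented.
SAMPLE_EVENTS_NDJSON = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-01-01T10:00:00.00+0000", "action": "is.vpc.vpc.read",
     "outcome": "success", "severity": "normal",
     "initiator": {"id": "IBMid-EXAMPLE1", "name": "ops-admin@example.com"},
     "target": {"id": "crn:v1:bluemix:public:is:us-south:a/EXAMPLE::vpc:EXAMPLE", "name": "workload-vpc"}},
    {"eventTime": "2024-01-01T10:01:00.00+0000", "action": "is.security-group.security-group-rule.create",
     "outcome": "success", "severity": "warning",
     "initiator": {"id": "IBMid-EXAMPLE1", "name": "ops-admin@example.com"},
     "target": {"id": "crn:v1:bluemix:public:is:us-south:a/EXAMPLE::security-group:EXAMPLE", "name": "workload-sg"}},
    {"eventTime": "2024-01-01T10:02:00.00+0000", "action": "iam-identity.apikey.create",
     "outcome": "failure", "severity": "critical",
     "initiator": {"id": "iam-ServiceId-EXAMPLE", "name": "svc-deployer"},
     "target": {"id": "iam-ServiceId-EXAMPLE", "name": "svc-deployer"}},
    {"eventTime": "2024-01-01T10:02:30.00+0000", "action": "iam-identity.apikey.create",
     "outcome": "failure", "severity": "critical",
     "initiator": {"id": "iam-ServiceId-EXAMPLE", "name": "svc-deployer"},
     "target": {"id": "iam-ServiceId-EXAMPLE", "name": "svc-deployer"}},
])

# Hypothetical review list: action prefixes an operator of this architecture
# would want a human to look at (assumption, not an IBM-supplied list).
WATCHED_ACTION_PREFIXES = (
    "is.security-group.",   # security group rule changes in the VPC
    "is.network-acl.",      # network ACL changes
    "iam-identity.apikey.", # API key lifecycle
)


def parse_events(ndjson: str) -> list:
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def classify_event(event: dict, watched_prefixes=WATCHED_ACTION_PREFIXES) -> list:
    """Return the reasons an event deserves review (empty list if none)."""
    reasons = []
    if event.get("severity") == "critical":
        reasons.append("critical severity")
    if event.get("outcome") != "success":
        reasons.append(f"outcome {event.get('outcome')}")
    if event.get("action", "").startswith(watched_prefixes):
        reasons.append("watched action")
    return reasons


def triage(events: list) -> list:
    """Produce one finding per event that has at least one review reason."""
    findings = []
    for e in events:
        reasons = classify_event(e)
        if reasons:
            findings.append({
                "time": e["eventTime"],
                "action": e["action"],
                "initiator": e["initiator"]["name"],
                "target": e.get("target", {}).get("name"),
                "reasons": reasons,
            })
    return findings


def failures_by_initiator(events: list) -> dict:
    """Count non-success outcomes per initiator; repeated failures are worth a look."""
    counts = defaultdict(int)
    for e in events:
        if e.get("outcome") != "success":
            counts[e["initiator"]["name"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS_NDJSON)
    for f in triage(evts):
        print(f"{f['time']} {f['action']} by {f['initiator']} on {f['target']}: {', '.join(f['reasons'])}")
    print(failures_by_initiator(evts))
```

In practice you would run this over the objects the route writes into the bucket and feed the findings to your own SIEM (the table later on this page leaves SIEM as install-your-own software); the point is that the routed events carry enough structure to separate routine reads from failed or privileged actions.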
IBM Cloud® Security and Compliance Center
With Security and Compliance Center you can embed security checks into your everyday workflows to help monitor for security and compliance. By monitoring for risks, you can identify security vulnerabilities and quickly work to mitigate the impact and fix the issue. By using Security and Compliance Center along with external integrations (such as OpenShift Compliance Operator (OSCO), Tanium, NeuVector, and so on), you can build a robust approach for monitoring for security and compliance issues.
IBM Cloud Flow Logs for VPC
Flow Logs for VPC enables the collection, storage, and presentation of information about the Internet Protocol (IP) traffic flowing to and from network interfaces within your VPC.
Flow Logs for VPC can help with a number of tasks, including:
- Troubleshooting why specific traffic isn't reaching an instance, which helps to diagnose restrictive security group rules
- Recording the metadata of network traffic that is reaching your instance
- Determining source and destination traffic from the network interfaces
- Adhering to compliance regulations
- Assisting with root cause analysis
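The first item in that list, diagnosing a restrictive security group rule, is the most common reason to read flow logs by hand. The following is an added example and not code from this page or from IBM: it parses one constructed Flow Logs for VPC object (the JSON document the collector writes to Object Storage) and summarizes rejected inbound flows by source, destination and port, which is exactly the view you need to see which rule is dropping traffic. The field names (`state`, `flow_logs`, `direction`, `action`, `initiator_ip`, `target_ip`, `target_port`, `transport_protocol`, `bytes_from_initiator`) are assumed to follow the documented flow-log record layout; all values, addresses and CRNs are made up.

```python
import json
from collections import Counter

# Constructed sample: one flow-log object as the collector would write it to
# Object Storage. Field names are assumed from the flow-log record layout;
# values are invented. Two connection attempts to 8443 and one to 22 are
# rejected, which is the signature of a security group or ACL without a
# matching allow rule.
SAMPLE_FLOW_LOG_OBJECT = json.dumps({
    "version": "0.0.1",
    "collector_crn": "crn:v1:bluemix:public:is:us-south:a/EXAMPLE::flow-log-collector:EXAMPLE",
    "attached_endpoint_type": "vnic",
    "network_interface_id": "0717-EXAMPLE",
    "instance_crn": "crn:v1:bluemix:public:is:us-south-1:a/EXAMPLE::instance:EXAMPLE",
    "vpc_crn": "crn:v1:bluemix:public:is:us-south:a/EXAMPLE::vpc:EXAMPLE",
    "capture_start_time": "2024-01-01T00:00:00Z",
    "capture_end_time": "2024-01-01T00:05:00Z",
    "state": "ok",
    "number_of_flow_logs": 5,
    "flow_logs": [
        {"direction": "I", "action": "accepted", "initiator_ip": "10.10.20.4", "target_ip": "10.10.10.4",
         "initiator_port": 51022, "target_port": 443, "transport_protocol": 6, "bytes_from_initiator": 1200},
        {"direction": "I", "action": "rejected", "initiator_ip": "10.10.20.4", "target_ip": "10.10.10.4",
         "initiator_port": 51023, "target_port": 8443, "transport_protocol": 6, "bytes_from_initiator": 0},
        {"direction": "I", "action": "rejected", "initiator_ip": "10.10.20.4", "target_ip": "10.10.10.4",
         "initiator_port": 51024, "target_port": 8443, "transport_protocol": 6, "bytes_from_initiator": 0},
        {"direction": "I", "action": "rejected", "initiator_ip": "10.10.30.9", "target_ip": "10.10.10.4",
         "initiator_port": 40000, "target_port": 22, "transport_protocol": 6, "bytes_from_initiator": 0},
        {"direction": "O", "action": "accepted", "initiator_ip": "10.10.10.4", "target_ip": "10.10.20.4",
         "initiator_port": 40001, "target_port": 5432, "transport_protocol": 6, "bytes_from_initiator": 300},
    ],
})

# IANA protocol numbers for the three protocols security group rules speak about.
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow_log_object(raw: str) -> list:
    """Return the flow records of one collector object; a non-'ok' object
    (the collector's way of reporting a capture gap) yields no records."""
    obj = json.loads(raw)
    if obj.get("state") != "ok":
        return []
    return obj["flow_logs"]


def summarize_rejected_inbound(flows: list, min_count: int = 1) -> list:
    """Group rejected inbound flows by (source ip, dest ip, dest port, protocol).
    Returns [((src, dst, port, proto), count), ...] sorted by count, highest first."""
    counts = Counter()
    for f in flows:
        if f["direction"] == "I" and f["action"] == "rejected":
            proto = PROTOCOL_NAMES.get(f["transport_protocol"], str(f["transport_protocol"]))
            counts[(f["initiator_ip"], f["target_ip"], f["target_port"], proto)] += 1
    return [(key, n) for key, n in counts.most_common() if n >= min_count]


def bytes_by_direction(flows: list) -> dict:
    """Total bytes sent by the initiator, split into inbound and outbound flows."""
    totals = {"I": 0, "O": 0}
    for f in flows:
        totals[f["direction"]] += f.get("bytes_from_initiator", 0)
    return totals


if __name__ == "__main__":
    records = parse_flow_log_object(SAMPLE_FLOW_LOG_OBJECT)
    for (src, dst, port, proto), n in summarize_rejected_inbound(records):
        print(f"{n} rejected inbound {proto} flow(s) {src} -> {dst}:{port}; "
              "check the security group and network ACL attached to the target interface")
    print(bytes_by_direction(records))
```

The same grouping run across a day of objects gives the "source and destination traffic" view from the list above, and a rejected-flow count that is persistently non-zero for a port your application is supposed to serve is the quickest evidence that a security group rule, not the application, is the problem.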
Integration
IBM Event Streams for IBM Cloud (optional)
Event Streams is a high-throughput message bus built with Apache Kafka. It is optimized for event ingestion into IBM Cloud and event stream distribution between your services and applications.
You can use Event Streams to complete the following tasks:
- Offload work to back-end worker applications.
- Connect event streams to streaming analytics to realize powerful insights.
- Publish event data to multiple applications to react in real time.
Reference architecture components
The following table provides a summary of the main features of the VPC reference architecture and associated IBM Cloud services.
Architectural component | Technology |
---|---|
Compute | Virtual Servers for VPC Dedicated hosts for VPC |
Containers [9] | Red Hat OpenShift on IBM Cloud Container Registry |
Inbound connectivity to management VPC | Direct Link or VPN for VPC |
Inbound connectivity to workload VPC | Direct Link or VPN for VPC |
Virtual network firewall | Install your own software [10] |
Connectivity between VPCs | Transit Gateway |
Connectivity to IBM Cloud services | VPE for VPC |
Load balancing | Application Load Balancer for VPC |
DNS | DNS Services |
Bastion host | Install your own software |
Scaling compute | Auto Scale for VPC |
Web app authentication in workload VPC | App ID |
Secrets management | Secrets Manager or Install your own software |
IBM Cloud platform audit logging | Activity Tracker Event Routing [11] |
Application provider audit logging | Install your own software for SIEM |
Application provider operational logging | Install your own software |
Application provider operational monitoring | Install your own software |
Compliance monitoring | Security and Compliance Center |
Flow/traffic logging | Flow Logs for VPC |
Encryption at rest | Hyper Protect Crypto Services |
Encryption in transit (TLS offload) | Hyper Protect Crypto Services |
Cross-zone high availability | Multizone region |
Cross-region high availability | Deploy in multiple regions |
Backup and recovery | Install your own software |
Developer tools | Continuous Delivery or Install your own software |
Endpoint protection | Install your own software |
Event queues | Event Streams or Install your own software |
Databases | Install your own software |
Next steps
- Learn about some important VPC concepts.
- Explore more detailed views of the VPC reference architecture based on compute type:
[1] Only required if using virtual servers instead of or in addition to Red Hat OpenShift on IBM Cloud.
[2] Highly recommended if using virtual servers instead of or in addition to Red Hat OpenShift on IBM Cloud.
[3] Highly recommended if using virtual servers instead of or in addition to Red Hat OpenShift on IBM Cloud.
[4] Only required if using containers instead of or in addition to virtual servers.
[5] Only choose one of Direct Link and VPN for VPC.
[6] Only choose one of Direct Link and VPN for VPC.
[7] Only the event routing features of Activity Tracker have been Financial Services Validated.
[8] Only required if using virtual servers instead of or in addition to Red Hat OpenShift on IBM Cloud.
[9] Only required if using containers instead of or in addition to virtual servers.
[10] Installing your own software is recommended when there is not yet an IBM Cloud service that is Financial Services Validated. However, when installing your own software you are still responsible for the controls of the IBM Cloud Framework for Financial Services if you are seeking your own Financial Services Validated designation.
[11] Only the event routing features of Activity Tracker have been Financial Services Validated.