Creating and connecting the management and workload VPCs

After completing the work for account setup and management, you can now create the management and workload VPCs from the VPC reference architecture and connect them using Transit Gateway.

  1. Create two VPCs in a multizone region, one for the management VPC and another for the workload VPC. See Create a VPC for more details. For now, you should not follow the instructions in any of the other sections in that reference.

    Do not create default address prefixes when you create the VPCs. You can specify manual for the --address-prefix-management argument in the ibmcloud is vpc-create command, such as in ibmcloud is vpc-create my-vpc --address-prefix-management manual.

  2. Review Designing an addressing plan for a VPC for guidance on how to plan addressing within your VPCs. VPC uses Classless Inter-Domain Routing (CIDR) notation to specify addresses.

  3. Create the address prefix for each zone in both VPCs based on the plan that you developed in the previous step. See ibmcloud is vpc-address-prefix-create for details.

  4. Create the subnets for the three zones by using the CIDRs. For more information, see Create a subnet.

    You need to specify the zones. For us-south, the three zones are us-south-1, us-south-2, and us-south-3. For us-east, the three zones are us-east-1, us-east-2, and us-east-3. See multizone regions for more information, including the zone identifiers for other multizone regions.

  5. Create security groups to define inbound and outbound traffic that's allowed for virtual server instances. For more information, see Using security groups and Overview of network security options.

  6. Configure ACLs for your subnets that do not contain virtual servers or Red Hat OpenShift on IBM Cloud clusters (for example, subnets that contain a VPN Gateway or VPEs). For more information, see Set up network ACLs.

    Even though we recommend security groups where possible, subnets without virtual servers or Red Hat OpenShift on IBM Cloud clusters still require ACLs. In this example, those are the subnets that contain only virtual private endpoints (VPEs) or a VPN for VPC gateway.

    For more information, see:

  7. Order Transit Gateway.

    For additional consideration, see the following resources:
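Before running steps 1, 3, 4 and 7 against a live account, it pays to check the addressing plan from step 2 once, offline. The following script is an added example, not part of the IBM Cloud documentation: it takes a constructed plan for a three-zone region (the 10.10.x and 10.20.x prefixes, the resource names, and the mgmt-workload-tgw gateway name are assumptions), verifies that no address prefix overlaps another within or across the two VPCs and that every subnet falls inside its own zone's prefix, and then emits the ibmcloud commands in dependency order; <TGW_ID> and <VPC_CRN> are placeholders to fill from the output of the earlier commands.

```python
import ipaddress

# Constructed sample addressing plan for a three-zone region (not taken from the page):
# one address prefix per zone in each VPC, and one subnet per zone carved from it.
ZONES = ["us-south-1", "us-south-2", "us-south-3"]
PLAN = {  # VPC -> zone -> address prefix
    "management": dict(zip(ZONES, ["10.10.0.0/18", "10.10.64.0/18", "10.10.128.0/18"])),
    "workload":   dict(zip(ZONES, ["10.20.0.0/18", "10.20.64.0/18", "10.20.128.0/18"])),
}
SUBNETS = {  # VPC -> zone -> subnet CIDR
    "management": dict(zip(ZONES, ["10.10.0.0/24", "10.10.64.0/24", "10.10.128.0/24"])),
    "workload":   dict(zip(ZONES, ["10.20.0.0/24", "10.20.64.0/24", "10.20.128.0/24"])),
}


def validate_plan(plan, subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    prefixes = {(vpc, zone): ipaddress.ip_network(cidr)
                for vpc, zones in plan.items() for zone, cidr in zones.items()}
    # Address prefixes must not overlap, within a VPC or across the two VPCs:
    # Transit Gateway routes on prefixes, so an overlap makes routing ambiguous.
    keys = list(prefixes)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if prefixes[a].overlaps(prefixes[b]):
                problems.append(f"address prefix {a} overlaps {b}")
    # Each subnet must lie inside the address prefix of its own VPC and zone,
    # which VPC requires when a subnet is created from a CIDR block.
    for vpc, zones in subnets.items():
        for zone, cidr in zones.items():
            if not ipaddress.ip_network(cidr).subnet_of(prefixes[(vpc, zone)]):
                problems.append(f"subnet {cidr} is outside the {vpc} {zone} prefix")
    return problems


def cli_commands(plan, subnets, region="us-south"):
    """Emit the ibmcloud commands for steps 1, 3, 4 and 7 in dependency order.
    Names are constructed; <TGW_ID> and <VPC_CRN:...> are placeholders."""
    cmds = []
    for vpc in plan:
        cmds.append(f"ibmcloud is vpc-create {vpc} --address-prefix-management manual")
        for zone, cidr in plan[vpc].items():
            cmds.append(f"ibmcloud is vpc-address-prefix-create {vpc}-{zone} {vpc} {zone} {cidr}")
        for zone, cidr in subnets[vpc].items():
            cmds.append(f"ibmcloud is subnet-create {vpc}-{zone}-subnet {vpc} --ipv4-cidr-block {cidr}")
    cmds.append(f"ibmcloud tg gateway-create --name mgmt-workload-tgw --location {region} --routing local")
    for vpc in plan:
        cmds.append(f"ibmcloud tg connection-create <TGW_ID> --name {vpc} --network-type vpc --network-id <VPC_CRN:{vpc}>")
    return cmds
```

Run validate_plan first and only print cli_commands when it returns an empty list; a non-empty list names the prefix or subnet that needs to move before anything is created.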

Next steps