Consumer connectivity to workload VPC
Previously, we saw how administrative access to the workload VPC can be accomplished from the bastion host in the management VPC. Now, we look at how consumers can connect to the workload VPC to access your service offering.
Consumer in same organization as application provider
If the consumer is in the same organization as you are (such as the same financial institution), then the connection options are much the same as they are when you connect to the management VPC. That is, the consumer can connect to the workload VPC with either Direct Link or VPN for VPC. This is shown in the diagram below.
Direct Link
Direct Link is the most secure way to enable connectivity from the consumer's on-premises environment to the workload VPC. The speed and reliability of Direct Link extends your organization’s data center network and offers more consistent, higher-throughput connectivity, keeping traffic within the IBM Cloud network. When using Direct Link, a private Application Load Balancer for VPC (ALB) is used to distribute traffic among multiple server instances within the same region of your VPC.
The following diagram shows the Direct Link connection pattern.
For more information, see:
VPN for VPC
An alternative connectivity pattern requires using the VPN for VPC service to securely connect from your private network to the management VPC. VPN for VPC can be used as a static, route-based VPN or a policy-based VPN to set up an IPsec site-to-site tunnel between your VPC and your on-premises private network, or another VPC.
The following diagram shows the VPN for VPC connection pattern.
For more information, see:
Consumer in different organization than application provider
Connecting from public internet
There are many valid cases where you might want to allow consumers to access your service through the public internet. The base architecture can be adapted to securely enable this type of access, as shown in the following diagram, which introduces a new edge VPC. The request from the consumer is routed through the Cloud Internet Services global load balancer, then through a public load balancer in the edge VPC, and finally to the private load balancer within the workload VPC.
Global load balancer
One option for global load balancing outside of the edge VPC is IBM Cloud® Internet Services (CIS), powered by Cloudflare. CIS provides a fast, highly performant, reliable, and secure internet service for customers running their business on IBM Cloud.
For more information, see the following resources:
Edge VPC with web application firewall
The edge VPC is used to enhance boundary protection for both the management VPC and the workload VPC. For public internet access to the workload VPC, a WAF in [IBM Cloud Internet Services (CIS)](/docs/cis?topic=cis-getting-started) is used to protect web applications by filtering and monitoring internet web traffic. A WAF can prevent attacks exploiting a web application's known vulnerabilities.
For management VPC connectivity, your operators can connect to the environment from your on-premises network (with Direct Link or VPN for VPC). In practice, all three zones in the edge VPC would be the same, but for illustrative purposes, each of the first and second zones in the edge VPC box depicts one of the two scenarios for operator connectivity:
- Zone 1 - Connectivity with Direct Link, so a VPN for VPC is not needed.
- Zone 2 - Connectivity from the application provider is with VPN for VPC, so a Direct Link is not needed.
Finally, the bastion can be put either in the edge VPC or the management VPC. If you place it in the edge VPC, then the management VPC becomes optional if you are not deploying any other management tools.
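The boundary protection described above depends on the security groups admitting only the documented hops: CIS global load balancer to the public load balancer in the edge VPC, and that public load balancer to the private load balancer in the workload VPC, with no direct path from the internet to either. The following Python model, added here as an example and not IBM Cloud code, checks a proposed rule set against that path. The address plan, the CIS egress range, and the load balancer addresses are constructed for the example; the real CIS proxy ranges come from the CIS documentation.

```python
"""Check that the security groups on the edge/workload ingress path admit only
the documented hops: CIS global load balancer -> public LB in the edge VPC ->
private ALB in the workload VPC. Added example with a constructed address plan;
it is not IBM Cloud code and every CIDR and address below is hypothetical."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """An inbound security-group rule: allow TCP to `port` from `source` CIDR."""
    source: str
    port: int


@dataclass(frozen=True)
class Flow:
    """A single TCP connection attempt against a tier's security group."""
    src_ip: str
    dst_group: str
    port: int


# Hypothetical address plan (constructed for this example).
EDGE_VPC_CIDR = "10.10.0.0/16"
EDGE_PUBLIC_LB_SUBNET = "10.10.1.0/24"   # subnet of the public LB in the edge VPC
# Placeholder for the CIS proxy egress ranges; take the real list from CIS docs.
CIS_EGRESS_RANGES = ["203.0.113.0/24"]

# Default-deny model: anything not matched by a rule is dropped.
SECURITY_GROUPS = {
    "edge-public-lb": [Rule(cidr, 443) for cidr in CIS_EGRESS_RANGES],
    "workload-private-alb": [Rule(EDGE_PUBLIC_LB_SUBNET, 443)],
}


def is_allowed(flow: Flow, groups=SECURITY_GROUPS) -> bool:
    """Return True if some inbound rule on the destination group matches."""
    src = ipaddress.ip_address(flow.src_ip)
    for rule in groups.get(flow.dst_group, []):
        if rule.port == flow.port and src in ipaddress.ip_network(rule.source):
            return True
    return False


def only_reachable_from(group: str, cidr: str, groups=SECURITY_GROUPS) -> bool:
    """True if every inbound rule on `group` is scoped inside `cidr`, so the
    tier cannot be reached from outside that network (catches 0.0.0.0/0).
    An unknown or empty group is reported as failing the check."""
    boundary = ipaddress.ip_network(cidr)
    rules = groups.get(group, [])
    return bool(rules) and all(
        ipaddress.ip_network(r.source).subnet_of(boundary) for r in rules
    )


def ingress_report(consumer_ip: str, groups=SECURITY_GROUPS) -> dict:
    """Walk the documented path and also try each tier directly from the
    consumer's address. On the real path the edge LB sees the CIS proxy
    address and the workload ALB sees the edge LB address, never the consumer."""
    cis_proxy_ip = "203.0.113.9"   # constructed CIS egress address
    edge_lb_ip = "10.10.1.4"       # constructed edge public LB address
    path = [
        ("edge-public-lb", is_allowed(Flow(cis_proxy_ip, "edge-public-lb", 443), groups)),
        ("workload-private-alb", is_allowed(Flow(edge_lb_ip, "workload-private-alb", 443), groups)),
    ]
    bypass = {g: is_allowed(Flow(consumer_ip, g, 443), groups) for g in groups}
    return {"path": path, "direct_bypass": bypass}


if __name__ == "__main__":
    report = ingress_report("198.51.100.7")  # constructed consumer address
    for tier, ok in report["path"]:
        print(f"path hop {tier}: {'allowed' if ok else 'DENIED'}")
    for tier, ok in report["direct_bypass"].items():
        print(f"direct internet -> {tier}: {'ALLOWED (bad)' if ok else 'denied'}")
    print("workload ALB confined to edge VPC:",
          only_reachable_from("workload-private-alb", EDGE_VPC_CIDR))
```

Running the script shows both hops of the documented path admitted, both direct attempts from the consumer address denied, and the workload ALB confined to the edge VPC. Replacing the workload ALB rule source with `0.0.0.0/0` makes `only_reachable_from` return False, which is the misconfiguration this kind of check is meant to catch before the private load balancer is exposed.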
Application load balancer in workload VPC
Use IBM Cloud® Application Load Balancer for VPC (ALB) to distribute traffic among multiple server instances within the same region of your VPC. For more information, see the following resources: