Deploying critical applications with IBM Cloud MZR
This tutorial walks you through setting up a resilient environment for an n-tier application in an IBM Cloud® MZR. You create your own VPC in region 1, create subnets in two different zones of that region, and then provision the virtual server instances. You use two availability zones and create virtual server instances in each of them for the UI, application, and db tiers.
Objectives
- Setting up resilient VPC environment for the application
Architecture
- Provision multiple subnets (UI, application, and db) in each availability zone:
  - AZ-1: Mgmt, UI, application, and db
  - AZ-2: UI, application, and db
- Provision placement groups for the ui and application tiers.
- Provision virtual server instances:
  - Bastion server (jumphost) in the mgmt subnet, and generate an SSH key
  - Virtual server instances in the corresponding tiers with security groups
- Deploy a public load balancer and a private load balancer between tiers, spanning the availability zones.
Before you begin
- Check permissions for VPC
- Generate SSH Keys from your workstation to connect to the bastion server
Create a VPC
To create your own IBM Cloud VPC in region 1, complete these steps:
- Go to the VPC overview page and click Get Started.
- Select Create.
- Under the New virtual private cloud section:
  - Enter vpc-region1 as the name for your VPC.
  - Select a Resource group.
  - Optionally, add Tags to organize your resources.
  - The default access control list (ACL) (Allow all) is appropriate for your VPC.
  - Clear Allow SSH and Allow ping from the Default security group and leave classic access cleared. You add SSH access to the maintenance security group later; the maintenance security group must be added to an instance to allow SSH access from the bastion server. Ping access is not required for this tutorial.
  - Leave Create a default prefix for each zone checked.
- Under New subnet for VPC:
  - Enter vpc1-region1-zone1-mgmt as your subnet's unique name.
  - Select a Resource group.
  - Select a location and zone 1, for example: Dallas and Dallas 1.
  - Select the wanted number of IP addresses.
  - Leave the access control list set to Use VPC default.
  - Leave the public gateway set to Detached.
- Click Create virtual private cloud.
Create subnets in the same availability zone of region 1
Create subnets in availability zone 1
You create three more subnets in your first availability zone (vpc-region1-zone1), in the VPC you created in the previous section:
- vpc-region1-zone1-ui
- vpc-region1-zone1-app
- vpc-region1-zone1-db
To create the subnets:
- Click Subnets.
- Click Create.
- Enter vpc-region1-zone1-ui as a unique name for your subnet.
- Select vpc-region1 as the VPC.
- Select a Resource group.
- Select a location in zone 1, for example: Dallas 1.
- Select the wanted number of IP addresses.
- Leave the subnet access control list set to the default selection.
- Leave the public gateway set to Detached.
- Click Create subnet.
- Repeat steps 1-10 for the other two subnets:
  - Create a subnet that is called vpc-region1-zone1-app for the application tier.
  - Create a subnet that is called vpc-region1-zone1-db for the db tier.
Create subnets for availability zone 2
Use this task to create the subnets for availability zone 2. You repeat the steps in this task to create these three subnets:
Zone | Subnet |
---|---|
vpc-region1-zone2 | vpc-region1-zone2-ui |
vpc-region1-zone2 | vpc-region1-zone2-app |
vpc-region1-zone2 | vpc-region1-zone2-db |
To create the subnets:
- Enter vpc-region1-zone2-ui as a unique name for your subnet.
- Select vpc-region1 as the VPC.
- Select a Resource group.
- Select a location in zone 2, for example: Dallas 2.
- Select the wanted number of IP addresses.
- Leave the subnet access control list set to the default selection.
- Leave the public gateway set to Detached.
- Click Create subnet.
- Repeat steps 1-8 for the other two subnets in availability zone 2:
  - Create a subnet that is called vpc-region1-zone2-app.
  - Create a subnet that is called vpc-region1-zone2-db.
To confirm that the subnets are created, click Subnets on the left pane and wait until the status changes to Available.
Create two security groups to allow only specific inbound traffic to the server and application
To control which traffic reaches the application, you define security group rules, which you attach to the virtual server instances in later steps:
- Enable an inbound rule for SSH traffic to the jumphost.
- Enable only the specific ports that each tier's application needs. For example, if the front-end server needs HTTP and HTTPS, then its security group must allow ports 80 and 443.
To create the security groups:
- Go to Security Groups.
- Verify that the Regions setting is correct; if it is not, select the correct region, for example: Dallas.
- Click Create.
- Create the security group vpc-region1-jumphost-sg:
  - Set the VPC to vpc-region1.
  - Select your Resource Group.
  - Add one Inbound rule: set Protocol to TCP, Port Min and Max to 22, and Source Type to Any.
  - Add one Outbound rule: set Protocol to All and Destination type to Any.
- Create the security group vpc-region1-ui-sg:
  - Set the VPC to vpc-region1.
  - Select your Resource Group.
  - Add three Inbound rules:
    - Set Protocol to TCP, Port Min and Max to 22, and Source Type to Any.
    - Set Protocol to TCP, Port Min and Max to 80, and Source Type to Any.
    - Set Protocol to TCP, Port Min and Max to 443, and Source Type to Any.
  - Add one Outbound rule: set Protocol to All and Destination type to Any.
- Create security groups for app and db. Use these guidelines:
  - Allow SSH (port 22) for bastion access.
  - If web access is required, use HTTPS (port 443) for secure communication.
  - Add any additional ports that the respective tier requires. Avoid allowing all; instead, create an allow list.
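The allow-list guideline above is easy to check mechanically. The following audit script is an added example for this tutorial, not IBM's code; it reads rules in the shape of the VPC API security-group-rule object (direction, protocol, port_min, port_max, remote.cidr_block) and assumes a mgmt subnet CIDR of 10.240.0.0/24 plus hypothetical app (8080) and db (27017) ports.

```python
"""Audit VPC security group inbound rules against a per-tier allow-list.
Added example for this tutorial (not IBM's code); rules follow the VPC API
security-group-rule shape. The mgmt CIDR and app/db ports are assumptions."""

MGMT_CIDR = "10.240.0.0/24"  # assumed CIDR of vpc-region1-zone1-mgmt
ALLOWED_PORTS = {            # inbound ports permitted per tier
    "vpc-region1-jumphost-sg": {22},
    "vpc-region1-ui-sg": {22, 80, 443},
    "vpc-region1-app-sg": {22, 8080},   # hypothetical app port
    "vpc-region1-db-sg": {22, 27017},   # hypothetical NoSQL port
}

def rule(direction, protocol, cidr, ports=None):
    """Build a rule dict in the VPC API shape (constructed sample data)."""
    r = {"direction": direction, "protocol": protocol, "remote": {"cidr_block": cidr}}
    if ports:
        r["port_min"], r["port_max"] = ports
    return r

def audit_group(name, rules):
    """Flag allow-all rules, ports outside the tier's allow-list, and SSH
    open to any source on a tier that should only be reached via the bastion."""
    findings, allowed = [], ALLOWED_PORTS[name]
    for r in rules:
        if r["direction"] != "inbound":
            continue
        src = r["remote"].get("cidr_block", "")
        if r["protocol"] == "all":
            findings.append(f"{name}: allow-all inbound from {src}")
            continue
        lo, hi = r.get("port_min", 1), r.get("port_max", 65535)
        if any(p not in allowed for p in range(lo, hi + 1)):
            findings.append(f"{name}: ports {lo}-{hi} exceed allow-list (from {src})")
        elif lo <= 22 <= hi and src == "0.0.0.0/0" and "jumphost" not in name:
            findings.append(f"{name}: SSH open to any source; limit to {MGMT_CIDR}")
    return findings

# Constructed sample: the tutorial's jumphost and ui groups, plus a db group that allows all.
SAMPLE_GROUPS = {
    "vpc-region1-jumphost-sg": [rule("inbound", "tcp", "0.0.0.0/0", (22, 22))],
    "vpc-region1-ui-sg": [rule("inbound", "tcp", "0.0.0.0/0", (22, 22)),
                          rule("inbound", "tcp", "0.0.0.0/0", (80, 80)),
                          rule("inbound", "tcp", "0.0.0.0/0", (443, 443)),
                          rule("outbound", "all", "0.0.0.0/0")],
    "vpc-region1-db-sg": [rule("inbound", "all", "0.0.0.0/0"),
                          rule("inbound", "tcp", "10.240.64.0/24", (1, 65535))],
}

def audit_all(groups=SAMPLE_GROUPS):
    """Audit every group; an empty list means the group passes."""
    return {name: audit_group(name, rules) for name, rules in groups.items()}
```

Calling audit_all() on the sample reports the ui group's SSH rule (open to any source rather than the bastion) and both db rules, while the jumphost group passes.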
Create placement groups
There are different approaches and strategies when it comes to placement groups. You can create a placement group per zone, per tier, per stack, and so forth. For this example, create two placement groups, one each for ui and application. Each placement group spans the availability zones.
- Go to Placement groups.
- Click Create.
- Enter web-group1 as the placement group unique name.
- Select your Resource Group.
- Select your Region.
- Select Host spread as your Placement strategy.
- Click Create placement group.
- Repeat steps 2-7 for app-group1.
Create virtual server instances
You create multiple virtual server instances in different availability zones for ui, application, db.
Provision Bastion (jumphost) virtual server instance
Use this task to provision the Bastion virtual server instance:
- Go to Subnets.
- Verify that the vpc-region1-zone1-mgmt status is available.
- Click vpc-region1-zone1-mgmt.
- Click Attached resources.
- In Attached instances, click Create.
- On the New virtual server for VPC page:
  - Enter jumphost-vsi as your virtual server's unique name.
  - Select the VPC you created earlier, the resource group, the Location, and the zone.
  - Set the image to Ubuntu Linux and pick any version of the image.
  - Select Memory with 2 vCPUs and 16 GB RAM as your profile. To check other available profiles, click View all profiles.
  - Under SSH keys, click the SSH key that you created earlier.
  - Under Networking, select the VPC that you created.
  - Under Network interfaces, click the Edit icon next to the Security Groups:
    - Verify that vpc-region1-zone1-mgmt is selected as the subnet.
    - Clear the preselected security group and choose vpc-region1-jumphost-sg.
    - Click Save.
- Click Create virtual server instance.
- Go to the jumphost virtual server instance on the IBM Cloud portal and switch the public gateway to attached.
- SSH to the jumphost and create an SSH key.
- Upload that SSH key to SSH keys for VPC, to use later for the ui, application, and db virtual server instances.
Provision virtual server instances for ui and application
Use this task to provision virtual server instances for all of the availability zones. You repeat this task multiple times to provision virtual server instances for ui, application, and db:
Type | Subnet | Virtual server instances | Placement group |
---|---|---|---|
ui | vpc-region1-zone1-ui | vpc-region1-zone1-ui1, vpc-region1-zone1-ui2 | web-group1 |
ui | vpc-region1-zone2-ui | vpc-region1-zone2-ui1, vpc-region1-zone2-ui2 | web-group1 |
application | vpc-region1-zone1-app | vpc-region1-zone1-app1, vpc-region1-zone1-app2 | app-group1 |
application | vpc-region1-zone2-app | vpc-region1-zone2-app1, vpc-region1-zone2-app2 | app-group1 |
db | vpc-region1-zone1-db | vpc-region1-zone1-db1 | none |
db | vpc-region1-zone2-db | vpc-region1-zone2-db2 | none |
Virtual server instance for ui
Use this task to provision virtual server instances for ui:
- Go to Placement groups.
- Click the actions button for web-group1 and select New instance.
- On the New virtual server for VPC page:
  - Enter vpc-region1-zone1-ui1 as your virtual server's unique name.
  - Verify the VPC you created earlier, the resource group, the Location, and the zone.
- Set the image to Ubuntu Linux and pick any version of the image.
- Select Compute with 2 vCPUs and 4 GB RAM as your profile. To check other available profiles, click View all profiles.
- Under SSH keys, select the SSH key that you created earlier.
- Under Networking, select the VPC that you created.
- Under Network interfaces, click the Edit icon for Security Groups:
  - Select vpc-region1-zone1-ui as the subnet.
  - Clear the default security group and check vpc-region1-ui-sg.
  - Click Save.
- Click Create virtual server instance.
- Repeat steps 1-8 to provision a second virtual server instance and the instances for the other availability zone:
  - Create another virtual server instance for the second ui (vpc-region1-zone1-ui2).
  - Create two virtual server instances for zone 2 (vpc-region1-zone2-ui1 and vpc-region1-zone2-ui2).
- Install the packages needed to support your front-end server, such as PHP or Node.js.
Virtual server instance for app
Use this task to provision virtual server instances for application:
- Go to Placement groups.
- Click the actions button for app-group1 and select New instance.
- On the New virtual server for VPC page:
  - Enter vpc-region1-zone1-app1 as your virtual server's unique name.
  - Verify the VPC you created earlier, the resource group, the Location, and the zone.
- Set the image to Ubuntu Linux and pick any version of the image.
- Select Memory with 2 vCPUs and 16 GB RAM as your profile. To check other available profiles, click View all profiles.
- Under SSH keys, select the SSH key that you created earlier.
- Under Networking, select the VPC that you created.
- Under Network interfaces, click the Edit icon for Security Groups:
  - Select vpc-region1-zone1-app as the subnet.
  - Clear the default security group and check vpc-region1-app-sg.
  - Click Save.
- Click Create virtual server instance.
- Repeat steps 1-7 to provision a second virtual server instance and the instances for the other availability zone:
  - Create another virtual server instance for the second app (vpc-region1-zone1-app2).
  - Create two virtual server instances for zone 2 (vpc-region1-zone2-app1 and vpc-region1-zone2-app2).
- Install the necessary packages to support your application server, such as Tomcat.
Virtual server instance for db
Use this task to provision virtual server instances for db:
- Go to Subnets.
- Verify that the vpc-region1-zone1-db status is Available.
- Click vpc-region1-zone1-db.
- Click Attached resources.
- In Attached instances, click Create.
- Enter vpc-region1-zone1-db1 as your virtual server's unique name.
- Verify the VPC you created earlier, the resource group, the Location, and the zone.
- Set the image to Ubuntu Linux and pick any version of the image.
- Select Balanced with 4 vCPUs and 16 GB RAM as your profile, or change to a different balanced profile that is more suitable for your application.
- Under SSH keys, select the (bastion) SSH key that was created on jumphost-vsi.
- Under Networking, select the VPC that you created.
- Under Data Volumes, click Create to add more volumes:
  - These volumes are block volumes, so choose the size and IOPS that meet your db requirements.
  - Create as many volumes as needed.
- Under Network interfaces, click the Edit icon next to the Security Groups:
  - Select vpc-region1-zone1-db as the subnet.
  - Clear the default security group and check vpc-region1-db-sg.
  - Click Save.
- Click Create virtual server instance.
- Repeat steps 1-11 to create a virtual server instance for db in availability zone 2, in subnet vpc-region1-zone2-db, and name it vpc-region1-zone2-db2.
- Install database software, such as a NoSQL database, and its tools. Enable the database vendor's data replication tool so that the database is periodically replicated between the two instances.
Distribute traffic between zones with load balancers
You create two load balancers, one for ui and one for application. IBM Cloud load balancers can serve back ends across multiple zones. The load balancers are resilient, so they avoid being a single point of failure, and they scale horizontally with load.
Configure load balancers
- Go to Load balancers and click Create.
- Enter vpc-lb-ui as the unique name, and select:
  - vpc-region1 as your Virtual private cloud.
  - Application load balancer as the load balancer.
  - The resource group.
  - region1 as the region.
  - Load balancer Type: Public.
- In Subnets, select vpc-region1-zone1-ui and vpc-region1-zone2-ui.
- Click New pool to create a back-end pool of virtual server instances that act as equal peers and share the traffic that is routed to the pool. Set these values:
  - Name: region1-zone1-pool
  - Protocol: HTTP
  - Session stickiness: Source IP
  - Proxy Protocol: Depends on your application
  - Method: Round robin
  - Health check path: /
  - Health protocol: HTTP
  - Health port: Leave blank
  - Interval (sec): 15
  - Timeout (sec): 5
  - Max retries: 2
- Click Save.
- Add members to the back-end pool:
  - Click Attach to add server instances to region1-zone1-pool.
  - Add the CIDR range that is associated with vpc-region1-zone1-ui, select the virtual server instance (vpc-region1-zone1-ui1) that you created, and set 80 as the port. Repeat for the other virtual server instance, vpc-region1-zone1-ui2.
  - Click Save to complete the creation of the back-end pool.
- Click New listener to create a front-end listener process that checks for connection requests, and set the listener values:
  - Protocol: HTTP
  - Port: 80
  - Back-end pool: region1-zone1-pool
  - Max connections: Leave it empty
- Click Save.
- Click Create load balancer.
- Repeat steps 1-8 to create the other load balancer for the application tier. Set the Type to Private and change the Port to the port applicable to the tier that is being serviced.