Hybrid cloud network for classic infrastructure disaster recovery
This reference architecture is used in disaster recovery scenarios where either the primary or the disaster recovery site is a classic data center where IBM Cloud VPC is not available. Currently, the list includes centers such as Montreal 01, San Jose 03, San Jose 04, Chennai 01, and Hong Kong S.A.R. of the PRC 02. For more information, see Transit Gateway locations.
This approach is referred to as classic data center because no VPC or Transit Gateway connectivity is used.
It is a common approach to complement classic environments with VPC services, which adds functionality that is only available with VPC. This document refers to that approach as complementary VPC services, and it is highlighted in this pattern.
Architecture diagram
This architecture describes on-premises data center connectivity into IBM Cloud classic, with firewall services and a Power Virtual Server workspace. The diagram includes examples of where workload compute instances, proxy servers, and bastion hosts are located. The diagram contains identifying numbers indicating key components in the description.
In this diagram, Region 1 represents a classic data center where IBM Cloud VPC is not available and Region 2 illustrates a classic data center in a multi-zone region where IBM Cloud VPC is available.
- The optional network path is accomplished through site-to-site VPN terminated on a classic gateway.
- Client network connectivity from on-premises is provided by Direct Link.
- The gateway provides routing and security functions.
- The virtual bastion host supports remote administrative access.
- GREa tunnel allows Bring Your Own IP to be advertised between classic and on-premises. Two GRE tunnels allow for resiliency.
- GREb tunnel allows Bring Your Own IP to be advertised between classic environments in separate regions. Two GRE tunnels allow for resiliency.
- GREc tunnel allows Bring Your Own IP to be advertised between classic and PowerVS. Two GRE tunnels allow for resiliency.
- Private Cloud Service Endpoints (CSE) allow access to cloud services over the private network.
- The proxy server acts as an intermediary between on-premises and cloud services.
- Cloud Internet Services (CIS) is used to enhance the security, performance, and reliability of internet-facing applications and websites.
- Virtual Private Endpoint (VPE) for VPC, as an alternative to Cloud Service Endpoints and the proxy server, allows access to cloud services over the private network.
- A custom DNS resolver in classic is used for fully qualified domain name resolution.
- DNS services on VPC as an alternative to custom DNS in classic.
- In region 2, TGW1 advertises and routes on-premises traffic to classic for gateway or firewall inspection.
- In region 2, TGW2 advertises and routes local traffic between classic, VPC, and PowerVS.
- In region 2, TGW3 advertises and routes global traffic between regions for VPC and PowerVS.
- IBM Cloud® Load Balancer provides local application load balancing.
Design scope
Following the Architecture Design Framework, the classic data center network pattern covers design considerations and architecture decisions for the following aspects and domains:
- Compute: Virtual Servers, Bare Metal Servers
- Networking: Enterprise Connectivity, Bring Your Own IP and Edge Gateways, Network Segmentation, Cloud Native Connectivity, Load Balancing, and DNS
- Security: Identity and Access Management (IAM)
- Resiliency: High Availability, Disaster Recovery
- Service management: Monitoring, Logging, Auditing, and Alerting
The Architecture Design Framework provides a consistent approach to designing cloud solutions by addressing requirements across a set of aspects and domains, which are technology-agnostic architectural areas that need to be considered for any enterprise solution. For more information, see Introduction to the architecture framework.
Requirements
The following represents a baseline set of requirements that are applicable to most clients and critical to successful classic data center network deployment. The pattern assumes that the client has a requirement of geolocation, data residency, or low latency that requires resource deployment in a data center that does not have transit gateway technology.
Aspect | Requirement |
---|---|
Compute | Secure remote administrative support of all devices within the IBM Cloud environment. |
Network | Private enterprise connectivity from customer data centers to IBM Cloud for access to applications, data, and services. |
| | Private administrative and management connectivity. |
| | Provide network isolation with the ability to separate applications based on attributes such as data classification, public versus private traffic flows, and internal application function. |
| | Provide the ability to use Bring Your Own IP (BYOIP). |
Security | Firewalls must be restrictively configured to provide advanced security features and prevent all traffic, both inbound and outbound, except that which is required, documented, and approved, and optionally include Intrusion Protection System (IPS) and Intrusion Detection System (IDS) services. |
| | Distributed Denial of Service (DDoS) and Web Application Firewall (WAF) security capabilities are required. |
| | Secure access for administration and management of the environment. |
Resiliency | Multi-region capability to support a disaster recovery strategy and solution that allows all production applications to be included by using cloud infrastructure disaster recovery strategies. |
Service management | Provide health and system monitoring with the ability to monitor and correlate performance metrics and events, and provide alerting across applications and infrastructure. |
| | Ability to diagnose issues and exceptions and identify the error source. |
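The Security requirement above (default deny in both directions, every permitted flow documented and approved) can be checked as policy-as-code before a ruleset is pushed to the gateway appliance. The following is an added example, not IBM Cloud tooling; the rule schema, the approval reference format, and the sample rules are constructed for illustration:

```python
"""Audit a gateway firewall ruleset against: default deny in both directions, every
allow documented and approved. Added example, not IBM Cloud tooling; schema and samples are constructed."""
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    name: str
    direction: str           # "inbound" or "outbound"
    action: str              # "allow" or "deny"
    src: str = ANY           # CIDR or "any"
    dst: str = ANY
    port: str = ANY          # e.g. "tcp/443", or "any"
    justification: str = ""  # why the flow is required (documentation)
    approval: str = ""       # change/approval reference (hypothetical format)

def is_deny_any(rule):
    return rule.action == "deny" and (rule.src, rule.dst, rule.port) == (ANY, ANY, ANY)

def audit_policy(rules):
    """Return findings as strings; an empty list means the ruleset meets the requirement."""
    findings = []
    for direction in ("inbound", "outbound"):
        chain = [r for r in rules if r.direction == direction]  # evaluated top to bottom
        if not chain or not is_deny_any(chain[-1]):
            findings.append(f"{direction}: no terminal deny-any rule (default deny missing)")
        for i, r in enumerate(chain):
            if r.action != "allow":
                continue
            if (r.src, r.dst, r.port) == (ANY, ANY, ANY):
                findings.append(f"{r.name}: allow any/any/any defeats default deny")
            if not r.justification:
                findings.append(f"{r.name}: allow rule is not documented")
            if not r.approval:
                findings.append(f"{r.name}: allow rule has no approval reference")
            if any(is_deny_any(d) for d in chain[:i]):  # unreachable, dead config
                findings.append(f"{r.name}: shadowed by an earlier deny-any rule")
    return findings

# Constructed sample: inbound is compliant except for one missing approval;
# outbound has a blanket allow and no default deny.
SAMPLE_RULES = [
    Rule("bastion-ssh", "inbound", "allow", "10.10.0.0/16", "10.20.0.5/32", "tcp/22",
         "administrator access via bastion host", "CHG-0001"),
    Rule("web-https", "inbound", "allow", ANY, "10.20.1.0/24", "tcp/443", "web tier behind CIS"),
    Rule("inbound-default", "inbound", "deny"),
    Rule("proxy-out", "outbound", "allow", "10.20.2.10/32", ANY, "tcp/443",
         "proxy to cloud service endpoints", "CHG-0002"),
    Rule("outbound-legacy", "outbound", "allow"),
]
```

Running `audit_policy(SAMPLE_RULES)` reports the missing approval on the inbound web rule and, for outbound, the missing default deny plus the undocumented, unapproved blanket allow.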
Components
Aspect | Component | How the component is used |
---|---|---|
Compute | Bastion host | The bastion host is deployed on a virtual server instance within classic and is used for remote administrative support. |
| | Proxy server | Acts as an intermediary between the on-premises network and IBM Cloud services. |
Networking | Virtual Private Network (VPN) | Provides a secured connection into IBM Cloud over the Internet. VPN can be used for migrations, administrative access, and backup connectivity. |
| | Gateway appliance | Provides router, firewall, and VPN gateway functions for secure and reliable connectivity to cloud resources. |
| | Generic Routing Encapsulation (GRE) tunnels | Supports Bring Your Own IP (BYOIP) communication between on-premises, classic infrastructure, and the Power Virtual Server workspace. |
| | Direct Link | Connects on-premises networks to IBM Cloud with physical telco connections or virtual exchange network services. |
| | Load balancer | Local and global application load balancing for web servers, app servers, and database servers as needed. |
| | Service Endpoints | Connect directly to cloud services without using the public network. |
| | Cloud Internet Services (CIS) | Public load balancing of web server traffic across regions. |
| | Custom DNS server (VSI) or DNS Services (VPC) | The Domain Name System (DNS) associates human-friendly domain names with IP addresses. |
Security | IAM | IBM Cloud Identity and Access Management. |
| | Cloud Internet Services (CIS) | DDoS protection and Web Application Firewall (WAF) for public connectivity. |
| | Gateway Appliance in Classic | Advanced firewall capabilities such as Intrusion Detection System (IDS) and Intrusion Protection System (IPS) services. |
| | Bastion host | The bastion host is deployed on a virtual server instance within classic and is used for remote administrative support. |
Resiliency | Multi-region deployment | Allows for disaster recovery in a secondary region. |
| | Multiple Direct Link connections | Allows for network resiliency for failover and recovery. |
| | IBM Cloud Internet Services | Allows for multi-regional load balancing over the public internet. |
Service management | Health dashboard | Application and operational monitoring. |