The Landing zone for applications with virtual servers - Quickstart (Financial Services edition) variation

The Quickstart (Financial Services edition) variation of the Landing zone for applications with virtual servers deployable architecture creates a fully customizable Virtual Private Cloud (VPC) environment in a single region. The solution provides virtual servers in a secure VPC for your workloads. The Quickstart (Financial Services edition) variation is designed to deploy quickly for demonstration and development.

Architecture diagram

Design requirements

Components

VPC architecture decisions

Architecture decisions
Requirement	Component	Reasons for choice	Alternative choice
Provide infrastructure or application administration access to monitor, operate, and maintain the environment Limit the number of infrastructure or application administration entry points to help ensure security audit.	Management VPC service	Create a separate VPC service where SSH connectivity from outside is allowed
Provides compute, storage, and network services to support hosted applications and operations that deliver services to the consumer. Ensure you can reach IBM Cloud services, Workload VPC, and Management VPC	Workload VPC service	Create a separate VPC service as an isolated environment, without direct public internet connectivity and without direct SSH access
Create a virtual server instance to support hosted applications	Workload virtual server instance	Create a VPC virtual server instance that can act as a workload server to support hosted applications. Configure ACL and security group rules allow access to IBM Cloud services, Workload and Management VPCs
Create a virtual server instance as the only management access point to the environment	Jump box host VPC instance	Create a Linux VPC instance that acts as a jump box host. Configure ACL and security group rules to allow SSH connectivity (port 22). Add a public IP address to the VPC instance.
Set up network for all created services Isolate network for all created services Ensure all created services are interconnected	Secure landing zone components	Create a minimum set of required components for a secure landing zone	Create a modified set of required components for a secure landing zone in preset

Network security architecture decisions

Network security architecture decisions
Requirement	Component	Reasons for choice	Alternative choice
Isolate management VPC and allow SSH network connections from public network All other connections from or to management VPC are forbidden except for IBM services and VPC	ACL and security group rules in management VPC	Open following ports by default: 22 (for limited number of IPs) All ports to other VPCs are open	More ports might be opened in preset or added manually after deployment
Isolate workload VPC and allow only a limited number of network connections All other connections from or to workload VPC are forbidden	ACL and security group rules in workload VPC	Allow connectivity for IBM Cloud services, Workload VPC and Management VPC	More ports might be opened in preset or added manually after deployment
Enable floating IP on jump box host	Floating IPs on jump box host in management VPC	Use floating IP on jump box host for administration access

Key and password management architecture decisions

Key and passwords management architecture decisions
Requirement	Component	Reasons for choice	Alternative choice
Use public SSH key to access virtual server instances by using SSH	Public SSH key provided by customer	Ask customer to specify the key. Accept the input as secure parameter.

Next steps

Read about IBM Cloud for Financial Services
To deploy this architecture, understand Deploying a landing zone deployable architecture steps.