feat(vpc): add first use case #4140
Merged
Commits (14, all by RoRoJ):
f10e9d4 feat(vpc): start use case
d45b9ed feat(vpc): use case
d936e0f feat(vpc): use case started
cd3daf2 feat(vpc): first use case draft
c0bd597 fix(vpc): add use case info
19b9fe5 feat(vpc): add use case final doc
c7e0c5f fix(vpc): corrections
6189787 Apply suggestions from code review
70c91b2 Update network/vpc/reference-content/use-case-basic.mdx
88f5d6d Update network/vpc/reference-content/use-case-basic.mdx
d1b86b6 Apply suggestions from code review
875437a fix(add TF link)
3421efd Merge branch 'main' into MTA-5141
2262738 Update network/vpc/reference-content/use-case-basic.mdx
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,125 @@ | ||
| --- | ||
| meta: | ||
| title: VPC use case 1 - Basic infrastructure to leverage VPC isolation | ||
| description: Learn how to set up a basic infrastructure using VPC isolation for secure cloud environments. Step-by-step guidance on leveraging VPCs for optimal network isolation. | ||
| content: | ||
| h1: VPC use case 1 - Basic infrastructure to leverage VPC isolation | ||
| paragraph: Learn how to set up a basic infrastructure using VPC isolation for secure cloud environments. Step-by-step guidance on leveraging VPCs for optimal network isolation. | ||
| tags: vpc private-network connectivity best-practice use-case infrastructure-diagram | ||
| dates: | ||
| validation: 2024-10-25 | ||
| posted: 2024-10-25 | ||
| categories: | ||
| - network | ||
| --- | ||
|
|
||
| Scaleway **V**irtual **P**rivate **N**etwork (VPC) and the accompanying range of network products, are important building blocks within the Scaleway ecosystem. By creating your Scaleway resources within a carefully thought out VPC-based infrastructure, you can maximize security, resilience and efficiency. | ||
|
|
||
| Knowing how to create, combine and configure resources such as Private Networks with definable subnets, VPC routing with custom routes, IPAM to define and manage your IP addresses, and resources such as Load Balancers and Public Gateways to facilitate connectivity and traffic distribution, is invaluable in achieving control over your networking environment. | ||
|
|
||
| This is the first in a series of use cases designed to show you potentially interesting and useful infrastructures, illustrating how to use VPC and other network products to achieve a robust, secure and scalable cloud environment. | ||
|
|
||
| ## Overview | ||
|
|
||
| The architecture diagram below shows the infrastructure for this use-case. | ||
|
|
||
| <Lightbox src="scaleway-vpc-infra-1.webp" size="large" alt="An architecture diagram shows how a Load Balancer inside a Scaleway VPC is attached to a Private Network. Also attached to the Private Network are three Instances (connected to Block Storage), a Managed Database, and a Public Gateway. Users access resources via a domain name which a Domains and DNS entry points to the Load Balancer's public flexible IP address. The Load Balancer distributes requests to the three Instances, which do not have public IP addresses. Instances can privately retrieve and store data in the Managed Database and Block Storage. The Public Gateway also has a flexible IP address, which allows admins to connect to resources in the Private Network via SSH bastion. The gateway's public flexible IP also allows connections to Scaleway resources outside the VPC, e.g. Object Storage, Transactional Email, Nats, Queues, Topics and Events, Serverless products, and Secret Manager." /> | ||
|
||
|
|
||
| This is a basic infrastructure to leverage VPC isolation: | ||
|
|
||
| - [Instances](/compute/instances/concepts/#instance) are hosting the application without having their own [public/flexible IP addresses](/compute/instances/concepts/#flexible-ip). | ||
| - [Managed Database](/managed-databases/postgresql-and-mysql/concepts/#managed-database) is accessed by the Instances over the Private Network only, with no exposure to the public internet. | ||
| - [Load Balancer](/network/load-balancer/concepts/) distributes user traffic to the Instances over the Private Network. | ||
| - Administrators can access the Instances via the [Public Gateway](/network/public-gateways/concepts/#public-gateway). | ||
| - External services are accessed by the Instances via the Public Gateway. | ||
|
|
||
| Full [Terraform templates](#terraform) are available for this infrastructure. | ||
|
|
||
| ## Detail | ||
|
|
||
| User requests go via a domain name, whose DNS record points to the public flexible IP of a Scaleway Load Balancer. This Load Balancer is attached to a **Private Network** in a **VPC**. It distributes user traffic to multiple **Instances** which are also attached to the Private Network, and do not have their own public/flexible IP addresses. These Instances are accessible only from within the VPC. The Instances can store data to and retrieve data from **Block Storage** and a **Managed Database** attached to the same Private Network and not exposed to the internet. | ||
|
|
||
| The **Public Gateway** attached to the Private Network has its own public flexible IP address, and administrators can use solutions such as SSH bastion to connect to Instances via the Public Gateway for maintenance and administrative tasks. The Public Gateway also provides secure access to the public internet should the Instances need to download package updates, for example. Finally, the Public Gateway also allows the Instances to access services outside the VPC, e.g. those hosted on other Scaleway resources which are not compatible with VPC, via their public endpoints. | ||
|
|
||
| ## Advantages | ||
|
|
||
| ### Isolation and security | ||
|
|
||
| Resources are isolated within a VPC, and public IP exposure is restricted to Load Balancer and Public Gateway. This enhances security, ensuring that only authorized services and users can access the VPC's resources, and reducing exposure to external threats. Any sensitive data stored on the Instances and Managed Databases is kept within the VPC, and not exposed to the public internet. | ||
|
|
||
| ### Scalability and reliability | ||
|
|
||
| Use of the Load Balancer to distribute traffic across multiple Instances enhances reliability. If the Load Balancer's built-in health checks register that one Instance is down, it is able to immediately redirect traffic to the remaining healthy Instances only, ensuring high availability. Additional Instances can be spun up and added to the Load Balancer's backend at any time, facilitating on-demand scalability. | ||
|
|
||
| External services like Transactional Email, Serverless, and NATS, Queues, Topics, and Events are also highly scalable, flexibly facilitating event-driven architectures and asynchronous processing. | ||
|
|
||
| ### Controlled access | ||
|
|
||
| The Public Gateway, with its public IP address, allows controlled access between the public internet and the VPC. Features such as SSH bastion allow selected administrators with the correct credentials to connect to resources within the VPC, and static NAT and/or advertisement of a default route provides the ability to direct traffic through the gateway to and from the resources within. | ||
|
|
||
| ### Cost control | ||
|
|
||
| Creating Scaleway resources without their own public IP addresses saves money, as these addresses are billed resource, while the creation, configuration and assignment of IP addresses from a Private Network is free of charge. | ||
|
||
|
|
||
| ## Applications | ||
|
|
||
| This kind of infrastructure is appropriate for many applications, including but not limited to: | ||
| - **E-commerce platforms**: A scalable backend (Instances, Block Storage), which can securely connect to payment systems and privately-accessed user data (Managed Database), with public-facing components (Load Balancer) for appropriately handling user traffic. | ||
| - **Web applications**: Web applications that routinely need to handle high traffic are ideally suited to the solution of a Load Balancer in front of a horizontally scalable set of Instances, to facilitate uptime and high availability and grow with demand. | ||
| - **Enterprise applications**: Enterprises handling sensitive data (e.g. HR systems) can benefit from the isolation and security of a VPC, with all of its additional features, to keep internal services running without unnecessary exposure to the internet. | ||
|
|
||
| ## Tutorial | ||
|
|
||
| Follow the steps below to create this infrastructure using the [Scaleway console](https://console.scaleway.com/organization): | ||
|
|
||
| 1. [Create a VPC](/network/vpc/how-to/create-vpc/) (or use the [default VPC](/network/vpc/how-to/create-vpc/#how-to-identify-your-default-vpcs) pre-created for each Scaleway Project in the appropriate [region](/network/vpc/concepts/#region-and-availability-zone)). | ||
| 2. [Create a Private Network](/network/vpc/how-to/create-private-network/) inside the VPC. You can either let Scaleway create the network with an auto-generate subnet, which will provide the private IP addresses for attached resources, or specify a self-defined subnet. | ||
|
||
| 3. [Create a Public Gateway](/network/public-gateways/how-to/create-a-public-gateway/) (set it to advertise the [default route](/network/public-gateways/concepts/#default-route)) and [attach it to the Private Network](/network/public-gateways/how-to/configure-a-public-gateway/#how-to-attach-a-public-gateway-to-a-private-network). | ||
| 4. [Set up SSH bastion](/network/public-gateways/how-to/use-ssh-bastion/) on the Public Gateway, to allow administrator access. | ||
| 5. [Create a Managed Database](/managed-databases/postgresql-and-mysql/how-to/create-a-database/) | ||
|
||
| 6. [Detach the Managed Database's public endpoint](/managed-databases/postgresql-and-mysql/how-to/remove-public-endpoint/) and [attach it to the Private Network](/managed-databases/postgresql-and-mysql/how-to/connect-database-private-network/) you created in step 2. | ||
| 7. Create and configure external services as required, e.g. [Object Storage](/storage/object/quickstart/), [Transactional Email](/managed-services/transactional-email/quickstart/) and [Secret Manager](/identity-and-access-management/secret-manager/quickstart/). | ||
| 8. [Create your Instances](/compute/instances/how-to/create-an-instance/), using the configuration best-suited to your application. Do not assign public IPv4 or IPv6 addresses to the Instances. Add Block Storage volumes as required (or you can create and attach these [later](/storage/block/quickstart/).) | ||
| <Message type="tip"> | ||
| If you are creating several Instances with the exact same configuration running the exact same template, consider creating just one Instance, configuring and installing it to communicate with the other resources inside and outside the VPC as required, then [creating an image](/compute/instances/how-to/create-a-backup/) of this Instance and creating the remaining Instances [using this image](/compute/instances/how-to/create-a-backup/#how-to-create-or-restore-an-instance-from-an-image). | ||
| </Message> | ||
| 9. [Attach each Instance to the Private Network](/compute/instances/how-to/use-private-networks/#how-to-attach-instances-to-an-existing-private-network) you created at step 2. Either let Scaleway automatically choose an IP from the Private Network's subnet for each Instance, or use [reserved IPs](s/network/ipam/how-to/reserve-ip/) to specify the IP for each Instance on the network. | ||
| 10. [Create a Load Balancer](/network/load-balancer/how-to/create-load-balancer/), ensuring you assign a public (flexible) IP address. Do not yet create the frontends and backends. | ||
| 11. [Attach the Load Balancer to the Private Network](/network/load-balancer/how-to/use-with-private-network/#how-to-attach-a-private-network-to-your-load-balancer). As before, you can use an auto-selected IP, or a specific reserved IP from the subnet. | ||
| 12. [Create a frontend and backend for the Load Balancer](/network/load-balancer/how-to/create-frontends-backends/). Choose the most appropriate configuration for your purpose and application, following advice and tips in the linked documentation. When configuring the Load Balancer's backend servers, enter the private IP addresses of the Instances on the Private Network. | ||
| 13. [Create your domain](/network/domains-and-dns/how-to/register-internal-domain/) and [add a DNS record](/network/domains-and-dns/how-to/manage-dns-records/#how-to-add-dns-records) (e.g. an A record) to point it to the public IP of your Load Balancer. While instructions show how to do this with Scaleway's **Domains and DNS** product, you can also use an external domain and configure it with another provider. | ||
|
|
||
| ## Terraform | ||
|
|
||
| Terraform templates for this architecture are provided in full on our [Scaleway Terraform Examples repo](https://github.com/scaleway/terraform-examples/tree/main/demo-vpc-app/). Terraform allows you to create Infrastructure as Code (IaC) to build, configure and manage your infrastructure with configuration files, rather than with the Scaleway console. | ||
|
|
||
| The templates include an example "Task Tracker" application to show how the infrastructure is used. The application is containerized using Docker, deployed on an Instance in the Private Network and leverages PostgreSQL for data storage. Full instructions are provided for creating the infrastructure with Terraform and deploying the test application. | ||
|
|
||
| The following snippet shows an extract of one of the templates: | ||
|
|
||
| ``` | ||
| resource "scaleway_vpc" "vpc01" { | ||
| name = "vpc_${var.app_name}" | ||
| } | ||
|
|
||
| resource "scaleway_vpc_private_network" "pn01" { | ||
| name = "pn_${var.app_name}" | ||
| vpc_id = scaleway_vpc.vpc01.id | ||
| ipv4_subnet { | ||
| subnet = local.subnet | ||
| } | ||
| } | ||
|
|
||
| resource "scaleway_vpc_public_gateway_ip" "gwip01" { | ||
| } | ||
|
|
||
| resource "scaleway_vpc_public_gateway" "pgw01" { | ||
| type = "VPC-GW-S" | ||
| name = "pgw_${var.app_name}" | ||
| ip_id = scaleway_vpc_public_gateway_ip.gwip01.id | ||
| bastion_enabled = true | ||
| bastion_port = 61000 | ||
| } | ||
| ``` | ||
|
|
||
| [See the full Terraform templates](https://github.com/scaleway/terraform-examples/tree/main/demo-vpc-app/) | ||
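Review bot: the acronym expansion in the first body paragraph is wrong: "Scaleway **V**irtual **P**rivate **N**etwork (VPC)" should expand to Virtual Private Cloud, otherwise the bolded letters do not match "VPC". A few smaller fixes in the same hunk: the reserved-IP link in step 9 has a stray leading character (`[reserved IPs](s/network/ipam/how-to/reserve-ip/)` should start with `/network/ipam/...`, or it will 404 when rendered); step 2 should read "an auto-generated subnet"; the cost-control sentence should read "these addresses are a billed resource"; and step 5 is missing its trailing period. The Terraform fence would also render with syntax highlighting if it carried a language tag such as hcl. Finally, since the snippet enables the SSH bastion on the gateway's public IP (`bastion_enabled = true`, `bastion_port = 61000`), the "Controlled access" section would be clearer with one sentence stating which credentials or keys the bastion accepts, so that readers understand what "selected administrators with the correct credentials" actually restricts and do not assume the bastion port is unreachable from the internet.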