February 6, 2023 By Powell Quiring 3 min read

Check out our new tutorial to learn how to centralize communication through a VPC transit hub and spoke.

A Virtual Private Cloud (VPC) provides network isolation and security in the IBM Cloud. A VPC can be a building block that encapsulates a corporate division (e.g., marketing, development, accounting) or a collection of microservices owned by a DevSecOps team. VPCs can be connected to an on-premises enterprise network and to each other. A new two-part solution tutorial covers the concepts and implementation of the transit hub-and-spoke architecture.

At a high level, the architecture might look like the following diagram:

Hub-and-spoke architecture.

Traffic will pass through the hub as it flows from enterprise to spoke or even spoke to spoke. IBM Cloud service instances can be created in the hub and used by the enterprise and spokes. The hub will contain a Network Function Virtualization (NFV) firewall-router instance for fine-grained routing control and packet inspection. You can choose a firewall-router from the catalog:

Data flow through a firewall-router.

Each of the VPCs has its own addressable entities. This includes microservices and IBM Service Instances. A Virtual Private Endpoint gateway (VPE) provides private and secure access to a service like IBM Cloud Databases for Redis. DNS entries for these entities can be managed through the IBM Cloud DNS Service.

DNS for microservices and VPEs.

We’re excited to bring you a new, two-part solution tutorial: Part 1 covers the concepts and implementation of the transit hub-and-spoke architecture, and Part 2 routes more traffic through an HA firewall-router and implements VPE with DNS. The companion GitHub repository contains a complete implementation divided into small layers.

It can be informative to just read through the tutorial to obtain an understanding of the architecture. To get hands-on experience, you can provision the layers as instructed in the tutorial and use the IBM Cloud Console to view the resources and see the details. The tutorial even describes how to invoke a test suite to verify connectivity and interpret the results.

Topics include the following:

  • Transit Gateway to connect Direct Link 2.0 and VPCs
  • VPC zone-based routing
  • Resolving firewall-router asymmetric routing issues
  • Virtual Private Endpoint Gateways for local access to cloud resource instances within a VPC
  • DNS name resolution of IBM Cloud Service instances
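As an added illustration of the spoke-to-spoke flow and the asymmetric-routing topic listed above (this is example code written for this post, not code from the tutorial or its companion repository), the following Python toy models each VPC as a longest-prefix-match route table, traces the nodes a packet crosses, and flags the failure mode a stateful firewall-router cares about: the forward path goes through the hub, but a stray direct route lets the return path bypass it. All CIDRs, node names and route entries are constructed assumptions, not values from the tutorial.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical addressing (not the tutorial's values).
# The hub node stands in for the hub VPC whose ingress routes deliver
# traffic to the firewall-router, so "hub" on a path means "inspected".
CIDRS: Dict[str, ipaddress.IPv4Network] = {
    "enterprise": ipaddress.ip_network("192.168.0.0/16"),
    "hub": ipaddress.ip_network("10.0.0.0/16"),
    "spoke-a": ipaddress.ip_network("10.1.0.0/16"),
    "spoke-b": ipaddress.ip_network("10.2.0.0/16"),
}

# A route table is a list of (destination CIDR, next hop). The next hop is
# another node name, or "local" when the destination lives in this node.
RouteTable = List[Tuple[str, str]]

# Misconfigured topology: spoke-b has a direct route to spoke-a that skips the hub.
MISCONFIGURED: Dict[str, RouteTable] = {
    "enterprise": [("192.168.0.0/16", "local"), ("10.0.0.0/8", "hub")],
    "hub": [
        ("10.0.0.0/16", "local"),
        ("10.1.0.0/16", "spoke-a"),
        ("10.2.0.0/16", "spoke-b"),
        ("192.168.0.0/16", "enterprise"),
    ],
    "spoke-a": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "hub")],
    "spoke-b": [("10.2.0.0/16", "local"), ("10.1.0.0/16", "spoke-a"), ("0.0.0.0/0", "hub")],
}

# Corrected topology: every spoke sends all non-local traffic to the hub.
CORRECTED: Dict[str, RouteTable] = {
    **MISCONFIGURED,
    "spoke-b": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "hub")],
}


def lookup(table: RouteTable, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for dest, hop in table:
        net = ipaddress.ip_network(dest)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def owner(ip: str) -> str:
    """Name of the node whose CIDR contains ip."""
    addr = ipaddress.ip_address(ip)
    for name, net in CIDRS.items():
        if addr in net:
            return name
    raise ValueError(f"no node owns {ip}")


def trace(tables: Dict[str, RouteTable], src: str, dst_ip: str, max_hops: int = 8) -> List[str]:
    """Return the ordered list of nodes a packet from src crosses to reach dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    path, node = [src], src
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop is None:
            raise ValueError(f"{node}: no route to {dst}")
        if hop == "local":
            return path
        path.append(hop)
        node = hop
    raise ValueError("routing loop or path too long")


def path_is_symmetric(tables: Dict[str, RouteTable], a_ip: str, b_ip: str) -> Tuple[bool, List[str], List[str]]:
    """True when the return path is the exact reverse of the forward path.

    A stateful firewall-router that sees only one direction of a flow will
    drop the other, so an asymmetric result means the session will fail.
    """
    fwd = trace(tables, owner(a_ip), b_ip)
    rev = trace(tables, owner(b_ip), a_ip)
    return fwd == list(reversed(rev)), fwd, rev


if __name__ == "__main__":
    for label, tables in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        ok, fwd, rev = path_is_symmetric(tables, "10.1.0.5", "10.2.0.5")
        print(f"{label}: forward={fwd} return={rev} symmetric={ok}")
```

Running the script shows the misconfigured case reaching spoke-b via the hub but returning directly (`spoke-b -> spoke-a`), which the check reports as asymmetric, while the corrected tables give mirrored paths through the hub in both directions. The same `trace` can be used to confirm that enterprise-to-spoke traffic crosses the hub as the architecture intends.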

Summary and next steps

This blog post and the accompanying solution tutorial show how you can use a hybrid cloud to place resources where they are most desirable. You can combine secure IBM Cloud Infrastructure as a Service (IaaS) components with your existing environment to create a platform for cloud and on-premises. Use your existing firewall-router technology in the cloud to meet your compliance needs, and optimize for your business—not your cloud provider.

Get started with Part 1 and Part 2 of our new solution tutorial, “Centralize communication through a VPC transit hub and spoke architecture.”

If you have feedback, suggestions or questions about this post, please email me or reach out to me on Mastodon (@powellquiring@mastodon.social), LinkedIn or Twitter (@powellquiring).
