July 19, 2019 By Dimitri Prosper 6 min read

Learn by following a few steps and using our sample code to deploy an application in an IBM Cloud region.

Migrating applications to the cloud can deliver significant business benefits. However, this gets tricky when we are talking about enterprise applications with high-availability or high-security requirements. How can application and data owners be assured they have the right cloud infrastructure in place to handle every potential scenario, yet be flexible enough to satisfy their enterprise requirements?

IBM Cloud is built to support scalable enterprise applications and offers a variety of stack choices to develop them, including the following: 

This blog post explores IBM Cloud VPC running in an IBM Cloud region. This can be used as a pattern for highly-available applications that need built-in security, data-at-rest encryption, and workload isolation from the network up. This pattern enables improved availability and security, along with the significant benefits of the public cloud model.

The sample code shows how to deploy IBM Cloud VPC across the availability zones of an IBM Cloud region. A sample database and application are included. Try out this example to gain hands-on experience with IBM Cloud VPC in a deployment that provides workload isolation and high-availability infrastructure.

To learn more about virtual private clouds, see IBM Chief Network Architect Ryan Sumner’s video, “What is a Virtual Private Cloud?”

Sample application and database

For our scenario, we chose a database stack that has zero pre-integration with IBM Cloud and created a simple application to interact with it. We wanted this example to demonstrate IBM Cloud capabilities that enable the transformation of practically any database application.

This example uses the following:

  • A distributed database that spreads data across physically distinct virtual servers (nodes)
  • A NodeJS/GraphQL application to interact with the database

Note: For large production deployments, we recommend considering databases that are integrated with the IBM Cloud platform, that is, IBM Cloud Databases (for open source databases), IBM Cloudant, and IBM-branded databases.

IBM Cloud environment

Our deployment example consists of the following IBM Cloud infrastructure and services, as depicted in Figure 1:

  • One IBM Cloud Virtual Private Cloud instance
  • Three availability zones in one IBM Cloud region (a multi-zone region), with one subnet per zone
  • Seven IBM Cloud Virtual Server Instances (VSIs). Each zone has an application server, a database server, and attached block storage. One of the zones also hosts a bastion (administration) server
  • Two IBM Cloud Load Balancer as a Service (LBaaS) instances, one public and one private
  • Three IBM Cloud managed services
    • Identity and Access Management
    • Key Protect
    • Certificate Manager

The following diagram depicts the components to be deployed, including a description for each section (circled numbers):

Figure 1: VPC architecture diagram showing five components to deploy and three managed services to use.

Using the architecture diagram in Figure 1 as a guide, follow these five steps to deploy IBM Cloud Virtual Private Cloud across the three availability zones of an IBM Cloud region.

1. Virtual Private Cloud (VPC) internal and external connectivity

Resources in a VPC are deployable across multiple availability zones in a given region. You can configure load balancers to distribute incoming traffic across virtual server instances within the region. Figure 1 shows how load balancers can be either public (meaning reachable from the Internet as in component 3) or private (meaning internal to the VPC as in component 4).

Figure 2: IBM Cloud public and private load balancers deployed in a Virtual Private Cloud.

If your virtual instances need access to resources that are external to the VPC or to the IBM Cloud, use a public gateway (PGW) or a Virtual Private Network (VPN) gateway to enable external communication for specific or all virtual server instances on a given subnet. 

2.  Secure access to instances

A developer or administrator uses a bastion virtual server instance to administer the other virtual instances in the VPC network. The bastion node has a Floating IP (FIP) that gives it a public address, and it is used to SSH into the other VSIs to install software (the custom application and the database), configure clustering, and create databases. Only the bastion VSI is directly reachable from the Internet via SSH; every other instance has only a private address.

Figure 3: IBM Cloud virtual server instances deployed in a Virtual Private Cloud.

Security is built into IBM Cloud VPC: security groups act as a virtual firewall at the instance level (rules are attached to each network interface of a virtual server instance) and network access control lists (ACLs) act at the subnet level. Rules filter on direction, protocol, port range, and source or destination, which can be an IP address, a CIDR block, or, for security groups, another security group. Security groups are stateful, so return traffic for an allowed connection is permitted automatically; ACLs are stateless, so both directions of a flow must be listed. In this example, rules are applied so that only specific IP addresses or CIDR blocks can SSH to the bastion node, and only the bastion node can SSH to the internal virtual instances.

Figure 4: IBM Cloud security groups used to isolate services in a Virtual Private Cloud.

Use security groups (instance level) and ACLs (subnet level) together to limit which addresses and ports may communicate inside the VPC and, where applicable, to and from the Internet. Allow only the flows the design needs: administrators to the bastion, the bastion to the nodes, the load balancers to the application and database ports, and the database nodes to each other.
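The following is an added example, not code from the original post or its GitHub sample. It models the security-group policy described in this step as a small offline evaluator so the isolation can be checked before anything is deployed: the group names, rules, private addresses, and the public test addresses are all constructed for the example, the load balancers are treated as members of their own groups (a simplification, since in the real VPC the relevant source is whatever private address the load balancer presents), and it does not call the IBM Cloud API. It encodes the bastion pattern from the text and adds the database-side rules from steps 4 and 5 (application traffic only through the private load balancer, replication only between database nodes) so that all five roles are covered in one place.

```python
"""Offline model of a VPC security-group allow-list for the bastion pattern.

Constructed example: group names, rules and addresses are invented for the
demonstration; nothing here talks to IBM Cloud.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Union

# Constructed addresses (TEST-NET ranges for the public side).
ADMIN_CIDR = ipaddress.ip_network("203.0.113.0/24")   # where administrators SSH from
VPC_CIDR = ipaddress.ip_network("10.240.0.0/16")      # all VPC subnets, incl. LB private IPs
INTERNET_IP = "198.51.100.7"                          # arbitrary public source, not an admin
SSH, APP_HTTP, COCKROACH_SQL = 22, 8080, 26257        # 26257 is CockroachDB's default SQL port

Remote = Union[ipaddress.IPv4Network, str]  # a CIDR, or the name of another security group


@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp" or "udp" (icmp omitted for brevity)
    port_min: int
    port_max: int
    remote: Remote


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)  # stateful: replies are implicitly allowed


# The intended allow-list, one group per role (constructed policy).
GROUPS = {g.name: g for g in (
    SecurityGroup("sg-bastion", [Rule("tcp", SSH, SSH, ADMIN_CIDR)]),
    SecurityGroup("sg-app", [
        Rule("tcp", SSH, SSH, "sg-bastion"),         # administration only via the bastion
        Rule("tcp", APP_HTTP, APP_HTTP, VPC_CIDR),   # public LB forwards from its private IPs
    ]),
    SecurityGroup("sg-private-lb", [
        Rule("tcp", COCKROACH_SQL, COCKROACH_SQL, "sg-app"),  # only app nodes use the SQL LB
    ]),
    SecurityGroup("sg-db", [
        Rule("tcp", SSH, SSH, "sg-bastion"),
        Rule("tcp", COCKROACH_SQL, COCKROACH_SQL, "sg-private-lb"),  # SQL clients via the LB
        Rule("tcp", COCKROACH_SQL, COCKROACH_SQL, "sg-db"),          # cross-zone replication
    ]),
)}

# Private address -> security group for every simulated source (one subnet per zone).
MEMBERSHIP = {
    "10.240.0.4": "sg-bastion",
    "10.240.0.5": "sg-app", "10.240.64.5": "sg-app", "10.240.128.5": "sg-app",
    "10.240.0.6": "sg-db",  "10.240.64.6": "sg-db",  "10.240.128.6": "sg-db",
    "10.240.0.7": "sg-private-lb",   # private load balancer's VPC address
    # 10.240.0.8 is the public load balancer's VPC address; it belongs to no group here
}


def is_allowed(src_ip: str, dst_group: str, protocol: str, port: int) -> bool:
    """True if an inbound connection from src_ip to an instance in dst_group
    matches any rule of that group (first match wins; no match means deny)."""
    src = ipaddress.ip_address(src_ip)
    src_group = MEMBERSHIP.get(src_ip)
    for rule in GROUPS[dst_group].inbound:
        if rule.protocol != protocol or not (rule.port_min <= port <= rule.port_max):
            continue
        if isinstance(rule.remote, str):          # remote is another security group
            if src_group == rule.remote:
                return True
        elif src in rule.remote:                  # remote is a CIDR block
            return True
    return False


def isolation_violations() -> list:
    """Return the isolation invariants the policy breaks (empty list means it holds)."""
    expectations = [
        ("internet -> bastion:22 denied", not is_allowed(INTERNET_IP, "sg-bastion", "tcp", SSH)),
        ("admin CIDR -> bastion:22 allowed", is_allowed("203.0.113.10", "sg-bastion", "tcp", SSH)),
        ("admin CIDR -> app:22 denied (must go through bastion)",
         not is_allowed("203.0.113.10", "sg-app", "tcp", SSH)),
        ("bastion -> app:22 and db:22 allowed",
         is_allowed("10.240.0.4", "sg-app", "tcp", SSH) and is_allowed("10.240.0.4", "sg-db", "tcp", SSH)),
        ("public LB -> app:8080 allowed", is_allowed("10.240.0.8", "sg-app", "tcp", APP_HTTP)),
        ("internet -> db:26257 denied", not is_allowed(INTERNET_IP, "sg-db", "tcp", COCKROACH_SQL)),
        ("bastion -> db:26257 denied (admin box works over SSH only)",
         not is_allowed("10.240.0.4", "sg-db", "tcp", COCKROACH_SQL)),
        ("app -> private LB:26257 and LB -> db:26257 allowed",
         is_allowed("10.240.64.5", "sg-private-lb", "tcp", COCKROACH_SQL)
         and is_allowed("10.240.0.7", "sg-db", "tcp", COCKROACH_SQL)),
        ("app -> db:26257 directly denied (only via the private LB)",
         not is_allowed("10.240.0.5", "sg-db", "tcp", COCKROACH_SQL)),
        ("db -> db:26257 replication allowed", is_allowed("10.240.128.6", "sg-db", "tcp", COCKROACH_SQL)),
    ]
    return [name for name, ok in expectations if not ok]


if __name__ == "__main__":
    broken = isolation_violations()
    print("policy OK" if not broken else "violations: " + "; ".join(broken))
```

The evaluator is deliberately deny-by-default and only lists inbound rules, which mirrors how stateful security groups behave; an ACL model would need explicit rules in both directions. Keeping the invariants as a checklist next to the policy means a later rule change (for example, opening the SQL port from the whole VPC for convenience) shows up as a named violation rather than as a silent widening of the attack surface.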

3. End user access

The PUBLIC load balancer provides the ingress address that end users use for HTTP/HTTPS requests. It distributes each request across the three virtual server instances (APP NODE), one per zone, that run the NodeJS/GraphQL application, so the loss of one zone does not take the application offline.

4. Application database access

The application running on the APP NODEs interfaces with the database through a PRIVATE load balancer, which directs each request to any of the three virtual server instances (COCKROACH NODE), one in each availability zone. VSIs are created using predefined virtual CPU and RAM profiles optimized for your specific workloads. For each VSI, you can specify storage requirements and the operating system of choice, and then deploy your workloads.

5. Data security, performance, and availability

The database VSIs each have a data block storage volume attached that is encrypted with a customer-managed encryption key; the encryption keys are stored in a Key Protect service instance, shown as component 6 in Figure 1. In VPC, you can specify an IOPS profile that best meets your storage performance requirements. Profiles are available as predefined IOPS tiers or as custom IOPS. IOPS tiers provide guaranteed IOPS/GB performance for volumes up to 2 TB capacity. The database nodes replicate data across the availability zones over TLS-encrypted connections; the SSL/TLS certificates used for those connections are stored in the Certificate Manager service instance, shown as component 7 in Figure 1.

Figure 5: IBM Cloud storage volumes deployed in a Virtual Private Cloud.

IBM Cloud managed services

When deploying applications in IBM Cloud VPC, you can take advantage of IBM Cloud managed services. We used the following three managed services:

  • Identity and Access Management (IAM) enables you to securely authenticate users and control access to all IBM Cloud platform resources. In our scenario, IAM enables virtual server instances to access the encryption keys needed to read and write data on the attached storage volumes.
  • Certificate Manager is a service that helps you centrally manage SSL/TLS certificates for your apps and services. Certificate Manager keeps track of when your certificates expire, serves as a secure repository for SSL/TLS certificates and keys, and helps you securely deploy certificates to your IBM Cloud apps. 
  • Key Protect for IBM Cloud helps you provision and manage encryption keys for apps across IBM Cloud services. As you manage encryption keys throughout their lifecycle, you have the peace of mind that comes from knowing your keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect against information theft.

Next steps

Having deployed the isolated, highly available environment, developers can test failure scenarios before the application reaches production. For example, how do the database and application components react to the loss of one or two nodes in the database cluster, to certificate expiration, to the loss of a virtual instance, and to other anomalies? Minor changes found this way can improve application resiliency and performance during the component outages that will inevitably occur.

Getting started

Try our sample code on GitHub, Deploying CockroachDB in a Multi-Zoned Virtual Private Cloud with Encrypted Block Storage. Instructions are provided to deploy a database application in a virtual private cloud using a highly available multi-zone public cloud infrastructure. 

The sample script automatically creates a virtual private cloud and all required resources, including the following:

  • Subnets
  • Security groups
  • Load balancers
  • Virtual server instances

It then configures encrypted data storage, installs and configures CockroachDB, installs and configures the sample NodeJS/GraphQL application that interacts with the database, and guides you through setting up a database and testing the solution.

For additional hands-on learning, I recommend the following self-directed IBM Cloud Solution Tutorials:

Questions and feedback

The GitHub repository for this scenario has an Issues tab where you can comment on the content and code. If you have suggestions or issues, please submit your feedback.
