February 6, 2023 By Powell Quiring 3 min read

Check out our new tutorial to learn how to centralize communication through a VPC transit hub and spoke.

A Virtual Private Cloud (VPC) provides network isolation and security in the IBM Cloud. A VPC can be a building block that encapsulates a corporate division (e.g., marketing, development, accounting) or a collection of microservices owned by a DevSecOps team. VPCs can be connected to an on-premises enterprise and to each other. A new two-part solution tutorial covers the concepts and implementation of the transit hub-and-spoke architecture.

At a high level, the architecture might look like the following diagram:

Hub-and-spoke architecture.

Traffic will pass through the hub as it flows from enterprise to spoke or even spoke to spoke. IBM Cloud service instances can be created in the hub and used by the enterprise and spokes. The hub will contain a Network Function Virtualization (NFV) firewall-router instance for fine-grained routing control and packet inspection. You can choose a firewall-router from the catalog:

Data flow through a firewall-router.

Each of the VPCs has its own addressable entities. This includes microservices and IBM Service Instances. A Virtual Private Endpoint gateway (VPE) provides private and secure access to a service like IBM Cloud Databases for Redis. DNS entries for these entities can be managed through the IBM Cloud DNS Service.

DNS for microservices and VPEs.

We’re excited to bring you a new, two-part solution tutorial. Part 1 covers the concepts and implementation of the transit hub-and-spoke architecture. Part 2 routes more traffic through an HA firewall-router and implements VPE with DNS. The companion GitHub repository contains a complete implementation divided into small layers.

It can be informative to just read through the tutorial to obtain an understanding of the architecture. To get hands-on experience, you can provision the layers as instructed in the tutorial and use the IBM Cloud Console to view the resources and see the details. The tutorial even describes how to invoke a test suite to verify connectivity and interpret the results.

Topics include the following:

  • Transit Gateway to connect Direct Link 2.0 and VPCs
  • VPC zone-based routing
  • Resolving firewall-router asymmetric routing issues
  • Virtual Private Endpoint Gateways for local access to cloud resource instances within a VPC
  • DNS name resolution of IBM Cloud Service instances
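
An added example, not code from the tutorial or its companion repository: a simplified Python model of the hub-and-spoke routing described above that checks whether each enterprise-to-spoke and spoke-to-spoke flow crosses the hub firewall-router in both directions, and flags flows where only one direction does (asymmetric routing). The CIDRs, location names and the `leak` parameter are constructed assumptions, and the longest-prefix lookup is a model, not IBM Cloud's own route evaluation.

```python
import ipaddress

# Constructed address plan and location names (assumptions, not from the tutorial).
CIDR = {"enterprise": "192.168.0.0/16", "hub": "10.0.0.0/16",
        "spoke0": "10.1.0.0/16", "spoke1": "10.2.0.0/16"}
FIREWALL = "firewall"  # the firewall-router hop inside the hub

def build_tables(leak=None):
    """Every location default-routes to the hub, which hands traffic to the
    firewall-router. leak=(frm, to) adds a direct route that skips the hub."""
    tables = {loc: [(cidr, "local"), ("0.0.0.0/0", "hub")] for loc, cidr in CIDR.items()}
    tables["hub"] = [(CIDR["hub"], "local"), ("0.0.0.0/0", FIREWALL)]
    tables[FIREWALL] = [(cidr, loc) for loc, cidr in CIDR.items()]
    if leak:
        frm, to = leak
        tables[frm].append((CIDR[to], to))
    return tables

def next_hop(table, dst_ip):
    """Longest-prefix match over (cidr, hop) routes; None when nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    nets = [(ipaddress.ip_network(c), hop) for c, hop in table]
    hits = [(n.prefixlen, hop) for n, hop in nets if ip in n]
    return max(hits)[1] if hits else None

def trace(tables, src, dst_ip, max_hops=8):
    """Hop-by-hop path a packet takes from location src toward dst_ip."""
    path = [src]
    for _ in range(max_hops):
        hop = next_hop(tables[path[-1]], dst_ip)
        if hop in (None, "local"):
            break
        path.append(hop)
    return path

def classify(tables, a, b):
    """'inspected' if both directions cross the firewall-router, 'asymmetric'
    if only one does, 'bypassed' if neither does."""
    host = lambda loc: str(ipaddress.ip_network(CIDR[loc])[10])
    seen = [FIREWALL in trace(tables, s, host(d)) for s, d in ((a, b), (b, a))]
    return "inspected" if all(seen) else "asymmetric" if any(seen) else "bypassed"

def audit(tables):
    """Classify the enterprise<->spoke and spoke<->spoke flows."""
    ends = ["enterprise", "spoke0", "spoke1"]
    return {(a, b): classify(tables, a, b)
            for i, a in enumerate(ends) for b in ends[i + 1:]}

if __name__ == "__main__":
    print(audit(build_tables()))
    print(audit(build_tables(leak=("spoke1", "spoke0"))))
```

In the second run the more specific direct route in `spoke1` wins over its default route, so replies to `spoke0` skip the firewall-router while requests still cross it.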

Summary and next steps

This blog post and the accompanying solution tutorial show how you can use a hybrid cloud to place resources where they are most desirable. You can combine secure IBM Cloud Infrastructure as a Service (IaaS) components with your existing environment to create a platform for cloud and on-premises. Use your existing firewall-router technology in the cloud to meet your compliance needs, and optimize for your business—not your cloud provider.

Get started with Part 1 and Part 2 of our new solution tutorial, “Centralize communication through a VPC transit hub and spoke architecture.”

If you have feedback, suggestions or questions about this post, please email me or reach out to me on Mastodon (@powellquiring@mastodon.social), LinkedIn or Twitter (@powellquiring).
