Learn by following a few steps and using our sample code to deploy an application in an IBM Cloud region.
Migrating applications to the cloud can deliver significant business benefits. However, this gets tricky when we are talking about enterprise applications with high-availability or high-security requirements. How can application and data owners be assured they have the right cloud infrastructure in place to handle every potential scenario, yet be flexible enough to satisfy their enterprise requirements?
IBM Cloud is built to support scalable enterprise applications and offers a variety of stack choices to develop them, including the following:
- IBM Cloud Kubernetes Service
- IBM Cloud Foundry Enterprise Environment (CFEE)
- IBM Cloud Functions
- IBM Cloud Virtual Private Cloud (VPC)
This blog post explores IBM Cloud VPC running in an IBM Cloud region. This can be used as a pattern for highly-available applications that need built-in security, data-at-rest encryption, and workload isolation from the network up. This pattern enables improved availability and security, along with the significant benefits of the public cloud model.
The sample code shows how to deploy IBM Cloud VPC in an IBM Cloud availability zone. A sample database and application are included. Try out this example to gain hands-on experience with IBM Cloud VPC in a simulation that provides workload isolation and high-availability infrastructure.
To learn more about virtual private clouds, see IBM Chief Network Architect Ryan Sumner’s video, “What is a Virtual Private Cloud?”
Sample application and database
For our scenario, we chose a database stack that has zero pre-integration with IBM Cloud and created a simple application to interact with it. We wanted this example to demonstrate IBM Cloud capabilities that enable the transformation of practically any database application.
This example uses the following:
- A distributed database that spreads data across physically distinct virtual servers (nodes)
- A NodeJS/GraphQL application to interact with the database
Note: For large production deployments, we recommend considering databases that are integrated with the IBM Cloud platform. That means IBM Cloud Databases (for open source databases), IBM Cloudant, and IBM branded databases.
IBM Cloud environment
Our deployment example consists of the following IBM Cloud infrastructure and services, as depicted in Figure 1:
- One IBM Cloud Virtual Private Cloud instance
- Three availability zones in one IBM Cloud region (also known as a multi-zone region)
- Seven IBM Cloud Virtual Server Instances. Each zone has an application server, a database server, and attached storage. One of the zones also hosts a bastion/administration function server
- Two IBM Cloud Load Balancer as a Service (LBaaS) instances, one for public and one for private
- Three IBM Cloud managed services
- Identity and Access Management
- Key Protect
- Certificate Manager
The following diagram depicts the components to be deployed, including a description for each section (circled numbers):
Using the architecture diagram in Figure 1 as a guide, follow these five steps to deploy IBM Cloud Virtual Private Cloud across three availability zones in an IBM Cloud region.
1. Virtual Private Cloud (VPC) internal and external connectivity
Resources in a VPC are deployable across multiple availability zones in a given region. You can configure load balancers to distribute incoming traffic across virtual server instances within the region. Figure 1 shows how load balancers can be either public (meaning reachable from the Internet as in component 3) or private (meaning internal to the VPC as in component 4).
If your virtual instances need access to resources that are external to the VPC or to the IBM Cloud, use a public gateway (PGW) or a Virtual Private Network (VPN) gateway to enable external communication for specific or all virtual server instances on a given subnet.
2. Secure access to instances
A developer/admin leverages a bastion virtual server instance to administer the remote virtual instances in the VPC Network. This bastion node uses a Floating IP (FIP) to enable communication to and from the Internet and is used to SSH into the other VSIs to install software (custom applications and the database solution used), configure clustering, and create databases. Only the bastion VSI is directly reachable from the Internet via SSH.
Security is integrated into your IBM Cloud VPC, with security groups and access control lists that act as virtual firewalls for instance-level and subnet-level protection. They provide a convenient way to apply rules that filter traffic on each network interface of a virtual server instance or subnet, based on IP address. For example, rules are applied such that only specific IP addresses or CIDR ranges can SSH to the bastion node, and only the bastion node can reach the internal virtual instances.
Leverage security groups or access control lists to limit what IP addresses/ports are allowed internally in the VPC and to/from the Internet when applicable.
3. End user access
VPC provides an ingress address that is used by a user to make HTTP/HTTPS requests. The PUBLIC load balancer directs the request to any of the three available virtual server instances (APP NODE) that run the NodeJS/GraphQL application.
4. Application database access
The application running on the APP NODEs interfaces with the database(s) via a PRIVATE load balancer that directs each request to any of the three available virtual server instances (COCKROACH NODE), one in each of the three availability zones. VSIs are created using predefined virtual CPU and RAM profiles optimized for your specific workloads. For each VSI, you can specify storage requirements and the operating system of choice, and then deploy your workloads.
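The access rules described in steps 2 through 4 (only an admin range can SSH to the bastion, only the bastion can SSH to the other VSIs, only the app tier can reach the database port, and the database nodes can talk to each other) can be checked as a model before anything is deployed. The following is an added example, not code from the post or its GitHub repository; the admin CIDR, the 10.240.x.x VPC addresses and the app port 4000 are constructed, and the CockroachDB port 26257 and the placement of the private load balancer in the app security group are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the inbound security-group rules for the VPC pattern in this post.
# Assumed ports: SSH 22, CockroachDB SQL/inter-node 26257, app listener 4000 (hypothetical).
ADMIN_CIDR = "203.0.113.0/24"   # constructed: the operator's permitted source range
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    port: int
    remote: str   # either a CIDR or the name of another security group

# Inbound allow-list per security group; anything not listed is denied.
# The private load balancer is assumed to sit in sg-app, so db nodes only accept 26257 from it.
SECURITY_GROUPS = {
    "sg-bastion": [Rule(22, ADMIN_CIDR)],
    "sg-app":     [Rule(22, "sg-bastion"), Rule(4000, ANY)],   # 4000 is fronted by the public LB
    "sg-db":      [Rule(22, "sg-bastion"), Rule(26257, "sg-app"), Rule(26257, "sg-db")],
}

def _remote_matches(remote, src_ip, src_group):
    # A security-group remote matches on the sender's group; a CIDR remote matches on its IP.
    if remote in SECURITY_GROUPS:
        return src_group == remote
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(remote)

def allowed(dst_group, port, src_ip, src_group=None):
    """True if an inbound TCP connection to an instance in dst_group on port is permitted."""
    return any(r.port == port and _remote_matches(r.remote, src_ip, src_group)
               for r in SECURITY_GROUPS[dst_group])

def audit():
    """Checks a reviewer would run before deploying; returns a list of (name, passes)."""
    return [
        ("admin range can SSH to bastion", allowed("sg-bastion", 22, "203.0.113.10")),
        ("internet cannot SSH to bastion", not allowed("sg-bastion", 22, "198.51.100.7")),
        ("internet cannot SSH to db node", not allowed("sg-db", 22, "198.51.100.7")),
        ("bastion can SSH to db node", allowed("sg-db", 22, "10.240.0.4", "sg-bastion")),
        ("app tier can reach CockroachDB", allowed("sg-db", 26257, "10.240.1.5", "sg-app")),
        ("db nodes replicate to each other", allowed("sg-db", 26257, "10.240.2.5", "sg-db")),
        ("app tier cannot SSH to db node", not allowed("sg-db", 22, "10.240.1.5", "sg-app")),
        ("internet cannot reach CockroachDB", not allowed("sg-db", 26257, "198.51.100.7")),
    ]

if __name__ == "__main__":
    for name, ok in audit():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
```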
5. Data security, performance, and availability
The database VSIs each have a data block storage volume attached that is encrypted with a customer-managed encryption key; the encryption keys are stored in a Key Protect service instance, shown as component 6 in Figure 1. In VPC, you can specify an IOPS profile that best meets your storage performance requirements. Profiles are available as predefined IOPS tiers or as custom IOPS. IOPS tiers provide guaranteed IOPS/GB performance for volumes up to 2 TB capacity. The database nodes replicate data across the availability zones over SSL-encrypted connections. The SSL certificates are stored in the Certificate Manager service instance, shown as component 7 in Figure 1.
IBM Cloud managed services
When deploying applications in IBM Cloud VPC, you can take advantage of IBM Cloud managed services. We used the following three managed services:
- Identity and Access Management (IAM) enables you to securely authenticate users and control access to all IBM Cloud platform resources. In our scenario, IAM enables virtual server instances to access the encryption keys needed to read and write data on the attached storage volumes.
- Certificate Manager is a service that helps you centrally manage SSL/TLS certificates for your apps and services. Certificate Manager keeps track of when your certificates expire, serves as a secure repository for SSL/TLS certificates and keys, and helps you securely deploy certificates to your IBM Cloud apps.
- Key Protect for IBM Cloud helps you provision encrypted keys for apps across IBM Cloud services. As you manage encryption keys throughout their lifecycle, you have the peace of mind that comes from knowing your keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect against information theft.
Having deployed the isolated, high-availability environment, developers can test various scenarios throughout the application development process. For example, how do the database and application components react to the loss of one or two nodes in the database cluster, certificate or key expiration, loss of a virtual instance, and other anomalies? Minor changes can improve application resiliency and performance during inevitable component outages.
Try our sample code on GitHub, Deploying CockroachDB in a Multi-Zoned Virtual Private Cloud with Encrypted Block Storage. Instructions are provided to deploy a database application in a virtual private cloud using a highly available multi-zone public cloud infrastructure.
The sample script automatically creates a virtual private cloud along with all required resources, and does the following:
- Creates security groups
- Creates load balancers
- Creates virtual server instances
- Configures encrypted data storage
- Installs and configures CockroachDB
- Installs and configures a sample NodeJS/GraphQL application to interact with the database
- Guides you through setting up a database and testing the solution
For additional hands-on learning, I recommend the following self-directed IBM Cloud Solution Tutorials:
- Deploy Isolated Workloads Across Multiple Locations and Zones
- Virtual Private Cloud with Public and Private Subnets
- Securely Access Remote Instances with a Bastion Host
- Use a VPC/VPN Gateway for Secure Access from On-Prem-to-Cloud Resources
Questions and feedback
The GitHub repository for this scenario has an Issues tab where you can comment on the content and code. If you have suggestions or issues, please submit your feedback.