-
Notifications
You must be signed in to change notification settings - Fork 35
docs: add VPN DA reference architecture #963
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
akocbek
wants to merge
5
commits into
main
Choose a base branch
from
update_docs
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+91
−0
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
5930383
docs: add VPN DA reference architecture
akocbekIBM 66792e6
Update reference-architectures/deploy-arch-ibm-slz-vpn.md
akocbek 844e75e
Update reference-architectures/deploy-arch-ibm-slz-vpn.md
akocbek ce54d03
Update reference-architectures/deploy-arch-ibm-slz-vpn.md
akocbek 6fdc4b7
PR review fix
akocbekIBM File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| --- | ||
| copyright: | ||
| years: 2025 | ||
| lastupdated: "2025-03-05" | ||
|
|
||
| keywords: | ||
|
|
||
| subcollection: deployable-reference-architectures | ||
|
|
||
| authors: | ||
| - name: "Andrej Kocbek" | ||
|
|
||
| # The release that the reference architecture describes | ||
| version: 2.1.3 | ||
|
|
||
| # Whether the reference architecture is published to Cloud Docs production. | ||
| # When set to false, the file is available only in staging. Default is false. | ||
| production: false | ||
|
|
||
| # Use if the reference architecture has deployable code. | ||
| # Value is the URL to land the user in the IBM Cloud catalog details page | ||
| # for the deployable architecture. | ||
| # See https://test.cloud.ibm.com/docs/get-coding?topic=get-coding-deploy-button | ||
| deployment-url: https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-client-to-site-vpn-1b824983-263f-4191-bfcd-c1d1b2220aa3-global | ||
|
|
||
| docs: https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-connect-landingzone-client-vpn | ||
|
|
||
| image_source: https://github.com/terraform-ibm-modules/terraform-ibm-client-to-site-vpn/blob/main/reference-architectures/c2s-basic.drawio.svg | ||
|
|
||
| related_links: | ||
| - title: "VPC landing zone - Standard variation" | ||
| url: "https://cloud.ibm.com/docs/deployable-reference-architectures?topic=deployable-reference-architectures-vsi-ra" | ||
| description: "A deployable architecture that is based on the IBM Cloud for Financial Services Framework reference and that provides virtual servers in a secure VPC for your workloads." | ||
|
|
||
| use-case: Cybersecurity | ||
| industry: Banking,FinancialSector | ||
| compliance: FedRAMP | ||
|
|
||
| content-type: reference-architecture | ||
|
|
||
| --- | ||
|
|
||
| {{site.data.keyword.attribute-definition-list}} | ||
|
|
||
| # Cloud automation for Client-to-Site VPN | ||
| {: #vpn-ra} | ||
| {: toc-content-type="reference-architecture"} | ||
| {: toc-industry="Banking,FinancialSector"} | ||
| {: toc-use-case="Cybersecurity"} | ||
| {: toc-compliance="FedRAMP"} | ||
| {: toc-version="2.1.0"} | ||
|
|
||
| This deployable architecture pattern configures client-to-site VPN secure and encrypted server connectivity within an existing management VPC using only a few required inputs. After it's been deployed, you can install an OpenVPN client application on the devices that you wish to use for VPN access, and import a profile from the VPN server. The configuration also allows you to specify a list of users that can have access to the private network, with access control managed by IBM Cloud Identity and Access Management. | ||
|
|
||
| ## Architecture diagram | ||
| {: #ra-vpn-ext-architecture-diagram} | ||
|
|
||
| {: caption="Figure 1. client-to-site VPN on existing landing zone" caption-side="bottom"}{: external download="c2s-basic.drawio.svg"} | ||
|
|
||
| ## Design requirements | ||
| {: #ra-vpn-ext-design-requirements} | ||
|
|
||
| {: caption="Figure 2. Scope of the design requirements" caption-side="bottom"} | ||
|
|
||
| ## Components | ||
| {: #ra-vpn-components} | ||
|
|
||
| ### Client-to-site VPN architecture decisions | ||
| {: #ra-vpn-components-arch} | ||
|
|
||
| | Requirement | Component | Reasons for choice | Alternative choice | | ||
| |-------------|-----------|--------------------|--------------------| | ||
| | Set up secure client-to-site VPN | VPN | | | | ||
| | Store private certificate in existing Secrets Manager | Secrets Manager | Create and store private certificate to ensure secure communication and authentication between public network and the private VPC | | | ||
|
|
||
| ### Network security architecture decisions | ||
| | Requirement | Component | Reasons for choice | Alternative choice | | ||
| |-------------|-----------|--------------------|--------------------| | ||
| | Load VPN configuration to simplify VPN setup | VPNs | Open following ports by default: 53 (DNS service), 443 (https) | | | ||
| | Create two subnets to achieve high availability | VPC | Distributing resources across two subnets allows for load balancing between them, ensuring that no single point of failure affects the performance or availability of client-to-site VPN | | | ||
| | * Create connection to isolated existing management VPC and allow only a limited number of network connections \n * All other connections from or to existing management VPC are forbidden | ACL and security group rules in client-to-site VPN| | More ports might be opened in preset or added manually after deployment | | ||
| {: caption="Table 2. Network security architecture decisions" caption-side="bottom"} | ||
|
|
||
| ## Next steps | ||
| {: #ra-vpn-ext-next-steps} | ||
|
|
||
| - See the landing zone [deployment guide](https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-overview). | ||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
diagram is inside VPN repo under
reference-architectures. Will automation will be able to pick it up? https://github.com/terraform-ibm-modules/terraform-ibm-client-to-site-vpn/blob/main/reference-architectures/c2s-basic.drawio.svg