When designing your infrastructure in the public Cloud, we recommend using a Virtual Private Cloud (VPC) to allow isolation and network control within your infrastructure.
To ensure security while maintaining service accessibility, we usually design a VPC in the same way we design n-tier applications.
When designing your Cloud services, we recommend using the following guidelines and best practices:
For the purpose of this example, we consider that almost all platforms are designed and deployed with two types of services:
- public services, which users reach from outside the VPC;
- private services, which are never exposed outside the VPC and are reachable only from other services inside it.
You need to classify each service as public or private before moving forward with the implementation of your Cloud infrastructure, because this classification drives the subnet, routing and security group layout that follows.
For security, traceability and simplicity purposes, we follow these rules:
- one service per instance;
- one service per subnet;
- one service per security group.
The demo platform is composed of three tiers, each in its own subnet and with its own security group:
- a web front (NGINX), the only public service, reachable on ports 80 and 443;
- an application tier (called "intel" in the code below), private, listening on port 8080;
- a MySQL database tier, private, listening on port 3306.
Each layer only needs to communicate with the layer directly in front of it and the one directly behind it, so the security groups only allow traffic between adjacent layers. You can see that we respected the rule "one service per instance, one service per subnet, one service per security group".
```python
from boto.ec2.regioninfo import EC2RegionInfo
from boto.vpc import VPCConnection

# Placeholder credentials: in practice, load them from the environment or a
# credentials file rather than writing them into the script.
your_ak, your_sk = "XXXXXAAAXXXXXX", "ZZZZZZBBBBBBZZZZZZBBBBBBBZZZZZZZ"

outscale_endpoint = EC2RegionInfo(endpoint="fcu.eu-west-2.outscale.com")  # you can change the region
outscale_fcu = VPCConnection(
    aws_access_key_id=your_ak,
    aws_secret_access_key=your_sk,
    region=outscale_endpoint)

# Setup network
# setup_vpc() is not shown in this section: it creates the VPC plus the
# front and intel subnets, and returns all three.
vpc, sub_front, sub_intel = setup_vpc(vpc_cidr='10.0.0.0/16')
sub_db = outscale_fcu.create_subnet(vpc_id=vpc.id, cidr_block='10.0.3.0/24')
# A freshly created route table only carries the local VPC route, so the
# database subnet gets no path to the Internet.
rt_db = outscale_fcu.create_route_table(vpc_id=vpc.id)
outscale_fcu.associate_route_table(route_table_id=rt_db.id, subnet_id=sub_db.id)

# Setup security: one security group per service
sg_nginx = outscale_fcu.create_security_group(name='nginx', description='Web front security group', vpc_id=vpc.id)
sg_intel = outscale_fcu.create_security_group(name='intel', description='Intel security group', vpc_id=vpc.id)
sg_db = outscale_fcu.create_security_group(name='db', description='Database security group', vpc_id=vpc.id)

# Now you need to allow traffic between applications.
# Only the web front is reachable from the Internet; each inner tier accepts
# traffic solely from the security group of the tier in front of it.
for port in [80, 443]:
    sg_nginx.authorize(ip_protocol='tcp', from_port=port, to_port=port, cidr_ip='0.0.0.0/0')
sg_intel.authorize(ip_protocol='tcp', from_port=8080, to_port=8080, src_group=sg_nginx)
sg_db.authorize(ip_protocol='tcp', from_port=3306, to_port=3306, src_group=sg_intel)
```
This example assumes that SSL/TLS termination is handled on the NGINX front, that the intel tier listens on the classic HTTP port 8080 behind it, and that the MySQL databases listen on port 3306. The only rule that opens a port to 0.0.0.0/0 is the one on the web front; the intel and database tiers are never reachable from outside the VPC.
We referenced security groups as traffic sources instead of subnet CIDRs. In our case both approaches give the same result, since each subnet holds a single service, but a security group reference follows the instances that belong to the group rather than their addresses, so the rule stays correct if an instance is replaced or the subnet is resized. For more information, see About Security Groups.
This architecture can be applied to more complex applications, and follows current best practice in terms of security and network control.
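To make the "adjacent layers only" property checkable rather than something verified by eye, here is an added example, written for this page and not part of the original walkthrough or of the Outscale API: it models the inbound rules of the three security groups as plain data, in the same shape as the arguments passed to authorize() above, and checks that only the public tier is exposed to the Internet, that every inner tier accepts traffic only from the security group of the tier directly in front of it, and that no rule falls back to a subnet CIDR. The tier names and the rule dictionaries are constructed sample data matching the walkthrough.

```python
# Added example: offline policy check for the n-tier security-group design.
# The rules below are a constructed sample mirroring the walkthrough, not
# rules dumped from a live VPC.
from collections import defaultdict

ANYWHERE = "0.0.0.0/0"

# Tiers ordered from the public front to the database.
TIERS = ["nginx", "intel", "db"]

# Inbound rules: "src" is either a CIDR or "sg:<group>" for a security-group
# source, the two forms accepted by SecurityGroup.authorize() (cidr_ip / src_group).
RULES = [
    {"group": "nginx", "proto": "tcp", "port": 80,   "src": ANYWHERE},
    {"group": "nginx", "proto": "tcp", "port": 443,  "src": ANYWHERE},
    {"group": "intel", "proto": "tcp", "port": 8080, "src": "sg:nginx"},
    {"group": "db",    "proto": "tcp", "port": 3306, "src": "sg:intel"},
]


def allowed_sources(rules):
    """Map each security group to the set of sources its inbound rules accept."""
    srcs = defaultdict(set)
    for rule in rules:
        srcs[rule["group"]].add(rule["src"])
    return srcs


def exposed_ports(rules):
    """Ports each group accepts from the whole Internet; should list the front tier only."""
    exposed = defaultdict(set)
    for rule in rules:
        if rule["src"] == ANYWHERE:
            exposed[rule["group"]].add(rule["port"])
    return dict(exposed)


def check_tier_isolation(rules, tiers):
    """Return a sorted list of policy violations; an empty list means the design holds.

    Policy, as stated on the page:
      * only the first (public) tier may accept traffic from the Internet;
      * every other tier accepts inbound traffic only from the security group
        of the tier directly in front of it;
      * sources are security groups, not subnet CIDRs.
    """
    violations = []
    srcs = allowed_sources(rules)
    for i, tier in enumerate(tiers):
        for src in srcs.get(tier, set()):
            if src == ANYWHERE:
                if i != 0:
                    violations.append(f"{tier}: open to the Internet")
            elif src.startswith("sg:"):
                peer = src[len("sg:"):]
                if i == 0:
                    violations.append(f"{tier}: public tier should not accept traffic from {peer}")
                elif peer != tiers[i - 1]:
                    violations.append(f"{tier}: accepts traffic from {peer}, not the tier above")
            else:
                violations.append(f"{tier}: CIDR source {src} instead of a security group")
    return sorted(violations)


if __name__ == "__main__":
    print("exposed to the Internet:", exposed_ports(RULES))
    problems = check_tier_isolation(RULES, TIERS)
    print("violations:", problems or "none")
    # A rule that lets the database accept MySQL from anywhere must be caught.
    leaky = RULES + [{"group": "db", "proto": "tcp", "port": 3306, "src": ANYWHERE}]
    print("violations with leaky rule:", check_tier_isolation(leaky, TIERS))
```

The same check can be run against a real VPC by dumping each group's rules (boto exposes them as the rules attribute of a SecurityGroup) into the dictionary shape above; the point is that the adjacency rule becomes a test you can rerun after every change rather than a property asserted once in a diagram.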