How many VPCs do I need?

By -
In my previous blog post, we explained the different scenarios required to get a VPC in place. But there’s yet another question we need to answer before creating our first VPC. Is it enough with one VPC? How many VPCs do I really need? In this blog post, we’ll review some of the considerations to decide how many VPCs should be included into our network architecture.

Backend location

If we are going to be connecting our VPC(s) to our data center to provide your Mule apps with access to your back-end systems, the first question to ask is where the backend is. The Mule VPC will be created in an AWS Region, so create this VPC in the closest region to our backend to minimize the latency in the communications.

However, many organizations don’t have a unique location for their data center. Sometimes data centers are geographically distributed in different on-prem locations or in different regions of a cloud provider. If that’s the case, you have two options:
  • Create one VPC and connections to each data center location. In this case, the latency would be different for each region, we’ll need to assess if the furthest region provides an acceptable latency.
  • Create one VPC per region close to a data center location and set a connection in each VPC to that data center location. In this case, the latency would be optimal for every region. The caveat here is that apps in different regions will be isolated and not reachable within the local network.

 image.png

Isolation and traffic segregation

There is another consideration for the number of VPCs needed — the different groups of apps/APIs and the level of isolation required for each group. At this point, we need to talk about business groups and environments.

Business groups are a great solution to separate and control access to Anypoint resources. A VPC is a resource that can be created at the master org and also at a business group level. But be careful, the VPC resource can only be shared vertically down, not up or across.

If you don't have any particular requirement of network isolation between the BGs of your org, create your VPC at the master org level to avoid situations like the previous one. However, there are organizations (usually big companies), made of business units, where a higher level of separation is required, it's not enough to have a logical division in BGs. In those cases, you'll need to create as many VPCs as separated business units require this traffic segregation.

image.png

Environments get associated with one VPC and only one. What’s key to understand here is that we can have multiple environments in the same VPC, but each environment can be associated to only one VPC. One environment cannot be part of two VPCs.

This way, every app gets deployed to an environment and that environment is associated with a VPC. We don't have any settings to link directly an app to a VPC, the app gets hosted to the VPC associated with the environment you're deploying to.

This provides a mechanism of isolation for our apps. Two environments associated to the same VPC will be logically separated, but they will belong to the same network segment. On the other hand, two environments associated with different VPCs will be completely isolated from each other, because the traffic between environments will be segregated, they are two different network segments.

The recommendation at this regard is to have a minimum of two VPCs. One for production environments and one for non-production environments (dev, QA, stage, test) to segregate traffic between production and non-production. This will guarantee that non-production apps can get access to production data and vice versa. Some organizations enforce a greater level of security and require segregation between all the environments. In that case, we’ll need a VPC per environment.

image.png

Anypoint Platform connectivity considerations

If you remember from my previous post, Anypoint Platform offers three connectivity methods to your data center:

  • IPSec VPN
  • VPC peering to your AWS VPC
  • Connection to your AWS Direct Connect location

As we’ve seen earlier in this post, in some cases our data center is geographically distributed or has different locations. In those instances where more than one connection in the same VPC is required we need to pay attention to the following:

VPNs and Direct Connect


We can’t have a VPN and a Direct Connect connection in the same VPC. So, plan ahead your network architecture, if you require a site-to-site VPN connection and another connection to your Direct Connect location. Both connections cannot be within the same VPC, you’ll need two VPCs for that.

Regions in your AWS account

Maybe you’re planning to connect your mule VPC to the VPCs in your AWS account. For that purpose, whether you’re thinking of VPC peering or Direct Connect both types of connections need to be established within the same region of your mule VPC. You can’t have one mule VPC and do VPC peering to two AWS VPCs in different regions. For example, if you have an AWS VPC in Frankfurt and another one in Dublin, you’ll need to create another pair of mule VPC, in the same regions, to do the peering. Same applies to Direct Connect, your Direct Connect location needs to be in the same region as your mule VPC to do the peering.

Subnets

There are no subnets in Mule VPCs. Anypoint VPCs are, behind the scenes, AWS VPCs however this does not mean that our Mule VPCs have the same features as AWS. For example, it is not possible to establish a VPC peering between two Mule VPCs. Also, unlike AWS, subnets don’t exist in Mule VPCs. If you were planning to have two different network segments for isolation purposes, you’ll need two VPCs. You can’t define two network segments within the same Mule VPC as you’d do in AWS. The concept of subnet simply does not exist in Anypoint VPCs.

Isolation between API-led connectivity Layers

You might be wondering, if I can’t define subnets how can I keep the traffic between Process and System APIs only internal while the access to Experience APIs is public? That’s still possible using only one VPC and for that you’ll need one or two dedicated load balancers. Have a look at this article in our Help Center to know more about it.

image.png

VPCs and VPNs relationship

I need to create 2 or more VPN connections, do I need a VPC per each VPN connection? The answer is no, not necessarily. The MuleSoft side of a VPN connection is an implementation of an AWS Virtual Private Gateway, and as such it can support up to 10 VPN connections. So, unless the traffic between your VPC and your VPN connections must be isolated, you can use the same VPC for all your VPN connections.

With that I hope we’ve covered most of the scenarios to require more than one VPC, but there can be more. In summary, as you can see, there are a few considerations to take into account before creating your VPC or VPCs so, please, ask yourself all the questions above and decide first how many you need.

Popular posts from this blog

Benefici di Mule 4 - Parte 2

By -
Image
Come evidenziato nel primo post di questa serie , Mule 4 è un runtime con architettura diversa rispetto a quella della versione precedente Mule 3. I nuovi disegno ed architettura di questa versione portano dei miglioramenti sostanziali e nuove funzionalità. Nel post di oggi vedremo quali sono queste novità riguardo lo streaming e classloader isolation. Streaming Che cosa è lo streaming? In informatica, lo streaming è un meccanismo di trasmissione di dati che permette di fruire del contenuto desiderato senza la necessità di aspettare che questo ultimo sia completamente ricevuto. Nel contesto del runtime di Mule, lo streaming consiste  nella capacità di un event processor di incominciare a girare senza aspettare ad aver ricevuto tutti i dati dell processor precedente. Questo, come potete immaginare è incredibilmente utile quando si lavora con grandi quantità di dati, arrays o collections, come nel caso di un insieme di records che provengono dal database, da un file, oppure da uno stre
Read more

MuleSoft Metrics Accelerator

By -
Image
Metrics Accelerator es una herramienta para automatizar la extracción, agregación y la visualizacion de metricas, o mejor dicho, la carga de métricas en un sistema de visualización. Es una herramienta creada por nuestro equipo de Servicios Profesionales de MuleSoft, a partir del trabajo que han hecho para varios de nuestros clientes. Lo han estandarizado y lo han puesto a disposición de la comunidad como proyecto Open Source en GitHub. Por tanto, como proyecto open source se proporciona el código fuente y se deja abierto para que cualquiera pueda colaborar a evolucionarlo. Aquí tenéis el enlace al  proyecto en GitHub de Metrics Accelerator. En esta serie de posts vamos a ver en detalle la herramienta: desde cómo instalarlo hasta cómo crear dashboards en un sistema de visualización, viendo los detalles de funcionamiento y configuración. Aquí tenéis el detalle de los artículos dedicados a Metrics Accelerator: Metrics Accelerator (I) - Qué es y Cómo Instalarlo Metrics Accelerator (II) - T
Read more

The Mule Migration Assistant

By -
Image
La versione 4 del runtime di Mule è ormai da due anni con noi. Questo 2021 abbiamo due date importanti: una a Marzo, a partire dal 20 di Marzo non sarà più possibile pubblicare nuove applicazioni in Mule 3.9, e questa versione passerà a Extended Support fino il 2024. E la seconda data è a Novembre, a partire della quale finirà lo extended support alla versione 3.8 e di conseguenza tutte le applicazioni in questa versione non funzioneranno più. Potete trovare più informazione su questo link.   Version Release Date End of Standard Support End of Extended Support 4.3 April 30, 2020 April 30, 2022 April 30, 2024 4.2 May 2, 2019 May 2, 2021 May 2, 2023 4.1 March 20, 2018 November 2, 2020 November 2, 2022 3.9 long term supported October 9, 2017 March 20, 2021 March 20, 2024 3.8 long term supported May 16, 2016 November 16, 2018 November 16, 2021 3.7 July 9, 2015 November 16, 2017 January 25, 2020 3.6 January 15, 2015 January 15, 2017 N/A 3.5 long term supported May 20, 2014 July 15, 2016 *
Read more

Cómo configurar Postman para usar las Platform APIs de AnyPoint

By -
Image
Postman se ha convertido en los últimos años en la herramienta standard para cualquier desarrollador de APIs. Nos proporciona una interfaz intuitiva y sencilla para interactuar y probar APIs en general. Y, en particular, para nuestro trabajo con Mule hay dos escenarios donde Postman nos es muy útil. El primero, obviamente, como herramienta de testing. Una vez construidas nuestras Mule APIs podemos usar Postman para probar las distintas operaciones de nuestras APIs: GET, POST, PUT..., podemos construir nuestro JSON para las request e incluso podemos hacer nuestras pruebas con distintos métodos de autenticación en las APIs, por poner varios ejemplos. El otro caso de uso, para el que Postman nos es muy util como desarrolladores Mule, es para interactuar con las Platform APIs de Anypoint. Para los que no las conozcáis, las AnyPoint Platform APIs son el conjunto de APIs que MuleSoft pone a disposición para interactuar con todas las funcionalidades de AnyPoint Platform de forma programá
Read more

Benefici di Mule 4 - Parte I

By -
Image
La versione 4 del runtime di Mule è ormai da due anni con noi. Questo anno, come abbiamo visto in un altro post sul Mule Migration Assistant , è l'anno chiave per migrare da Mule 3. Mule 4 è la migliore versione del runtime al momento con tanti miglioramenti rispetto alla versione precedente. Per quelli che ancora non sono convinti, in questa serie di posts vedremo le principali novità di Mule 4. In questo primo post vedremo i cambiamenti fatti sulla struttura dei eventi Mule, la gestione dei threads e le caratteristiche non-blocking e self-tuning di Mule 4. Struttura dell’Evento Mule La prima cosa che si è semplificata nella versione 4 è la struttura del messaggio Mule, ovvero l’evento Mule. Un’evento Mule è l’unita di informazione, sulla quale lavora il runtime. Ogni messaggio inviato ad una applicazione Mule, sia un messaggio di tipo HTTP, JMS, MQ che in qualsiasi altro protocollo o formato è convertito a questo formato di evento, e poi ogni trasformazione o ulteriore elaborazi
Read more

MuleSoft Metrics Accelerator (I) - Qué es y Cómo Instalarlo

By -
Image
Metrics Accelerator es una herramienta para automatizar la extracción, agregación y la visualizacion de metricas, o mejor dicho, la carga de métricas en un sistema de visualización. Es una herramienta creada por nuestro equipo de Servicios Profesionales de MuleSoft, a partir del trabajo que han hecho para varios de nuestros clientes. Lo han estandarizado y lo han puesto a disposición de la comunidad como proyecto Open Source en GitHub. Por tanto, como proyecto open source se proporciona el código fuente y se deja abierto para que cualquiera pueda colaborar a evolucionarlo. Aquí tenéis el enlace al proyecto en GitHub de Metrics Accelerator. En esta serie de posts vamos a ver en detalle la herramienta: desde cómo instalarlo hasta cómo crear dashboards en un sistema de visualización, viendo los detalles de funcionamiento y configuración. En este primer post veremos cómo instalarlo y empezar a utilizarlo. Y, en los próximos veremos: Metrics Accelerator (II) - Tipos de Métricas Metrics Acce
Read more

MuleSoft Metrics Accelerator (IV) - Visualización en Splunk

By -
Image
En este nuevo post dedicado a Metrics Accelerator vamos a ver un ejemplo de cómo enviar nuestras métricas a un sistema de visualización, en concreto a Splunk. Este post pertenece a la serie de posts dedicada a Metrics Accelerator, si todavia no sabes qué es o cómo funciona te aconsejo empezar con los posts anteriores: Metrics Accelerator (I) - Qué es y Cómo Instalarlo Metrics Accelerator (II) - Tipos de Métricas Metrics Accelerator (III) - Modos de Ejecución Metrics Accelerator (IV) - Visualización en Splunk Metrics Accelerator permite el envio programado y automático de las métricas extraidas por la aplicación a un sistema externo de visualización. Como ejemplo, veamos como configurar Metrics Accelerator para enviar estos datos a Splunk en los siguientes sencillos pasos: 1. Configuración en Splunk Indices en Splunk. Desde Settings/Data seleccionamos la opcion Indexes y crearemos dos índices: metrics y platform _benefits , del tipo Events. Configurar o crear un nuevo HTTP Event Co
Read more

MuleSoft Metrics Accelerator (III) - Modos de Ejecución

By -
Image
En este tercer post de la serie dedicada a Metrics Accelerator  entraremos en sus detalles de configuración y veremos los ajustes necesarios para hacerlo funcionar en modo API o en modo Poller. Si todavía no conoces Metrics Accelerator o para qué sirve, te aconsejo que empieces por los primeros post y vuelvas a éste. Aquí abajo te dejo la lista de posts dedicada a Metrics Accelerator: Metrics Accelerator (I) - Qué es y Cómo Instalarlo Metrics Accelerator (II) - Tipos de Métricas Metrics Accelerator (III) - Modos de Ejecución Metrics Accelerator (IV) - Visualización en Splunk La aplicación de Metrics Accelerator viene preparada para trabajar en dos modos: API mode y Poller mode. Fundamentalmente para cubrir los dos grandes casos de uso que veremos a continuación: API Mode Como hemos visto durante el setup inicial en el primer post de esta serie , la aplicación nos proporciona una serie de endpoints que podemos consultar y obtener datos en cualquier momento. No hace falta configurar na
Read more

How to choose the CIDR block for your VPC

By -
Image
In one of my previous blog posts , we saw that creating a VPC is quite simple. We just need to provide values to four parameters and we can get our VPC up and running in minutes: Region CIDR Block Environments Business Groups From these four parameters, the CIDR block is usually the trickiest one to understand. And this parameter is critical — because once your Mule VPC is created, you can’t change your CIDR block. We’ll see, in the following lines, why this parameter is so important and how to properly calculate it. What is the CIDR block? To understand the CIDR block, we must first understand what an IP address is (don’t worry, this isn’t going to be a networking lesson). An IP address is the numerical representation of a location in a network. Similarly to how your phone number identifies your cell phone, your IP address identifies your device, your server, and your network interface. Computers only understand binary numbers, for that reason an IP address is just a sequence of
Read more