
Network management

southeo edited this page Nov 20, 2024 · 2 revisions

To provide structure to DiSSCo resources and route traffic, DiSSCo has implemented a network plan. In general, an environment consists of two virtual networks; within the AWS ecosystem these are called Virtual Private Clouds (VPCs).

Kubernetes

In the first VPC, we deploy our Kubernetes cluster through the managed AWS solution, Elastic Kubernetes Service (EKS). To provide clear separation from other resources, we restrict this VPC to EKS resources only. These resources are managed by EKS and require no manual intervention.

Databases and other VMs

In the second VPC we deploy our other resources, such as databases and handle servers. These resources need enough room to replicate and fail over when necessary. Access to the second VPC is managed by DiSSCo. For this we created a Security Group (often called a firewall) in which we only allow specific incoming traffic to specific ports. For example, we allow traffic from a range of IP addresses to port 5432 to connect to the Postgres database.

To allow traffic between both VPCs, we connect them via VPC peering. Traffic from one VPC reaches the other through an internal connection, so traffic from a pod (deployed on a VM in the first VPC) can travel internally to the database (on a VM in the second VPC). This matters because traffic that stays internal is both safer and faster.

Implementation

The IP ranges DiSSCo uses are:

  • Production 10.0.0.0 - 10.49.0.0
  • Acceptance 10.50.0.0 - 10.99.0.0
  • Development 10.100.0.0 - 10.149.0.0

All other ranges are free to deploy other resources on.

We deploy the VPCs through Terraform. The deployment files are available here.
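As an added example (not DiSSCo's own Terraform), this is how the two VPCs, the peering routes between them and a Security Group that admits only port 5432 from chosen ranges can be expressed; the VPC CIDRs and the admin range are placeholders:

```hcl
# Added example (not DiSSCo's own Terraform): two peered VPCs and a
# Postgres security group. CIDRs and the admin range are placeholders.
locals {
  admin_cidr = "203.0.113.0/24" # placeholder: TEST-NET-3 documentation range
}

resource "aws_vpc" "eks" {
  cidr_block = "10.100.0.0/16" # placeholder inside the development range
  tags       = { Name = "dev-eks" }
}

resource "aws_vpc" "data" {
  cidr_block = "10.101.0.0/16" # peering requires non-overlapping CIDRs
  tags       = { Name = "dev-data" }
}

# Peering keeps pod-to-database traffic on the AWS internal network.
resource "aws_vpc_peering_connection" "eks_to_data" {
  vpc_id      = aws_vpc.eks.id
  peer_vpc_id = aws_vpc.data.id
  auto_accept = true # both VPCs live in the same account and region
}

# Each side needs a route to the other VPC's CIDR via the peering connection.
resource "aws_route" "eks_to_data" {
  route_table_id            = aws_vpc.eks.main_route_table_id
  destination_cidr_block    = aws_vpc.data.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.eks_to_data.id
}

resource "aws_route" "data_to_eks" {
  route_table_id            = aws_vpc.data.main_route_table_id
  destination_cidr_block    = aws_vpc.eks.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.eks_to_data.id
}

# Security group for the database VM: only TCP 5432 from the EKS VPC and the
# admin range is admitted; with no other ingress rule, everything else is denied.
resource "aws_security_group" "postgres" {
  name   = "postgres-ingress"
  vpc_id = aws_vpc.data.id

  ingress {
    description = "Postgres from EKS pods and the admin range"
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.eks.cidr_block, local.admin_cidr]
  }
}
```

Because the group declares no egress block, Terraform also removes the default allow-all egress rule AWS creates for a new group; add an explicit egress rule only if the database host needs outbound access.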

The full network plan (end state) is available as a draw.io diagram: networkplan
