In this post, I'll be covering a high-level design of a secure & scalable VPC network for a micro-service architecture. I'll be using AWS as a primary example; however, the design can be applied to any Cloud provider that's Amazon VPC-like.
Let's get started!
When creating a new VPC, the maximum allowed block size is /16 which gives us 65,536 IP addresses. We can further divide it into smaller CIDR block to form multiple subnets with the VPC. The smallest allow block size is a /28 - 16 IP addresses.
NOTE: AWS reserves first four IP addresses and the last one IP address in each subnet CIDR block. For example, in a subnet with CIDR block
10.0.0.0/24, the following five IP addresses are reserved:
For small to medium scale architecture with less than 50 micro-services, you can get started by using block size of /21 - 2046 IP addresses. Here's a breakdown:
- Foundation network - /21
- Micro-services A network - /21
- Micro-services B network - /21
- Micro-services X network - /21
NOTE: AWS allows us to extend the VPC network by associating another /16 CIDR block to our VPC, and it doesn't require VPC peering.
Foundational network is a common network to host resources that's common to micro-services such as public load balancer, private load balancer for service to service communication, VPC Interface Endpoints, etc.
Foundation network usually have two subnets:
- Public subnet - Internet resources (i.e, Public ALB, NAT Gateway, Cloud9, etc.)
- Private subnet - Private resources (i.e, Private ALB, VPC Interface Endpoints, etc.)
- (Optional) Spare subnet - Future use
Micro-services network is a dedicated network allocated to individual micro-services to hosts their resources.
Micro-service network usually have two subnets:
- Stateful subnet - Database resources (e.g: RDS, ElastiCache)
- Stateless subnet- Application resources (e.g: Lambda, ECS)
In this VPC design we can leverage Network ACL to fine-grain control both inbound and outbound traffic of each micro-service network.
In addition to security group firewall, we can utilize network level firewall to allow or deny one micro-service from communicating to another micro-service, specially protecting and isolating Stateful resources.
NOTE: AWS NACL rules have hard limit of 20 rules. AWS recommends us to stay below 20 rules to avoid network performance hit due to the increased workload to process the additional rules.
Designing a VPC network should be part of your micro-service architecture design from early on. Later on, it'll be very difficult (not impossible) to migrate your platform to a new VPC design without it taking down.
I hope you've learned how we can design a secure and scalable VPC network for micro-service architecture.
If you find this post useful, don't forget to hit 👏Clap