
Design Secure & Scalable VPC for Micro-service Architecture

Puru ・3 min read

Learn how to design a secure and scalable VPC network for a micro-services architecture.

Introduction

In this post, I'll be covering a high-level design of a secure and scalable VPC network for a micro-service architecture. I'll be using AWS as the primary example; however, the design can be applied to any cloud provider with an Amazon VPC-like networking model.

Let's get started!

VPC and Subnets

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network.

When creating a new VPC, the maximum allowed block size is a /16, which gives us 65,536 IP addresses. We can further divide it into smaller CIDR blocks to form multiple subnets within the VPC. The smallest allowed block size is a /28, which gives 16 IP addresses.

NOTE: AWS reserves the first four IP addresses and the last IP address in each subnet CIDR block. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved: 10.0.0.0, 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.255.

For a small to medium scale architecture with fewer than 50 micro-services, you can get started with a block size of /21 - 2046 IP addresses - per network. Here's a breakdown:

  • Foundation network  -  /21
  • Micro-services A network  -  /21
  • Micro-services B network  -  /21
  • Micro-services X network  -  /21

NOTE: AWS allows us to extend the VPC network by associating another /16 CIDR block with our VPC, and this doesn't require VPC peering.


Foundational network

The foundational network is a common network that hosts resources shared by all micro-services, such as the public load balancer, the private load balancer for service-to-service communication, VPC Interface Endpoints, etc.

The foundation network usually has two subnets:

  • Public subnet - Internet-facing resources (e.g., public ALB, NAT Gateway, Cloud9)
  • Private subnet - Private resources (e.g., private ALB, VPC Interface Endpoints)
  • (Optional) Spare subnet - Future use

Fig: Foundation network


Micro-services network

The micro-services network is a dedicated network allocated to an individual micro-service to host its resources.

A micro-service network usually has two subnets:

  • Stateful subnet - Database resources (e.g., RDS, ElastiCache)
  • Stateless subnet - Application resources (e.g., Lambda, ECS)

Fig: Micro-service on its own network


🔒 Secure network with Network ACL's

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

In this VPC design we can leverage Network ACLs for fine-grained control of both the inbound and outbound traffic of each micro-service network.

In addition to the security group firewall, we can use this subnet-level firewall to allow or deny one micro-service from communicating with another, especially to protect and isolate stateful resources.

Be aware of adding overly restrictive NACL rules. Thank me later!

NOTE: AWS NACLs have a hard limit of 20 rules, and AWS recommends staying below 20 rules to avoid the network performance hit from the increased workload of processing additional rules.

Fig: Secure micro-services network using Network ACL's
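As an added example (not code from the post), the CIDR carve-up from the VPC and Subnets section and the Network ACL behaviour from this section can be checked in Python: the /16 is split into /21 networks, each micro-service /21 into a stateless and a stateful half, and a small model of NACL evaluation (lowest-numbered matching rule wins, the implicit `*` rule denies, and because NACLs are stateless the reply traffic needs its own outbound rule) is run against sample addresses. The layout, rule numbers and the PostgreSQL port 5432 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed layout following the post: one /16 VPC carved into /21 networks.
VPC = ipaddress.ip_network("10.0.0.0/16")
foundation, svc_a, svc_b = list(VPC.subnets(new_prefix=21))[:3]
# Each micro-service /21 is split into a stateless (app) and a stateful (db) /22.
svc_a_stateless, svc_a_stateful = svc_a.subnets(new_prefix=22)
svc_b_stateless, svc_b_stateful = svc_b.subnets(new_prefix=22)

AWS_RESERVED_PER_SUBNET = 5  # first four addresses plus the last one

def usable_addresses(subnet):
    """Addresses left for resources after AWS's reserved ones."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET

@dataclass
class Rule:
    number: int                   # evaluated in ascending order; first match wins
    action: str                   # "allow" or "deny"
    peer: ipaddress.IPv4Network   # source (inbound) or destination (outbound) CIDR
    ports: range                  # destination ports, Python half-open range

def evaluate(rules, peer_ip, port):
    """Mimic NACL evaluation: lowest-numbered match decides, else the '*' rule denies."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in rule.peer and port in rule.ports:
            return rule.action
    return "deny"

# NACL for service A's stateful subnet (constructed). NACLs are stateless, so the
# replies need an explicit outbound rule for the ephemeral port range 1024-65535.
STATEFUL_A_INBOUND = [
    Rule(100, "allow", svc_a_stateless, range(5432, 5433)),  # A's app tier -> PostgreSQL
    Rule(200, "deny", svc_b, range(0, 65536)),               # documents isolation from B
]
STATEFUL_A_OUTBOUND = [
    Rule(100, "allow", svc_a_stateless, range(1024, 65536)), # replies back to app tier
]

def within_rule_budget(*rule_lists, limit=20):
    """Stay within the rule count the post warns about."""
    return all(len(rules) <= limit for rules in rule_lists)

if __name__ == "__main__":
    print(f"foundation={foundation} A={svc_a} B={svc_b} A.db={svc_a_stateful}")
    print(evaluate(STATEFUL_A_INBOUND, "10.0.8.10", 5432))   # allow
    print(evaluate(STATEFUL_A_INBOUND, "10.0.16.10", 5432))  # deny
```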

Conclusion

Designing the VPC network should be part of your micro-service architecture design from early on. Later, it will be very difficult (though not impossible) to migrate your platform to a new VPC design without taking it down.

I hope you've learned how to design a secure and scalable VPC network for a micro-service architecture.

If you find this post useful, don't forget to hit 👏Clap
