Overview
Background information
A growing number of enterprises need inter-VPC communication because of the wide adoption of service-oriented and microservices architectures, which let enterprises split their original architectures into multiple independent and scalable service modules. These modules are usually spread across different VPCs. In addition, more enterprises are starting to use the Alibaba Cloud Landing Zone and Well-Architected Framework to design their business architectures in the cloud. These practices encourage enterprises to build stable, secure, efficient, and scalable business architectures through careful account system and VPC design. This topic describes how to design an enterprise-class service sharing network for cross-account and cross-VPC communication.
Terms
VPC: VPCs are custom private networks that customers create on Alibaba Cloud. VPCs are isolated from each other. You can specify CIDR blocks, subnets, and route tables for your VPC.
Cloud Enterprise Network (CEN): CEN supports custom communication, isolation, and redirection policies in regions to help you build flexible, reliable, large-scale, and enterprise-class global networks.
Transit router: Transit routers are a type of CEN component. They are routers that connect different VPCs, VPN gateways, virtual border routers (VBRs), and cloud services. Transit routers support highly flexible routing features. For example, you can use multiple route tables and advanced routing policies to manage traffic forwarding in a complex network environment. Transit routers are key components if you want to design a complex network architecture that contains multiple VPCs across accounts. You can use transit routers to manage and control network traffic between different networks and simplify the network architecture and operations.
PrivateLink: You can use PrivateLink to unidirectionally access services deployed in other VPCs without the need to create NAT gateways or purchase elastic IP addresses (EIPs). PrivateLink provides higher data security and network quality because data is not transmitted over the Internet.
Network Intelligence Service (NIS): NIS provides a set of AIOps tools for you to manage the entire lifecycle of cloud networks from network design to network O&M. For example, you can use NIS to perform traffic analysis, network inspections, network performance monitoring, network diagnostics, path analysis, and topology creation. NIS helps you optimize your network architecture, improve network O&M efficiency, and reduce network operations costs.
Principles for designing an enterprise-class service sharing network
By combining transit routers and PrivateLink, enterprises can establish service-sharing tunnels to access shared services across accounts and VPCs in a simple, flexible, and secure way. The enterprise-class service sharing design must follow these principles:
Stability: Enterprises must prioritize stability when they design networks, and must deploy services across zones and establish multiple tunnels to ensure it.
Security compliance: Enterprises usually create large numbers of tenant accounts and VPCs to isolate faults and enforce security controls between business units. In this scenario, many enterprises need to access shared services deployed in different VPCs across accounts. Therefore, it is important for enterprises to design a secure, hierarchical service sharing architecture based on the least privilege principle.
High performance: In an enterprise-class service sharing environment, elasticity plays an important role in handling unexpected spikes of user traffic to shared services. To meet this challenge, enterprises can use transit routers together with PrivateLink to dynamically scale resources in order to handle fluctuating workloads and maintain service quality.
Key design
Stability
Transit routers and PrivateLink rely on the high-performance Network Functions Virtualization (NFV) platform. Therefore, they support inter-zone and intra-zone disaster recovery to ensure business reliability and stability.
When you want to connect production VPCs to the VPC where shared services are deployed, you can create transit routers in multiple zones to ensure high availability. In addition, you can deploy the vSwitches of transit routers and your businesses in the same zones for nearby access, which reduces the network latency.
When you use PrivateLink to access shared services through transit routers that function as proxies, you can create endpoints across zones to improve the availability of the proxies. Users can obtain the IP addresses of endpoints through DNS resolution.
Security
Using transit routers and PrivateLink to access shared services ensures that user traffic is forwarded only within the internal network of Alibaba Cloud. This eliminates the risk of data breaches arising from data transmission over the Internet.
When you access shared services through transit routers, you can create security groups, network ACLs, routes, multiple route tables, and multiple transit routers to build a hierarchical access control system to enhance the security of your network.
When you access shared services through PrivateLink, you can create security groups and authentication rules for the elastic network interfaces (ENIs) of the shared services to further enhance security and access control.
Performance
Cross-account communication: If each department or business unit has a separate account or business environment, you can use transit routers and PrivateLink to enable these departments or business units to communicate across accounts or environments and conduct account isolation and permission control at the same time.
Ultra-large scale: You can use transit routers to connect thousands of VPCs to the VPC where shared services are deployed.
Ultra-high elasticity: Transit routers can support 100G elastic networks. When you use a two-zone PrivateLink service, the inbound bandwidth can reach up to 50 Gbit/s and the outbound bandwidth can reach 25 Gbit/s. If you require higher bandwidth, contact Alibaba Cloud technical support.
Observability
After you enable the flow log feature for transit routers and PrivateLink, you can view inbound and outbound traffic that flows through ENIs in flow logs and use NIS to sort traffic flows. This ensures that your network is transparent and controllable and enables you to learn about access from each production environment to shared services.
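The following is an added example, not code from the original page or from Alibaba Cloud, of the kind of analysis the flow logs above enable: it parses flow log records for the ENIs of shared services, attributes each record to a production environment by source CIDR block, totals accepted bytes per environment and ENI, and separates out records whose source belongs to no known environment. The sample records, the environment mapping, and the ENI names are constructed for this example, and the field layout (version, account ID, ENI ID, source/destination address and port, protocol, packets, bytes, start, end, action, log status) is an assumption that should be checked against the flow log format documented for your account.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log records (not real data). Field layout is an
# assumption for this example; verify it against your flow log documentation.
SAMPLE_FLOW_LOGS = """\
1 1234567890123456 eni-shared-ad-01 172.16.1.25 10.10.0.5 51234 389 6 20 4096 1700000000 1700000060 ACCEPT OK
1 1234567890123456 eni-shared-ad-01 172.20.3.7 10.10.0.5 40001 389 6 8 1024 1700000000 1700000060 ACCEPT OK
1 1234567890123456 eni-shared-bastion-01 172.16.1.25 10.10.0.9 52001 22 6 100 65536 1700000000 1700000060 ACCEPT OK
1 1234567890123456 eni-shared-bastion-01 192.168.77.4 10.10.0.9 33000 22 6 3 180 1700000000 1700000060 REJECT OK
1 1234567890123456 eni-shared-ad-01 172.16.1.25 10.10.0.5 51235 389 6 5 512 1700000000 1700000060 ACCEPT OK
"""

# Constructed mapping from production environment CIDR blocks to department names.
ENVIRONMENTS = {
    ipaddress.ip_network("172.16.0.0/16"): "dev-test",
    ipaddress.ip_network("172.20.0.0/16"): "finance",
}

FIELDS = [
    "version", "account_id", "eni_id", "srcaddr", "dstaddr", "srcport", "dstport",
    "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_logs(text):
    """Parse whitespace-separated flow log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def environment_for(addr):
    """Name of the production environment whose CIDR block contains addr, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for net, name in ENVIRONMENTS.items():
        if ip in net:
            return name
    return "unknown"


def summarize(records):
    """Return (accepted bytes per (environment, ENI), records from unknown sources)."""
    usage = defaultdict(int)
    unknown = []
    for rec in records:
        env = environment_for(rec["srcaddr"])
        if env == "unknown":
            unknown.append(rec)
        if rec["action"] == "ACCEPT":
            usage[(env, rec["eni_id"])] += rec["bytes"]
    return dict(usage), unknown


if __name__ == "__main__":
    usage, unknown = summarize(parse_flow_logs(SAMPLE_FLOW_LOGS))
    for (env, eni), total in sorted(usage.items()):
        print(f"{env:10s} -> {eni:24s} {total} bytes")
    for rec in unknown:
        print(f"unknown source {rec['srcaddr']} -> {rec['eni_id']} ({rec['action']})")
```

The per-environment totals answer the "which production environment accesses which shared service" question from the paragraph above; the unknown-source list is what to review first, since by design every legitimate source should fall inside an environment CIDR block that was connected through a transit router.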
Best practices
Enterprises usually deploy the following types of public services in the cloud: internal public services and cloud services (public SaaS services).
Internal public services: such as Active Directory (AD) and Bastionhost. Internal public services are deployed in the public service VPC and accessed by different business teams through transit routers.
Public SaaS services: such as Container Registry and Object Storage Service (OSS). You can directly configure these services in the consoles and connect to the endpoints of these services through PrivateLink.
Enable multiple departments to access the public service VPC
Multiple network plane design
To isolate networks that belong to different departments, such as the development and testing, finance, HR, and administration departments, you can deploy multiple transit routers to create separate network planes. Each transit router connects to the VPC of a department. This ensures that the network planes are isolated from each other.
Public service VPC design
When multiple departments want to access public services from isolated networks, you can deploy the public services in the public service VPC. Then, the departments can connect to the public service VPC through their dedicated transit routers. When you connect the public service VPC to different transit routers, we recommend that you disable route synchronization so that routes in different environments do not conflict with each other. In addition, avoid using the default routes, including 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, to forward traffic to any transit router.
Fine-grained route design: We recommend that you use static routes to route traffic to different transit routers. If a route conflict occurs, adjust the sizes of the destination CIDR blocks based on the most specific route principle. For example, if the public service VPC needs to access the 172.16.1.0/24 CIDR block in the TR1 environment and the 172.16.0.0/16 CIDR block in the TR2 environment, create an attachment to TR1 for 172.16.1.0/24 and an attachment to TR2 for 172.16.0.0/16.
Public SaaS services
Design for accessing Alibaba Cloud public SaaS services
Alibaba Cloud SaaS services are classified into the following types:
Services that are deployed in VPCs (such as ApsaraDB RDS): Enterprises can use private addresses to access these services within a VPC or across VPCs.
Services that are not deployed in VPCs (such as OSS): Enterprises can access these services from their VPCs through the public CIDR block (100.64.0.0/10) provided by Alibaba Cloud. However, enterprises cannot access these services by using custom private addresses.
Services that use only public addresses (such as Alibaba Cloud Model Studio): These services cannot be accessed by using private addresses.
For SaaS services that do not use private addresses, if you want to access them through private addresses and centrally manage these addresses, you can use PrivateLink as a proxy to translate addresses.
Public service VPC design
Design the CIDR blocks of vSwitches connected to transit routers to enhance data transmission and security.
Deploy the vSwitches of PrivateLink endpoints across zones to ensure high availability and prevent single points of failure.
Design for accessing SaaS services from a production VPC
Connect both the production VPC and public service VPC to a transit router.
The production VPC connects to the transit router and then accesses SaaS services through PrivateLink endpoints in the public service VPC. The PrivateLink endpoints can be the private IP addresses or domain names of ENIs.
Add specific routes to the route table of the production VPC to route traffic to the SaaS services through PrivateLink. We recommend that you use the most specific routes so that route conflicts are avoided.
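The following is an added example, not code from the original page or from Alibaba Cloud, that models the two route designs described on this page: the fine-grained routes of the public service VPC toward the TR1 and TR2 environments (the 172.16.1.0/24 versus 172.16.0.0/16 case above), and the specific routes of a production VPC toward the PrivateLink endpoint vSwitches. It resolves a destination by longest-prefix match, as a VPC route table does, reports overlapping prefixes that point to different next hops, and flags any route whose destination is one of the RFC 1918 aggregates the page says must not be used to forward traffic to a transit router. The attachment names and the production VPC and endpoint CIDR blocks are constructed placeholders.

```python
import ipaddress

# The aggregates the design text says must not be used as destinations for
# traffic sent to a transit router.
DEFAULT_PRIVATE_BLOCKS = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Public service VPC route table from the page's own example. Attachment names
# are constructed placeholders, not real attachment IDs.
PUBLIC_SERVICE_VPC_ROUTES = {
    "172.16.1.0/24": "tr-attach-TR1",   # only this /24 is in the TR1 environment
    "172.16.0.0/16": "tr-attach-TR2",   # the rest of the /16 is in the TR2 environment
}

# Production VPC route table (constructed): reach the PrivateLink endpoint
# vSwitches, one per zone, in the public service VPC through the transit router.
PRODUCTION_VPC_ROUTES = {
    "10.10.1.0/24": "tr-attach-TR1",    # endpoint vSwitch, zone A
    "10.10.2.0/24": "tr-attach-TR1",    # endpoint vSwitch, zone B
}


def resolve(route_table, dest_ip):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, next_hop in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def find_default_routes(route_table):
    """Destinations that equal or contain an RFC 1918 aggregate (or 0.0.0.0/0)."""
    offending = []
    for cidr in route_table:
        net = ipaddress.ip_network(cidr)
        if any(net.supernet_of(block) for block in DEFAULT_PRIVATE_BLOCKS):
            offending.append(cidr)
    return offending


def find_overlaps(route_table):
    """(specific, broader) pairs with different next hops; resolved by the specific route."""
    nets = {ipaddress.ip_network(c): nh for c, nh in route_table.items()}
    pairs = []
    for a, hop_a in nets.items():
        for b, hop_b in nets.items():
            if a != b and a.subnet_of(b) and hop_a != hop_b:
                pairs.append((str(a), str(b)))
    return pairs


if __name__ == "__main__":
    for table_name, table in (("public service VPC", PUBLIC_SERVICE_VPC_ROUTES),
                              ("production VPC", PRODUCTION_VPC_ROUTES)):
        print(f"{table_name}: default-block routes {find_default_routes(table)}, "
              f"overlaps {find_overlaps(table)}")
    print("172.16.1.10 ->", resolve(PUBLIC_SERVICE_VPC_ROUTES, "172.16.1.10"))
    print("172.16.5.10 ->", resolve(PUBLIC_SERVICE_VPC_ROUTES, "172.16.5.10"))
```

Running `find_default_routes` and `find_overlaps` over a proposed route table before you create the attachments is a cheap check that the design above is honoured: an overlap between prefixes with different next hops is acceptable only if the more specific prefix is the one that should win, and any default-block route toward a transit router is a design error regardless of next hop.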
Use scenarios
Using multiple VPCs and accounts can greatly improve security, flexibility, and management efficiency. You can combine this solution with the service sharing architecture to isolate services and resources in different virtual networks and accounts in order to optimize resource management and enhance security. Enterprise-class service sharing applies to the following scenarios:
Multi-department authentication (use an Active Directory system to manage production environments in the cloud): Each department of the enterprise has a separate account and VPC. Some departments may even use a separate network. In this scenario, the enterprise needs an enterprise-class Active Directory system for authentication and logon management. To do this, deploy Active Directory domain services in the VPCs of shared services and add them to the transit routers of different departments. This not only guarantees the independence and security of each environment but also seamlessly interfaces the Active Directory system with the transit router environments to support unified user authentication and management. In addition, it simplifies access control and IT management, and enables employees to efficiently access resources from anywhere or any department. This greatly improves the flexibility and response speed of your business system.
Security and O&M (use Bastionhost to centrally manage logons and access): To enhance security and monitoring, the O&M teams of large-sized enterprises usually require a unified and secure environment to conduct daily O&M and management activities. In this scenario, Bastionhost is deployed in a VPC that is then connected to transit router environments. This way, Bastionhost can provide endpoints for security and centralized management, and monitor and limit access to key systems. With the help of Bastionhost, enterprises can audit and record the activities of administrators, monitor and trace high-risk operations, and simplify cross-VPC and cross-account access management. This significantly improves security and efficiency.
Enterprise-class shared storage (use PrivateLink to access shared OSS buckets): In large and medium-sized enterprises, storage services are key services shared by departments. To ensure security and high resource utilization, storage resources are usually deployed in a unified environment and then shared to different departments. The enterprise can use PrivateLink to access the shared OSS resources and combine it with an authentication system to establish secure and fast data transmission channels. PrivateLink guarantees efficient data transmission on the cloud and avoids exposing data to the Internet. This solution allows secure storage resource sharing across environments, guarantees network isolation and data confidentiality, and optimizes resource management and data security policies.
Virtualize the architecture on CADT
Enterprise-class service sharing design
Scenario | Item | References |
Enterprise-class service sharing design | Template ID | C25E5F0DE12CJBPN |
Enterprise-class service sharing design | Template library address | |
Enterprise-class service sharing design | Sample code | |
Visualized deployment architecture

Procedures
Visualization deployment
Create required cloud resources, including two VPCs, six vSwitches, and the PrivateLink service.
Create an application based on a template. The default region is China (Hangzhou). Create the cloud resources, instead of using existing cloud resources.
Save and verify the application, and calculate the fees. In this example, all cloud resources are billed on a pay-as-you-go basis.
Confirm the configurations, select a protocol, and start the deployment of all resources. Routes are automatically configured.
API calls
Call the corresponding API operations to deploy and use cloud resources.
Refer to the documentation to initialize the configurations by using a command-line interface (CLI).
Refer to the sample YAML file to deploy and output the architecture.
If you want to change the region, change the value of the area_id field. For example, change cn-hangzhou to cn-shanghai.