Learn to design a secure and scalable VPC network for a micro-services architecture.
Introduction
In this post, I’ll be covering a high-level design of a secure and scalable VPC network for a micro-service architecture. I’ll use AWS as the primary example; however, the design can be applied to any cloud provider with an Amazon VPC-like networking model. If you are unfamiliar with the VPC concept, you can learn more about it here.
VPC and Subnets
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network.
When creating a new VPC, the maximum allowed block size is /16, which gives us 65,536 IP addresses. We can further divide it into smaller CIDR blocks to form multiple subnets within the VPC. The smallest allowed block size is a /28 — 16 IP addresses.
AWS reserves the first four IP addresses and the last IP address in each subnet CIDR block. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved: 10.0.0.0, 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.255.
For a small to medium scale architecture with fewer than 50 micro-services, you can get started with a block size of /21 — 2046 IP addresses. Here’s a breakdown:
Foundation network — /21
Micro-services A network — /21
Micro-services B network — /21
…
Micro-services X network — /21
AWS allows us to extend the VPC network by associating another /16 CIDR block with our VPC, which doesn’t require VPC peering. See here.
Foundational network
The foundation network is a shared network that hosts resources common to all micro-services, such as the public load balancer, the private load balancer for service-to-service communication, VPC Interface Endpoints, etc.
The foundation network usually has two subnets (plus an optional spare):
Public subnet — Internet-facing resources (e.g. public ALB, NAT Gateway, Cloud9)
Private subnet — Private resources (e.g. private ALB, VPC Interface Endpoints)
(Optional) Spare subnet — Reserved for future use
Fig: Foundation network
Micro-services network
A micro-service network is a dedicated network allocated to an individual micro-service to host its AWS resources.
A micro-service network usually has two subnets:
Stateful subnet — Database resources (e.g. RDS, ElastiCache)
Stateless subnet — Application resources (e.g. Lambda, ECS)
Fig: Micro-services network
Security with Network ACL
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall controlling inbound (ingress) and outbound (egress) traffic to and from your subnets.
In this VPC design we can use Network ACLs to control the inbound and outbound traffic of each micro-service network at a fine grain.
In addition to security groups, we can use this subnet-level firewall to allow or deny one micro-service from communicating with another, which is ideal for protecting and isolating stateful resources.
Be aware of overly restrictive NACL rules: NACLs are stateless, so return traffic on ephemeral ports must be allowed explicitly or connections will silently fail. Thank me later!
AWS NACLs have a hard limit of 20 rules. AWS recommends staying below 20 rules to avoid a network performance hit caused by the increased workload of processing additional rules.
Fig: Securing micro-services network using Network ACL’s
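As an added example (not code from the original post), here is a small Python script that carves a /16 VPC into the /21 networks and subnets described above, accounts for the five reserved addresses per subnet, and generates an isolating NACL for a stateful subnet that includes the explicit ephemeral-port return rule and a rule-count check. The VPC CIDR, service names, /22 and /23 subnet splits and database ports are assumptions made for illustration.

```python
import ipaddress

RESERVED_PER_SUBNET = 5   # AWS takes the first four addresses and the last one of every subnet
NACL_RULE_LIMIT = 20      # the per-NACL rule limit quoted above (AWS applies it per direction)

def reserved_addresses(cidr):
    """The five addresses AWS reserves in a subnet, e.g. 10.0.0.0-3 and 10.0.0.255 in 10.0.0.0/24."""
    net = ipaddress.ip_network(cidr)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]

def usable_addresses(cidr):
    """Addresses left for network interfaces once the reserved ones are removed."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen > 28:
        raise ValueError(f"{cidr}: AWS subnets cannot be smaller than /28")
    return net.num_addresses - RESERVED_PER_SUBNET

def plan_vpc(vpc_cidr, services):
    """Carve the VPC into /21 networks: the first for the foundation network,
    one per micro-service, each split into the subnets described above (assumed sizes)."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=21))
    if len(services) + 1 > len(blocks):
        raise ValueError(f"{vpc_cidr} holds only {len(blocks)} /21 networks; "
                         "associate a secondary CIDR block with the VPC")
    public, rest = blocks[0].subnets(new_prefix=22)     # foundation: /22 public,
    private, spare = rest.subnets(new_prefix=23)        # /23 private, /23 spare
    plan = {"foundation": {"public": str(public), "private": str(private), "spare": str(spare)}}
    for name, block in zip(services, blocks[1:]):
        stateless, stateful = block.subnets(new_prefix=22)  # one /22 each
        plan[name] = {"stateless": str(stateless), "stateful": str(stateful)}
    return plan

def stateful_nacl_rules(allowed):
    """NACL for a stateful subnet. `allowed` maps a source CIDR (normally the service's
    own stateless subnet) to the database ports it may reach. NACLs are stateless, so
    replies to each source on ephemeral ports (1024-65535) need an explicit outbound allow."""
    deny_all = ("deny", "-1", "0.0.0.0/0", 0, 65535)   # explicit catch-all deny
    rules = {
        "inbound": [("allow", "tcp", c, p, p) for c, ports in allowed.items() for p in ports] + [deny_all],
        "outbound": [("allow", "tcp", c, 1024, 65535) for c in allowed] + [deny_all],
    }
    for direction, entries in rules.items():
        if len(entries) > NACL_RULE_LIMIT:
            raise ValueError(f"{len(entries)} {direction} rules exceed the {NACL_RULE_LIMIT}-rule limit")
    # number the rules 100, 110, ...; AWS evaluates them in ascending order, first match wins
    return {d: [(100 + 10 * i, *r) for i, r in enumerate(e)] for d, e in rules.items()}
```

Calling `plan_vpc("10.0.0.0/16", ["orders", "payments"])` gives the foundation network 10.0.0.0/21 and each service its own /21, and `stateful_nacl_rules({"10.0.8.0/22": [5432, 6379]})` yields three inbound and two outbound rules for the orders stateful subnet.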
Conclusion
Designing a VPC network should be part of your micro-service architecture design from early on. Otherwise, it will be very difficult (though not impossible) to migrate your platform to a new VPC design without taking it down.
I hope you’ve learned how to design a secure and scalable VPC network for micro-service architecture.
If you find this post useful, cheers 🍻