docs/part1/50-going-further.md
+4 -6
@@ -1,8 +1,8 @@
1
1
# Going further.....
2
2
3
-
In the interest of simplicity, as a gently introduction, this lab gives operator access through a VSI jumpbox in management and expose directly the application through public load-balancer attached to the worker VPC.
3
+
In the interest of simplicity, as a gentle introduction, this lab gives operator access through a VSI jumpbox in management and expose directly the application through public load-balancer attached to the worker VPC.
4
4
5
-
Whilst this approach provides a reasonable level of security and checks a number of compliance controls, and may be sufficient for a number of industries and enterprises, these sections describe a number of aspects to consider to enhance secure and compliance posture, including links to relevant documentation.
5
+
Whilst this approach provides a reasonable level of security and checks a number of compliance controls, and may be sufficient for a number of industries and enterprises, the sections below describe a number of aspects to consider to enhance secure and compliance posture, including links to relevant documentation and automation.
6
6
7
7
## Operator access
8
8
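Review bot: the grammar fix in new line 3 stops at "gentle"; the same sentence still reads "expose directly the application through public load-balancer", which should be "exposes the application directly through a public load balancer". New line 5 likewise keeps "enhance secure and compliance posture", where "security and compliance posture" is meant. Style point on the unchanged heading at line 1: "# Going further....." carries a run of trailing periods that will render verbatim; a plain "# Going further" is cleaner.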
@@ -18,10 +18,8 @@ From a compliance perspective, it is recommended to record all interactive opera
18
18
## Exposing the web application to the internet
19
19
20
20
In the lab, the workload is exposed through a public VPC load balancer attached to the workload VPC. There are a few additions that can be made to make the solution more secure:
21
-
22
21
1. Introduce a web application firewall in the flow. This can be done in two ways:
23
-
24
-
- As-a-service - typically done through adding a global load balancer, such as IBM Cloud CIS or Akamai in front of the VPC load balancer, and adding a network ACL on the VPC load balancer to accept inbound traffic only from the global load balancer set of known IPs
25
-
- Hosted – this can be achieved with 3rd party solution such as BigIP F5. This solution is deployed and hosted on machines that you run – for instance in VSIs in the landing-zone VPC topology. See [here](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-connectivity-waf-tutorial) for a tutorial.
22
+
- As-a-service - typically done through adding a global load balancer, such as IBM Cloud CIS or Akamai in front of the VPC load balancer, and adding a network ACL on the VPC load balancer to accept inbound traffic only from the global load balancer set of known IPs
23
+
- Hosted – this can be achieved with 3rd party solution such as BigIP F5. This solution is deployed and hosted on machines that you run – for instance in VSIs in the landing-zone VPC topology. See [here](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-connectivity-waf-tutorial) for a tutorial.
26
24
27
25
2. Create the public VPC load balancer in a separate ‘edge’ VPC. Route the traffic from the ‘edge’ VPC to the application running on the ‘workload’ VPC through a private load balancer (routable only from within the VPC topology). This approach ensures that there are no direct public network flows to the workload VPC. See this [page](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-connectivity-workload#consumer-provider-public-internet) for more details.
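Review bot: new lines 22 and 23 re-add the two sub-bullets with text identical to the removed lines 24 and 25, so if the intent (suggested by dropping the blank lines 21 and 23) is to nest them under item 1, make sure the indentation actually produces a nested list in the rendered Markdown; otherwise the churn should be explained in the commit message. While these lines are being touched: "As-a-service -" uses a hyphen where "Hosted –" uses an en dash, and "3rd party solution such as BigIP F5" should read "third-party solutions such as F5 BIG-IP". On the substance of the As-a-service bullet, restricting the VPC load balancer to the global load balancer's "set of known IPs" is only as strong as the upkeep of that list: the provider's published ranges change over time, so the network ACL that enforces the restriction needs an owner and a refresh procedure, which is worth stating or linking to here alongside the WAF tutorial.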