Editorial review of part 1 #3
Merged 1 commit on Aug 18, 2023
43 changes: 26 additions & 17 deletions docs/part1/00-objectives.md
@@ -1,30 +1,39 @@
# Part 1: End-to-end deployment of a sample web application on top of a secure VPC-topology
# Part 1: End-to-end deployment of a sample web application on a secure VPC topology

This section of the lab walks through the steps to provision a secure VPC-based topology aligned with the with Financial the **VSI on VPC landing zone** Deployable Architecture as show in the diagram below.
In part 1, you provision a secure VPC-based topology that is aligned with the **VSI on VPC landing zone** deployable architecture, as shown in the following diagram.

![](https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone/main/reference-architectures/vsi-vsi.drawio.svg 'size=60%' )

We will then manually customize the deployed infrastructure to:
1. Expose one of the VSI in the management VPC to act as a "jump box" for operator access. This jump box is the entry point for operators to access the VSIs in the workload VPC.
2. Deploy an Apache server in a VSI in the workload VPC.
3. Expose the web pages served by the Apache service to the internet through a public load balancer.

After you provision the VPC, you customize the deployed infrastructure in the following ways:
- Expose one of the VSI in the management VPC to act as a "jump box" for operator access. This jump box is the entry point for operators to access the VSIs in the workload VPC.
- Deploy an Apache server in a VSI in the workload VPC.
- Expose the web pages that are served by the Apache server to the internet through a public load balancer.

## Lab Prerequisites :white_check_mark:

?> _TODO_ review

Make sure that you meet the following prerequisites before you begin the lab.

- An IBM Cloud Pay-As-You-Go or Subscription account.
:information_source: **Note**: Participants in the TechXchange classroom will be provided with credentials to access an IBM Cloud account for the duration of the lab.
- An IBMId
- API Key with the following permissions...
- IBM Cloud
- An IBM Cloud Pay-Go or Subscription account

A development machine with the following software:
- [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
- Text editor of your choice
- Web browser
- Tools to generate SSH key. Linux and Mac comes with ssh-keygen. [PuTTYgen](https://www.ssh.com/academy/ssh/putty/windows/puttygen) can be used on Windows. See [Generating an external SSH key](https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys&interface=ui#generating-ssh-keys)
- Optional: [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started)
:information_source: **Note**: Participants in the TechXchange classroom will be provided with credentials to access an IBM Cloud account during the lab.
- An IBMid
- API key with the following permissions

:information_source: **Note**: Participants in the TechXchange classroom will be provided with a development VM with pre-installed software.
?> _TODO_ review

- A development computer with the following software.
- [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
- Text editor of your choice
- Web browser
- Tools to generate SSH key
- Linux and Mac come with ssh-keygen.
- Windows users can use [PuTTYgen](https://www.ssh.com/academy/ssh/putty/windows/puttygen)

For more information, see [Generating an external SSH key](https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys&interface=ui#generating-ssh-keys).
- Optional: [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started)

:information_source: **Note**: Participants in the TechXchange classroom will be provided with a development VM with the prerequisite software installed.
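Review bot: The new prerequisites list ends at "API key with the following permissions" without naming any permissions, and the `?> _TODO_ review` callout is still in the shipped text; either enumerate the IAM roles the deployable architecture needs (or link to where they are documented) or drop "with the following permissions", and remove the TODO before merge. Also, the classroom note now sits between the list items "An IBM Cloud Pay-Go or Subscription account" and "An IBMid", which splits the list; move it above or below the list, or indent it under the account item.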
128 changes: 75 additions & 53 deletions docs/part1/10-project.md
@@ -1,53 +1,75 @@
# Deploying Landing Zone VSI pattern through IBM Cloud Project

1. On your machine, create an SSH key pair via the command:
```
ssh-keygen -t rsa -b 4096 -N '' -f ./lab-key
```
This command generates two files in the current directory: `lab-key` (the private key) and `lab-key.pub` (the public key).
Verify that the keys have been created in the current directory.
```
ls lab-key*
```
This should return:
```
lab-key lab-key.pub
```
2. Access the [VSI on VPC landing zone Deployable Architecture](https://cloud.ibm.com/catalog/architecture/deploy-arch-ibm-slz-vsi-ef663980-4c71-4fac-af4f-4a510a9bcf68-global?catalog_query=aHR0cHM6Ly9jbG91ZC5pYm0uY29tL2NhdGFsb2cjcmVmZXJlbmNlX2FyY2hpdGVjdHVyZQ%3D%3D)
3. On the Overview page, make sure the following is selected:\
a. Product version: **Select the latest** (4.4.7 at the time of writting)

b. Variation: Standard
![Overview page](../images/part-1/10-overview-page.png)
4. Click **Review deployment options** on the bottom right
5. Click **Add to project**
6. Under _Create New_, input a name that you wish to provide to the project. For example "\<your initials\> Landing Zone Lab"
7. Click **Add** on the bottom right
8. Under _Configure -> Security_ section, set the following:\
a. Authentication: untoggle _Use a secret_ and paste your IBM Cloud API key input the box

9. Under _Configure->Required_ section, set the following:\
a. `ssh_public_key`: The value of lab-key.pub that was generated from step 1\
b. `region`: Select a region that you wish to deploy in\
c. `prefix`: your initials
![Configuration](../images/part-1/10-configuration.png)

10. Under _Configure-> Optional_, set the following:\
a. `add_atracker_route`: false
11. Click **Save**
12. Click **Validate**
13. The project will go through different steps in validation. When it completes, the validation is marked as successful. In the _Approval pending_ section, add a comment and click **Approve** to start provisioning.

![Validation](../images/part-1/10-validation.png)

14. Click **Deploy**


:information_source: **Note**: The deploy will take approximately 15 minutes to complete. Some suggestions during this time:
- You may following the execution logs. Of interest:
![Deployment](../images/part-1/10-deployment.png)
- The terraform plan steps shows the list of resources that are going to be created.
- The terraform apply steps shows the resources that are being created.
- You may also navigate to the [VPC section](https://cloud.ibm.com/vpc-ext/vpcLayout) and the [resource list](https://cloud.ibm.com/resources) in your account to see the resources starting to spawn up as you refresh the screen during the execution.
- Explore in more details some of the materials in the [introduction section](README)
- Coffee ☕
# Deploying the Landing Zone VSI pattern through IBM Cloud projects

1. On your computer, create an SSH key pair by issuing the following command:

```sh
ssh-keygen -t rsa -b 4096 -N '' -f ./lab-key
```

This command generates two files in the current directory: `lab-key` (the private key) and `lab-key.pub` (the public key.

List the keys exist in the current directory with the following command:

```sh
ls lab-key*
```

If the SSH key pair succeeded, the output lists them:

```sh
lab-key lab-key.pub
```

1. Add the deployable architecture to a project:

1. Access the [VSI on VPC landing zone Deployable Architecture](https://cloud.ibm.com/catalog/architecture/deploy-arch-ibm-slz-vsi-ef663980-4c71-4fac-af4f-4a510a9bcf68-global?catalog_query=aHR0cHM6Ly9jbG91ZC5pYm0uY29tL2NhdGFsb2cjcmVmZXJlbmNlX2FyY2hpdGVjdHVyZQ%3D%3D) in IBM Cloud.
1. On the VSI on VPC landing zone details page, make sure that the following settings are selected:
a. Product version: **Select the latest** (`4.4.7`` at the time of writing).
b. Variation: `Standard`

![Details page](../images/part-1/10-overview-page.png)

1. Click **Review deployment options** on the lower right.
1. Click **Add to project**.
1. In **Create New**, enter a name for the project. For example, "\<your initials\> Landing Zone Lab". You can leave the other information as is.
1. Click **Add** on the lower right.

1. Configure the project
1. In the **Configure** > **Security** section, specify the following information:
a. Authentication: Clear **Use a secret** and paste in your IBM Cloud API key.

1. In the **Configure** > **Required** section, specify the following settings:
a. `ssh_public_key`: The value of the `lab-key.pub` file that you generated in step 1.
b. `region`: The region that you want to deploy in.
c. `prefix`: Your initials.

![Configuration](../images/part-1/10-configuration.png)

1. In the **Configure** > **Optional**, set the following options:
a. `add_atracker_route`: `false`.
1. Click **Save**.

1. Validate and deploy the deployable architecture:
1. Click **Validate**.

The project runs through several validation steps. When it finishes, the validation is marked as successful. In the **Approval pending** section, add a comment and click **Approve** to start provisioning.

![Validation](../images/part-1/10-validation.png)

1. Click **Deploy**

:information_source: **Tip**: Deployment takes approximately 15 minutes to complete.

1. While you wait for the deployment to finish, consider doing these things:

- Look at the deployment logs:
- The Terraform plan steps show the list of resources that are going to be created.
- The Terraform apply steps shows the resources that are being created.

Example:

![Deployment](../images/part-1/10-deployment.png)

- Go to the [VPC section](https://cloud.ibm.com/vpc-ext/vpcLayout) and the [resource list](https://cloud.ibm.com/resources) in your IBM Cloud account. Refresh the screen to see the resources that are created during deployment.
- Explore some of the materials in the [introduction](README) to this lab.
- Have a coffee ☕
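Review bot: Two typos in the rewritten text: "`lab-key.pub` (the public key." is missing its closing parenthesis, and "`4.4.7``" carries a stray backtick. In the key-generation step it is also worth saying what `-N ''` does: it writes the private key with an empty passphrase, so `lab-key` is an unencrypted credential and needs the same protection as a password. Smaller wording points: "List the keys exist in the current directory" reads better as "Confirm that the keys exist in the current directory", "In the **Configure** > **Optional**, set" is missing "section", and "The Terraform apply steps shows" should be "show".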
55 changes: 34 additions & 21 deletions docs/part1/20-operator-access.md
@@ -1,40 +1,53 @@
# Providing operator access to the VPC landing zone

## Introduction
## Overview of operator access

By default, network access to the VPC landing zone topology is locked down for security compliance reasons. In this section, you will open up the necessary access for an operator to access the VPC environment, including deploying application on the VSIs located in the workload VPC.
By default, network access to the VPC landing zone topology is locked down for security compliance reasons. In this part of the lab, you open the necessary access for an operator to access the VPC environment, including deploying application on the VSIs located in the workload VPC.

Operator access is provided through the _Management VPC_. There are multiple ways to give operator access to the VPC landing zone, with varying level of security, compliance, and ease of enablement:
You give operator access through the _Management VPC_. You have several options to give operator access, with varying level of security, compliance, and ease of enablement.

- Exposing a VSI in the management VPC as a ‘jump-box’ by assigning a public floating IP
- Deploying a client-to-site VPN solution in the management VPC
- Deploying a site-to-site VPN solution in the management VPC
- Deploying a certified bastion solution, such as Gravitational Teleport in the management VPC.

This part of the lab shows how to expose one of the VSI in the management VPC as a 'jump-box', as this is one of the simplest way to proceed, albeit not being strongly secure. The [Going Further](./part1/50-going-further) section below provides links to some of the other ways to provide operator access.
In this lab, you expose one of the VSIs in the management VPC as a 'jump-box'. This method is one of the simplest ways to proceed, although it is not overly secure. The [Going further](./part1/50-going-further) section later in the lab provides links to some of the other ways that you can provide operator access.

## Steps

Perform the following actions to enable public ssh access to one of the VSI in the management VPC. This VSI will be the unique operator entry point ('jump-box') to the landing zone VPC topology.
Complete the following steps to enable public SSH access to one of the VSI in the management VPC. This VSI is the unique operator entry point ('jump-box') to the landing zone VPC topology.

1. Access the [Virtual server instances for VPC list](https://cloud.ibm.com/vpc-ext/compute/vs)
2. Verify that the region is set to the region you provisioned your resources and click the VSI labeled _&lt;initials&gt;-management-server-1_
3. Add a Floating IP address by clicking the pencil icon in the Network Interface section and reserve a new floating IP
![Pencil icon](../images/part-1/20-network-int-pencil.png)
1. Access the [Virtual server instances for VPC list](https://cloud.ibm.com/vpc-ext/compute/vs).
2. Verify that the region is set to the region you provisioned your resources and click the VSI labeled `<your_initials>-management-server-1`.
3. Add a floating IP address by clicking the pencil icon in the Network Interface section. Reserve a new floating IP address.

![Floating IP](../images/part-1/20-floating-ip.png)
![Pencil icon](../images/part-1/20-network-int-pencil.png)

4. Take note of the public Floating IP. This IP will be used in a subsequent step.
5. In the [Security Groups for VPC](https://cloud.ibm.com/vpc-ext/network/securityGroups), click the one labelled _&lt;initials&gt;-management_
6. Go to the Rules section and allow port 22 for inbound by clicking **Create** in the _Inbound rules_ section (Note: Security groups are stateful so you don’t need to add a corresponding outbound rule)
:exclamation: **Important**: Take note of the public floating IP address. You need it later.

![Allow SSH in Security group](../images/part-1/20-ssh-sg.png)
![Floating IP address](../images/part-1/20-floating-ip.png)

7. Click **Create**
8. In the [Access control lists for VPC](https://cloud.ibm.com/vpc-ext/network/acl), click the one labeled _&lt;initials&gt;-management-acl_
5. In the [Security Groups for VPC](https://cloud.ibm.com/vpc-ext/network/securityGroups), click the one labeled `<your_initials>-management`.
6. Go to the Rules section and allow port 22 for inbound by clicking **Create** in the _Inbound rules_ section.

:information_source: **Tip**: Security groups are stateful so you don’t need to add a corresponding outbound rule.

![Allow SSH in Security group](../images/part-1/20-ssh-sg.png)

7. Click **Create**.
8. In the [Access control lists for VPC](https://cloud.ibm.com/vpc-ext/network/acl), click the one labeled `<your_initials>-management-acl`.
9. Create the following ACL inbound rule:
![SSH ACL Inbound rule](../images/part-1/20-ssh-acl-inbound.png)
10. Create the folloiwng ACL outbound rule:
![SSH ACL Outbound rule](../images/part-1/20-ssh-acl-outbound.png)
11. You will now be able to access the 'jump-box' through the public Floating IP address that you provisioned in a prior step. On your workstation, issue the following command from a terminal\
`ssh -i ./lab-key root@<Floating IP of Virtual server instance>`

![SSH ACL Inbound rule](../images/part-1/20-ssh-acl-inbound.png)

10. Create the following ACL outbound rule:

![SSH ACL Outbound rule](../images/part-1/20-ssh-acl-outbound.png)

11. You can now access the 'jump-box' through the public floating IP address that you provisioned earlier. On your computer, issue the following command from the terminal or command window:

```sh
ssh -i ./lab-key root@<Floating IP of Virtual server instance>
```

Replace \<Floating IP of Virtual server instance> with the address that you reserved earlier.
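Review bot: Step 6 tells the reader to allow inbound port 22 but the rule's source is visible only in the screenshot; state the source field in text and recommend limiting it to the operator's own public IP range rather than any address, since this rule is what exposes the jump box to the internet. Steps 9 and 10 likewise define the ACL rules by image alone; list protocol, port range, source/destination and action for each rule in text so they are readable without the images and can be checked against what the reader enters. Grammar carried over from the old text: "deploying application on the VSIs" should be "applications", "varying level of security" should be "levels", "one of the VSI in the management VPC" should be "VSIs", and "the region you provisioned your resources" needs "in".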