---
copyright:
  years: 2023, 2024
lastupdated: "2024-07-22"
keywords:
subcollection: secure-infrastructure-vpc
---

{{site.data.keyword.attribute-definition-list}}

# Planning for the landing zone deployable architectures
{: #plan}

Before you begin the deployment of a landing zone deployable architecture, make sure that you understand and meet the prerequisites.
{: shortdesc}

## Confirm your {{site.data.keyword.cloud_notm}} settings
{: #vpc-cloud-prereqs}

Complete the following steps before you deploy the VPC landing zone deployable architecture.

1. Confirm or set up an {{site.data.keyword.cloud_notm}} account:

    Make sure that you have an {{site.data.keyword.cloud_notm}} Pay-As-You-Go or Subscription account:

2. Configure your {{site.data.keyword.cloud_notm}} account:

    1. Log in to {{site.data.keyword.cloud_notm}} with the {{site.data.keyword.ibmid}} that you used to set up the account. This {{site.data.keyword.ibmid}} user is the account owner and has full IAM access.
    2. Complete the company profile and contact information for the account. This profile is required for compliance with the {{site.data.keyword.cloud_notm}} Financial Services profile.
    3. Enable the Financial Services Validated option for your account.
    4. Enable virtual routing and forwarding (VRF) and service endpoints by creating a support case. Follow the instructions in enabling VRF and service endpoints.

## Set the IAM permissions
{: #vpc-iam-prereqs}

1. Set up account access ({{site.data.keyword.iamshort}} (IAM)):
    1. Create an {{site.data.keyword.cloud_notm}} API key. The user who owns this key must have the Administrator role.

        Service ID API keys are not supported for the Red Hat OpenShift Container Platform on VPC landing zone deployable architecture.
        {: tip}

    2. For compliance with {{site.data.keyword.framework-fs_notm}}: Require users in your account to use multifactor authentication (MFA).

    3. Set up access groups.

        User access to {{site.data.keyword.cloud_notm}} resources is controlled by using the access policies that are assigned to access groups. For {{site.data.keyword.cloud_notm}} Financial Services validation, do not assign direct IAM access to any {{site.data.keyword.cloud_notm}} resources.

        Select All Identity and Access enabled services when you assign access to the group.
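As an added example that is not part of this documentation or of the deployable architecture, the following Python script audits a list of IAM access policies against the two access-group rules above: no direct IAM access to users or service IDs, and group policies that cover All Identity and Access enabled services. It assumes the record shape returned by the IAM Policy Management v1 policies API; the sample policies, account ID, access group IDs and IBMid are constructed placeholders.

```python
# Added example (not from the IBM Cloud docs or the landing zone project):
# audit IAM access policies for the two rules above. Input is a constructed
# sample in the shape the IAM Policy Management API returns for
# GET /v1/policies?account_id=...; all ids and values are placeholders.
ACCOUNT_ID = "ACCOUNT_ID_PLACEHOLDER"
# Resource attribute that stands for "All Identity and Access enabled services".
ALL_SERVICES = {"name": "serviceType", "value": "service"}

def policy(pid, subject, role, *resource_attrs):
    """Build one policy record in API shape (helper for the sample only)."""
    return {
        "id": pid,
        "subjects": [{"attributes": [subject]}],
        "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::role:{role}"}],
        "resources": [{"attributes": [{"name": "accountId", "value": ACCOUNT_ID}, *resource_attrs]}],
    }

# Constructed sample: one compliant policy, one direct user grant, one narrowly scoped group policy.
SAMPLE_POLICIES = [
    policy("policy-1", {"name": "access_group_id", "value": "AccessGroupId-LZ-ADMINS"},
           "Administrator", ALL_SERVICES),
    policy("policy-2", {"name": "iam_id", "value": "IBMid-EXAMPLE"},
           "Editor", {"name": "serviceName", "value": "is"}),
    policy("policy-3", {"name": "access_group_id", "value": "AccessGroupId-LZ-OPS"},
           "Viewer", {"name": "serviceName", "value": "cloud-object-storage"}),
]

def _attrs(entries):
    """Flatten [{"attributes": [{"name": .., "value": ..}, ...]}, ...] into one dict."""
    return {a["name"]: a["value"] for e in entries for a in e.get("attributes", [])}

def audit_policies(policies):
    """Return (policy_id, severity, message) for every policy that needs attention."""
    findings = []
    for pol in policies:
        subj = _attrs(pol["subjects"])
        res = _attrs(pol["resources"])
        if "access_group_id" not in subj:
            # Direct grant to a user (iam_id) or a service ID: not allowed for FS validation.
            findings.append((pol["id"], "violation",
                             "direct IAM access via " + ", ".join(sorted(subj))))
        elif res.get("serviceType") != "service":
            # Group policy, but not "All Identity and Access enabled services": review the scope.
            scope = res.get("serviceName") or res.get("resourceGroupId") or "a resource subset"
            findings.append((pol["id"], "review", f"access group scoped to {scope}"))
    return findings

if __name__ == "__main__":
    for pid, sev, msg in audit_policies(SAMPLE_POLICIES):
        print(f"{sev:9} {pid}: {msg}")
```

Feed it the real policy list exported from your account and treat every `violation` line as a blocker for Financial Services validation.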

## Verify access roles
{: #vpc-access-roles}

IAM access roles are required to install this deployable architecture and create all the required elements.

You need the following permissions for this deployable architecture:

- Create services from the {{site.data.keyword.cloud_notm}} catalog.
- Create and modify {{site.data.keyword.vpc_short}} services, virtual server instances, networks, network prefixes, storage volumes, SSH keys, and security groups of this VPC.
- Create and modify {{site.data.keyword.cloud_notm}} direct links and {{site.data.keyword.tg_full_notm}}.
- Access existing {{site.data.keyword.cos_short}} services.

For information about configuring permissions, contact your {{site.data.keyword.cloud_notm}} account administrator.

## Access for {{site.data.keyword.cloud_notm}} projects
{: #access-projects}

You can use {{site.data.keyword.cloud_notm}} projects as a deployment option. Projects are designed with infrastructure as code and compliance in mind to help ensure that your projects are managed, secure, and always compliant. For more information, see Learn about IaC deployments with projects.

To create a project and the project tooling resources within the account, make sure that you have the following access:

- The Editor role on the Projects service.
- The Editor and Manager roles on the {{site.data.keyword.bpshort}} service.
- The Viewer role on the resource group for the project.

For more information, see Assigning users access to projects.

## Create an SSH key
{: #vpc-ssh-key}

Make sure that you have an SSH key that you can use for authentication. This key is used to log in to all virtual server instances that you create. For more information about creating SSH keys, see SSH keys.

## (Optional) Set up {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}}
{: #vpc-crypto-prereqs}

For key management services, you can use {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}} instead of {{site.data.keyword.cos_full_notm}}. {{site.data.keyword.hscrypto}} is a dedicated key management service and hardware security module on {{site.data.keyword.cloud_notm}} that provides keep your own key (KYOK) capabilities.

By using {{site.data.keyword.hscrypto}}, your deployable architecture satisfies the requirements for the following controls:

For more information, see the security information in the VPC reference architecture for IBM Cloud for Financial Services.

It is not possible to update an existing deployable architecture from {{site.data.keyword.keymanagementserviceshort}} to {{site.data.keyword.hscrypto}}. You must create and deploy another deployable architecture.
{: restriction}

### Provisioning and initializing the {{site.data.keyword.hscrypto}} service
{: #vpc-hpcs-setup}

Before you deploy this deployable architecture, you need an instance of {{site.data.keyword.hscrypto}}.

1. You can provision {{site.data.keyword.hscrypto}} in one of two ways:

2. Initialize {{site.data.keyword.hscrypto}}:

    For proof-of-technology environments, use the auto-init flag. For more information, see Initializing service instances using recovery crypto units.

3. When you configure your deployable architecture, specify the resource group in the `hs_crypto_resource_group` input variable and the instance name in the `hs_crypto_instance_name` variable. If you don't provide values for those variables, the default {{site.data.keyword.keymanagementserviceshort}} encryption is used.