
[AWS, Azure, GCP] Break out networking into their own stack

Open hausdorff opened this issue 6 years ago • 0 comments

Networking and security infrastructure like (in the case of AWS) VPCs and SecurityGroups have significant security implications in their setup, and the blast radius of changes to this plane is very high. We should split these into their own stacks, instead of provisioning them along with databases and compute.

Our current plan for each of the clouds, roughly, is to have an architecture with:

  • A subnet with a small set of publicly-available hosts (e.g., bastion hosts)
  • A subnet with a larger set of hosts which can only be reached from the publicly-available hosts
  • A subnet with the managed data services (e.g., RDS) which can only be reached from the managed compute subnet

hausdorff, Jan 22 '19 08:01
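A policy check for the three-tier reachability rules described in the issue, added here as an example and not code from the kubernetes-guides project: it classifies each security-group ingress rule's source CIDR by tier and flags any rule that lets a tier be reached from somewhere the layout forbids. The tier names, subnet CIDRs and rule set are constructed for illustration.

```python
# Added example (not kubernetes-guides code): checks security-group ingress
# rules against the three-tier layout in the issue. Tiers, CIDRs and rules
# below are constructed for illustration.
import ipaddress
from typing import Dict, List, Tuple

# Which sources may open connections into each tier (self-traffic allowed).
ALLOWED_SOURCES: Dict[str, set] = {
    "public": {"internet", "public"},   # bastion hosts
    "compute": {"public", "compute"},   # reachable only via the bastions
    "data": {"compute", "data"},        # managed data services, e.g. RDS
}
# Subnet CIDR per tier (constructed values).
TIER_CIDRS = {
    "public": ipaddress.ip_network("10.0.0.0/24"),
    "compute": ipaddress.ip_network("10.0.1.0/24"),
    "data": ipaddress.ip_network("10.0.2.0/24"),
}

def classify_source(cidr: str) -> str:
    """Map a rule's source CIDR to a tier name, "internet" for 0.0.0.0/0,
    or "unknown" when it is not fully inside one tier subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "internet"
    for tier, tier_net in TIER_CIDRS.items():
        if net.subnet_of(tier_net):
            return tier
    return "unknown"

def find_violations(rules: List[Tuple[str, str, int]]) -> List[str]:
    """One finding per (tier, source_cidr, port) rule that admits a source
    the tier must not accept; an empty list means the layout holds."""
    findings = []
    for dest, cidr, port in rules:
        source = classify_source(cidr)
        if source not in ALLOWED_SOURCES[dest]:
            findings.append(f"{dest}: port {port} open to {cidr} ({source})")
    return findings

# Constructed sample: the three rules the layout needs, plus two mistakes
# (database exposed to the internet; compute reachable from the data tier).
SAMPLE_RULES = [
    ("public", "0.0.0.0/0", 22),
    ("compute", "10.0.0.0/24", 22),
    ("data", "10.0.1.0/24", 5432),
    ("data", "0.0.0.0/0", 5432),
    ("compute", "10.0.2.0/24", 22),
]
```

Running `find_violations(SAMPLE_RULES)` reports the last two rules; a CIDR that is not inside any tier subnet (or spans several) is classified "unknown" and flagged as well.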