Infrastructure setup - Netcracker Active Resource Inventory on AWS

Infrastructure setup

Compared to the high-level application architecture overview shown earlier, the figure below shows a more advanced infrastructure setup. For simplicity reasons, it is restricted to a single Availability Zone. For a high availability setup, see the High Availability (HA) Setup section.


        Reference architecture diagram showing Secure infrastructure via tiered
          configuration

Secure infrastructure via tiered configuration

The application and database subnets are private subnets. That is, their instances have no public IP addresses and are therefore isolated from the public internet.

Optionally, an access/integration layer subnet can be deployed as a public subnet. Its Amazon EC2 bastion host, used for operational access, is then reachable by way of a public IP address. A network address translation (NAT) gateway in the public subnet enables the private EC2 instances and Kubernetes pods to initiate outbound connections to the public internet.

Inbound communication runs through one of the components described below.

Thus, access to each part of the platform can be configured in a fine-grained way.

A VPN connection from the Customer Network supports a secure, encrypted connection between Netcracker active resource inventory on AWS and the network resources running on-premises, such as Domain Controllers, Domain Managers, Optical Transport & Access, Microwave Transport and so on.

Depending on the size of the supported Customer Network and its associated data profile, data can alternatively be ingested over AWS Direct Connect.

The Application Load Balancer is the single Access Point for user-related HTTPS traffic to the Netcracker active resource inventory HTML5-based applications. Depending on the use case, the attached security group can be configured to be completely open or restricted to specific user groups.

The Network Load Balancer is the single Access Point for network-related traffic, such as network discovery over protocols like RESTful/RESTConf, NETCONF/CLI, SNMP and BGP-LS/LLDP. Depending on the use case, the attached security group can be configured to be completely open or restricted to a specific portion of the network.

Both the bastion host and access to the Kubernetes cluster are restricted to the DevOps team operating the platform.
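The tiered access model described above (open or restricted user access on the Application Load Balancer, bastion access limited to the DevOps team, application instances reachable only from those two entry points) can be expressed as AWS CloudFormation security groups. The template below is an added illustration, not Netcracker's own template; the parameter names, the application port 8443 and the use of SSH on port 22 for the bastion are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Illustrative tiered security groups for the access and application layers
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  UserCidr:
    Type: String
    Default: 0.0.0.0/0  # fully open user access; narrow to the user groups' CIDR when required
  DevOpsCidr:
    Type: String        # DevOps team network, the only source allowed to reach the bastion host
Resources:
  # Public access/integration layer: HTTPS from users terminates on the ALB
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from users to the Application Load Balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref UserCidr
  # Operational access: SSH to the bastion host only from the DevOps network
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH to the bastion host, DevOps team only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref DevOpsCidr
  # Private application subnet: no CIDR-based ingress at all, only from the two groups above
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application tier, reachable only via the ALB and the bastion host
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8443   # assumed application port
          ToPort: 8443
          SourceSecurityGroupId: !Ref AlbSecurityGroup
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionSecurityGroup
```

Because the application tier references security groups rather than CIDR ranges, it stays unreachable from the internet even when UserCidr is left fully open.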

Netcracker active resource inventory uses the following AWS services for its infrastructure setup:

  • AWS Identity and Access Management (IAM) allows Netcracker to have fine-grained access control of AWS resources. IAM allows Netcracker active resource inventory resources to interact with each other with the minimal privileges required for a given task. IAM provides multi-factor authentication (MFA) for highly privileged users to protect the Netcracker active resource inventory/AWS environment even further.

  • Amazon Route 53 provides Netcracker with a highly available and scalable cloud Domain Name System (DNS) web service. The Private DNS feature of Amazon Route 53 allows Netcracker to have an authoritative DNS within a Netcracker active resource inventory VPC without exposing DNS records to the internet. In addition, it provides an extremely reliable and cost-effective way to implement a DNS solution.

  • Amazon CloudWatch provides Netcracker active resource inventory with the monitoring and observability required by DevOps engineers, developers, site reliability engineers (SREs) and IT managers. It provides insight into Netcracker active resource inventory resource utilization and a unified view of operational health. Amazon CloudWatch provides Netcracker active resource inventory customers with end-to-end operational visibility of metrics, logs, and distributed traces summarizing the performance and health of their Amazon Elastic Container Service for Kubernetes (EKS) cluster by pods/tasks, containers and services.

  • AWS CloudTrail simplifies Netcracker active resource inventory compliance audits by automatically recording and storing event logs for actions made within the AWS account. AWS CloudTrail provides visibility into Netcracker active resource inventory resource activity by recording AWS Management Console actions and API calls. For example, it provides Netcracker active resource inventory customers with an easy way to identify if an authorized user attempts to modify a Kubernetes production namespace.

  • Amazon Simple Storage Service (Amazon S3) is an object storage service built to store and retrieve any amount of data. It offers industry-leading durability, availability, performance, security and virtually unlimited scalability at very low cost. It provides Netcracker active resource inventory with a storage solution for disaster recovery by hosting database snapshots and application backups.

  • AWS CloudFormation enables developers and businesses to create collections of related AWS and third-party resources, and provision and manage them in an orderly and predictable fashion. AWS CloudFormation simplifies the codification of infrastructure by supporting JSON or YAML declarative code files that describe the intended state of all the resources needed to deploy applications. Netcracker uses AWS CloudFormation templates as a proxy to Terraform, an open-source infrastructure as code software tool created by HashiCorp. A Terraform server running on Amazon EC2 can be used to support customers through VPC peering.

  • AWS Key Management Service (AWS KMS) is used to create and manage cryptographic keys and control their use across a wide range of AWS services and in Netcracker active resource inventory applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect Netcracker active resource inventory keys.

  • AWS Certificate Manager (ACM) is a service that allows Netcracker to easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and to secure Netcracker active resource inventory internally connected resources. AWS Certificate Manager allows Netcracker to quickly request a certificate, deploy it, and let AWS Certificate Manager handle certificate renewals. It manages the certificate lifecycle centrally.