Turbot Managed Network and VPC Configurations Overview

These settings have been deprecated in v3. VPC Guardrail information can be found here

Overview

Turbot manages your Networking and VPC configurations from a single pane of glass, simplifying administration and enforcing tighter controls around the networking constructs across your cloud ecosystem. This help document describes all of the Turbot Network and VPC options and configurations that can be managed by Turbot/Admin and higher permissions across the Cluster.

Concepts

Turbot defines a Network as a logical configuration that can be associated with multiple VPCs across multiple accounts. A Turbot Network defines the Boundaries of the associated VPCs, their DHCP Options, and a Default Security Group. This gives you a single pane of glass for managing consistent configurations across all VPCs associated with the Network: every VPC within a Network inherits the Boundary, DHCP and Default Security Group configurations, so you make an update in one location and Turbot programmatically keeps all VPCs in sync with the Network configuration.

Multiple Networks can be defined within Turbot. Often customers will have one major network per region (e.g. a network defined for us-east-1 whose VPCs all have direct connects to on-premise, another network defined for eu-central-1 for European workloads, etc.). However, there are also patterns where customers create multiple networks to isolate workloads (e.g. a network per region that contains VPCs with direct connects, and one or more other Networks used solely for disconnected workloads such as sandboxes or collaboration patterns).

Turbot Network Configurations

To create a Turbot Network (Turbot/Admin permissions and higher), go to the Network Admin Page and click the “Create Network” button in the top right corner of the page. The following configurations are available for a Turbot Network:

  • Network ID – a short, unique alphanumeric ID for the network. It identifies the network through the API and distinguishes it from other networks. Note: this cannot be changed after it is created.
  • Network Title – a brief descriptive title for the network that will be displayed on the Network Admin Page.
  • CIDR – the overall CIDR range for the network. Note: this cannot be changed. Typically this is a /16, which provides sufficient space for multiple large VPCs to be allocated within it.
  • VPC Peering – if enabled, Turbot automatically maintains a full mesh of VPC peering between all VPCs in this network.
  • Boundary Definitions – configurations that define the overall network boundaries that feed into your default security group configurations and Turbot Options. Boundary definitions are written in YAML through the Turbot Console and API. For assistance with YAML definitions, please review the following YAML help document
    • Intranet - A list of CIDR ranges that define the boundaries of the Intranet for this network. It includes all internal IP addresses and networks, both in the cloud and in corporate networks. It MUST include the network CIDR defined above so that communications can operate between Turbot and the other peered VPCs. Typically customers allow all of the private ranges defined by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); however, the right choice depends on your networking infrastructure and what is appropriate for this network definition. Note: where you want to limit access to your intranet for isolated workloads, you can choose more fine-grained CIDR ranges.
    • Bastion - A list of CIDR ranges that define the boundaries of the Bastion machines. Bastion machines are permitted to connect on administration ports to resources located in the VPC zone. Note: if empty, the Intranet Boundaries will be used.
    • Internet - A list of CIDR ranges that define the Internet boundaries. Typically set to 0.0.0.0/0 to define the entire public internet. In rare cases a network can be defined to allow public internet access only from specific CIDR ranges, but it is commonly set to 0.0.0.0/0.
    • Outbound Internet Access - A list of CIDR ranges that define the IP addresses that Outbound Internet Access (OIA) traffic appears to originate from. This configuration corresponds to your on-premise OIA CIDR range(s), i.e. the public IP addresses presented by your network.
  • Default Security Group – configurations that define the common default security group across all VPCs associated with the Network. Default Security Group settings are written in YAML through the Turbot Console and API. For assistance with YAML definitions, please review the following YAML help document
    • Ingress to Default Security Group - Ingress rules for all resources in the default security group. Commonly customers consider SSH, RDP, and ICMP as default ingress rules. Some customers also allow all ingress traffic within the VPC, so that instances can easily communicate with one another within the VPC CIDR.
    • Egress to Default Security Group - Egress rules for all resources in the default security group. Commonly customers consider AD, DNS, LDAP, and NTP egress back to their core services infrastructure (on-premise or in another VPC). Customers also commonly allow ICMP, HTTP, and HTTPS to the public internet (e.g. 0.0.0.0/0). Some customers also allow all egress traffic within the VPC, so that instances can easily communicate with one another within the VPC CIDR. Note: changes to any network configurations are made through the Turbot API (the Turbot Console does not yet support these actions). Please view the Turbot API documentation for examples of updating Network Configurations – Turbot API Documentation

Turbot VPC Configurations

Once a Turbot Network is defined, a Turbot VPC can be created by Turbot/Admin permissions and higher: go to the Network Admin Page and click the “Create VPC” button in the top right corner of the page. The following configurations are available for a Turbot VPC:

  • Network – select which Turbot Network the VPC resides in.
  • Account – select which AWS / Turbot account the VPC will be created in.
  • Region – select the AWS Region in which the VPC will be created.
  • VPC ID – create a short, unique alphanumeric ID for the VPC. Note: you cannot change this ID once created.
  • CIDR - the CIDR range for the VPC, which must lie within the Turbot Network CIDR range. Note: AWS allows VPC sizes from /28 to /16; however, at a minimum 2 subnets should be allocated per VPC, so /27 to /17 is the recommended range. Commonly customers create VPCs from /26 to /24 as standard VPC sizing, with exceptions for larger or smaller.
  • Subnets - configurations that define the subnets within the VPC. Subnet settings are written in YAML through the Turbot Console and API. For assistance with YAML definitions, please review the following YAML help document
    • Internal Subnets - List of CIDRs that define the internal-facing subnets. Must be within the VPC CIDR defined above. Note: if using internal subnets, it is recommended to have at least 2 subnets.
    • DMZ (Public) Subnets - List of CIDRs that define the external-facing subnets. Must be within the VPC CIDR defined above. Note: if using DMZ (Public) subnets, it is recommended to have at least 2 subnets.
  • S3 Endpoint in VPC - If enabled, access to S3 is direct from the internal subnets of the VPC and is not routed via the VGW or IGW.
  • Instance Tenancy in VPC - The required tenancy for instances launched into the VPC (either default tenancy, which allows any tenancy, or dedicated tenancy for dedicated hardware instances only).
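The Network and VPC sections above state several consistency rules (the Intranet boundary must include the network CIDR, a VPC CIDR must sit inside the network CIDR and within the recommended /27 to /17 sizing, subnets must sit inside the VPC CIDR with at least two per type). The following added example, which is not Turbot's own code, checks those rules against a constructed network definition; the dict layout and the `check_network`/`check_vpc` names are assumptions, not Turbot's YAML schema or API.

```python
import ipaddress

def check_network(network: dict) -> list:
    """Return the page's consistency rules that a Network definition violates."""
    problems = []
    net_cidr = ipaddress.ip_network(network["cidr"])
    intranet = [ipaddress.ip_network(c) for c in network["boundaries"]["intranet"]]
    # The Intranet boundary MUST include the network's own CIDR.
    if not any(net_cidr.subnet_of(r) for r in intranet):
        problems.append(f"intranet boundary does not include network CIDR {net_cidr}")
    for vpc in network["vpcs"]:
        problems += check_vpc(vpc, net_cidr)
    return problems

def check_vpc(vpc: dict, net_cidr) -> list:
    problems, vid, vpc_cidr = [], vpc["id"], ipaddress.ip_network(vpc["cidr"])
    if not vpc_cidr.subnet_of(net_cidr):
        problems.append(f"{vid}: VPC CIDR {vpc_cidr} is outside network CIDR {net_cidr}")
    # AWS allows /28 to /16; the page recommends /27 to /17 so two subnets fit.
    if not 17 <= vpc_cidr.prefixlen <= 27:
        problems.append(f"{vid}: /{vpc_cidr.prefixlen} is outside the recommended /27 to /17")
    seen = []
    for kind in ("internal", "dmz"):
        subnets = [ipaddress.ip_network(c) for c in vpc.get("subnets", {}).get(kind, [])]
        if len(subnets) == 1:
            problems.append(f"{vid}: only one {kind} subnet; at least 2 recommended")
        for s in subnets:
            if not s.subnet_of(vpc_cidr):
                problems.append(f"{vid}: {kind} subnet {s} is outside VPC CIDR {vpc_cidr}")
            if any(s.overlaps(t) for t in seen):
                problems.append(f"{vid}: subnet {s} overlaps another subnet")
            seen.append(s)
    return problems

# Constructed sample in a hypothetical dict layout (not Turbot's YAML schema).
SAMPLE_NETWORK = {
    "id": "useast1", "cidr": "10.20.0.0/16",
    "boundaries": {"intranet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
                   "bastion": [], "internet": ["0.0.0.0/0"]},
    "vpcs": [
        {"id": "app1", "cidr": "10.20.1.0/24",
         "subnets": {"internal": ["10.20.1.0/26", "10.20.1.64/26"],
                     "dmz": ["10.20.1.128/27", "10.20.1.160/27"]}},
        {"id": "sandbox", "cidr": "10.30.0.0/24",        # not inside 10.20.0.0/16
         "subnets": {"internal": ["10.30.0.0/25"]}},     # only one subnet
    ],
}

if __name__ == "__main__":
    for problem in check_network(SAMPLE_NETWORK):
        print(problem)
```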