Before jumping right away into the real talk I would like to give a bit of background on how I come up with this blog, I was working with a client in managing his cloud infrastructure where we had 4 environments dev, QA, Pre Production and Production and each environment had close to 20 instances, apart from applications instances there were some admin instances as well such as Icinga for monitoring, logstash for consolidating logs, Graphite Server to view the logs, VPN server to manage access of people.
At this point we got into a discussion that whether the current infrastructure set-up is the right one where we are having a separate VPC per environment or the ideal setup would have been a single VPC and the environments could have been separated by subnet’s i.e a pair of subnet(public private) for each environment
Both approaches had some pros & cons associated with them
Single VPC set-up
Pros:
- You only have a single VPC to manage
- You can consolidate your admin app’s such as Icinga, VPN server.
Cons:
- As you are separating your environments through subnets you need granular access control at your subnet level i.e instances in staging environment should not be allowed to talk to dev environment instances. Similarly you have to control access of people at granular level as well
- Scope of human error is high as all the instances will be on same VPC.
VPC per environment setup
Pros:
- You have a clear separation between your environments due to separate VPC’s.
- You will have finer access control on your environment as the access rules for VPC will effectively be access rules for your environments.
- As an admin it gives you a clear picture of your environments and you have an option to clone you complete environment very easily.
Cons:
- As mentioned in pros of Single VPC setup you are at some financial loss as you would be duplicating admin application’s across environments
In my opinion the decision of choosing a specific set-up largely depends on the scale of your environment if you have a small or even medium sized environment then you can have your infrastructure set-up as “All environments in single VPC”, in case of large set-up I strongly believe that VPC per environment set-up is the way to go.
Let me know your thoughts and also the points in favour or against of both of these approaches.
Totally Agree with you, I do follow the same things in managing our infra
Hi , I liked the discussion and i have exactly similar requirement for one of my eCommerce application. Could you please share your experience about how you managed to get the setup and if possible can you please share the architectural diagram.
One of the most critical factor that should be considered for having Single or Separate VPC environment is to be able to showcase adequate auditability and ensuring that all the compliance requirements are being met.
I prefer one VPC for Dev,Staging, and Production. As your AWS infra grows, you will need Directory Services (Name Servers, User Directory, VM Directory, Lookup services etc.). If you have two VPCs, sharing the Directory Services will not be easy. Also if you need Code Repository (e.g. GitHub) or Build tools (e.g. Jenkins) having three separate VPCs for DEV, Staging and Production will make things really complicated.
@Saqib. Couldn't you have a separate VPC for Code Repo and Build tools and use VPC peering to all of the other VPCs?
very poor post. as you're a pure DevOps company, we're not expecting this kind of post.Hoping a good,logical and technical post from you guys.Thanks,
Thanks for reading the post. The first thing is No post is good or bad..Its your thought making it good or bad. If you understand it then its GOOD otherwise you already posted what you got it. Now, Technically if I say, then first get to know what VPC is, then read it again. People share different possibilities to do things, but not to satisfy individual needs with the post. So if its useful for you then take it or else post is doing its job very well.Thanks Mr. Anonymous.
Hello Blogger,
I would not recommend multiple VPC to segregate PROD, NON-PROD, TEST or DEV environment for the following reasons
1) If you have on-prem connectivity(VPN or Direct Connect) then if you use multiple VPC then you would need to create vgw per VPC to create or manage the VPN or Direct Connect. More VPC then more VPN and Direct Connect connection. This would increase the complexity and cost due to number of connections.
2) If you are using NAT gateways then each VPC would need the separate NAT gateways, which would again increase the complexity and cost.
3) If you want your application to communicate with some 3rd party vendor AWS account, then you have to create VPC peering. Then more VPC means more peering to manage.
4) The best solution would be to keep PROD, NON-PROD, DEV in the same VPC and restrict interconnect using the security groups. Make sure to name and tag the instances according to the stages. Tags would help to clone the environment.
Feedbacks are welcome
Anand N S
AWS Advanced Network Specialty Certified
I work for Ellucian as Sr. Cloud Network Engineer
Bangalore
India
Sir,
I am just a beginner and even I’m from Bangalore. what if the xyz company is in multiple countries, that are in multiple regions? do we need to have multiple vpcs?