Anypoint VPC is no different from any other VPC, except that it exists only to run the Mule applications of one organization. To understand what an Anypoint VPC is, we first need to understand what a VPC is in generic terms.
VPC: Is it really that complicated?
VPC, or Virtual Private Cloud, is a set of servers placed in a closed (protected) environment. All the servers inside a VPC have a single access point: the VPC firewall. So essentially the VPC firewall is the component responsible for creating the closed (protected) environment.
To simplify further, servers inside a VPC are just like any other server or VM one can have, with the exception that all communication with them must pass through the VPC firewall.
Since it is a closed environment, servers can have private IPs, which need to be unique only inside that network. Because of this, it is necessary to define which IPs the servers inside a VPC will get, i.e. the IP range that servers inside a VPC can be assigned. This IP range is called the CIDR (Classless Inter-Domain Routing) range.
Discussing CIDR in detail is out of the scope of this blog; we will look at how to define a CIDR range in my next blog in this VPC series. Let's get back to our VPC.
Why go for a VPC in MuleSoft (Anypoint)?
Without a VPC, all Mule applications run in a shared space. This means that all MuleSoft customers running applications in CloudHub run them in the same space. Many large organizations want their applications to run in a closed, protected setup for reasons such as security and compliance, although servers running in a shared space might not be a big problem for some organizations.
Since a VPC runs all the applications in a contained private environment, it becomes much easier to connect to on-premises servers. Instead of establishing one-to-one connections for every application, an entire VPC can be connected directly to the on-premises network using a VPN.
The real disadvantage of shared CloudHub is the Shared Load Balancer (SLB). It means that the requests of all MuleSoft customers go through a single SLB setup, which is not something that makes everyone happy.
Having a VPC lets organizations set up their own Dedicated Load Balancer (DLB). Having a DLB enables organizations to:
- Have a custom domain name for their applications. Orgs can have their applications running at https://company.com rather than https://app.cloudhub.io.
- Have a load balancer which is used only for their organization, improving latency and opening up a lot of security options.
- Enable two-way (mutual) SSL for securing their apps.
It should be noted that a VPC is a prerequisite for having a DLB. You can have a VPC without a DLB, but not the other way around.
Let's dig a bit deeper
The diagram below represents a generic design of Anypoint VPC.
As is evident in the diagram, access to a VPC can be gained via both the Shared Load Balancer and the Dedicated Load Balancer. In either case the traffic has to go through the VPC firewall.
Now that we have established at a high level what an Anypoint VPC is in MuleSoft CloudHub, let's dive into the other features of a VPC.
Role of AWS and its regions
MuleSoft uses AWS for all its infrastructure needs, hence any VPC provisioned for any client is created on AWS. AWS is divided into various physical regions worldwide, just like any other cloud provider.
A VPC in MuleSoft is region specific, which means that one VPC cannot span multiple regions. It is, however, possible to have more than one VPC in a single region and to have multiple VPCs across multiple regions.
Where does it fit in Anypoint Platform
A VPC in MuleSoft is only for deploying Mule applications. Getting a VPC does not change anything else in Anypoint Platform. The difference it makes is that you will have the option to deploy applications to your VPC instead of shared CloudHub.
For this, VPCs can span business groups and environments in Anypoint Platform, which means that one can have two applications running in two different VPCs but present in the same Anypoint Runtime Manager (ARM) environment. This is similar to how an on-premises application and a CloudHub application can be present in the same ARM environment.
Extra info for the Techies out there
As we have discussed some concepts already, I thought it might be worth adding some technical details for the techies out there.
- On VPC creation, four firewall rules are added: two for the SLB, which open ports 8081 (HTTP) and 8082 (HTTPS), and two for the DLB, which open ports 8091 (HTTP) and 8092 (HTTPS).
- By default, workers in a VPC are accessible to MuleSoft's SLB. A customer organization has to explicitly request a DLB if it wants to use one, and should remove the SLB's access for better security. This is achieved simply by removing the SLB rules from the VPC firewall (blocking 8081 and 8082).
- If an organization only uses a DLB, it needs to make sure that all applications deployed in the VPC listen on either 8091 (HTTP) or 8092 (HTTPS). Running applications on other ports will lead to the application not working.
- Do I need to pass a weird port number (8091) every time I call my API in the VPC? You DON'T need to. When calling your application running inside the VPC, you always hit it on 443 (the default HTTPS port). The mapping from 443 to 8091 or 8092 is done internally at the load balancer level.
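To make the four points above concrete, here is a small posture check written for this post as an added example; it is not MuleSoft code and does not talk to the Anypoint API. It models the VPC firewall rule set exactly as described (SLB rules on 8081/8082, DLB rules on 8091/8092, and the load balancer's 443-to-worker-port mapping), shows the "remove the SLB rules" hardening step, and flags applications whose listener port the DLB would never forward to. The `FirewallRule` and `MuleApp` classes, the `audit` function and the sample application list are all constructed for the example.

```python
"""Posture check for an Anypoint VPC firewall and its workers' listener ports.

Added example (not MuleSoft's code). Ports come from the post: the SLB rules
open 8081/8082, the DLB rules open 8091/8092, and the DLB maps public 443 to
8091 or 8092. Rule/app models and sample data are constructed for illustration.
"""
from dataclasses import dataclass

SLB_PORTS = {8081, 8082}   # shared load balancer rules added at VPC creation
DLB_PORTS = {8091, 8092}   # dedicated load balancer rules added at VPC creation
PUBLIC_HTTPS_PORT = 443    # what a caller actually hits on the load balancer


@dataclass(frozen=True)
class FirewallRule:
    """One inbound rule on the VPC firewall (hypothetical model)."""
    port: int
    source: str  # "slb" or "dlb" for the four rules the post describes


@dataclass(frozen=True)
class MuleApp:
    """A deployed Mule app and the port its HTTP listener binds on the worker."""
    name: str
    listen_port: int


def default_vpc_rules():
    """The four rules a freshly created VPC gets, per the post."""
    return ([FirewallRule(p, "slb") for p in sorted(SLB_PORTS)]
            + [FirewallRule(p, "dlb") for p in sorted(DLB_PORTS)])


def harden_for_dlb_only(rules):
    """Drop the SLB rules (8081/8082) so workers are reachable only via the DLB."""
    return [r for r in rules if r.source != "slb"]


def audit(rules, apps, dlb_only):
    """Return human-readable findings for a VPC.

    dlb_only=True means the organization intends to serve traffic solely
    through its DLB: leftover SLB rules are an unwanted exposure, and any app
    not listening on 8091/8092 will not be reachable through the DLB.
    """
    findings = []
    open_ports = {r.port for r in rules}
    if dlb_only:
        for r in rules:
            if r.source == "slb":
                findings.append(
                    f"port {r.port} is still open to the shared LB; remove the SLB rule")
    for app in apps:
        if dlb_only and app.listen_port not in DLB_PORTS:
            findings.append(
                f"{app.name}: listens on {app.listen_port}; the DLB only forwards to 8091/8092")
        elif app.listen_port not in open_ports:
            findings.append(
                f"{app.name}: listens on {app.listen_port}, which no firewall rule opens")
    return findings


def dlb_worker_port(listener_is_tls):
    """Worker port the DLB forwards a public :443 request to (8092 for an HTTPS
    listener, 8091 for a plain HTTP listener), mirroring the post's last point."""
    return 8092 if listener_is_tls else 8091


# Constructed sample deployment: one app correctly on the DLB HTTPS port, one
# legacy app still bound to the SLB HTTP port.
SAMPLE_APPS = [MuleApp("orders-api", 8092), MuleApp("legacy-api", 8081)]

if __name__ == "__main__":
    rules = default_vpc_rules()
    print("Findings with default rules, DLB-only intent:")
    for f in audit(rules, SAMPLE_APPS, dlb_only=True):
        print("  -", f)
    hardened = harden_for_dlb_only(rules)
    print("Findings after removing the SLB rules:")
    for f in audit(hardened, SAMPLE_APPS, dlb_only=True):
        print("  -", f)
    print(f"Public :{PUBLIC_HTTPS_PORT} -> worker :{dlb_worker_port(True)} for an HTTPS listener")
```

Running the script shows the two-step cleanup the post describes: with the default rules and a DLB-only intent, the SLB ports are reported as a leftover exposure, and after `harden_for_dlb_only` only the misconfigured `legacy-api` on 8081 remains to be fixed by moving it to 8091 or 8092.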
Wrapping it up!
Now that we have a complete understanding of what an Anypoint VPC is in MuleSoft, many advantages of using a VPC are evident. A VPC ensures that the Mule applications of an organization run in an isolated environment, and helps with cloud concerns such as data loss, security and privacy.
Since all the cloud resources are dedicated to the client organization, there is no competition with other MuleSoft customers for resource allocation. With a VPC also comes the added option of a DLB, which lets the organization customize and secure its applications further.
A VPC makes connecting to on-premises servers a breeze. The entire VPC can be connected to the on-premises network using a VPN. Since VPN creation is a one-time process, it removes the hassle of making changes for every cloud application that needs to connect to on-premises systems.
Thanks for reading! We would love to hear your suggestions and comments!