Author: Mohammad Mazhar Ansari
In this blog, we will try to learn what is Anypoint VPC, its advantages, and how to create Anypoint VPC.
What is VPC?
- VPC stands for Virtual Private Cloud.
- Anypoint VPC is an on-demand configurable pool of shared computing resources allocated within a public cloud environment, providing a certain level of isolation between different organizations using the resources.
What is Anypoint VPC?
- The Anypoint Virtual Private Cloud (VPC) offering allows you to create a virtual, private, and isolated network segment in the cloud to host your CloudHub workers.
- Connecting to your Anypoint VPC extends your corporate network and allows CloudHub workers to access resources behind your corporate firewall. You can connect on-premises data centers through a secured VPN tunnel, or a private AWS VPC through VPC peering, or by using AWS Direct Connect.
- In short, Anypoint VPC restricts the incoming traffic to the application deployed within Anypoint VPC.
Understanding MuleSoft Port Usage
MuleSoft recommends to use gew specific ports.
- 8081- MuleSoft recommends to use this port in case of HTTP transport. When application is deployed to CloudHub http.port by default have value of 8081.
- 8082- MuleSoft recommends to use this port in case of HTTPS transport. When application is deployed to CloudHub https.port by default have value of 8082.
- 8091- MuleSoft recommends to use this port in case of HTTP transport. When application is deployed to CloudHub http.private.port by default have value of 8091.
- 8092- MuleSoft recommends to use this port in case of HTTPS transport. When application is deployed to CloudHub https.private.port by default have value of 8092.
All four configuration parameters are reserved and have default value maintained by MuleSoft in CloudHub.
MuleSoft Application URL
When we deploy any application on CloudHub MuleSoft, it can be accessed by below URL.
- <application-name> is the deployed application name which is unique across all the MuleSoft clients.
- <region> is the region name in which an application is deployed.
- <port> will be 8081 or 8082 depending on when connection is HTTP or HTTPS.
As you can see, I have listed 3 different URLs for one application. These different URLs are maintained at different levels.
- When the user uses the first URL it will be shared load balancer url and MuleSoft load balancer. Shared load balancing will redirect it to the correct application and port based on DNS entry.
- Users can also use the second URL as it is an external IP Address of cloudhub workers.
- Users can’t use the third URL as it is an Internal IP Address of cloudhub workers.
Create an Anypoint VPC
Anypoint VPC can be created in 3 different ways.
- Using Anypoint Platform
- Using Anypoint CLI
- Using Anypoint Platform API
In this blog, we will explore the first method.
- Sign into your Anypoint Platform account as a user with the Organization Administrators role.
- Under Management Center, click Runtime Manager.
- In the left navigation, click VPCs.
- Click Create VPC, and enter the following information to define and configure the Anypoint VPC.
- Name: The name to identify your Anypoint VPC
- Region: The region to which the Anypoint VPC is bound
- CIDR Block: The size of the Anypoint VPC in Classless Inter-Domain Routing (CIDR) notation
- Environments: Optionally, select an environment to which the Anypoint VPC is bound
- Set as default VPC: Select this option to set the Anypoint VPC as the default for the region you set
- Business Groups: Optionally, bind the Anypoint VPC with a business group.
- Click Firewall Rules to expand the fields and configure firewall rules. By default, all inbound traffic is blocked, and you need to configure firewall rules to allow traffic to your worker. You can configure these rules at a later time.
Anypoint VPC Firewall Rules
We can create a number of firewall rules as per our requirement. However when we first create an Anypoint VPC by default there are no preconfigured rules available i.e. all inbound traffic is blocked.
In general, we can configure 4 different rules as shown in the image below:
- Rule #1: any application running on 8081 can be reached from anywhere.
- Rule #2: any application running on 8082 can be reached from anywhere.
- Rule #3: any application running on 8091 can be reached from any application running inside the same Anypoint VPC. If these applications need to be exposed outside the Anypoint VPC they can be exposed using Dedicated Load Balancer.
- Rule #4: any application running on 8092 can be reached from any application running inside the same Anypoint VPC. If these applications need to be exposed outside the Anypoint VPC, they can be exposed using Dedicated Load Balancer.
Scenario #1: In case only Rule # 1 and 2 are configured and there are few applications which are deployed on 8081, 8082, 8091 and 8092. Applications deployed on port 8081 and 8082 will be accessible from anywhere. Applications deployed on port 8091 and 8092 will not be accessible from anywhere even after configuring Dedicated Load Balancer.
Scenario #2: In case only Rule # 3 and 4 are configured and there are few applications which are deployed on 8081, 8082, 8091 and 8092. Applications deployed on 8081 and 8082 will not be accessible from anywhere. Applications deployed on port 8091 and 8092 will only be accessible from outside after configuring Dedicated Load Balancer.
Scenario #3: In case only Rule # 1, 2, 3 and 4 are configured and there are few applications which are deployed on 8081, 8082, 8091 and 8092. Applications deployed on 8081 and 8082 will be accessible from anywhere.Applications deployed on port 8091 and 8092 will only be accessible from anywhere after configuring Dedicated Load Balancer.
Q: What’s the importance of region in Anypoint VPC?
A: Application deployed in the same region as Anypoint VPC can utilise the benefit of Anypoint VPC.
Q: Default number of VPC available?
A: By Default 2 Anypoint VPCs are available with base subscription. The assumption is that one VPC will be used for a production environment and another will be used for a non production environment.
Q: Is it mandatory to have a Dedicated Load Balancer with Anypoint VPC?
A: No it is not. Only in case applications inside Anypoint VPC are deployed on 8091 and 8092 which need to be accessed from outside the Anypoint VPC.
Q: Does Anypoint VPC block outbound traffic?
A: Anypoint VPCs are used to restrict incoming traffic. They never interfere with outbound traffic.
Q: Is it mandatory to have a VPN along with Anypoint VPC?
A: No it is not. VPN can be only used in case a client wants the outbound connection from Anypoint VPC and their On Prem Data center needs to be secured.
Q: Is Anypoint VPC identical to AWS VPC?
A: MuleSoft VPC is a customized/extended version of AWS VPC, they are not identical.
Q: How do we attach an application to an Application?
A: Anypoint VPC is always attached to an environment. When a new application deployed after attaching a VPC to an environment it will automatically be deployed within VPC for existing applications which are deployed before creating VPC you need to restart the application.
Q: What happens if I configure the following firewall rule? Will I be able to access applications deployed on 8091.
A: Yes, you can. However with only URL #2 i.e. with the following URL: http://mule-worker-<application-name>.<region>.cloudhub.io:8091
When to use Anypoint VPC?
Anypoint VPC is an optional component however if security is our primary goal its mandatory to have an Anypoint VPC. Here are few scenarios where we can use Anypoint VPC:
- Specific requirements of controlling incoming traffic to applications
- Want to make outbound connection secure using VPN
- Want to use dedicated load balancer with Anypoint Platform