Join us for this meetup where Jitendra Bafna (Jacky) will be talking about Anypoint VPC, VPN and DLB Architecture. He will mention the best practices, some use cases, and a live demo!
3. 4
Organizers
#MuleSoftMeetups
Alexandra Martinez
Senior MuleSoft Developer
at Bits In Glass
MuleSoft Ambassadress
Founder and Content
Creator at ProstDev
3+ years using MuleSoft
5x MuleSoft certified
Mahesh Pujari
MuleSoft Developer
at Mackenzie Investments
Around 6 years of
integration expertise
Pravallika Nagaraja
Senior MuleSoft Developer
at Roche
Overall 10 years of
experience developing
integration solutions using
MuleSoft and other
integration technologies
3+ years using MuleSoft
4x MuleSoft certified
Content Creator at
ProstDev
Kishore Reddy Paluri
Senior Consultant
at MuleSoft
Certified Solutions Architect
14+ years of experience
building Integration, ESB,
SOA, API, Security and
Middleware solutions on
Cloud, On-Prem, and
Hybrid environments
7. 8
VPC stands for Virtual Private Cloud and it allows you to create logical or isolated networks in the cloud
where you can deploy or run the resources securely. MuleSoft cloudhub is a multi-tenant integration
platform as a service. Anypoint VPC allows you to create an isolated network where you can host the
workers or mule applications.
Anypoint VPC allows you to extend your corporate network and allows cloudhub workers to connect
resources behind the firewalls. VPC allows to connect cloudhub workers to on premise datacenter using
below techniques.
Secure VPN Tunnel (IPSec Tunneling)
Private AWS using VPC Peering.
AWS Direct Connect.
What is Anypoint VPC?
8. 9
Advantages of Anypoint VPC
Create a secure virtual network within CloudHub.
Connect CloudHub to assets behind the firewall.
Deploy mule runtime securely.
Connect Cloudhub to any public cloud or on premise data center securely.
Anypoint VPC Characteristics
Multiple VPC can be created in the same region.
Always create VPC in the same region or near to your datacenter or AWS region (VPC peering).
All non prod environments like dev, test, sit can be mapped to non prod vpc and production environment to
prod vpc.
Multiple environments can be mapped to the same VPC’s.
Always create the VPC in the parent business group and share with sub business groups.
Anypoint VPC
10. 11
You have four environments dev, test, sit and prod.
Application on dev and sit must run on 1 Worker.
Application on the test must be run on 2 Workers.
Application on prod must run on 2 Workers.
Total Application = 100 (Near Future)
The organization will have 2 VPC’s, one for PROD and another for NON PROD.
The problem statement is that we need to decide the minimum CIDR block will be needed for PROD
and NON-PROD VPC.
VPC Sizing Requirements
11. 12
VPC Sizing Solution
There will be 2 IPs reserved for
each VPC for infrastructure.
For Production VPC, we require
around 302 IPs and it will be
provided by a subnet mask of /23
(e.g. 192.168.0.0/23). This subnet
mask will provide 512 IPs.
For Non-Production VPC, we
require around 602 IPs and it will
be provided by a subnet mask of
/22 (e.g. 192.168.0.0/22). This
subnet mask will provide 1024
IPs.
12. 13
Always create a VPC in the same region or close to your datacenter or AWS region (VPC Peering).
Always choose a higher or appropriate range of CIDR masks because the CIDR mask cannot be updated
once VPC is created. To change the CIDR mask, we need to re-create VPC and it requires downtime for
your applications.
Always choose a CIDR mask which doesn't overlap with your datacenter IP addresses or subnets.
Always create a separate VPC for production and non production environments.
Always create VPC in parent business groups and share with child business groups.
VPC Sizing Best Practices
15. 16
Dedicated Load Balancer is optional components in Anypoint Platform which allows to route external
HTTP/HTTPs traffic to multiple applications deployed to cloudhub within VPC.
Each Dedicated Load Balancer has a DNS A record lb-name.lb.anypointdns.net that resolves to the
two public IP addresses of the two instances.
What is Dedicated Load Balancer?
17. 18
SLB V/S DLB
Shared Load Balancer
Shared Load Balancer available in all environments by default.
Shared Load Balancer provided basic functionality like TCP load balancing.
Shared Load Balancer doesn’t allow you to configure custom SSL certificates and proxy rules.
Shared Load Balancers have lower rate limits and it is different for each region.
Application deployed to Cloudhub exceeds the rate limit for shared load balancers, it will return 503 - Service
Unavailable.
Dedicated Load Balancer
One of the limitations of SLB is the lower rate limit. To avoid that issue, you can use a dedicated load balancer.
All applications can be hosted under a single domain.
Custom SSL certificates can be configured on DLB and optionally two-way authentication can be enforced.
Handle load balancing among the different CloudHub workers that run your application.
18. 19
Dedicated Load Balancer
HTTP Inbound Mode
Off: Causes the load balancer to silently drop the request.
On: Accepts the inbound request on the default SSL endpoint using the HTTP protocol.
Redirect: Redirects the request to the same URL using the HTTPS protocol.
Other Configurations
Disable Static IPs specify to use dynamic IPs, which do not persist when the DLB restarts.
Keep URL encoding specifies the DLB passes only the %20 and %23 characters as is. If you deselect
this option, the DLB decodes the encoded part of the request URI before passing it to the CloudHub
worker.
Support TLS 1.0 specifies to support TLS 1.0 between the client and the DLB.
Upstream TLS 1.2 specifies to force TLS 1.2 between the DLB and the upstream CloudHub worker.
19. 20
Dedicated Load Balancer Certificates
Configure SSL certificate to enable HTTPS (Public Key and Private Key). For two way authentication, you
can configure Client Certificate and that is optional. The dedicated load balancer must be associated with at
least a pair of one certificates.
Generally, we configure the certificates on Dedicated Load Balancer from CA authority. For
testing purposes, you can use self signed certificates.
openssl req -newkey rsa:2048 -nodes -keyout test-private.pem -x509 -days 3000 –out test-public-crt.pem
Above command will generate Private Key and Public Key that can be configured on dedicated load balancer.
20. 21
Dedicated Load Balancer Certificates
Alternatively, you can generate certificates by passing .cfg file in openssl command.
You can add below content in .cfg file and pass to openssl command.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Arizona
localityName = Phoenix
organizationName = Test
commonName = example.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = api-dev.example.com
DNS.2 = api-qa.example.com
openssl req -newkey rsa:2048 -nodes -keyout test-private.pem -x509 -days 3000 –out test-public-crt.pem -config test-com.cfg
21. 22
Dedicated Load Balancer Certificates
Creating wildcard Certificates
You can even create the wild card certificate to support subdomain requests.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Arizona
localityName = Phoenix
organizationName = Test
commonName = *.example.com
22. 23
Dedicated Load Balancer Mapping Rules
Mapping rules are used on dedicated load balancers to translate input URI to call applications deployed
on CloudHub. A pattern is a string that defines a template for matching an input text. Whatever value is
placed within curly brackets ({ }) is treated as a variable. Variable names can contain only lowercase
letters (a-z) and no other characters, including slashes.
23. 24
Dedicated Load Balancer Mapping Rules
Mapping rules are used on dedicated load balancers to translate input URI to call applications deployed
on CloudHub. A pattern is a string that defines a template for matching an input text. Whatever value is
placed within curly brackets ({ }) is treated as a variable. Variable names can contain only lowercase
letters (a-z) and no other characters, including slashes.
25. 26
Dedicated Load Balancer Whitelisted CIDR’s
To allow dedicated load balancers must be used by a set of IP addresses or single IP
addresses, you need to add those IP addresses in form of CIDR notations (e.g. 192.168.1.0/24).
By default CIDR mask is 0.0.0.0/0 which means all IP addresses are allowed to access
dedicated load balancer.
27. 28
What is Anypoint VPN?
VPN stands for Virtual Private Network and Anypoint VPN creates a secure connection between CloudHub
and On Premise data centers.
Anypoint VPN supports site-to-site internet protocol security (IPSec) connections.
Each Anypoint VPN connection consists of two tunnels that enable you to connect to a single public IP
address at a remote location. To connect additional remote locations,create another VPN.
The physical or software appliances, called VPN endpoints, are terminators on your side of connection.
The MuleSoft side of the connection is an implementation of a virtual private gateway (VGW). The
MuleSoft VGW is associated with a single MuleSoft VPC but can support up to 10 VPN connections.
The MuleSoft VGW implementation supports a maximum throughput of 1.25 Gbps.
28. 29
Anypoint VPN
Types of VPN Routing
Anypoint VPN supports dynamic or static routing for VPN connections.
Dynamic routing - Your device uses Border Gateway Protocol (BGP) to advertise routes to Anypoint
VPN. Use BGP routing if your device supports this protocol.
Static routing - Requires you to specify the routes (subnets) in your network that are accessible through
Anypoint VPN.
29. 30
Anypoint VPN IP Sec Tunneling
Anypoint VPN IPSec Tunneling VPN IPSec tunnel is set of protocols or standards to establish the connection
with on premise datacenter. IPSec tunnel is applied at the IP layer and it allows to connect the entire network
instead of a single device.
30. 31
VPC Peering
VPC peering basically connects two VPCs. In this case, it pairs your private Amazon VPC
directly to your Anypoint VPC. This enables you to route traffic between the two VPCs so they
can communicate as though they are in the same network.
33. 34
Accessing Application within VPC
For accessing applications within VPC, you can use below urls.
Port 8091: - http://mule-worker-internal-<appname>.region.cloudhub.io:8091/
Port 8092: - https://mule-worker-internal-<appname>.region.cloudhub.io:8092/
Creating AnyPoint VPC, VPN and DLB is the self service but you can request MuleSoft to create
VPN IPSec tunneling, VPC Peering or AWS Direct Connect by filling AnyPoint VPC discovery
template.
34. 35
Accessing Application within VPC
Important Points
Once a VPC is created, to modify the name, CIDR mask, you need to delete and recreate the VPC which
may lead to downtime of your applications.
Always select the higher range of the CIDR mask. So you have enough IP addresses available.
VPC Use Cases
To run the integration or api's within secure networks or private subnets, you can deploy api
withithe VPC. For example, you have system api's that are accessing backend databases and
those api's must be deployed within a secure or private network in cloudhub, so it is accessible
by the applications deployed within the same VPC.
For creating the dedicated load balancer, we need to create a VPC.
For creating VPN IPSec tunneling, AWS Direct Connect or VPC peering, we need to create a
VPC.
There are many other use cases where we have requirements of VPC.
35. 36
Accessing Application Over Public Internet
deployed within VPC
There are various ways that you can api's over the public internet when an application is
deployed within the VPC.
Deploy the application on port 8081 (http.port) or 8082 (https.port), as per firewall rule these ports
are accessible anywhere. So this apis can be access using
http://<appname>.region.cloudhub.io/ or
https://<appname>.region.cloudhub.io/
In case an application deployed on port 8091 (http.private.port) or 8092 (https.private.port), as per
above firewall rule these ports are accessible within VPC.
So this apis can be accessible on our public internet using a dedicated load balancer if
your IP Address is whitelisted in DLB configurations.
41. 42
Demo 2: Deploying the Application on 8081
dsffd
Anypoint Platform
Runtime Manager
10.0.1.0/24
vpc-8081
us-e1
External Consumer
http://vpc-8081.us-e1.cloudhub.io/test
http://mule-worker-vpc-8081.us-
e1.cloudhub.io:8081/test
To find internal or private IP Address of Application
ping mule-worker-internal-vpc-8081.us-e1.cloudhub.io
To find public IP Address of Application
ping mule-worker-vpc-8081.us-e1.cloudhub.io
42. 43
Demo 3: Deploying the Application on 8091
dsffd
Anypoint Platform
Runtime Manager
10.0.1.0/24
vpc-8091
us-e1
External Consumer
http://vpc-8091.us-e1.cloudhub.io/test
http://mule-worker-vpc-8091.us-
e1.cloudhub.io:8091/test
To find internal or private IP Address of Application
ping mule-worker-internal-vpc-8091.us-e1.cloudhub.io
To find public IP Address of Application
ping mule-worker-vpc-8091.us-e1.cloudhub.io
Note: - Application deployed to 8091 is not directly accessible publicly as per
firewall rule defined on Anypoint VPC and it can be access within VPC using url
http://mule-worker-internal-vpc-8091.us-e1.cloudhub.io:8091/test
43. 44
Demo 4: Accessing Application within VPC
dsffd
Anypoint Platform
Runtime Manager
10.0.1.0/24
vpc-8091
us-e1
External Consumer
http://vpc-8081.us-e1.cloudhub.io/test
http://mule-worker-vpc-8081.us-
e1.cloudhub.io:8081/test
Note: - Application deployed on 8081 can access application deployed to port
8091 as both are in same VPC. Hence external consumer can send request on
application deployed to port 8081 and 8081 can access application deployed on
port 8091
vpc-8081
http://mule-worker-internal-vpc-
8091.us-e1.cloudhub.io:8091/test
46. 47
Demo 4: Accessing Application within VPC
dsffd
Anypoint Platform
Runtime Manager
10.0.1.0/24
vpc-8091
us-e1
External Consumer
http://vpc-8081.us-e1.cloudhub.io/test
http://mule-worker-vpc-8081.us-
e1.cloudhub.io:8081/test
Note: - Application deployed on 8081 can access application deployed to port
8091 as both are in same VPC. Hence external consumer can send request on
application deployed to port 8081 and 8081 can access application deployed on
port 8091
vpc-8081
http://mule-worker-internal-vpc-
8091.us-e1.cloudhub.io:8091/test
47. 48
Demo 7: Setting Up Anypoint VPN
dsffd
Anypoint Platform
Runtime Manager
10.0.1.0/24
us-e1
Google
Cloud
Platform
VPN IPSec Tunneling
(BGP or Dynamic
Routing)
50. How does the quiz work?
1. Organizers show the question.
2. Organizers read the question out loud.
3. Organizers will write in the chat the following message: “Answers from question n start
here” after reading the question.
4. Only answers that appear after this message will be taken into account.
5. A final raffle, with the people that answered the quiz correctly, will take place after the quiz,
where the 3 lucky winners will receive a training or certification voucher.
6. The 3 winners will send their email in the chat so we can contact them for further steps.
51
#MuleSoftMeetups
51. Rules:
1. First person to give the correct answer in the chat will enter the final raffle.
2. If you already answered one question correctly, please stop answering and give a chance to
the rest. You don’t receive “extra points” for answering correctly more than once.
3. If the answer is sent before the “Answers from question n start here” message appears in the
chat, it won’t be taken into account.
52
#MuleSoftMeetups
52. 1. What protocol does “VPN Dynamic Routing”
use?
53
#MuleSoftMeetups
53. 1. What protocol does “VPN Dynamic Routing”
use?
A: BGP
54
#MuleSoftMeetups
54. 2. What is the default private port for accessing
applications within VPC over HTTP protocol?
55
#MuleSoftMeetups
55. 2. What is the default private port for accessing
applications within VPC over HTTP protocol?
A: 8091
56
#MuleSoftMeetups
56. 3. What is the correct URL for accessing
applications within VPC in US east 1 region over
HTTP?
a) http://mule-worker-external.us-
e1.cloudhub.io:8091/
b) http://mule-worker-external.us-
e1.cloudhub.io:8092/
c) http://mule-worker-internal.us-e1.cloudhub.io:8091/57
#MuleSoftMeetups
57. 3. What is the correct URL for accessing
applications within VPC in US east 1 region over
HTTP?
A: C
http://mule-worker-internal.us-e1.cloudhub.io:8091
58
#MuleSoftMeetups
58. 4. What is the correct way of connecting AWS
VPC if CloudHub VPC and AWS VPC are in the
same region for accessing backend services or
databases?
59
#MuleSoftMeetups
VPN IPSec Tunneling AWS Direct Connect
VPC Peering None
59. 4. What is the correct way of connecting AWS
VPC if CloudHub VPC and AWS VPC are in the
same region for accessing backend services or
databases?
A: VPC Peering
60
#MuleSoftMeetups
64. 7. How many IP addresses are available in subnet
mask 0/22?
65
#MuleSoftMeetups
65. 7. How many IP addresses are available in subnet
mask 0/22?
A: 1024
66
#MuleSoftMeetups
66. 8. What is the subdomain in this DNS:
api-dev.example.com?
67
#MuleSoftMeetups
67. 8. What is the subdomain in this DNS:
api-dev.example.com?
A: api-dev
68
#MuleSoftMeetups
68. 9. What component cannot be configured at
Dedicated Load Balancer?
69
#MuleSoftMeetups
Whitelisted CIDRs Mapping Rules
SSL Certificates Firewall Rules
69. 9. What component cannot be configured at
Dedicated Load Balancer?
A: Firewall Rules
70
#MuleSoftMeetups
70. 10. What does VPN Tunnel Status Available
(UP/DOWN or UP/UP) mean?
a) VPN connection is created and actions pending in background.
b) VPN is successfully created but the remote side is not configured.
c) VPN is successfully created and remote connection is established
in Active/Active mode or Active/Passive mode.
d) VPN connection is not created. You need to delete and try again.
71
#MuleSoftMeetups
71. 10. What does VPN Tunnel Status Available
(UP/DOWN or UP/UP) mean?
A: C
VPN is successfully created and remote connection is
established in Active/Active mode or Active/Passive
mode
72
#MuleSoftMeetups
72. 73
● Share:
○ Tweet using the hashtag #MuleSoftMeetups
○ Invite your network to join: https://meetups.mulesoft.com/toronto/
● Feedback:
○ Fill out the survey feedback and suggest topics for upcoming events
○ Contact MuleSoft at meetups@mulesoft.com for ways to improve the program
What’s next?
#MuleSoftMeetups
73. 75
● You choose!
● Speaker:
○ This can be you
● Earn a certification or training voucher by being a speaker!
Next event
YOU!
#MuleSoftMeetups