AWS Reference Architecture
This guide presents a reference architecture for Pivotal Cloud Foundry (PCF) on Amazon Web Services (AWS). It builds on the common base architectures described in Platform Architecture and Planning.
See PCF on AWS Requirements for general requirements for running PCF and specific requirements for running PCF on AWS.
The following diagram illustrates the reference architecture for PCF on AWS.
The following sections provide guidance about networking resources.
You can use AWS Route 53 for DNS resolution to host your PCF domains.
AWS offers Application Load Balancers (ALBs) and Network Load Balancers (NLBs). Pivotal recommends using NLBs because of the simplicity and security of leaving all traffic encrypted until it reaches the Gorouters. If you require Amazon Certificate Management or more complex layer 7 routing rules, you can front or replace the NLB with an ALB.
The following list provides considerations related to networks, subnets, and IP spacing planning.
- In AWS, each AZ requires its own subnet of which the first 5 IPs are reserved.
- Your organization may not have the IP space necessary to deploy PCF in a consistent manner. To alleviate this, Pivotal recommends using the 100.64 address space to deploy a NAT instance and router so that the PCF deployment needs only a few IP addresses from your organization's space.
- If you want the front-end of PCF to be accessible from your corporate network or the services running on PCF to be able to access corporate resources, you must either provide routable IPs to your VPC or use NAT.
- If you want a VPC that is only public-facing, no special consideration is necessary for the use of IPs.
- See the following table to understand the action required depending on the type of traffic you want to allow for your PCF deployment.
| If you want… | then… |
| --- | --- |
| Internet ingress | Create the load balancers with Elastic IPs. |
| Internet egress | Create the NAT Gateway towards the Internet. |
| Corporate ingress | Create load balancers on your corporate subnet. |
| Corporate egress (for accessing corporate resources) | Create the NAT instance on your corporate subnet or, if business requirements dictate, make the entire VPC corporate-routable. |
- If you plan to install PCF Service Broker for AWS, you may want to create another set of networks in addition to those outlined in the base reference architecture. This set of networks would be for RDS and other AWS managed instances.
The following options are available for choosing your network topology:
| Type of Traffic | Options |
| --- | --- |
Use a single RDS instance for BOSH and PAS. This instance requires several databases. See the following sections of the installation documentation for more information:
- Step 3: Director Config Page in Configuring BOSH Director on AWS
- External System Database Configuration in Configuring PAS
Ops Manager requires a bucket for the BOSH blobstore.
PAS requires the following buckets:
These buckets require an associated role for read/write access.
For identity management, use Instance Profiles whenever possible. For example, the AWS Config Page of the BOSH Director tile provides a Use AWS Instance Profile option. See Step 2: AWS Config Page.
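As an added illustration of the bucket role and instance-profile guidance above (example code, not part of the PCF documentation or Pivotal's tooling), the following builds the two policy documents such a role needs and checks a policy against the list of buckets it is supposed to cover. The bucket names are constructed placeholders; substitute the blobstore and PAS bucket names from your own deployment.

```python
import json
from typing import Iterable, List

# Constructed placeholder names for the buckets the role is allowed to touch.
EXAMPLE_BUCKETS = ["example-pcf-bosh-blobstore", "example-pcf-pas-bucket"]


def ec2_trust_policy() -> dict:
    """Trust policy that lets EC2 instances assume the role through an instance profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_rw_policy(buckets: Iterable[str]) -> dict:
    """Read/write access to exactly the named buckets and their objects, nothing else."""
    names = sorted(set(buckets))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # bucket-level calls need the bucket ARN itself
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{b}" for b in names],
            },
            {   # object-level calls need the /* form of the ARN
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{b}/*" for b in names],
            },
        ],
    }


def policy_violations(policy: dict, allowed_buckets: Iterable[str]) -> List[str]:
    """Return the ways an Allow statement exceeds the named buckets (empty list means scoped)."""
    allowed = {f"arn:aws:s3:::{b}" for b in allowed_buckets}
    allowed |= {f"{arn}/*" for arn in list(allowed)}
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if "*" in a or not a.startswith("s3:"):   # wildcard or non-S3 action
                problems.append(f"over-broad action: {a}")
        for r in ([resources] if isinstance(resources, str) else resources):
            if r not in allowed:                      # anything beyond the listed buckets
                problems.append(f"resource outside the listed buckets: {r}")
    return problems


if __name__ == "__main__":
    print(json.dumps(bucket_rw_policy(EXAMPLE_BUCKETS), indent=2))
```

Attach the generated policy to the role behind the instance profile; `policy_violations` is the review step to run before any hand-edited role policy is applied.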