Architecture: Securing via separate instances in multiple zones / data centres?

Dear Team,

In an organization, is it a good strategy to have multiple instances of Apigee on premises -

one inside the DMZ (all the nodes inside the DMZ) and a second instance in the secured WAN internal to the corporate network?

The use case is securing the "zones" / data.

In that case do we need 2 separate licenses ?

Regards

Sujith Mathew

Solved - 2 accepted solutions

6 REPLIES

What is your current Private Cloud license? Based on that info I can let you know the correct answer. Also, it may not be necessary to deploy 2 instances; it depends on your network and security requirements.

Firstly, apologies for the late response.

Current is a 4-node license (the license is for the message server, it seems); other nodes are "free", it seems.

The use case is a separate corporate private network spanning multiple (geo)locations.

The current architecture is for public-facing internet (on premises).

Hope I am clear 🙂

For licensing requirements, if you indeed decide to install multiple instances you will need to contact your account rep. You can install your RMPs in the DMZ and your datastore in the internal WAN. As long as the RMPs can communicate with the datastores, it doesn't matter what zone or layer they are deployed in. Many clients deploy the platform across security zones but as one planet. Hope this helps.

	You can install your RMPs in the DMZ and your datastore in the internal WAN. As long as the RMPs can communicate with the datastores, it doesn't matter what zone or layer they are deployed in. Many clients deploy the platform across security zones but as one planet. Hope this helps.

That's news to me.

1. As already mentioned, we have a 5-node architecture: 2 RMP + 2 for analytics + 1 for MS. As I mentioned, our license is for 4 nodes, and it is written in the copy of the license agreement that "node" means MP only.

Does that mean our corporation still has a 2-node license remaining?

2. Does that mean we can install 2 new MPs in the new zone and use the existing 2 nodes for analytics and 1 for MS? Is this technically feasible and correct license-wise?


Yes, I can contact the account rep, but I get more clarifications and solutions here in the community than via the time-consuming "formal" method 🙂

That's one reason I recommended Apigee over another. The support and solutions I get are great.



Sujith,

I don't think I fully understand your initial question or the one about the license, but I'll try to provide guidance below.

Edge does not dictate what your network zoning should be. You can decide what is best given your security requirements.

Edge has clear connectivity requirements within a Region (within a DC) as well as across regions. The connectivity requirements are described at the link below:

http://docs.apigee.com/private-cloud/latest/installation-requirements#firewallsandvirtualhosts-edgep...

Assuming two zones (A and B). What are the options?

  • All components could be on Zone A.
  • All components could be on Zone B.
  • Routers could be on Zone A, all other components on B.
  • Routers and Message Processors could be on A, the rest on B.
  • Routers, Message Processors and Developer Portal could be on A, the rest on B.

Please note that the list above does not include all possibilities, but it represents typical component placement.

In regards to the license question:

  • If you are using the legacy license model based on cores: cores apply to Message Processors (MPs). On this model, more MPs can require more licenses. Each license gives you 2 MP instances.
  • If you are using the current license model, there is no limitation on the number of Message Processors. The current Private Cloud license is based on API volume (number of API calls in Production). On this model you can have any number of MPs.

On both license models above you can have as many other components as you want. The number of components will be driven by your requirements (API volume, availability, resiliency, data retention, network zoning, etc.).

I encourage you to participate in our Operations Training class. The training covers architecture, topology design, security, installation, upgrade, management and many other topics important for Architects and Operation teams.

http://academy.apigee.com/instructor-led-training
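The two accepted answers above make the same point: a single planet can be split across zones (RMPs in the DMZ, datastores internal), and the only hard constraint is that the required component-to-component connections are allowed through the zone boundary. The script below is an added example, not part of the thread or of Apigee's own tooling. It models the typical placements listed above (Routers only, Routers + MPs, or everything in the exposed zone), derives the firewall allow-list each placement needs between the two zones, and flags what a security reviewer would look at: stateful or credential-holding components placed in the exposed zone, and connections the exposed zone initiates inward. The component names follow the Edge architecture discussed in the thread; the listening ports are assumed illustrative values and must be checked against the installation-requirements page linked above before any rule is written.

```python
"""Zone-placement checker for an Edge for Private Cloud planet split across security zones.

Added example, not code from the thread or from Apigee. Component names follow the
Edge architecture discussed above; the ports below are ASSUMED illustrative values,
to be verified against the installation-requirements documentation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # component that opens the connection
    dst: str      # component that listens
    port: int     # listening port on dst (assumed value)
    purpose: str


# Connections one planet needs between its own components. Direction matters
# for firewall rules: src initiates, dst listens. Ports are assumptions.
REQUIRED_FLOWS = (
    Flow("router", "message-processor", 8998, "forward API traffic"),
    Flow("message-processor", "cassandra", 9042, "KVM, cache, tokens"),
    Flow("message-processor", "zookeeper", 2181, "config and deploy notifications"),
    Flow("message-processor", "qpid", 5672, "analytics events"),
    Flow("management-server", "cassandra", 9042, "config storage"),
    Flow("management-server", "zookeeper", 2181, "config storage"),
    Flow("management-server", "openldap", 10389, "admin authentication"),
    Flow("management-server", "router", 8081, "router management API"),
    Flow("management-server", "message-processor", 8082, "MP management API"),
    Flow("qpid", "postgres", 5432, "analytics load"),
    Flow("management-server", "postgres", 5432, "analytics queries"),
)

# Components that persist data or credentials; keep them out of the zone
# that terminates internet traffic.
STATEFUL = frozenset({"cassandra", "zookeeper", "postgres", "qpid", "openldap", "management-server"})

ALL_COMPONENTS = frozenset(f.src for f in REQUIRED_FLOWS) | frozenset(f.dst for f in REQUIRED_FLOWS)


def build_placement(exposed, exposed_zone="dmz", internal_zone="internal"):
    """Map every component to a zone, given the set placed in the exposed zone."""
    return {c: (exposed_zone if c in exposed else internal_zone) for c in ALL_COMPONENTS}


def cross_zone_rules(placement):
    """Firewall allow-list a split planet needs: (src_zone, dst_zone, port, description)."""
    missing = ALL_COMPONENTS - set(placement)
    if missing:
        raise ValueError(f"no zone assigned for: {sorted(missing)}")
    rules = []
    for f in REQUIRED_FLOWS:
        src_zone, dst_zone = placement[f.src], placement[f.dst]
        if src_zone != dst_zone:
            rules.append((src_zone, dst_zone, f.port, f"{f.src} -> {f.dst}: {f.purpose}"))
    return rules


def findings(placement, exposed_zone="dmz"):
    """Review points: stateful components sitting in the exposed zone, and every
    connection the exposed zone initiates inward (each is a hole in the internal firewall)."""
    out = []
    for comp in sorted(STATEFUL):
        if placement[comp] == exposed_zone:
            out.append(f"{comp} is in {exposed_zone}: stateful component in the exposed zone")
    for src_zone, dst_zone, port, desc in cross_zone_rules(placement):
        if src_zone == exposed_zone:
            out.append(f"inbound {src_zone} -> {dst_zone} on {port} ({desc})")
    return out


# The typical placements listed in the thread.
ROUTERS_ONLY = build_placement({"router"})
ROUTERS_AND_MPS = build_placement({"router", "message-processor"})
ALL_IN_DMZ = build_placement(ALL_COMPONENTS)


if __name__ == "__main__":
    for name, p in (("routers only in dmz", ROUTERS_ONLY),
                    ("routers + MPs in dmz", ROUTERS_AND_MPS),
                    ("everything in dmz", ALL_IN_DMZ)):
        print(f"== {name} ==")
        for rule in cross_zone_rules(p):
            print("  allow ", rule)
        for item in findings(p):
            print("  review", item)
```

Running it shows the trade-off behind the placement options: Routers alone in the DMZ need one inbound hole (Router to MP) plus one outbound management flow; moving the MPs into the DMZ as well removes the Router-to-MP hole but replaces it with three inbound flows to the datastores, which is the "RMPs can communicate to the datastores" condition from the first answer expressed as concrete rules. A fully separate second planet per zone needs no cross-zone rules at all, at the cost of a second set of every stateful component and no shared configuration.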

We do not have any near Dubai.

Thanks