@@ -0,0 +1,21 @@
+# Architecture Notes
+
+Notes on the multiaccount/multipartition architecture. Draft.
+
+## VPC Breakdown
+
+Proposed VPC Breakdown
+
+| VPC Name | Accounts | Purpose | Servers | Special Traffic Considerations |
+| ------------------- | ------------------------ | ----------------------------------------------- | ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
+| vpc-splunk | Customer and C2 | Splunk Clusters including Moose | splunk-\* | Inbound Splunk Data from Customers |
+| vpc-interconnects | C2 Gov Only | Connect GovCloud and Commercial | interconnect-\* | IPSEC inbound and outbound to Transit Gateways |
+| vpc-access | C2 Gov Only | VPN and Bastion Access | openvpn-\*, bastion\* | Inbound from internet/whitelist. Outbound to all systems on admin ports. |
+| vpc-portal | C2 Gov Only??? | Customer Portal | portal\* and supporting | Inbound HTTPS, outbound to customer vpc-splunk |
+| vpc-public | C2 Gov Only | Publicly Accessible Services for Infrastructure | github, ghe-backup, jira | Inbound HTTPS |
+| vpc-scanners | C2 Gov and Commercial | Security Scanning | qualys-\* | Outbound to private |
+| vpc-system-services | C2 Gov and Commercial(?) | Services provided to systems | mailrelay, oscontext-unbound, proxy, reposerver, resolver, salt-master, sensu, vault | Inbound from private |
+| vpc-NEEDS-A-NAME | C2 Gov Only | Employee Services that access Splunk | fm-shared-search, qcompliance | Inbound from employees, outbound to all splunk |
+| vpc-vmray | C2 Gov Only | Malware Detonation | vmray-\* | Inbound from employees |
+
+
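Review bot: the vpc-access row leaves the most security-relevant question in this table open: "Inbound from internet/whitelist" does not say whether the openvpn-* and bastion* endpoints accept connections from the whole internet or only from the allowlisted ranges, and "Outbound to all systems on admin ports" gives the access VPC administrative reach into every other VPC listed. Suggest stating the inbound source explicitly (for example "Inbound on the VPN port from allowlisted ranges only; no public bastion exposure") and qualifying the outbound as egress to admin ports of named target VPCs, enforced by security groups or routing, rather than "all systems". The vpc-vmray row records only an inbound consideration; a malware detonation VPC should have its outbound policy written down (no egress, or egress only through a controlled proxy) so the table does not read as permitting unrestricted internet from the sandbox. The remaining placeholders ("vpc-NEEDS-A-NAME", "C2 Gov Only???", "Commercial(?)") should be resolved or tracked as open items before this leaves draft, and the two trailing empty lines at the end of the file can be dropped.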