Alicloud: Designing a secure multi-account, multi region (load balance) cloud architecture


In this design, I show a basic architecture for planning a multi-account, multi-region (load-balanced) cloud setup.

Account Design

The account design starts with the root account, which no one accesses unless required. The purpose of the root account is to create the other sub-accounts and to handle billing.

The setup for Cloud Config and Governance Center also lives here. If you need to adhere to banking industry requirements, this is where that configuration is applied to all the sub-accounts. You can shift it to the security account instead, but that requires talking to the Alibaba Cloud team.

The Non Secure Production Account splits out the use of KMS and ACR (Container Registry), because these should not be accessed by any developers. Software developers can only access Dev and Test (limited access). The team that accesses this account is DevOps, which handles the CI/CD part.

The Production and DR accounts are linked to one another through GTM. In Alicloud, regions (Malaysia and Singapore in particular) don't share resources, which is why each has its own set of resources.

Security

The design focuses on security, using Security Center, Cloud Firewall, WAF, Anti-DDoS, a north-south firewall and an east-west firewall.

On the topic of KMS, you can use Hardware KMS + HSM in Production and DR. That is costly, but it works for enhanced security. The good part is that you can purchase an external service for BYOK (Bring Your Own Key) to integrate with Alicloud Hardware KMS. The downside of using Hardware KMS is the pain of replacing the key in every application that uses it: there is no auto rotation on the Hardware KMS. Auto rotation only happens on the external service, and you still have to manually create the keys in the Hardware KMS to link them up.
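Because nothing rotates the Hardware KMS keys for you, it helps to track key age yourself. The sketch below is an added example, not code from this article or from Alibaba Cloud: it flags manually rotated keys that have passed a rotation deadline and lists the applications that would need to be re-pointed. The metadata field names (assumed to follow the KMS DescribeKey response), the key IDs, the application inventory and the 365-day policy are all assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like KeyMetadata from KMS DescribeKey (field names
# are an assumption; key IDs, dates and values are made up).
SAMPLE_KEYS = json.loads("""[
  {"KeyId": "key-prod-pay", "ProtectionLevel": "HSM", "Origin": "EXTERNAL",
   "AutomaticRotation": "Disabled", "CreationDate": "2023-01-10T08:00:00Z"},
  {"KeyId": "key-dr-pay", "ProtectionLevel": "HSM", "Origin": "EXTERNAL",
   "AutomaticRotation": "Disabled", "CreationDate": "2024-11-01T08:00:00Z"},
  {"KeyId": "key-dev-app", "ProtectionLevel": "SOFTWARE", "Origin": "Aliyun_KMS",
   "AutomaticRotation": "Enabled", "CreationDate": "2022-05-01T08:00:00Z"}
]""")

# Hypothetical inventory of which applications reference each key ID.
KEY_CONSUMERS = {"key-prod-pay": ["payments-api", "ledger-batch"],
                 "key-dr-pay": ["payments-api-dr"]}

MAX_AGE = timedelta(days=365)  # assumed rotation policy, not from the article


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_manual(key):
    """Keys that KMS will not rotate for you: HSM-backed, imported, or rotation off."""
    return (key.get("ProtectionLevel") == "HSM"
            or key.get("Origin") == "EXTERNAL"
            or key.get("AutomaticRotation") != "Enabled")


def overdue_keys(keys, now, max_age=MAX_AGE, consumers=KEY_CONSUMERS):
    """Return manually rotated keys older than max_age, oldest first."""
    report = []
    for key in keys:
        # A manual rotation creates a new key, so CreationDate is the key's age.
        age = now - parse_ts(key["CreationDate"])
        if is_manual(key) and age > max_age:
            report.append({"KeyId": key["KeyId"], "age_days": age.days,
                           "apps_to_update": consumers.get(key["KeyId"], [])})
    return sorted(report, key=lambda r: r["age_days"], reverse=True)


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 10, tzinfo=timezone.utc)  # fixed for repeatable output
    for row in overdue_keys(SAMPLE_KEYS, fixed_now):
        print(row)
```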

DevOps

Understanding ACK One and ACK: ACK One is the orchestration layer, and ACK is the Kubernetes layer. If you have 2 containers in Production, you need to register both with ACK One. ACK One provides the GitOps tool ArgoCD as part of the service. To deploy an application, you link the clusters to your deployment code. You can do this through GitHub, which requires you to provide secure kubeconfig access in a GitHub secret. I will share how this is done in a future article.

Cost

Cost depends on your company's needs. This setup will cost roughly USD 1 million, not including the security cost or the north-south and east-west firewall appliances.