...
The IP ranges for the subnets will need to be further discussed to ensure there is clarity in what is public/private and elasticity
Load balancers will need to be defined perhaps in a lower level diagram
Jumpbox/Bastion hosts may not be needed if we have the tools/monitoring
Security
There are many security considerations when working with AWS or any kind of infrastructure but the main benefit of using a cloud provider like AWS is that security is “baked in” and that it should provide features to make it easier.
An additional session was done on 22nd April to try a catalogue what security concerns/standards we would like in place for the migration.
Here are some of the high level things we’d want in terms of security
Encryption
In transit - this is relation to network traffic
At rest - when data is stored on disk (either as files or in a form of a database)
Security groups
These behave like firewalls which limit (reject) certain types of traffic - can be attached to many types of resources
Many finely grained groups, named appropriately and not shared between VPC’s
Chained where it makes sense
WAF (Web application firewall)
Where it makes sense, to be placed in front of any application that receives traffic sourced externally
Controlled networking routes
Resources can only be reached via certain routes
No public IP’s
Applications must be stored in privates subnets with no direct accessible route from outside the VPC
Application
The applications we develop and deploy fit roughly in 3 groups
...