Anypoint VPC simplified

  • July 31, 2020

In this tech article, we’ll learn about Anypoint Virtual Private Cloud (VPC), including its advantages and how to create an Anypoint VPC in your environment.

What is Anypoint VPC?

Anypoint VPC is an on-demand configurable pool of shared computing resources allocated within a public cloud environment and yet providing a certain level of isolation between different organizations using the resources.

The Anypoint VPC offering allows you to create a virtual, private and isolated network segment in the cloud to host your CloudHub workers.

Connecting to your Anypoint VPC extends your corporate network and allows CloudHub workers to access resources behind your corporate firewall. You can connect on-premises data centers through a secured VPN tunnel, a private AWS VPC through VPC peering or by using AWS Direct Connect.

In short, an Anypoint VPC restricts the inbound traffic that can reach the applications deployed within it.

Understanding MuleSoft port usage

MuleSoft recommends using specific ports:

  • 8081. MuleSoft recommends this port for HTTP transport. Applications deployed to CloudHub have http.port set to 8081 by default.
  • 8082. MuleSoft recommends this port for HTTPS transport. Applications deployed to CloudHub have https.port set to 8082 by default.
  • 8091. MuleSoft recommends this port for private HTTP transport, that is, HTTP traffic from inside the Anypoint VPC. Applications deployed to CloudHub have http.private.port set to 8091 by default.
  • 8092. MuleSoft recommends this port for private HTTPS transport, that is, HTTPS traffic from inside the Anypoint VPC. Applications deployed to CloudHub have https.private.port set to 8092 by default.

All four properties are reserved, and CloudHub supplies their default values.

MuleSoft application URL

When you deploy an application to CloudHub, you can reach it through the following URLs:

  1. <application-name>.<region>.cloudhub.io
  2. mule-worker-<application-name>.<region>.cloudhub.io:<port>
  3. mule-worker-internal-<application-name>.<region>.cloudhub.io:<port>
    • <application-name> is the deployed application name, which is unique across all MuleSoft clients
    • <region> is the region in which the application is deployed
    • <port> is 8081 or 8082, depending on whether the connection is HTTP or HTTPS

Three different URLs are listed for one application; each is served at a different layer.

[Image: Anypoint VPC1]

The first URL points to the MuleSoft shared load balancer. The shared load balancer redirects the request to the correct application and port based on the DNS entry.

The second URL resolves to the external IP address of the CloudHub workers.

The third URL resolves to the internal IP address of the CloudHub workers. Users cannot use it.

Create an Anypoint VPC

You can create an Anypoint VPC in three ways:

  1. Using Anypoint Platform
  2. Using Anypoint CLI
  3. Using Anypoint Platform API

This article explores the first method.

  1. Sign into your Anypoint Platform account as a user with the Organization Administrators role.
  2. Under Management Center, click Runtime Manager.
  3. In the left navigation, click VPCs.
  4. Click Create VPC and enter the following information to define and configure the Anypoint VPC:
    [Image: Anypoint VPC2]
    • Name. The name to identify your Anypoint VPC
    • Region. The region to which the Anypoint VPC is bound
    • CIDR block. The size of the Anypoint VPC in Classless Inter-Domain Routing (CIDR) notation
    • Environments. Optionally, select an environment to which the Anypoint VPC is bound
    • Set as default VPC. Select this option to set the Anypoint VPC as the default for the region you set
    • Business groups. Optionally, bind the Anypoint VPC to a business group
    • Firewall rules. Click Firewall Rules to expand the fields and then configure firewall rules. By default, all inbound traffic is blocked, and you need to configure firewall rules to allow traffic to your workers. (You can configure these rules later.)

Anypoint VPC firewall rules

You can create firewall rules based on your requirements. However, by default, when you first create an Anypoint VPC there are no preconfigured rules available — that is, all inbound traffic is blocked.

In general, you can configure four different rules, as shown in the image below:

[Image: Anypoint VPC3]
  • Rule #1: any application running on 8081 can be reached from anywhere
  • Rule #2: any application running on 8082 can be reached from anywhere
  • Rule #3: any application running on 8091 can be reached from any application running inside the same Anypoint VPC; if these applications need to be exposed outside the Anypoint VPC, then they can be exposed using a dedicated load balancer
  • Rule #4: any application running on 8092 can be reached from any application running inside the same Anypoint VPC; if these applications need to be exposed outside the Anypoint VPC, then they can be exposed using a dedicated load balancer

Scenario #1 is appropriate when only Rules #1 and #2 are configured and only a few applications are deployed on ports 8081, 8082, 8091 and 8092. Applications deployed on ports 8081 and 8082 will be accessible from anywhere. Applications deployed on ports 8091 and 8092 will not be accessible from anywhere, even after configuring the dedicated load balancer.

Scenario #2 is appropriate when only Rules #3 and #4 are configured and only a few applications are deployed on ports 8081, 8082, 8091 and 8092. Applications deployed on ports 8081 and 8082 will not be accessible from anywhere. Applications deployed on ports 8091 and 8092 will only be accessible from outside after configuring the dedicated load balancer.

Scenario #3 is appropriate when Rules #1, #2, #3 and #4 are configured and only a few applications are deployed on ports 8081, 8082, 8091 and 8092. Applications deployed on ports 8081 and 8082 will be accessible from anywhere. Applications deployed on ports 8091 and 8092 will only be accessible from anywhere after configuring the dedicated load balancer.
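To make the three scenarios concrete, here is a small Python model of the four firewall rules and of how a dedicated load balancer changes reachability. It is an added example, not code from the article or from MuleSoft; the rule representation, the `local-vpc` source label and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Source labels for a rule. ANYWHERE mirrors "from anywhere" in the article;
# LOCAL_VPC is a constructed label for "from any application running inside
# the same Anypoint VPC".
ANYWHERE = "0.0.0.0/0"
LOCAL_VPC = "local-vpc"


@dataclass(frozen=True)
class FirewallRule:
    port: int
    source: str  # ANYWHERE or LOCAL_VPC


# Rules #1 to #4 from the article, as constructed data.
RULE_1 = FirewallRule(8081, ANYWHERE)
RULE_2 = FirewallRule(8082, ANYWHERE)
RULE_3 = FirewallRule(8091, LOCAL_VPC)
RULE_4 = FirewallRule(8092, LOCAL_VPC)


def reachable(rules, port, origin, via_dedicated_lb=False):
    """True if a worker listening on `port` accepts traffic from `origin`.

    origin is ANYWHERE (the request comes from outside the VPC) or LOCAL_VPC
    (it comes from another worker in the same VPC). A dedicated load balancer
    sits inside the VPC, so an external request that passes through it is
    evaluated as VPC-local traffic. With no matching rule the traffic is
    blocked: inbound is deny-by-default.
    """
    if via_dedicated_lb:
        origin = LOCAL_VPC
    return any(r.port == port and r.source in (ANYWHERE, origin) for r in rules)


def scenario_table(rules):
    """Map each reserved port to (reachable directly from the internet,
    reachable from the internet through a dedicated load balancer)."""
    return {
        port: (reachable(rules, port, ANYWHERE),
               reachable(rules, port, ANYWHERE, via_dedicated_lb=True))
        for port in (8081, 8082, 8091, 8092)
    }


# Scenarios #1 to #3 from the article.
SCENARIOS = {
    1: scenario_table([RULE_1, RULE_2]),
    2: scenario_table([RULE_3, RULE_4]),
    3: scenario_table([RULE_1, RULE_2, RULE_3, RULE_4]),
}
```

The same model also answers the FAQ below: opening 8091 to anywhere makes a worker on that port reachable directly, without a dedicated load balancer.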

[Image: Anypoint VPC4]

Q: What’s the importance of region in Anypoint VPC?
A: Applications deployed in the same region as the Anypoint VPC benefit from the VPC.

Q: What’s the default number of VPCs available?
A: By default, two Anypoint VPCs are available with a base subscription. The assumption is that one VPC will be used for a production environment and the other for a non-production environment.

Q: Is it mandatory to have a dedicated load balancer with Anypoint VPC?
A: No, it is not mandatory. A dedicated load balancer is needed only when applications inside Anypoint VPC are deployed on ports 8091 and 8092 and need to be accessed from outside the Anypoint VPC.

Q: Does Anypoint VPC block outbound traffic?
A: Anypoint VPCs are used to restrict incoming traffic. They never interfere with outbound traffic.

Q: Is it mandatory to have a VPN along with Anypoint VPC?
A: No, it is not mandatory. A VPN is needed only when a client wants the outbound connection from the Anypoint VPC to their on-premises data center to be secured.

Q: Is Anypoint VPC identical to AWS VPC?
A: MuleSoft VPC is a customized/extended version of AWS VPC. They are not identical.

Q: How do you attach an application to an Anypoint VPC?
A: An Anypoint VPC is always attached to an environment. Once a VPC is attached to an environment, any new application deployed to that environment is placed inside the VPC automatically; applications that were already deployed need to be restarted.

Q: What happens if I configure the following firewall rule? Will I be able to access applications deployed on port 8091?

[Image: Anypoint VPC5]

A: Yes, you can, but only with URL #2 — that is, with the following URL:

http://mule-worker-<application-name>.<region>.cloudhub.io:8091

When to use Anypoint VPC?

Anypoint VPC is an optional component. However, if security is your primary goal, it is mandatory to have an Anypoint VPC.

Use Anypoint VPC in the following scenarios:

  • You have specific requirements for controlling incoming traffic to applications
  • You want to make an outbound connection secure using a VPN
  • You want to use a dedicated load balancer with Anypoint Platform

— By Mohammad Mazhar Ansari