Setting up VPC for high availability

In this section, we describe a common VPC setup for some of the high-availability approaches discussed later in this chapter.

Before setting up your VPC, you will need to carefully select your primary site and a DR site. Leverage AWS's global presence to select the best regions and availability zones to match your overall business objectives. The choice of a primary site is usually the closest region to the location of a majority of your customers, and the DR site could be in the next closest region, or a significantly distant one depending on your objectives. Next, we need to set up the network topology, which essentially includes setting up the VPC and the appropriate subnets. The public-facing servers are configured in a public subnet, whereas the database servers and other application servers hosting services like the directory services will normally reside in the private subnets.

Ensure that you choose different sets of IP addresses across the different regions for the multiregion deployment, for example, 10.0.0.0/16 for the primary region and 192.168.0.0/16 for the secondary region, to avoid any IP addressing conflicts when these regions are connected via a VPN tunnel. Appropriate routing tables and ACLs will also need to be defined to ensure that traffic can traverse between them. Cross-VPC connectivity is required so that data transfer can happen between the VPCs (say, from the private subnets in one region to the other region). The secure VPN tunnels are basically IPsec tunnels powered by VPN appliances—a primary and a secondary tunnel should be defined (in case the primary IPsec tunnel fails).

ELB is configured in the primary region to route traffic across multiple availability zones. However, you need not necessarily commission ELB for your secondary site at this time. Even though the ELB is not particularly expensive, this will help you avoid unnecessary costs for the ELB in your DR or secondary site. Gateway servers and NAT will need to be configured as they act as gatekeepers for all inbound and outbound internet access. Gateway servers are defined in the public subnet with appropriate licenses and keys to access your servers in the private subnet for server administration purposes. NAT is required for servers located in the private subnet to access the internet and is typically used for automatic patch updates.
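As an added example (not code from the book), the following Python check validates a two-region plan like the one described above before anything is provisioned: non-overlapping VPC ranges, subnets inside their VPC, private subnets egressing only through NAT, a VGW route to the peer region in every tier, and two VPN tunnels. Only the two VPC CIDRs come from the text; the subnet CIDRs and the igw/nat/vgw target labels are assumptions.

```python
import ipaddress

# Constructed two-region plan (hypothetical subnets and route targets; only the
# VPC CIDRs come from the text): one VPC per region, a public and a private
# subnet each, a NAT for private egress and a VGW for the cross-region VPN.
PLAN = {
    "primary": {
        "vpc": "10.0.0.0/16",
        "subnets": {"public": "10.0.1.0/24", "private": "10.0.2.0/24"},
        "routes": {"public": {"0.0.0.0/0": "igw", "192.168.0.0/16": "vgw"},
                   "private": {"0.0.0.0/0": "nat", "192.168.0.0/16": "vgw"}},
        "vpn_tunnels": 2,
    },
    "secondary": {
        "vpc": "192.168.0.0/16",
        "subnets": {"public": "192.168.1.0/24", "private": "192.168.2.0/24"},
        "routes": {"public": {"0.0.0.0/0": "igw", "10.0.0.0/16": "vgw"},
                   "private": {"0.0.0.0/0": "nat", "10.0.0.0/16": "vgw"}},
        "vpn_tunnels": 2,
    },
}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    regions = list(plan)
    # 1. VPC ranges must not overlap, or routes over the VPN become ambiguous.
    for i, a in enumerate(regions):
        for b in regions[i + 1:]:
            if ipaddress.ip_network(plan[a]["vpc"]).overlaps(ipaddress.ip_network(plan[b]["vpc"])):
                findings.append(f"VPC CIDRs of {a} and {b} overlap")
    for name, r in plan.items():
        vpc = ipaddress.ip_network(r["vpc"])
        for tier, cidr in r["subnets"].items():
            # 2. Every subnet must sit inside its VPC range.
            if not ipaddress.ip_network(cidr).subnet_of(vpc):
                findings.append(f"{name}/{tier} subnet {cidr} outside VPC {vpc}")
            routes = r["routes"][tier]
            # 3. Public tier reaches the internet via the IGW; the private tier
            #    (databases, directory services) only via NAT, never the IGW.
            want = "igw" if tier == "public" else "nat"
            if routes.get("0.0.0.0/0") != want:
                findings.append(f"{name}/{tier} default route should go via {want}")
            # 4. Each tier needs a route to every other region's VPC via the VGW.
            for other, o in plan.items():
                if other != name and routes.get(o["vpc"]) != "vgw":
                    findings.append(f"{name}/{tier} has no VGW route to {other} ({o['vpc']})")
        # 5. Primary and secondary IPsec tunnels, so one failure does not cut the link.
        if r["vpn_tunnels"] < 2:
            findings.append(f"{name} has fewer than two VPN tunnels")
    return findings
```

Run `check_plan(PLAN)` against your own plan dictionary; any non-empty result is a design flaw to fix before the VPN tunnels are brought up.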

Elastic load balancing and Amazon Route 53 are critical infrastructure components for scalable and highly available applications; we discuss these services in the next section.
