VPCs
Stax VPCs are pre-configured AWS VPCs that you can deploy within your Stax Networking Hub. Depending on your needs, you can choose how they connect with your Stax Networking Hub and other VPCs. Stax makes networking easy and secure by configuring route tables, NACLs, basic security groups, flow logs, and much more.
VPC Types
The type of VPC deployed will determine which VPCs can talk to each other and which VPCs are connected to the Internet. The four types of Stax VPCs include:
-
Isolated VPC: Segregated from all other Isolated and Flat VPCs. If required, this type of VPC can be connected to Shared Services VPCs and Transit VPCs for access to core services and outbound egress to the internet.
-
Flat VPC: Connectivity between Flat VPCs is only possible when the VPCs exist within the same Zone. A Zone is a group of VPCs defined by a customer.
-
Shared Services VPC: To provide core services across VPCs in a Hub, this type of VPC can be connected to all other VPCs.
-
Transit VPC: Created as a component of the Stax Networking Hub - this VPC provides centralized outbound access and egress to the internet. A Transit VPC is created only once by Stax as part of each Networking Hub and is shared across all CIDR Ranges within a Hub.
The table below provides an overview of inter-connectivity between Stax VPCs.
| VPC Type | Isolated | Flat | Shared Services | Transit |
|---|---|---|---|---|
| Isolated | ❌ | ❌ | ✔️ | ✔️ |
| Flat | ❌ | ✔️* | ✔️ | ✔️ |
| Shared Services | ✔️ | ✔️ | ✔️ | ✔️ |
| Transit | ✔️ | ✔️ | ✔️ | ✔️ |
*Connectivity between Flat VPCs is only possible when the VPCs exist within the same Zone.
Stax VPC Architecture
Stax VPCs are uniformly architected, regardless of the VPC type, and conform with AWS best practice. Stax VPCs are architected with the below configuration:
-
3 Availability Zones
-
4 Subnets - Public, Private, Restricted and Connectivity Subnets
-
VPC Flow Logging - all logs flow to an S3 bucket in your logging account
-
Gateway VPC Endpoints for AWS Services
-
3 sizes - Small (/23), Medium (/22) and Large (/20) (detailed subnet sizing information)
Subnets
Subnets provisioned by Stax within Stax VPCs conform to a strict security model. The table below provides detail in regard to this model.
| Trust Level | Security Zone |
|---|---|
| 0 | Endpoint Subnet: The Endpoint Subnet is only created within the Transit VPC, all other VPCs and their subnets are able to connect to interfaces within this subnet. Only Networking Hub Interface VPC Endpoints are to be deployed to this Zone. |
| 1 | Public Subnet: The Public Subnet is exposed publicly and acts as the flow control for data and interfaces within Private Subnet services. Customers with zero trust networks should connect endpoints (workstations and other devices/ services) to this Zone. |
| 2 | Connectivity Subnet: The Connectivity Subnet is dedicated to the customer and provided for connectivity between multiple Stax provisioned accounts, environments and VPCs. Customers with either trusted internal networks or SD-WAN networks can connect to the Transit Gateway. |
| 3 | Private Subnet: Authorized services from the Public Subnet or Connectivity Subnet can communicate with interfaces within the Private Subnet Zone. |
| 4 | Restricted Subnet: Only authorized services from the Private Subnet are permitted to connect to interfaces within the Restricted Subnet Zone. The Public Subnet and Connectivity Subnet are not permitted to directly connect to this Zone. |
The default subnet type connectivity within a VPC is as follows. Subnets can always communicate with other subnets of the same type. Other, shown below, refers to default route connectivity to networks outside of the VPC.
| Subnet Type | Endpoint | Public | Connectivity | Private | Restricted | Other |
|---|---|---|---|---|---|---|
| Endpoint | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ (via Transit Gateway) |
| Public | ✔️ TCP 443 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ (via Internet Gateway) |
| Connectivity | ✔️ TCP 443 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| Private | ✔️ TCP 443 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ (via Transit Gateway) |
| Restricted | ✔️ | ❌ | ❌ | ✔️ | ✔️ | ❌ |
More detail regarding the connectivity options for specific subnets can be found by reviewing the Route table and Network ACL tabs of the Subnet configuration in the AWS VPC Management Console.
CIDR Ranges
All Stax VPCs reside within a CIDR Range. A CIDR Range is the overarching object within a Stax Networking Hub that contains VPCs and Exclusions. The configured CIDR Range must be contained within an RFC1918-compliant private address space. You should confirm your CIDR ranges with your networking team before configuring them in a Stax Networking Hub. Some examples of supported CIDR ranges are below.
| CIDR Range | First IP Address | Last IP Address |
|---|---|---|
| 10.2.0.0/16 | 10.2.0.1 | 10.2.255.255 |
| 172.16.0.0/12 | 172.16.0.1 | 172.23.255.255 |
| 192.168.0.0/16 | 192.168.0.1 | 192.168.255.255 |
The largest supported size for a Stax CIDR Range is /8, while the smallest is /23.
When creating a Networking Hub in Stax, you must define a CIDR Range which will host your Transit VPC. Additional VPCs can be created in this same CIDR Range or additional ranges can be created.
CIDR Ranges cannot be resized once created. When creating a CIDR Range in Stax, we recommend you:
-
Ensure you size your CIDR Range to support growth for your workloads.
-
Ensure that your CIDR Range does not overlap with your organization’s other private network ranges. Use Stax Exclusions to exclude other private network ranges in your Networking Hub's CIDR Ranges if they overlap.
Exclusions
An Exclusion is a CIDR Range that will be reserved and excluded across all CIDR Ranges in a given Networking Hub. Exclusions help to prevent overlapping subnets and ensure the range of IP addresses in your CIDR Ranges are unique. Exclusions allow you to integrate Stax Networking Hubs with your on-premises data centers, offices and other VPCs without experiencing network address conflicts.
VPC Endpoints
AWS VPC endpoints provide fast and efficient integration with AWS resources. Stax provides you with the ability to enable AWS VPC Endpoints with a click of a button. It is important to be aware that enabling VPC Endpoints will incur costs, however, Stax helps you manage costs by sharing endpoints across VPCs.
Types of AWS VPC Endpoints offered by Stax:
-
Interface VPC Endpoints: Can be attached to Transit VPCs at the Networking Hub level and shared across other VPCs.
-
Gateway VPC Endpoints: Can be attached to any VPC.
CloudWatch VPC Flow Logs
When creating or updating your Stax VPC, you can choose to enable CloudWatch for your VPC Flow Logs. When this feature is enabled, Stax will automatically save your VPC flow logs to CloudWatch Log Groups in your VPC's account. You can access your flow logs via the CloudWatch Logs dashboard giving you immediate access to real-time application and system monitoring. Stax will continue to send all your VPC flow logs to a centralized S3 bucket in your logging account.