Deploying in a VPC without internet
The GeoSpock database can be installed in an AWS VPC that does not contain an internet gateway.
This enables you to meet security compliance rules that require isolation from the general internet. However, there are several restrictions that need to be met in order to use the private VPC setup.
Private VPC
The VPC supplied to the deployment machine when deploying the GeoSpock database in a setup without internet access must fulfil the following conditions:
The VPC must not have:
- an internet gateway
- subnets with NAT gateways.
The VPC must have:
- an `ssm` VPC endpoint interface attached with a security group that allows HTTPS (TCP 443) ingress traffic from all CIDR blocks of the VPC.
- an `ec2` VPC endpoint interface attached to all subnets.
- an `ec2messages` VPC endpoint interface attached to all subnets.
- a `logs` VPC endpoint interface attached to all subnets.
- an `sns` VPC endpoint interface attached to all subnets.
- a `monitoring` VPC endpoint interface attached to all subnets.
- an `sqs` VPC endpoint interface attached to all subnets.
- an `elasticbeanstalk` VPC endpoint interface attached to all subnets.
- an `elasticbeanstalk-health` VPC endpoint interface attached to all subnets.
- a `cloudformation` VPC endpoint interface attached to all subnets.
- an `rds` VPC endpoint interface attached to all subnets.
- a `states` VPC endpoint interface attached to all subnets.
- an `elasticmapreduce` VPC endpoint interface attached to all subnets.
- an `s3` VPC endpoint gateway with an entry in the route table of your subnets.
- a `dynamodb` VPC endpoint with an entry in the route table of your subnets.
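A pre-flight check for the conditions above, added here as an example and not GeoSpock's own tooling: it takes dicts in the shape of the EC2 `describe_*` API responses (so boto3 output can be passed in directly) and returns every condition the VPC fails. The region used to build the service names is an assumption, and the `dynamodb` endpoint is checked as a gateway endpoint because only gateway endpoints carry route-table entries.

```python
# Added example, not GeoSpock's code. Inputs mirror the EC2 describe_vpcs, describe_internet_gateways,
# describe_nat_gateways, describe_subnets, describe_route_tables, describe_vpc_endpoints and
# describe_security_groups response shapes. REGION is an assumption used to build service names.
REGION = "eu-west-1"
INTERFACE = ["ssm", "ec2", "ec2messages", "logs", "sns", "monitoring", "sqs", "elasticbeanstalk",
             "elasticbeanstalk-health", "cloudformation", "rds", "states", "elasticmapreduce"]
GATEWAY = ["s3", "dynamodb"]  # the page requires route-table entries, i.e. gateway endpoints

def svc(short):
    return f"com.amazonaws.{REGION}.{short}"

def allows_443(sg, cidrs):
    """True if the group has a TCP 443 (or all-traffic) ingress rule for every VPC CIDR."""
    return all(any((p["IpProtocol"] == "-1" or (p["IpProtocol"] == "tcp" and p["FromPort"] <= 443 <= p["ToPort"]))
                   and any(r["CidrIp"] == c for r in p["IpRanges"]) for p in sg["IpPermissions"]) for c in cidrs)

def check_private_vpc(vpc, igws, nats, subnets, route_tables, endpoints, sgs):
    """Return a list of findings; an empty list means the VPC satisfies the conditions above."""
    vid, out = vpc["VpcId"], []
    if any(a["VpcId"] == vid for g in igws for a in g["Attachments"]):
        out.append("internet gateway attached")
    if any(n["VpcId"] == vid and n["State"] != "deleted" for n in nats):
        out.append("NAT gateway present")
    subnet_ids = {s["SubnetId"] for s in subnets if s["VpcId"] == vid}
    # A subnet routes via its explicitly associated table, otherwise via the VPC's main table.
    rts = [r for r in route_tables if r["VpcId"] == vid]
    explicit = {a["SubnetId"]: r["RouteTableId"] for r in rts for a in r["Associations"] if "SubnetId" in a}
    main = next(r["RouteTableId"] for r in rts if any(a.get("Main") for a in r["Associations"]))
    needed_rts = {explicit.get(s, main) for s in subnet_ids}
    eps = {e["ServiceName"]: e for e in endpoints if e["VpcId"] == vid}
    cidrs = [c["CidrBlock"] for c in vpc["CidrBlockAssociationSet"]]
    sg_by_id = {g["GroupId"]: g for g in sgs}
    for s in INTERFACE:
        ep = eps.get(svc(s))
        if ep is None or ep["VpcEndpointType"] != "Interface":
            out.append(f"missing interface endpoint: {s}")
        elif s == "ssm":  # ssm is only required to carry a group allowing HTTPS from the VPC CIDRs
            if not any(allows_443(sg_by_id[g["GroupId"]], cidrs) for g in ep["Groups"]):
                out.append("ssm endpoint security group does not allow HTTPS 443 from all VPC CIDRs")
        elif missing := subnet_ids - set(ep["SubnetIds"]):
            out.append(f"{s} endpoint not attached to subnets {sorted(missing)}")
    for s in GATEWAY:
        ep = eps.get(svc(s))
        if ep is None or ep["VpcEndpointType"] != "Gateway":
            out.append(f"missing gateway endpoint: {s}")
        elif missing := needed_rts - set(ep["RouteTableIds"]):
            out.append(f"{s} endpoint missing from route tables {sorted(missing)}")
    return out
```

Run it against the output of the corresponding boto3 `describe_*` calls before starting the deployment; any non-empty result lists what still has to be fixed in the VPC.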
User authentication and authorization in private VPC
In a private VPC setup, the only allowed Identity Provider is an LDAPS server (see Authentication and authorization for more information).
Accessing GeoSpock Database in a private VPC
To access the GeoSpock database in a private VPC setup, you are required to have access to the private VPC. One common way to achieve such connectivity is to use a VPN connection, for example, AWS Client VPN.
Source Data
In a private VPC setup, only S3 files from buckets in the same region can be used, because the AWS S3 VPC endpoint does not allow cross-region interactions. For more information, please refer to the AWS S3 VPC endpoint documentation.