Deploying in a VPC without internet

The GeoSpock database can be installed in an AWS VPC that does not contain an internet gateway.

This enables you to meet security compliance rules that require isolation from the general internet. However, there are several restrictions that need to be met in order to use the private VPC setup.

Private VPC

The VPC supplied to the deployment machine when deploying the GeoSpock database in a setup without internet access must fulfil the following conditions:

The VPC must not have:

  • an internet gateway
  • subnets with NAT gateways.

The VPC must have:

  • an ssm VPC endpoint interface attached with a security group that allows inbound HTTPS (TCP 443) traffic from all CIDR blocks of the VPC.
  • an ec2 VPC endpoint interface attached to all subnets.
  • an ec2messages VPC endpoint interface attached to all subnets.
  • a logs VPC endpoint interface attached to all subnets.
  • an sns VPC endpoint interface attached to all subnets.
  • a monitoring VPC endpoint interface attached to all subnets.
  • an sqs VPC endpoint interface attached to all subnets.
  • an elasticbeanstalk VPC endpoint interface attached to all subnets.
  • an elasticbeanstalk-health VPC endpoint interface attached to all subnets.
  • a cloudformation VPC endpoint interface attached to all subnets.
  • an rds VPC endpoint interface attached to all subnets.
  • a states VPC endpoint interface attached to all subnets.
  • an elasticmapreduce VPC endpoint interface attached to all subnets.
  • an s3 VPC endpoint gateway with an entry in the route table of each of your subnets.
  • a dynamodb VPC endpoint gateway with an entry in the route table of each of your subnets.
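The conditions above are easy to get partly right (a leftover NAT gateway, one endpoint not attached to a new subnet, a gateway endpoint missing from one route table), so it pays to verify them before running the deployment. The pre-flight check below is an added example and is not part of the GeoSpock installer. It assumes the input records have the shape of the boto3 EC2 describe_* responses (describe_internet_gateways, describe_nat_gateways, describe_subnets, describe_route_tables, describe_vpc_endpoints, describe_security_groups); in a real run you would fetch those with boto3 and pass them in. The region name, resource IDs and CIDR in the sample data are constructed.

```python
"""Pre-flight check for the private-VPC conditions listed above.
Added example, not GeoSpock's own code. Records mimic boto3 EC2 describe_*
responses; the sample data in sample_report() is constructed."""
import ipaddress

INTERFACE_SERVICES = ["ssm", "ec2", "ec2messages", "logs", "sns", "monitoring", "sqs",
                      "elasticbeanstalk", "elasticbeanstalk-health", "cloudformation",
                      "rds", "states", "elasticmapreduce"]
GATEWAY_SERVICES = ["s3", "dynamodb"]


def service_name(region, short):
    """AWS service name of a VPC endpoint, e.g. com.amazonaws.eu-west-1.ssm."""
    return f"com.amazonaws.{region}.{short}"


def allows_443_from(perms, cidrs):
    """True if the merged inbound rules admit TCP 443 from every CIDR in cidrs."""
    def admits(p, net):
        if p["IpProtocol"] == "tcp" and not p["FromPort"] <= 443 <= p["ToPort"]:
            return False
        if p["IpProtocol"] not in ("tcp", "-1"):   # "-1" means all protocols/ports
            return False
        ranges = [ipaddress.ip_network(r["CidrIp"]) for r in p.get("IpRanges", [])]
        return any(r.version == net.version and r.supernet_of(net) for r in ranges)
    return all(any(admits(p, ipaddress.ip_network(c)) for p in perms) for c in cidrs)


def subnet_route_tables(route_tables, subnet_ids):
    """Map subnet -> route table: explicit association, else the VPC main table."""
    main = next(rt["RouteTableId"] for rt in route_tables
                if any(a.get("Main") for a in rt["Associations"]))
    rtb = {sid: main for sid in subnet_ids}
    for rt in route_tables:
        for a in rt["Associations"]:
            if a.get("SubnetId") in subnet_ids:
                rtb[a["SubnetId"]] = rt["RouteTableId"]
    return rtb


def check_private_vpc(region, vpc, igws, nat_gws, subnets, route_tables, endpoints, sgs):
    """Return the list of violations; an empty list means the VPC qualifies."""
    vpc_id, problems = vpc["VpcId"], []
    for igw in igws:                      # must not: internet gateway attached
        if any(a["VpcId"] == vpc_id for a in igw.get("Attachments", [])):
            problems.append(f"internet gateway {igw['InternetGatewayId']} attached")
    for nat in nat_gws:                   # must not: NAT gateway in any subnet
        if nat["VpcId"] == vpc_id and nat.get("State") != "deleted":
            problems.append(f"NAT gateway {nat['NatGatewayId']} in {nat['SubnetId']}")
    subnet_ids = {s["SubnetId"] for s in subnets if s["VpcId"] == vpc_id}
    by_service = {ep["ServiceName"]: ep for ep in endpoints if ep["VpcId"] == vpc_id}
    for short in INTERFACE_SERVICES:      # must have: interface endpoint on every subnet
        ep = by_service.get(service_name(region, short))
        if ep is None or ep["VpcEndpointType"] != "Interface":
            problems.append(f"missing interface endpoint: {short}")
            continue
        missing = subnet_ids - set(ep["SubnetIds"])
        if missing:
            problems.append(f"{short} endpoint missing from subnets {sorted(missing)}")
    ssm = by_service.get(service_name(region, "ssm"))
    if ssm is not None:                   # ssm endpoint SG must admit HTTPS from the whole VPC
        cidrs = [c["CidrBlock"] for c in vpc["CidrBlockAssociationSet"]]
        attached = {g["GroupId"] for g in ssm["Groups"]}
        perms = [p for sg in sgs if sg["GroupId"] in attached for p in sg["IpPermissions"]]
        if not allows_443_from(perms, cidrs):
            problems.append("ssm endpoint security group does not allow TCP 443 from the VPC CIDRs")
    rtb_of = subnet_route_tables(route_tables, subnet_ids)
    for short in GATEWAY_SERVICES:        # must have: gateway endpoint routed from every subnet
        ep = by_service.get(service_name(region, short))
        if ep is None or ep["VpcEndpointType"] != "Gateway":
            problems.append(f"missing gateway endpoint: {short}")
            continue
        unrouted = sorted(s for s, rt in rtb_of.items() if rt not in ep["RouteTableIds"])
        if unrouted:
            problems.append(f"{short} endpoint not in route table of subnets {unrouted}")
    return problems


def sample_report(region="eu-west-1"):
    """Constructed data: two subnets, a stray NAT gateway, sqs on one subnet only,
    dynamodb routed from the main table only. Region and IDs are assumptions."""
    subnets = ["subnet-0aaa", "subnet-0bbb"]

    def iface(short, on):
        return {"VpcId": "vpc-0001", "ServiceName": service_name(region, short),
                "VpcEndpointType": "Interface", "SubnetIds": list(on),
                "Groups": [{"GroupId": "sg-0ssm"}]}
    endpoints = [iface(s, subnets) for s in INTERFACE_SERVICES if s != "sqs"]
    endpoints.append(iface("sqs", subnets[:1]))
    endpoints += [{"VpcId": "vpc-0001", "ServiceName": service_name(region, "s3"),
                   "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-0main", "rtb-0bbb"]},
                  {"VpcId": "vpc-0001", "ServiceName": service_name(region, "dynamodb"),
                   "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-0main"]}]
    return check_private_vpc(
        region,
        vpc={"VpcId": "vpc-0001", "CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"}]},
        igws=[{"InternetGatewayId": "igw-0other", "Attachments": [{"VpcId": "vpc-0002"}]}],
        nat_gws=[{"NatGatewayId": "nat-0bad", "VpcId": "vpc-0001",
                  "SubnetId": "subnet-0aaa", "State": "available"}],
        subnets=[{"SubnetId": s, "VpcId": "vpc-0001"} for s in subnets],
        route_tables=[{"RouteTableId": "rtb-0main", "Associations": [{"Main": True}]},
                      {"RouteTableId": "rtb-0bbb", "Associations": [{"SubnetId": "subnet-0bbb"}]}],
        endpoints=endpoints,
        sgs=[{"GroupId": "sg-0ssm", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
              "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}])


if __name__ == "__main__":
    for line in sample_report():
        print("FAIL:", line)
```

Run against live data, feed check_private_vpc the output of the corresponding boto3 describe_* calls for the target VPC; the sample run reports the NAT gateway, the sqs endpoint that is absent from the second subnet, and the dynamodb gateway endpoint that is missing from that subnet's route table. The security-group check merges the rules of every group attached to the ssm endpoint, since AWS evaluates attached groups as a union.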

User authentication and authorization in private VPC

In a private VPC setup, the only allowed Identity Provider is an LDAPS server (see Authentication and authorization for more information).

Accessing GeoSpock Database in a private VPC

To access the GeoSpock database in a private VPC setup, you need network connectivity into the private VPC, since it is not reachable from the internet. One common way to achieve such connectivity is a VPN connection, for example AWS Client VPN.

Source Data

In a private VPC setup, only S3 files from buckets in the same region as the VPC can be used, because the S3 gateway VPC endpoint does not allow cross-region access. For more information, please refer to the AWS S3 VPC endpoint documentation.