MuleSoft Government Cloud is a secure, FedRAMP-compliant (FISMA Moderate) deployment environment that enables government agencies to use Anypoint Platform in the cloud. With MuleSoft Government Cloud, you can leverage an integration platform as a service (iPaaS) to reduce the infrastructure and management costs associated with legacy on-premises integration. Your IT teams can focus on designing and building APIs and integrations with Anypoint Platform rather than on managing and maintaining infrastructure. You can manage and monitor all government integration assets from a single secure, cloud-based management console.
1. Enable SSO using an IdP
MuleSoft Government Cloud works with your identity provider (IdP) to enable single sign-on (SSO) for users in your agency. Rather than using Anypoint Platform’s sign-in page, your users sign in through the SSO system to access Anypoint Platform. The IdP setup on MuleSoft Government Cloud is performed by our support team. MuleSoft Government Cloud supports either the OpenID Connect or the SAML 2.0 standard for SSO.
2. Share and isolate resources with business groups
Business groups are self-contained resource groups that contain Anypoint Platform resources, such as APIs and applications. They provide a way to separate and control access to Anypoint Platform resources, as users have access only to the business groups that they work within.
The master organization business group is created by default, and you can use it together with all the resources it holds, such as CPU cores, static IPs, environments, VPCs, VPNs, and load balancers. If you need to isolate resources based on your organization structure, you can create child business groups. Each business group you create has one direct parent and can have multiple children. Business groups provide more fine-grained control over access to resources: the redistributable entitlements of the parent business group can be allocated to its child business groups.
3. Isolate your worker instances using a VPC
Applications on MuleSoft Government Cloud are run by one or more instances of Mule, called workers. Each worker is a dedicated instance of Mule that runs your integration application. The worker cloud is a multi-tenant cloud of virtual machines. Anypoint Virtual Private Cloud (VPC) allows you to create a virtual, private, and isolated network segment in the cloud to host your organization’s MuleSoft Government Cloud workers. For example, the most common setup has one isolated network for your production environment and another for your non-production environments, such as QA and staging.
Determine the CIDR block size and range for the VPC. The smallest network subnet block you can assign to an Anypoint VPC is /24 and the largest is /16. A VPC cannot be resized once applications are deployed, so it’s important to size the VPC large enough to accommodate IPs for all services and instances. The address space reserved for MuleSoft workers should not conflict with address space in your data centers. A safe rule of thumb for deciding the size of your Anypoint VPC subnet is to allow 10 times the maximum number of applications you expect to deploy in the VPC.
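As an added illustration (not code from the original post or from MuleSoft), the following Python script applies the sizing guidance above: it derives the CIDR prefix for an expected number of applications using the 10x rule of thumb, clamps it to the /24 to /16 range an Anypoint VPC allows, and picks a block that does not overlap your data center ranges. The on-premises ranges and the candidate address space are constructed sample values.

```python
import ipaddress
import math

# Anypoint VPC limits stated in the post: /24 is the smallest block, /16 the largest.
LARGEST_PREFIX = 16
SMALLEST_PREFIX = 24
IPS_PER_APP = 10  # rule of thumb from the post: 10 addresses per expected application


def vpc_prefix_for(expected_apps: int) -> int:
    """Return the CIDR prefix length for expected_apps using the 10x rule of thumb.

    The result is clamped to the /24 .. /16 range; a ValueError is raised when even
    a /16 cannot hold the required addresses. Addresses the platform reserves inside
    the block are not modelled here, so treat the result as a lower bound on size.
    """
    if expected_apps < 1:
        raise ValueError("expected_apps must be positive")
    needed = expected_apps * IPS_PER_APP
    # Smallest power-of-two block that holds `needed` addresses, but never below a /24.
    host_bits = max(math.ceil(math.log2(needed)), 32 - SMALLEST_PREFIX)
    prefix = 32 - host_bits
    if prefix < LARGEST_PREFIX:
        raise ValueError(f"{expected_apps} apps need a /{prefix}; the Anypoint VPC maximum is /16")
    return prefix


def conflicting_ranges(vpc_cidr: str, datacenter_cidrs) -> list:
    """Return the data center ranges that overlap the proposed VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [c for c in datacenter_cidrs if ipaddress.ip_network(c).overlaps(vpc)]


def first_free_block(candidate_space: str, prefix: int, datacenter_cidrs) -> str:
    """Return the first /prefix block inside candidate_space that overlaps no data center range."""
    space = ipaddress.ip_network(candidate_space)
    for block in space.subnets(new_prefix=prefix):
        if not conflicting_ranges(str(block), datacenter_cidrs):
            return str(block)
    raise ValueError(f"no free /{prefix} block inside {candidate_space}")


if __name__ == "__main__":
    # Constructed sample input: ranges already used by the on-premises data center
    # and the private space the agency is willing to carve the VPC out of.
    on_prem = ["10.0.1.0/24", "192.168.0.0/16"]
    candidate_space = "10.0.0.0/20"
    prefix = vpc_prefix_for(100)  # 100 apps * 10 = 1000 addresses -> /22
    print(f"required block size: /{prefix}")
    print("chosen VPC CIDR:", first_free_block(candidate_space, prefix, on_prem))
```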
Place the VPC in a business group within your main Anypoint organization. Usually, you create the VPC in your master organization and then share it with different business groups.
You can specify custom private domains by adding the IP address and domain name for your network. When you provide private domains, your worker resolves them using your private DNS, so you can still use the internal host names of your private network (make sure your applications call the backend resources by FQDN). Identify the applications that need static IPs, as one VPC provides only two static IPs.
Connecting your Anypoint VPC to your corporate network extends that network and allows MuleSoft Government Cloud workers to access resources behind your corporate firewall. The available connection options are described in the next section.
Configure your own VPC firewall rules to allow specific IP ranges and ports to reach your workers. Before you implement firewall rules, or make changes to existing rules, you should fully understand all security implications.
4. Secure your data center connection
You can connect on-premises data centers through a secured VPN tunnel, or a private AWS VPC through VPC peering, or by using AWS Direct Connect.
IPsec VPN Tunnel
You can use an IPsec VPN tunnel with network-to-network configuration to connect your on-premises data centers to Anypoint VPC. Anypoint VPN supports site-to-site Internet Protocol security (IPsec) connections. A physical or software appliance, called a VPN endpoint, is the terminator on your side of the connection. The MuleSoft connection is an implementation of a virtual private gateway (VGW). The MuleSoft VGW is associated with a single MuleSoft VPC, but can support up to 10 VPN connections.
An IPsec VPN tunnel is recommended for VPC to on-premises connectivity, as it provides a standardized, secure way to connect. This method also integrates well with existing IT infrastructure, such as routers and appliances. The MuleSoft VPN/VGW implementation supports a maximum throughput of 1.25 Gbps.
Multiple VPN connections to the same VPC share the throughput capabilities of a single VGW. The VPN connection throughput depends on several factors, such as the capability of your VPN endpoint, the capacity of the connection, the average packet size, the protocol, and network latency between the gateways.
Anypoint VPN supports dynamic or static routing for VPN connections. With dynamic routing, your device uses Border Gateway Protocol (BGP) to advertise routes to Anypoint VPN. Use BGP routing if your device supports this protocol. Static routing requires you to specify the routes (subnets) in your network that are accessible through Anypoint VPN. One VPN connection connects one VPC to one customer gateway (data center). For a high availability setup, create two VPN connections.
VPC Peering
VPC peering provides a connection between two VPCs. In this case, it pairs your private Amazon VPC directly to your Anypoint VPC. This enables you to route traffic between the two VPCs so they can communicate as though they are in the same network. To use VPC peering, your AWS and Anypoint VPCs must be located in the same region.
Direct Connect
Direct Connect establishes a dedicated network connection from your Amazon account to your Anypoint VPC. Direct Connect is a network service that provides an alternative to using the internet. AWS Direct Connect provides customers with low latency, secure, and private connections to Anypoint VPC for workloads that require higher speed or lower latency than the internet.
Customers can implement additional security controls by encrypting the traffic that rides the direct connection using protocols such as TLS/SSL, HTTPS, and SSH. Direct Connect lets you create a hosted virtual interface that attaches to your Anypoint VPC. Direct Connect gateways are not supported. Direct Connect requires the use of the Border Gateway Protocol (BGP) for dynamic routing. For high availability, use multiple Direct Connect connections from different AWS Direct Connect locations. Direct Connect provides 1 Gbps and 10 Gbps port connections, and you can easily provision the requested bandwidth through your AWS Direct Connect Partner. The MuleSoft documentation provides details on how to connect a VPC with Direct Connect.
Hostname, IP address, and port connectivity to the data center
Involve your network security teams to verify that all the ports, hostnames, and IPs are allowed access and can connect from the list mentioned here. Also make sure that the data center firewalls are configured to allow access to applications, databases, etc. for connecting from the deployed applications in MuleSoft Government Cloud.
5. Distribute your API traffic with a load balancer
Shared load balancer
MuleSoft Government Cloud provides a default shared load balancer that is available in all environments. The shared load balancer provides basic functionality, such as TCP load balancing. Shared load balancers don’t allow you to configure custom SSL certificates or proxy rules. The shared load balancer supports TLS 1.2, and it routes HTTPS traffic to port 8082 and HTTP traffic to port 8081.
Dedicated load balancer
MuleSoft Government Cloud dedicated load balancers (DLBs) are an optional component of Anypoint Platform that enable you to route external and VPC-internal HTTP and HTTPS traffic to multiple Mule applications deployed to MuleSoft Government Cloud workers in a VPC.
Dedicated load balancers enable you to handle load balancing among the different MuleSoft Government Cloud workers that run your application. Define SSL configurations to provide custom certificates and optionally enforce two-way SSL client authentication. Configure proxy rules that map your applications to custom domains. This enables you to host your applications under a single domain. Create mapping rules that can support routing for different versions of an API. You can configure the IP address CIDR to allow access to your DLB.
To use a dedicated load balancer in your environment, you must first create an Anypoint VPC. Because you can associate multiple environments with the same Anypoint VPC, you can use the same dedicated load balancer for your different environments.
We look forward to government agencies using Anypoint Platform in a FedRAMP-authorized, cloud-based environment, where IT teams can rapidly design, develop, and manage APIs and integrations to connect cloud and on-premises applications, all from a single, unified platform. Learn how government agencies can accelerate digital transformation with MuleSoft’s Government Cloud by downloading our white paper.