
Create a VPC with the Anypoint Platform CLI

This section shows you how to create and configure an Anypoint Virtual Private Cloud (Anypoint VPC) using the Anypoint Platform CLI.

Log in to your organization and use the vpc create command to create the Anypoint VPC:

cloudhub vpc create vpc-tutorial us-east-1 10.111.0.0/24 --default

In this example:

  • The Anypoint VPC is called vpc-tutorial.

  • The Anypoint VPC is bound to the us-east-1 region.

    All Anypoint VPCs need to be associated to a CloudHub region.

  • The Anypoint VPC size is 10.111.0.0/24. In CIDR notation, this grants 256 IP addresses from 10.111.0.0 to 10.111.0.255.

    • It is not possible to resize an Anypoint VPC once created.

    • Understanding how to size your Anypoint VPC is crucial at this point. If you are not sure how to configure this, make sure to follow our VPC sizing guide.

    • The CIDR blocks chosen for the Anypoint VPC should ideally come from a private IP space, and should not overlap with any other Anypoint VPC’s CIDR Blocks or any CIDR Blocks in use in your corporate network.

  • The Anypoint VPC is set as default. This means that all environments in this region that are not associated to an Anypoint VPC will be, by default, associated to this Anypoint VPC.
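Because the CIDR block cannot be changed after creation, it is worth validating it before running vpc create. The following check is an added example, not part of the original documentation or of MuleSoft's tooling; it treats "private IP space" as the RFC 1918 ranges (an assumption), and the inventory labels and ranges are constructed sample values.

```python
import ipaddress

# RFC 1918 ranges, used here as the meaning of "private IP space" (assumption).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_range(cidr):
    """Return (first address, last address, address count) for a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses


def check_vpc_cidr(candidate, in_use):
    """Return the problems found with a proposed VPC CIDR; empty list means none.

    in_use maps a label to a CIDR block already allocated elsewhere
    (other Anypoint VPCs, corporate subnets).
    """
    try:
        net = ipaddress.ip_network(candidate)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"invalid CIDR block: {exc}"]
    problems = []
    if net.version != 4 or not any(net.subnet_of(p) for p in PRIVATE):
        problems.append(f"{net} is not inside RFC 1918 private space")
    for label, cidr in in_use.items():
        other = ipaddress.ip_network(cidr)
        if net.overlaps(other):
            problems.append(f"{net} overlaps {label} ({other})")
    return problems


if __name__ == "__main__":
    # Constructed inventory: labels and ranges are sample values.
    inventory = {"corp-lan": "10.20.0.0/16", "vpc-prod": "10.111.0.128/25"}
    print(cidr_range("10.111.0.0/24"))
    for problem in check_vpc_cidr("10.111.0.0/24", inventory):
        print("PROBLEM:", problem)
```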

In this example, we are not passing:

  • Environment information:
    Because no specific environment is set, every application deployed to US-EAST is associated with this Anypoint VPC, regardless of the environment to which it is deployed.

  • Business group information:
    Because no business group is passed, this Anypoint VPC is associated with the main organization.

When the operation succeeds, Anypoint Platform CLI displays the details of the newly created Anypoint VPC.

┌──────────────────────────────┬───────────────────┐
│ Name                         │ vpc-tutorial      │
├──────────────────────────────┼───────────────────┤
│ Region                       │ us-east-1         │
├──────────────────────────────┼───────────────────┤
│ CIDR Block                   │ 10.111.0.0/24     │
├──────────────────────────────┼───────────────────┤
│ Inherited                    │ No                │
├──────────────────────────────┼───────────────────┤
│ Organization default         │ Yes               │
├──────────────────────────────┼───────────────────┤
│ Special domains              │                   │
├──────────────────────────────┼───────────────────┤
│ DNS Servers                  │                   │
├──────────────────────────────┼───────────────────┤
│ Firewall rules               │                   │
├──────────────────────────────┼───────────────────┤
│ Environments                 │                   │
├──────────────────────────────┼───────────────────┤
│ Business groups              │                   │
├──────────────────────────────┼───────────────────┤
│ Load balancers               │                   │
└──────────────────────────────┴───────────────────┘

Create Firewall Rules

When the Anypoint VPC is created, four firewall rules are set by default. You can review them using the vpc firewall-rules describe command:

cloudhub vpc firewall-rules describe vpc-tutorial

This command returns:

┌───────┬────────────────────┬──────────┬────────────┬──────────┐
│ Index │ CIDR Block         │ Protocol │ From port  │ To port  │
├───────┼────────────────────┼──────────┼────────────┼──────────┤
│ 0     │ 10.111.0.0/24      │ TCP      │ 8091       │ 8092     │
├───────┼────────────────────┼──────────┼────────────┼──────────┤
│ 1     │ 0.0.0.0/0          │ TCP      │ 8081       │ 8082     │
└───────┴────────────────────┴──────────┴────────────┴──────────┘

Rule 0 allows inbound connections from inside your local Anypoint VPC through ports 8091 and 8092, while rule 1 allows traffic from any host to reach your workers through ports 8081 and 8082.

You can use the vpc firewall-rules remove command to remove any of the default rules or you can add new ones using the vpc firewall-rules add command.
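To review the rules systematically before deciding which to remove, the table printed by vpc firewall-rules describe can be parsed and each source range compared with the VPC's own CIDR block. This is an added example, not part of the original documentation; the function names are hypothetical and SAMPLE reproduces the output shown above.

```python
import ipaddress

# Output of "cloudhub vpc firewall-rules describe vpc-tutorial" as shown on this page.
SAMPLE = """\
┌───────┬────────────────────┬──────────┬────────────┬──────────┐
│ Index │ CIDR Block         │ Protocol │ From port  │ To port  │
├───────┼────────────────────┼──────────┼────────────┼──────────┤
│ 0     │ 10.111.0.0/24      │ TCP      │ 8091       │ 8092     │
├───────┼────────────────────┼──────────┼────────────┼──────────┤
│ 1     │ 0.0.0.0/0          │ TCP      │ 8081       │ 8082     │
└───────┴────────────────────┴──────────┴────────────┴──────────┘
"""


def parse_rules(table_text):
    """Turn the CLI's box-drawn table into a list of dicts keyed by column."""
    rows = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("│"):
            continue  # skip border and separator lines
        rows.append([cell.strip() for cell in line.strip("│").split("│")])
    header, *body = rows
    keys = [h.lower().replace(" ", "_") for h in header]
    return [dict(zip(keys, row)) for row in body]


def audit(rules, vpc_cidr):
    """Return (index, finding, port range) for rules that admit non-VPC sources."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["cidr_block"])
        ports = f'{rule["from_port"]}-{rule["to_port"]}'
        if src.prefixlen == 0:
            findings.append((int(rule["index"]), "open to any host", ports))
        elif not src.subnet_of(vpc):
            findings.append((int(rule["index"]), "source outside VPC", ports))
    return findings


if __name__ == "__main__":
    for index, finding, ports in audit(parse_rules(SAMPLE), "10.111.0.0/24"):
        print(f"rule {index}: {finding} on ports {ports}")
```

A finding is a prompt for review rather than proof of a misconfiguration: rule 1 is a default, and whether it stays depends on whether your workers must be reachable from any host.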

Assume you want to enable TCP traffic through port 8090 inside your Anypoint VPC. You need to run the following:

cloudhub vpc firewall-rules add vpc-tutorial 10.111.0.0/24 tcp 8090

The arguments, in order:

  1. Set vpc-tutorial as the target Anypoint VPC for this new firewall rule.

  2. Set the IP range to allow only hosts from inside your Anypoint VPC by setting 10.111.0.0/24.
    In CIDR notation, this allows the range 10.111.0.0 to 10.111.0.255.

  3. Set the allowlisted protocol to tcp.

  4. Allow the port number 8090.

When you create a new firewall rule, the Anypoint Platform CLI shows you a success message:

VPC firewall modified successfully

Update an Existing Anypoint VPC

Although it is not possible to update certain values from your Anypoint VPC through the Anypoint Platform CLI, you can use the CloudHub API to programmatically manage and update your Anypoint VPC:

  1. Log in to the CloudHub services by passing your credentials to the https://anypoint.mulesoft.com/accounts/login endpoint.

  2. Use the organizations/{orgid}/vpcs/{vpcId} endpoint to update your Anypoint VPC.

You can use the CloudHub API to understand how to interact with the API’s resources.

For example, to update the environments of your Anypoint VPC you need to send a PUT request to the anypoint.mulesoft.com/cloudhub/api/organizations/{orgid}/vpcs/{vpcId} endpoint with a JSON payload:

{
	"associatedEnvironments": [
		"<EnvironmentId>"
	]
}

You can query your {orgid} using the account business-group describe command.

Your {vpcId} value is listed by running a cloudhub vpc describe-json command.

<EnvironmentId> needs to be replaced by the Id of the environment to which you want to associate this Anypoint VPC.
You can get the Ids for your environments by running the account environment list command.
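The two steps above can be scripted as follows. This is an added example, not MuleSoft's code: the login body fields (username, password), the access_token response field and the Bearer authorization header are assumptions about the API, and the function names are hypothetical.

```python
import json
import urllib.request
from urllib.parse import quote

BASE = "https://anypoint.mulesoft.com"
JSON_HEADERS = {"Content-Type": "application/json"}


def login_request(username, password):
    """Step 1: POST credentials to /accounts/login (body fields are assumed)."""
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(f"{BASE}/accounts/login", data=body,
                                  method="POST", headers=JSON_HEADERS)


def update_request(token, org_id, vpc_id, environment_ids):
    """Step 2: PUT the associatedEnvironments payload to the VPC resource."""
    # Percent-encode the IDs so a malformed value cannot change the request path.
    url = (f"{BASE}/cloudhub/api/organizations/{quote(org_id, safe='')}"
           f"/vpcs/{quote(vpc_id, safe='')}")
    body = json.dumps({"associatedEnvironments": list(environment_ids)}).encode()
    headers = dict(JSON_HEADERS, Authorization=f"Bearer {token}")  # assumed scheme
    return urllib.request.Request(url, data=body, method="PUT", headers=headers)


def http_send(request):
    """Send a request over HTTPS and return the decoded JSON response."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


def associate_environments(send, username, password, org_id, vpc_id, env_ids):
    """Log in, then update the VPC; send(request) must return parsed JSON."""
    token = send(login_request(username, password))["access_token"]  # assumed field
    return send(update_request(token, org_id, vpc_id, env_ids))


if __name__ == "__main__":
    import os
    # Credentials and IDs come from the environment, not from argv or source code.
    print(associate_environments(
        http_send, os.environ["ANYPOINT_USERNAME"], os.environ["ANYPOINT_PASSWORD"],
        os.environ["ANYPOINT_ORG_ID"], os.environ["ANYPOINT_VPC_ID"],
        os.environ["ANYPOINT_ENV_IDS"].split(",")))
```

The environment variable names are placeholders chosen for this example; reading secrets from the environment keeps them out of shell history and process listings.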