Contact Free trial Login

Provision a VPC

Provisioning an Anypoint VPC for your organization consists of two major steps:

  1. Create the VPC.
    This is a self-service process. You can create a VPC using either the Runtime Manager UI, or the Anypoint Platform CLI.

    The Anypoint Platform base subscription includes two Anypoint VPC licenses, which entitles your Anypoint Platform organization to two VPCs. Once your Anypoint VPC license limit is reached, the Create VPC option is disabled in the user interface.
  2. Connect to your Anypoint VPC.
    Configure your Anypoint VPN to connect the Anypoint VPC to your on-premise network. If you will be connecting your Anypoint VPC using VPC Peering or CloudHub Direct Connect, this must be done by a MuleSoft representative.

To avoid unnecessary downtime, it is critical to define the Anypoint VPC settings when you first create a new Anypoint VPC.
If you edit these settings after the Anypoint VPC is created, you must then remove all your workers and redeploy them after the change is complete.

These settings include:

  • The address space for your network.
    This determines the size of your Anypoint VPC.

  • The location of your VPC.
    To enable the VPC to host your workers, the Anypoint VPC must be bound to a business group and a specific CloudHub region.

    • The Organization or Business Group for your VPC.

    • The CloudHub Region for your VPC.

Read the following FAQs to understand how to plan a successful VPC setup.

FAQ: How to Calculate Anypoint VPC and VPN Licensing Requirements

To connect an Anypoint VPC through IPSec VPN, you must have the required number of licenses for your deployment scenario.

The Anypoint Platform base subscription includes two Anypoint VPC licenses, which entitles your Anypoint Platform organization to two licensed Anypoint VPCs. Anypoint VPN licenses are bundled with the Anypoint VPC license, so each Anypoint VPC license also entitles the organization to one VPN gateway with a connection to one public IP address in a remote location.

Anypoint VPN licenses do not need to have a one-to-one relationship with the Anypoint VPC licenses. For example, you can have one Anypoint VPC with two Anypoint VPNs and another VPC with no VPNs.

An additional Anypoint VPC license is required for each remote location that needs to be accessible from the Anypoint VPC.

FAQ: How to Size my VPC

When you create an Anypoint VPC, the range of IP addresses for the network must be specified in the form of a Classless Inter-Domain Routing (CIDR) block, using CIDR notation.
This address space is reserved for Mule workers, so it cannot overlap with any address space used in your data center if you want to peer it with your VPC.

To calculate the proper sizing for your Anypoint VPC, you first need to understand that the number of dedicated IP addresses is not the same as the number of workers you have deployed.
For each worker deployed to CloudHub, the following IP assignation takes place:

  • For better fault tolerance, the VPC subnet may be divided into up to four Availability Zones.

  • A few IP addresses are reserved for infrastructure.

  • At least two IP addresses per worker to perform at zero-downtime.

Due to this structure, the smallest network subnet block you can assign for your Anypoint VPC is /24 and the largest /16.
A /24 CIDR notation subnet has 256 IP addresses.
Reserving one IP address for the network and one for broadcast leaves you with 254 hosts for your worker. These get divided into four availability zones of 62 hosts each. Consider that each worker potentially needs two IP addresses for zero downtime, which leaves around 30 IP addresses to assign to your workers.
Consider also the environments required in a VPC. For example, if you need space for 300 instances each in Dev, QA, and UAT, you need to size for 1024 instances at minimum.

The safe rule of thumb for deciding the size of your Anypoint VPC subnet is to calculate 10 times the maximum number of expected apps to deploy in the VPC.

FAQ: Where To Place an Anypoint VPC Inside my Organization

As an organization administrator, you can create an Anypoint VPC and share it with any business group within your main organization.
However, once the Anypoint VPC is inherited by a business group, only the administrator of said business group can operate the Anypoint VPC. For example, an Anypoint organization administrator or a business group owner can create or update an existing Anypoint VPC (owned or inherited) to make it the default for either the region, the environment, or both.
However, if such an association already exists, it’s overwritten by the requested Anypoint VPC.

If no business group association is specified, or if your organization does not have any business groups, the Anypoint VPC ownership remains associated with the main organization. The organization under which the Anypoint VPC is created is the VPC owner and this organization’s administrator is the only one who can share the Anypoint VPC.
Anypoint VPCs can only be shared vertically from the main organization to one of its business groups, or from a business group to one of its child business groups.
You cannot share an Anypoint VPC created by a business group with another business group that is higher in the hierarchy.

It is recommended that you create your Anypoint VPC in your master organization, and share it with the other business groups.

FAQ: Which Region to use When Creating an Anypoint VPC

You can create your Anypoint VPC inside any of the available CloudHub regions.
The recommended region to use might vary depending on how you connect to your Anypoint VPC. If you are using a VPN tunnel, you might want to choose the CloudHub region closest to your data center.
However, if you are peering with your private AWS VPC, you need to create your Anypoint VPC in the same AWS region.

FAQ: How to deploy or move applications to a VPC

MuleSoft applications are deployed to an environment, such as development or sandbox).

When the deployment region matches the VPC region:

  • If the environment is already associated with a VPC at the time of application deployment, the app resides inside the VPC.

  • If the environment is associated with a VPC after the app deployment, the app will not reside inside the VPC until the app is restarted.

When the deployment region does not match the VPC region, the app is deployed outside of the VPC. This means that the app does not have access to any connectivity methods configured for the VPC.