chanj edited this page Sep 7, 2012 · 5 revisions

As of version 1.1, Asgard can create VPC-based Security Groups, Load Balancers, and Auto Scaling Groups. When creating a Security Group, you can specify any available VPC in your region. When creating a Load Balancer or Auto Scaling Group, you can specify one or more subnets.

You must add a special tag to any VPC subnet that you want to use in Asgard. Note that subnet configuration must currently be done outside of Asgard. An example tag would look like immutable_metadata = { "purpose": "internal", "target": "ec2" }. This tag is based on several Netflix conventions. Since the number of tags allowed on a resource is limited, we prefer to use the single key "immutable_metadata" with a JSON value holding the attributes that won't change over the lifetime of an object.

  • "purpose" indicates a type of subnet configuration. Purpose is an open-ended set of values used to describe the configuration of a subnet. The purpose value is what Asgard displays when choosing subnets. Purposes should be unique within an availability zone, and subnets with the same purpose in different zones should have a common configuration, so that multi-zone constructs like ASGs and ELBs behave the same in every zone.
  • "target" determines what kind of AWS object can use the subnet, which allows subnets to be partitioned by resource type. It is optional and currently has only two valid values ("ec2" and "elb"). If target is unspecified, Asgard will allow both ELBs and ASGs to be associated with the subnet.

By convention, Netflix uses these four subnet configurations:

  • { "purpose": "external", "target": "elb" } - Used to host external ELBs. The goal of splitting ELBs off to a separate subnet from instances is to give the ELBs room to scale and ensure that VPC instances and ELB instances are not competing for the same subnet capacity.
  • { "purpose": "external", "target": "ec2" } - Used to host externally facing instances (e.g. NAT instance, VPC instances with EIPs). These instances can directly receive traffic from external, non-VPC hosts (e.g. EC2, Internet).
  • { "purpose": "internal", "target": "ec2" } - Used to host internal instances. Instances on this subnet can communicate externally (assuming the subnet has been configured with a route table that facilitates this access) and can receive inbound communications from corporate/internal systems that may be accessible via a VPC customer gateway. These instances cannot receive direct inbound connections from external, non-VPC hosts (e.g. EC2, Internet). This subnet is also used to host instances that will be associated with an ELB (including both internal and external ELBs).
  • { "purpose": "internal", "target": "elb" } - Used to host internal ELBs. The goal of splitting ELBs off to a separate subnet from instances is to give the ELBs room to scale and ensure that VPC instances and ELB instances are not competing for the same subnet capacity.
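The following is an added Python example, not Asgard's own (Groovy) code: it decodes the immutable_metadata tag as described above and applies the purpose/target rules, so a subnet with no target is offered to both ELBs and ASGs, a malformed tag is skipped rather than trusted, and duplicate purposes within a zone are flagged. The boto3-style Key/Value tag layout, the subnet ids and the zone names are constructed placeholders; the sample tags use two of the four Netflix conventions listed here.

```python
import json

TAG_KEY = "immutable_metadata"
VALID_TARGETS = {"ec2", "elb"}

def parse_immutable_metadata(tags):
    # Decode the tag from boto3-style Key/Value dicts; None if absent, not JSON, no purpose, bad target.
    value = next((t["Value"] for t in tags if t.get("Key") == TAG_KEY), None)
    if value is None:
        return None
    try:
        meta = json.loads(value)
    except ValueError:
        return None
    if not isinstance(meta, dict) or not meta.get("purpose"):
        return None
    if meta.get("target") is not None and meta["target"] not in VALID_TARGETS:
        return None
    return meta

def usable_subnets(subnets, target):
    # Subnets a resource with this target ("ec2" for ASGs, "elb" for ELBs) may use;
    # a tag with no target leaves the subnet open to both, as described above.
    keep = []
    for subnet in subnets:
        meta = parse_immutable_metadata(subnet["Tags"])
        if meta is not None and meta.get("target") in (None, target):
            keep.append(subnet)
    return keep

def duplicate_purposes(subnets):
    # (zone, purpose) pairs claimed by more than one subnet; the convention says a
    # purpose should be unique within an availability zone.
    seen = {}
    for subnet in subnets:
        meta = parse_immutable_metadata(subnet["Tags"])
        if meta is not None:
            seen.setdefault((subnet["AvailabilityZone"], meta["purpose"]), []).append(subnet["SubnetId"])
    return {key: ids for key, ids in seen.items() if len(ids) > 1}

def _subnet(sid, zone, value):  # constructed sample data; ids and zones are placeholders
    return {"SubnetId": sid, "AvailabilityZone": zone, "Tags": [{"Key": TAG_KEY, "Value": value}]}

SAMPLE_SUBNETS = [
    _subnet("subnet-aaa1", "zone-a", json.dumps({"purpose": "external", "target": "elb"})),
    _subnet("subnet-aaa2", "zone-a", json.dumps({"purpose": "shared"})),  # no target: ec2 and elb
    _subnet("subnet-bbb1", "zone-b", json.dumps({"purpose": "internal", "target": "ec2"})),
    _subnet("subnet-bbb2", "zone-b", json.dumps({"purpose": "internal", "target": "ec2"})),
    _subnet("subnet-bad1", "zone-b", "purpose=internal"),  # malformed tag value, ignored
]
```

Run against real data by replacing SAMPLE_SUBNETS with the Subnets list returned by an EC2 DescribeSubnets call, which uses the same Key/Value tag layout.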
