Core Stack

Overview

The Core stack is the central infrastructure component of the Builder Vault, providing fundamental services such as user management, data storage, and internal communication mechanisms necessary for a robust and scalable cloud application.

  • The central unit, with the foundational infrastructure for the system's core functionality.
  • Contains shared resources like the SDK load balancer, shared node database, internal networking components, and the initial 2 Builder Vault node EC2 instances.

Prerequisites

Before deploying your Builder Vault core stack, ensure that:

  • You have at least 2 Builder Vault KMS stacks deployed for Node Indexes 1 and 2. You will need each node's KMS stack output of the SSM parameter ARN.
  • A hosted zone (Route53) where DNS records for each node can be registered.

High-Level Deployment Sequence

The high-level deployment steps are as follows:

  1. Register a public DNS zone for the Builder Vault nodes.
  2. Deploy Builder Vault Core from AWS MarketPlace.
  3. Set up the Builder Vault via the SDK.
  4. Back up the Builder Vault keys.

📘

Note:

The MarketPlace installation (Step 2) is expected to take 30 mins to deploy.

High-Level AWS Infrastructure Architecture Diagram

The AWS Marketplace deployment instantiates the following supporting infrastructure services. You don't need to request limit increases to the default Service Quotas for these resources.

Supporting Services                 Technology
Certificate Management              ACM
Confidential Computing              EC2 with Nitro Enclaves
Database Management                 RDS
DNS Management                      Route53
Infrastructure Deployment           CDK/CloudFormation
Key Management Services             KMS
Monitoring and Logging              CloudWatch
Secrets Management                  Secrets Manager
Software Distribution               ECR
Network Isolation and Management    VPC

🚧

Warning:

Ensure that organizational AWS policies do not restrict the use of these technologies.

As of December 2023, the Builder Vault is supported across the following AWS regions:

Regions:

  • us-east-1
  • us-east-2
  • us-west-1
  • us-west-2
  • ap-south-1
  • ap-southeast-1
  • ap-southeast-2
  • ap-northeast-1
  • ap-northeast-2
  • ap-northeast-3
  • ca-central-1
  • eu-central-1
  • eu-west-1
  • eu-west-2
  • eu-west-3
  • eu-north-1
  • sa-east-1

Networking Setup

We offer two network templates, implemented using the Builder Vault Node APIs and the AWS Message Queue interface, to support additional use cases for the AWS Marketplace deployment. These templates give you the following options:

  • BYO-VPC (Bring Your Own VPC)
  • Internal or Internet

Bring Your Own VPC

This template requires you to consider egress requirements (NAT gateway, transit egress) and how the nodes will be connected to the network. You can customize the template with additional adjustments so that it matches the particular requirements and preferences of your setup.

Internal or Internet Facing

The default installation exposes the Builder Vault Node APIs and the Message Queue interface to the public internet, with the allow-list on the Builder Vault Node APIs set to permit 0.0.0.0/0 (any source). Should you wish to restrict access to specific CIDR sources, configure the Allow CIDR range to access SDK field accordingly.

High-level AWS Deployment Networking Diagram