About
VPC as a Service (VPCaaS)
VPCaaS is FCS's unmanaged landing zone and also the foundational layer for FCS's managed offerings.
As an unmanaged landing zone, VPCaaS allows tenants to self-manage their applications and retain responsibility for application development, operations, architecture, and security.
As a baseline layer of FCS's cloud infrastructure stack, VPCaaS includes account configuration and infrastructure provisioned across every FCS AWS account. These include resources and configuration for cloud networking, identity and access management, logging, and monitoring.
More information about FCS landing zones can be found in the FAS IT-Playbook's landing zones page.
VPCaaS Features
The following key features are included in the VPCaaS offering.
- Standard AWS account under FCS Master Account
- FCS standard VPC which includes pre-created subnets and route tables
- Integration with the FCS cloud network, which provides inter-VPC, VPC to/from on-prem, and VPC to/from internet connectivity based on FCS network profiles
- Pre-created and delegated Route 53 DNS zones under the "fcs.gsa.gov" domain
- Standard SAML integration of the AWS account with FCS identity tools, which allows FCS user accounts to access the AWS account
The following features are NOT included in the VPCaaS offering.
- Servers: EC2 instances, bastions/jump servers, RDS and database servers, etc. In short, VPCaaS does not provide any compute service; tenants build compute services as needed
- Base hardened container images and hardened AMI images
- Pre-defined/configured DNS/URL names, firewall connections
- Security tools/agents, and tools for authentication and authorization. These services are available from various GSA enterprise teams, including the GSA security team.
For more detail on the VPCaaS shared responsibility model, including the tenant's responsibilities, refer to the VPCaaS shared responsibility page.
Benefits:
VPCaaS is a maximum flexibility, maximum ownership model. It is designed to provide maximum autonomy to tenants. This means the environment is self-managed and independent from FCS to the greatest extent possible. This includes responsibilities such as development, operations, architecture and security. It provides the following benefits for teams prepared to take a high level of responsibility and ownership, including security, ATO, compliance, development and operational responsibility.
- Tenants have the ability to self-provision infrastructure and migrate legacy applications
- Maximum IT solution flexibility
- Minimal external dependencies
- Part of GSA standard Portfolio
VPCaaS AWS Account Types
FCS offers the following standard accounts as part of unmanaged landing zones through VPCaaS. The primary differentiator for various account types is their intended purpose and associated network/connectivity profile.
Persistent Accounts
Production
Production accounts are intended for hosting production applications. For account-type purposes, staging and management accounts are also considered production accounts. Production VPCs have network-level connectivity to other production VPCs, shared services VPCs and GSA on-prem. Tenants can further control network access by using security groups.
Development/Test
Development/Test accounts are intended for development and test applications. Dev/Test VPCs have network-level connectivity to other Dev/Test VPCs, tenant-specific management VPCs, shared services VPCs and GSA on-prem. Tenants can further control network access by using security groups.
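The connectivity profile of a Production or Dev/Test account fixes which networks can reach a VPC at the routing level; security groups are the tenant's tool for narrowing that further. The script below is an added example written for this page (it is not FCS or GSA code) showing how a tenant could audit a security group's ingress rules against the sources its account profile is meant to allow. Rule dictionaries use the shape the AWS EC2 DescribeSecurityGroups API returns (`IpPermissions`, `IpRanges`/`CidrIp`, `Ipv6Ranges`/`CidrIpv6`); the `ALLOWED_SOURCES` prefixes standing in for "GSA on-prem" and "shared services" and the two sample groups are constructed placeholders, not real FCS address space.

```python
"""Audit security-group ingress rules against an account's connectivity profile.

Added example for this page; it is not FCS or GSA code.  Rule dictionaries
use the shape the AWS EC2 DescribeSecurityGroups API returns (IpPermissions,
IpRanges/CidrIp, Ipv6Ranges/CidrIpv6).  The sample groups and the prefixes
standing in for "GSA on-prem" and "shared services" are constructed
placeholders, not real FCS address space.
"""
import ipaddress

# Hypothetical source allow-list for a Dev/Test VPC.  The real prefixes come
# from the account's FCS network profile; these are placeholders only.
ALLOWED_SOURCES = {
    "gsa-on-prem (placeholder)": ipaddress.ip_network("10.0.0.0/8"),
    "fcs-shared-services (placeholder)": ipaddress.ip_network("172.16.0.0/12"),
}


def rule_is_permitted(cidr, allowed=ALLOWED_SOURCES):
    """True if every address in `cidr` falls inside one allowed prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(
        net.version == prefix.version and net.subnet_of(prefix)
        for prefix in allowed.values()
    )


def describe_ports(perm):
    """Render an IpPermission's protocol/port range for a finding."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "-1" is the API's value for all protocols
        return "all traffic"
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None:
        return proto
    return f"{proto}/{low}" if low == high else f"{proto}/{low}-{high}"


def audit_security_group(sg, allowed=ALLOWED_SOURCES):
    """Return findings for ingress rules that open wider than the profile.

    Severity: "high" for any-address sources (0.0.0.0/0 or ::/0), "medium"
    for a specific source outside the allow-list.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                severity, reason = "high", "open to any address"
            elif not rule_is_permitted(cidr, allowed):
                severity, reason = "medium", "source outside the account's connectivity profile"
            else:
                continue
            findings.append({
                "group": sg.get("GroupId"),
                "ports": describe_ports(perm),
                "source": cidr,
                "severity": severity,
                "reason": reason,
            })
    return findings


# Constructed sample groups (not real FCS resources).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-example-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # wide open
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},       # inside on-prem placeholder
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},       # outside the profile
        ],
    },
    {
        "GroupId": "sg-example-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "172.20.0.0/16"}]},      # inside shared-services placeholder
        ],
    },
]


def audit_all(groups=SAMPLE_GROUPS, allowed=ALLOWED_SOURCES):
    """Flatten findings across every group."""
    return [f for sg in groups for f in audit_security_group(sg, allowed)]


if __name__ == "__main__":
    for finding in audit_all():
        print(f"[{finding['severity']}] {finding['group']} {finding['ports']} "
              f"from {finding['source']}: {finding['reason']}")
```

Run against the constructed groups, the audit reports two findings for `sg-example-web` (the any-address SSH rule and the 8080 rule from an unprofiled source) and none for `sg-example-db`. In a real account the same function would be fed the `SecurityGroups` list from a DescribeSecurityGroups call, with `ALLOWED_SOURCES` replaced by the prefixes in the account's FCS network profile.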
Short-term Accounts
Sandbox
Sandbox accounts are intended for pre-development efforts and early POC work that may require access to limited areas of the internal GSA network or FCS services.
Sandbox VPCs have optional connectivity to GSA on-prem and other non-production FCS VPCs, as well as the public internet, protected by GSA SecOps firewalls. Optional connectivity requires additional security review and approvals. Sandbox accounts do not have access to production VPCs.
Lab
By contrast, Lab accounts are for experiments, tests and research. These are useful for exploratory Proof of Concept (PoC) work that does not require connectivity to the internal GSA network.
Lab VPCs do not support connectivity to GSA on-prem or FCS. As such, tenants have wider latitude to determine Lab VPC configuration (excluding some legacy Lab VPCs created prior to January 2024 that include Sandbox connectivity features). An AWS Internet Gateway can be added by the tenant to enable public internet connectivity.
Sandbox and Lab Comparison
Similarities
- Both sandbox and lab environments are meant to be transient and should not be used for production solutions. What does this mean to me?
  - Everything you develop should be stored in a separate repository, such as GSA-approved GitHub, as the entire account will be terminated at the end of testing.
  - FCS terminates sandbox and lab environments no later than the end of each fiscal year. If you need a persistent innovation environment, please speak to leadership.
- Cloud cost control is the tenant's responsibility. The tenant will receive a cost report each month for visibility.
- Neither environment can store sensitive or production data.
- Both environments are accessed using an FCS account.
Differences
- The sandbox environment can have FCS and GSA network connectivity.
  - Environment users cannot access the AWS IAM console without being on the GSA network. VDI or GFE is necessary for accessing the environment.
  - A ServiceNow ticket must be submitted to SecOps to establish network connectivity, including Internet connectivity. The network is protected with a GSA IT-approved network architecture.
- The lab environment is isolated.
  - An environment user can provision their own jump box to access the environment.
  - An environment user has complete control over how the virtual network is configured, including network boundaries and access to the Internet. The lab network cannot be connected to the rest of the FCS or GSA network.
Note: Each of these accounts is delivered with a VPC; however, connectivity and configuration options differ. For more information about network profiles and a comparison of connectivity options, refer to the FCS cloud network page.