Environments
What is an Environment?
An environment in Citadel is a construct built on top of an AWS account and a specific AWS region.
It includes:
- Baseline Setup
  - S3 buckets in the Log Archive AWS account
  - Membership to security services in the Audit AWS account
  - CloudTrail setup for audit trail logs
  - AWS Config for tracking resource changes and compliance status
- Network Setup
  - Virtual Private Cloud (VPC)
  - Subnets
    - 3 subnets per tier
    - Across 3 Availability Zones
    - 3 tiers: Public, Private and Secure
    - Total 9 subnets
  - Internet Gateway
  - Route Tables
  - NAT Gateway
    - 3 when High-Availability is enabled
    - 1 when High-Availability is disabled
    - One Elastic IP per NAT Gateway created
  - Network Access Control Lists (NACLs)
- DNS Hosted Zones (Route53) - configured later in the environment
- SSL Certificates issued by AWS Certificate Manager (ACM) - configured later in the environment
Preparation
To create an environment, you need:
- An AWS account under the same Organization as your connected Management AWS account. To create one, follow these instructions.
- The AWS Account ID of the account created.
Creating the Environment
- Log in to Citadel
- Go to Environments
- Click on New Environment
- Enter Environment Name
- Enter AWS Account ID
- Choose Region (see the explanation below to help you decide)
- Choose High-Availability (see the explanation below to help you decide)
Choosing a Region
You can only select Regions that have been prepared at the Management page.
Under the Initial Setup, you were asked to select a Primary AWS Region. This region is available to use when creating an environment.
Secondary regions can be added under Management > Regions (coming soon); once added, they can be used for new environments.
There is no practical difference between primary and secondary regions when creating environments.
Baseline Only (no network)
Select Baseline Only to deploy an environment without a network. The environment will then contain only the baseline:
- Baseline Setup
  - S3 buckets in the Log Archive AWS account
  - Membership to security services in the Audit AWS account
  - CloudTrail setup for audit trail logs
  - AWS Config for tracking resource changes and compliance status
High-Availability
Enabling High-Availability (or HA for short) will create 3 NAT Gateways instead of 1.
Regardless of HA, Citadel always deploys subnets across 3 Availability Zones (AZs), as it increases the availability and scalability of your applications without considerable extra costs.
With HA disabled, a single NAT Gateway is created in the first AZ, and the subnets in the other AZs route their outbound traffic through that first AZ to reach internet services.
This means that if HA is disabled and there is an outage in the first AZ, the applications and services deployed to the environment lose internet connectivity, and any calls to external APIs will fail.
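The following model of the layout described above (the 3-tier x 3-AZ subnet grid and the HA versus single NAT Gateway egress path) is an added illustration, not Citadel's own code. It assumes each subnet is a /20 carved sequentially from vpc_cidr_block, that only the Private tier has a default route via a NAT Gateway, and uses made-up names such as nat-a for the gateways.

```python
"""Model of a Citadel environment's network layout (added example).

Assumptions not stated on the page: /20 subnets carved in order from the
VPC block, AZ suffixes a/b/c, hypothetical NAT Gateway names 'nat-<az>',
and that only Private-tier subnets have a default route via a NAT Gateway.
"""
import ipaddress

TIERS = ("public", "private", "secure")
AZS = ("a", "b", "c")


def plan_subnets(vpc_cidr="10.10.0.0/16", new_prefix=20):
    """Carve the VPC block into one subnet per (tier, AZ): 3 x 3 = 9 subnets."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {(tier, az): str(next(blocks)) for tier in TIERS for az in AZS}


def nat_gateways(high_availability):
    """HA: one NAT Gateway (and one Elastic IP) per AZ; otherwise a single one in the first AZ."""
    azs = AZS if high_availability else AZS[:1]
    return {az: f"nat-{az}" for az in azs}  # constructed names


def egress_routes(high_availability):
    """Default route of each AZ's Private route table -> the NAT Gateway it uses.

    Without HA every AZ points at the gateway in the first AZ.
    """
    nats = nat_gateways(high_availability)
    return {az: nats.get(az, nats[AZS[0]]) for az in AZS}


def healthy_azs_losing_egress(high_availability, failed_az):
    """AZs that are still up but lose internet egress when failed_az goes down.

    This is the blast radius the HA section warns about: with HA disabled an
    outage in the first AZ takes egress away from the other two as well.
    """
    dead_nats = {nat for az, nat in nat_gateways(high_availability).items() if az == failed_az}
    return sorted(az for az, nat in egress_routes(high_availability).items()
                  if az != failed_az and nat in dead_nats)


if __name__ == "__main__":
    for (tier, az), cidr in plan_subnets().items():
        print(f"{tier:8s} {az}  {cidr}")
    print("HA off, AZ a down ->", healthy_azs_losing_egress(False, "a"))  # ['b', 'c']
    print("HA on,  AZ a down ->", healthy_azs_losing_egress(True, "a"))   # []
```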
Advanced Options
In the Advanced Options, you can set customised configurations. The options you can customise are listed below:
- CIDR Block Address:
  vpc_cidr_block: 10.10.0.0/16