By jason-mcalpin 2 min read
December 19, 2017

Connecting your Kubernetes cluster to on-premises resources

Writing microservices in containers and deploying them to a Kubernetes cluster running on IBM Cloud is a great way to create greenfield applications. Frequently you’ll also have mountains of useful data hosted by on-premises systems.  What if you can’t migrate this data to the cloud due to compliance reasons, but you still want to allow your new microservice application to leverage it?

In the IBM Cloud Container Service you can use a Vyatta Gateway Appliance or Fortigate Appliance as an IPSec VPN endpoint to connect your Kubernetes cluster to your on-premise datacenter. This allows your services running in Kubernetes to communicate with on-premise applications and resources through a secure encrypted tunnel.  Information on how to configure the IPSec VPN endpoint with a Vyatta Gateway Appliance can be found here.

Setting up a Vyatta Gateway Appliance or Fortigate Appliance as an IPSec VPN endpoint is not a simple, straight forward task.   The complexity and cost of both of these appliances makes them unattractive solutions when you have a single small Kubernetes cluster or multiple small clusters located in different IBM Cloud regions. The IBM Cloud Container Service now supports a third IPSec VPN method, the Strongswan IPSec VPN service, which resolves these concerns.

Strongswan IPSec VPN service

Unlike the Vyatta Gateway Appliance or Fortigate Appliance solutions which sit outside of your cluster, the Strongswan IPSec VPN service is completely integrated within your Kubernetes cluster. The IPSec VPN endpoint is provided as a Kubernetes pod. Configuration, deployment, and management of the Strongswan IPSec VPN service is also much easier since the normal Kubernetes commands can be utilized. Better yet, there is no additional charge for using the Strongswan IPSec VPN service.

The Strongswan IPSec VPN service consists of a Kubernetes service, a deployment, a daemon set, and multiple config maps. All of these resources and bundled together and delivered as a single Kubernetes Helm chart:

  • Configuration of the VPN service is provided by setting a handful of fields in a config yaml file. If unique VPN settings are required, a complete IPSec configuration file can be specified.

  • A single Helm install command deploys the Strongswan IPSec VPN configuration and automatically creates all the required Kubernetes resources.

  • Once VPN connectivity is established with the on-premises data center, a Kubernetes daemon setconfigures routing on each of the worker nodes.

  • Helm provides additional commands that allow: statusupgrade , rollback , and deletion of the VPN service after it has been deployed.

For more information on how you can use the Strongswan IPsec VPN service to securely connect your worker nodes to your on-premises data center, see Setting up VPN connectivity with the Strongswan IPSec VPN service in the IBM Cloud Container Service documentation.

Categories

Announcements  |  compute  |  networking  |  open-source  | 
jason-mcalpin

More from Announcements
September 21, 2023

IBM TechXchange underscores the importance of AI skilling and partner innovation

3 min read - Generative AI and large language models are poised to impact how we all access and use information. But as organizations race to adopt these new technologies for business, it requires a global ecosystem of partners with industry expertise to identify the right enterprise use-cases for AI and the technical skills to implement the technology. During TechXchange, IBM's premier technical learning event in Las Vegas last week, IBM Partner Plus members including our Strategic Partners, resellers, software vendors, distributors and service…

August 29, 2023

Introducing Inspiring Voices, a podcast exploring the impactful journeys of great leaders

< 1 min read - Learning about other people's careers, life challenges, and successes is a true source of inspiration that can impact our own ambitions as well as life and business choices in great ways. Brought to you by the Executive Search and Integration team at IBM, the Inspiring Voices podcast will showcase great leaders, taking you inside their personal stories about life, career choices and how to make an impact. In this first episode, host David Jones, Executive Search Lead at IBM, brings…

August 18, 2023

IBM watsonx Assistant and NICE CXone combine capabilities for a new chapter in CCaaS

5 min read - In an age of instant everything, ensuring a positive customer experience has become a top priority for enterprises. When one third of customers (32%) say they will walk away from a brand they love after just one bad experience (source: PWC), organizations are now applying massive investments to this experience, particularly with their live agents and contact centers.  For many enterprises, that investment includes modernizing their call centers by moving to cloud-based Contact Center as a Service (CCaaS) platforms. CCaaS solutions…

August 2, 2023

See what’s new in SingleStoreDB with IBM 8.0

3 min read - Despite decades of progress in database systems, builders have compromised on at least one of the following: speed, reliability, or ease. They have two options: one, they could get a document database that is fast and easy, but can’t be relied on for mission-critical transactional applications. Or two, they could rely on a cloud data warehouse that is easy to set up, but only allows lagging analytics. Even then, each solution lacks something, forcing builders to deploy other databases for…