Customers that use cloud-based services for production workloads need to have an increased focus on security.

For many customers, accessing services in a secure manner is not only a sensible corporate policy, but, in some cases, required by compliance regulations.

With IBM Cloud® service endpoints, you can connect to IBM Cloud services over the IBM Cloud private network. In this scenario, you no longer need internet access to connect to IBM Cloud services, and there are no billable or metered bandwidth charges on the private network.

IBM Cloud® Virtual Private Endpoints for VPC (VPE) are an evolution of service endpoints. VPE enables you to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC.

Two concepts are involved with VPE:

  • The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available and spans all availability zones of your VPC. Endpoint gateways enable communications from virtual server instances within your VPC and IBM Cloud service on the private backbone. You create an endpoint gateway on a per-service or per-service-instance basis (depending on the service operation model).
  • Reserved IPs are bound to an endpoint gateway. You will typically reserve one IP from each zone.

A multi-zone example

In the following architecture, three virtual servers are deployed in three different zones in the same VPC. An IBM Cloud Databases for Redis instance is provisioned in IBM Cloud. To enable private connectivity between the virtual servers and the database instance, a virtual private endpoint gateway is created and reserved IPs are allocated in each zone:

The Terraform template for this architecture can be found in the GitHub repository with instructions on how to deploy the resources. In addition to Redis, the template shows how to configure IBM Cloud Object Storage and IBM Key Protect with VPE. As you go through the instructions, you will notice that at first, the Terraform template does not enable VPE — it relies on service endpoints. This is on purpose to show the difference in addressing between service endpoints and VPE.

Using service endpoints

When using service endpoints (configured with use_vpe = false in the Terraform template) to access the Redis database, the database host name resolves to a 166.9.x.x address. Running the provided script to resolve the service hostname, you will obtain results similar to the following:

This table shows how Redis, Object Storage and Key Protect host names are resolved from one virtual server in the VPC when service endpoints are enabled.

Using virtual private endpoints

Similar to service endpoints, VPE for VPC provides private connectivity to IBM services, but within the VPC network of your choosing. By changing the value of use_vpe to true as you apply the Terraform template, virtual private endpoint gateways will be created for the Redis database instance and for the Object Storage and Key Protect services. If you run the tool again, you will get results like the following:

This table shows how Redis, Object Storage and Key Protect hostnames are resolved from one virtual server in the VPC when virtual private endpoints are enabled.

Notice how the hostnames now resolve to private IPs within the VPC subnets. For the virtual servers, this was transparent as the VPE service automatically upgrades your virtual server instances to use the private DNS as the default DNS resolver. 

Further reading

Virtual Private Endpoints provide you with increased workload isolation and security within the private network of your Virtual Private Cloud. IBM Cloud services are increasingly adopting VPE and making their endpoints available through VPE. Keep an eye on the supported services for the latest information.

Feedback, questions, and suggestions

If you have feedback, suggestions or questions about this post, please reach out to me on Twitter (@L2FProd).

More from Cloud

Modernizing child support enforcement with IBM and AWS

7 min read - With 68% of child support enforcement (CSE) systems aging, most state agencies are currently modernizing them or preparing to modernize. More than 20% of families and children are supported by these systems, and with the current constituents of these systems becoming more consumer technology-centric, the use of antiquated technology systems is archaic and unsustainable. At this point, families expect state agencies to have a modern, efficient child support system. The following are some factors driving these states to pursue modernization:…

7 min read

IBM Cloud Databases for Elasticsearch End of Life and pricing changes

2 min read - As part of our partnership with Elastic, IBM is announcing the release of a new version of IBM Cloud Databases for Elasticsearch. We are excited to bring you an enhanced offering of our enterprise-ready, fully managed Elasticsearch. Our partnership with Elastic means that we will be able to offer more, richer functionality and world-class levels of support. The release of version 7.17 of our managed database service will include support for additional functionality, including things like Role Based Access Control…

2 min read

Connected products at the edge

6 min read - There are many overlapping business usage scenarios involving both the disciplines of the Internet of Things (IoT) and edge computing. But there is one very practical and promising use case that has been commonly deployed without many people thinking about it: connected products. This use case involves devices and equipment embedded with sensors, software and connectivity that exchange data with other products, operators or environments in real-time. In this blog post, we will look at the frequently overlooked phenomenon of…

6 min read

SRG Technology drives global software services with IBM Cloud VPC under the hood

4 min read - Headquartered in Ft. Lauderdale, Florida, SRG Technology LLC. (SRGT) is a software development company supporting the education, healthcare and travel industries. Their team creates data systems that deliver the right data in real time to customers around the globe. Whether those customers are medical offices and hospitals, schools or school districts, government agencies, or individual small businesses, SRGT addresses a wide spectrum of software services and technology needs with round-the-clock innovative thinking and fresh approaches to modern data problems. The…

4 min read