February 11, 2021 By Frederic Lavigne 3 min read

Customers that use cloud-based services for production workloads need to have an increased focus on security.

For many customers, accessing services in a secure manner is not only a sensible corporate policy, but, in some cases, required by compliance regulations.

With IBM Cloud® service endpoints, you can connect to IBM Cloud services over the IBM Cloud private network. In this scenario, you no longer need internet access to connect to IBM Cloud services, and there are no billable or metered bandwidth charges on the private network.

IBM Cloud® Virtual Private Endpoints for VPC (VPE) are an evolution of service endpoints. VPE enables you to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC.

Two concepts are involved with VPE:

  • The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available and spans all availability zones of your VPC. Endpoint gateways enable communications from virtual server instances within your VPC and IBM Cloud service on the private backbone. You create an endpoint gateway on a per-service or per-service-instance basis (depending on the service operation model).
  • Reserved IPs are bound to an endpoint gateway. You will typically reserve one IP from each zone.

A multi-zone example

In the following architecture, three virtual servers are deployed in three different zones in the same VPC. An IBM Cloud Databases for Redis instance is provisioned in IBM Cloud. To enable private connectivity between the virtual servers and the database instance, a virtual private endpoint gateway is created and reserved IPs are allocated in each zone:

The Terraform template for this architecture can be found in the GitHub repository with instructions on how to deploy the resources. In addition to Redis, the template shows how to configure IBM Cloud Object Storage and IBM Key Protect with VPE. As you go through the instructions, you will notice that at first, the Terraform template does not enable VPE — it relies on service endpoints. This is on purpose to show the difference in addressing between service endpoints and VPE.

Using service endpoints

When using service endpoints (configured with use_vpe = false in the Terraform template) to access the Redis database, the database host name resolves to a 166.9.x.x address. Running the provided lookup.sh script to resolve the service hostname, you will obtain results similar to the following:

This table shows how Redis, Object Storage and Key Protect host names are resolved from one virtual server in the VPC when service endpoints are enabled.

Using virtual private endpoints

Similar to service endpoints, VPE for VPC provides private connectivity to IBM services, but within the VPC network of your choosing. By changing the value of use_vpe to true as you apply the Terraform template, virtual private endpoint gateways will be created for the Redis database instance and for the Object Storage and Key Protect services. If you run the lookup.sh tool again, you will get results like the following:

This table shows how Redis, Object Storage and Key Protect hostnames are resolved from one virtual server in the VPC when virtual private endpoints are enabled.

Notice how the hostnames now resolve to private IPs within the VPC subnets. For the virtual servers, this was transparent as the VPE service automatically upgrades your virtual server instances to use the private DNS as the default DNS resolver. 

Further reading

Virtual Private Endpoints provide you with increased workload isolation and security within the private network of your Virtual Private Cloud. IBM Cloud services are increasingly adopting VPE and making their endpoints available through VPE. Keep an eye on the supported services for the latest information.

Feedback, questions, and suggestions

If you have feedback, suggestions or questions about this post, please reach out to me on Twitter (@L2FProd).

Was this article helpful?
YesNo

More from Cloud

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters