Customers that use cloud-based services for production workloads need to have an increased focus on security.
For many customers, accessing services in a secure manner is not only a sensible corporate policy, but, in some cases, required by compliance regulations.
With IBM Cloud® service endpoints, you can connect to IBM Cloud services over the IBM Cloud private network. In this scenario, you no longer need internet access to connect to IBM Cloud services, and there are no billable or metered bandwidth charges on the private network.
IBM Cloud® Virtual Private Endpoints for VPC (VPE) are an evolution of service endpoints. VPE enables you to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC.
Two concepts are involved with VPE:
- The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available and spans all availability zones of your VPC. Endpoint gateways enable communications from virtual server instances within your VPC and IBM Cloud service on the private backbone. You create an endpoint gateway on a per-service or per-service-instance basis (depending on the service operation model).
- Reserved IPs are bound to an endpoint gateway. You will typically reserve one IP from each zone.
A multi-zone example
In the following architecture, three virtual servers are deployed in three different zones in the same VPC. An IBM Cloud Databases for Redis instance is provisioned in IBM Cloud. To enable private connectivity between the virtual servers and the database instance, a virtual private endpoint gateway is created and reserved IPs are allocated in each zone:
The Terraform template for this architecture can be found in the GitHub repository with instructions on how to deploy the resources. In addition to Redis, the template shows how to configure IBM Cloud Object Storage and IBM Key Protect with VPE. As you go through the instructions, you will notice that at first, the Terraform template does not enable VPE — it relies on service endpoints. This is on purpose to show the difference in addressing between service endpoints and VPE.
Using service endpoints
When using service endpoints (configured with use_vpe = false
in the Terraform template) to access the Redis database, the database host name resolves to a 166.9.x.x address. Running the provided lookup.sh
script to resolve the service hostname, you will obtain results similar to the following:
Using virtual private endpoints
Similar to service endpoints, VPE for VPC provides private connectivity to IBM services, but within the VPC network of your choosing. By changing the value of use_vpe
to true
as you apply the Terraform template, virtual private endpoint gateways will be created for the Redis database instance and for the Object Storage and Key Protect services. If you run the lookup.sh
tool again, you will get results like the following:
Notice how the hostnames now resolve to private IPs within the VPC subnets. For the virtual servers, this was transparent as the VPE service automatically upgrades your virtual server instances to use the private DNS as the default DNS resolver.
Further reading
Virtual Private Endpoints provide you with increased workload isolation and security within the private network of your Virtual Private Cloud. IBM Cloud services are increasingly adopting VPE and making their endpoints available through VPE. Keep an eye on the supported services for the latest information.
- IBM Cloud Virtual Private Endpoints for VPC documentation
- Terraform resources for VPE:
Feedback, questions, and suggestions
If you have feedback, suggestions or questions about this post, please reach out to me on Twitter (@L2FProd).