February 11, 2021 By Frederic Lavigne 3 min read

Customers that use cloud-based services for production workloads need to have an increased focus on security.

For many customers, accessing services in a secure manner is not only a sensible corporate policy, but, in some cases, required by compliance regulations.

With IBM Cloud® service endpoints, you can connect to IBM Cloud services over the IBM Cloud private network. In this scenario, you no longer need internet access to connect to IBM Cloud services, and there are no billable or metered bandwidth charges on the private network.

IBM Cloud® Virtual Private Endpoints for VPC (VPE) are an evolution of service endpoints. VPE enables you to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC.

Two concepts are involved with VPE:

  • The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communication between virtual server instances within your VPC and IBM Cloud services over the private backbone. You create an endpoint gateway on a per-service or per-service-instance basis (depending on the service's operating model).
  • Reserved IPs are bound to an endpoint gateway. You will typically reserve one IP from each zone.

A multi-zone example

In the following architecture, three virtual servers are deployed in three different zones in the same VPC. An IBM Cloud Databases for Redis instance is provisioned in IBM Cloud. To enable private connectivity between the virtual servers and the database instance, a virtual private endpoint gateway is created and reserved IPs are allocated in each zone:

The Terraform template for this architecture can be found in the GitHub repository with instructions on how to deploy the resources. In addition to Redis, the template shows how to configure IBM Cloud Object Storage and IBM Key Protect with VPE. As you go through the instructions, you will notice that at first, the Terraform template does not enable VPE — it relies on service endpoints. This is on purpose to show the difference in addressing between service endpoints and VPE.

Using service endpoints

When using service endpoints (configured with use_vpe = false in the Terraform template) to access the Redis database, the database host name resolves to a 166.9.x.x address. Running the provided lookup.sh script to resolve the service hostname, you will obtain results similar to the following:

This table shows how Redis, Object Storage and Key Protect host names are resolved from one virtual server in the VPC when service endpoints are enabled.

Using virtual private endpoints

Similar to service endpoints, VPE for VPC provides private connectivity to IBM services, but within the VPC network of your choosing. By changing the value of use_vpe to true as you apply the Terraform template, virtual private endpoint gateways will be created for the Redis database instance and for the Object Storage and Key Protect services. If you run the lookup.sh tool again, you will get results like the following:

This table shows how Redis, Object Storage and Key Protect hostnames are resolved from one virtual server in the VPC when virtual private endpoints are enabled.

Notice how the hostnames now resolve to private IPs within the VPC subnets. For the virtual servers, this change was transparent: the VPE service automatically configures your virtual server instances to use the private DNS as their default resolver.
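As an added check (not part of the post or its GitHub template), the script below classifies the addresses that service hostnames resolve to, so you can confirm after switching use_vpe to true that every hostname lands in one of your VPC subnets rather than still pointing at a 166.9.x.x service endpoint. The subnet CIDRs, hostnames and addresses are constructed placeholders; replace them with your own.

```python
import ipaddress
import socket

# Constructed example: one subnet per zone of the VPC (replace with your own CIDRs).
VPC_SUBNETS = [ipaddress.ip_network(c) for c in
               ("10.240.0.0/24", "10.240.64.0/24", "10.240.128.0/24")]
# The post states that service-endpoint hostnames resolve to 166.9.x.x addresses.
SERVICE_ENDPOINT_RANGE = ipaddress.ip_network("166.9.0.0/16")


def classify(ip):
    """Label one resolved address by the path traffic to it would take."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in VPC_SUBNETS):
        return "vpe"                 # reserved IP of an endpoint gateway
    if addr in SERVICE_ENDPOINT_RANGE:
        return "service-endpoint"    # classic private service endpoint
    return "public" if addr.is_global else "private-other"


def resolve_all(hostname):
    """All IPv4 addresses the system resolver returns for a hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_endpoints(hostnames, expect_vpe=True, resolver=resolve_all):
    """Return {hostname: (addresses, labels, ok)}; ok is True only when every
    address matches the expected path (VPE or service endpoint)."""
    want = "vpe" if expect_vpe else "service-endpoint"
    report = {}
    for host in hostnames:
        addrs = resolver(host)
        labels = {classify(a) for a in addrs}
        report[host] = (addrs, labels, bool(addrs) and labels == {want})
    return report


# Constructed stand-in for lookup.sh output; hostnames and addresses are made up.
SAMPLE_LOOKUPS = {
    "redis.example": ["10.240.0.5", "10.240.64.5", "10.240.128.5"],
    "cos.example": ["166.9.12.34"],
}


def sample_resolver(hostname):
    return SAMPLE_LOOKUPS[hostname]


if __name__ == "__main__":
    for host, (addrs, labels, ok) in check_endpoints(SAMPLE_LOOKUPS, resolver=sample_resolver).items():
        print(f"{host}: {', '.join(addrs)} -> {sorted(labels)} {'OK' if ok else 'MISMATCH'}")
```

Run it on a virtual server inside the VPC with the real hostnames and the default resolver, since the private DNS answers differ from what a host outside the VPC sees.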

Further reading

Virtual Private Endpoints provide you with increased workload isolation and security within the private network of your Virtual Private Cloud. IBM Cloud services are increasingly adopting VPE and making their endpoints available through VPE. Keep an eye on the supported services for the latest information.

Feedback, questions, and suggestions

If you have feedback, suggestions or questions about this post, please reach out to me on Twitter (@L2FProd).
