What is a secure gateway and how to connect on-premises to the cloud or from cloud to cloud

Share this post:

With the prevalence of hybrid cloud environments, many of our databases and applications are unreachable due to security restrictions and firewalls. We need an easy, scalable, and secure way to access these databases and systems. The Bluemix Secure Gateway Service easily enables secure access to data and applications across environments, whether it be from on-premises to the cloud, one cloud to another cloud, or just from your laptop to the cloud. For example, you could use Secure Gateway to connect Bluemix to an on-premises DB2/MySQL/Mongo database as depicted in the diagram below:
secure gateway

Is it difficult to connect my environments?

It’s fast and easy to create a Secure Gateway and connect it. Tutorials cited below include step-by-step walkthroughs on setting up your gateway. Below is a basic flow of using the Secure Gateway service and description of current and future features, as well as how the service scales and secures the connection.

  • Connecting Your Gateway: Connecting your environment begins with the creation of a gateway. A gateway contains the configuration information for establishing a tunnel between the Secure Gateway client running in your environment and Bluemix. The client is currently available with Docker. Once the gateway has been created, it is easily connected by running the Docker command provided to start the client in the environment you are trying to connect to Bluemix.
  • Adding Destinations: Once the gateway has been created, destinations need to be created in order to expose databases, systems, or applications through the client. A destination consists of a short description, an IP address or hostname, a port, and any options. A destination can be one of a non-secure destination with no TLS, a secure destination with server side TLS, or one with mutual authentication TLS options. Secure TLS connections are between the cloud side application and Bluemix, then from Bluemix to your on-premises Secure Gateway client. The connection from the on-premises Secure Gateway client is completed in the clear to the final destination.Once the gateway has been connected and destinations have been created, the destinations are now exposed. They can be reached using the cloud hostname and port returned when the destination was created. If the destination requires user authentication for something like ssh, you should be prompted for it when attempting to connect to the destination.
  • Managing Gateways: Managing gateways and destinations can be done either through the Bluemix user interface for Secure Gateway service or the Secure Gateway REST API. Each gateway is assigned a Passport which allows for managing the gateway through the REST API or the bluemix-secure-gateway Node.js SDK available on npm. The API currently allows for creating, updating, deleting, listing and describing gateways and destinations, as well as uploading, downloading and generating certs and keys. In the future, users will have the ability to revoke and regenerate Passports, allowing for easier IT governance.
  • Handling unpredictable workloads: Many connections can be established to each destination, and multiple clients can be started for the same gateway configuration to handle larger connection loads, with load balancing rules determining which client will be connected to for each connection. Currently First Alive load balancing rules will apply, with the options of Round Robin and Least Connected to be available in the future.
  • Keeping data safe: Securing destinations is currently done by specifying TLS, with mutual auth TLS requiring the user to provide a cert and key in order to connect to a destination. Security options that are considered for the future include timed access, single use connections, source IP restrictions, and data restrictions, such as max bytes transferred or number of connections allowed.

That’s a brief introduction to what problems the Secure Gateway Service solves. The tutorials below cover the precise steps public cloud applications follow to access backend services with the Secure Gateway Service.

We’re investigating exciting future possibilities to extend the support and features of the Secure Gateway Service. For example, destinations with an option to be private and only allow traffic from Bluemix applications. Extensions to the Java SDK to allow for another way of creating and managing your gateways and destinations. Additional security features would allow for more advanced security settings on gateways and destinations and easier IT governance.

Tutorials on the Secure Gateway Service

Add Comment

Leave a Reply

Your email address will not be published.Required fields are marked *

Robrt Cairn*

Great article Alex. Thanks!



Hello Alex,

Do you have an example of a two way communication using the secure gateway?

– A bluemix app accessing the on-premise service &
– a on-premise app accessing my bluemix app through the secure gateway.



    Alex Yurkowski

    Hey Prateesh,

    Secure Gateway does not currently support two way communication We hope to support this in the future. You currently need to establish a connection to an on-prem app first to flow data from on-prem, so you could create a long lived connection and push data back over this connection for on-prem to Bluemix connections.



Mike Bender

Is there a Secure Gateway white paper?




Hi Alex,

We have one Bluemix application (A) and on-premises application (B) and there is a need to communicate over HTTPS. This is a 2 way communication.

‘A’ can initiate API call to ‘B’ and similarly ‘B’ can initiate API call to ‘B’.

With Secure Gateway it is possible to have 2 way secure communication over HTTPS using mutual auth?
If no, is there any way to achieve this?




    You can explore VPN service added recently!

More Community Stories

Webinar: IoT development on the cloud just got even easier

IBM recently announced an expansion of their current IoT Foundation service that will not only help you rapidly connect your devices, but also infuse capabilities around device management, information management, real-time analytics, and risk management. Of course this is all combined with the agility you’ve come to expect on Bluemix. Intrigued but not sure how to get started? We will also show you how to utilize a variety of “recipes” provided by our device partners and individual users… just like yourself.

Continue reading

New Methods for Securing Containers

Although container technology has been used in the hosting market for nearly two decades as a cheap, dense hypervisor replacement, now that it's hitting mainstream use cases, parties with various vested interests have been trying to portray them as insecure (or at least less secure than hypervisors). However, based on the hosting market experience, where root within the container was sold to any comer for a few dollars a month, we can see based on the exploit history that such fears look to be not well founded.

Continue reading

Bluemix in the News

Too busy coding to keep up with all the exciting happenings in the Bluemix world? Well don’t worry! Every other week, this concise post will summarize announcements, videos, and events that Bluemix has been involved in because we understand your busy schedule, but we also know your desire to learn more about Bluemix!

Continue reading