Bluemix Secure Gateway: Yes, you CAN get there from here!

With the prevalence of hybrid cloud environments, many of our databases and applications are unreachable due to security restrictions and firewalls. We need an easy, scalable, and secure way to access these databases and systems. The Bluemix Secure Gateway Service easily enables secure access to data and applications across environments, whether it be from on-premises to the cloud, one cloud to another cloud, or just from your laptop to the cloud. For example, you could use Secure Gateway to connect Bluemix to an on-premises DB2/MySQL/Mongo database as depicted in the diagram below:
[Diagram: Secure Gateway]

Is it difficult to connect my environments?

It’s fast and easy to create a Secure Gateway and connect it. The tutorials cited below include step-by-step walkthroughs on setting up your gateway. What follows is the basic flow for using the Secure Gateway service, with a description of current and future features and of how the service scales and secures the connection.

  • Connecting Your Gateway: Connecting your environment begins with the creation of a gateway. A gateway contains the configuration information for establishing a tunnel between the Secure Gateway client running in your environment and Bluemix. The client is currently available with Docker. Once the gateway has been created, it is easily connected by running the Docker command provided to start the client in the environment you are trying to connect to Bluemix.
  • Adding Destinations: Once the gateway has been created, destinations need to be created in order to expose databases, systems, or applications through the client. A destination consists of a short description, an IP address or hostname, a port, and any options. A destination can be one of three types: a non-secure destination with no TLS, a secure destination with server-side TLS, or a destination with mutual authentication TLS. The TLS connections run between the cloud-side application and Bluemix, and then from Bluemix to your on-premises Secure Gateway client. The connection from the on-premises Secure Gateway client to the final destination is completed in the clear.

    Once the gateway has been connected and destinations have been created, the destinations are now exposed. They can be reached using the cloud hostname and port returned when the destination was created. If the destination requires user authentication for something like ssh, you should be prompted for it when attempting to connect to the destination.

  • Managing Gateways: Managing gateways and destinations can be done either through the Bluemix user interface for Secure Gateway service or the Secure Gateway REST API. Each gateway is assigned a Passport which allows for managing the gateway through the REST API or the bluemix-secure-gateway Node.js SDK available on npm. The API currently allows for creating, updating, deleting, listing and describing gateways and destinations, as well as uploading, downloading and generating certs and keys. In the future, users will have the ability to revoke and regenerate Passports, allowing for easier IT governance.
  • Handling unpredictable workloads: Many connections can be established to each destination, and multiple clients can be started for the same gateway configuration to handle larger connection loads, with load balancing rules determining which client handles each connection. Currently First Alive load balancing applies; Round Robin and Least Connected options are to be available in the future.
  • Keeping data safe: Securing destinations is currently done by specifying TLS, with mutual auth TLS requiring the user to provide a cert and key in order to connect to a destination. Security options that are considered for the future include timed access, single use connections, source IP restrictions, and data restrictions, such as max bytes transferred or number of connections allowed.
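The three destination types above, seen from the application that connects to the cloud hostname and port. This is an added Node.js example, not IBM's code and not the bluemix-secure-gateway SDK; it uses only the core `net` and `tls` modules. The destination record shape, the host name and the port values are assumptions for illustration.

```javascript
// Added example, not IBM's code: Node.js core modules only.
const net = require('net');
const tls = require('tls');

const MODES = ['none', 'server-tls', 'mutual-tls'];

// Turn a destination record into socket options, failing closed on
// anything that would silently weaken the chosen mode.
// Record shape (hypothetical): { host, port, mode, ca, cert, key }
function buildOptions(dest) {
  if (!MODES.includes(dest.mode)) {
    throw new Error(`unknown mode: ${dest.mode}`);
  }
  if (!dest.host || !Number.isInteger(dest.port) ||
      dest.port < 1 || dest.port > 65535) {
    throw new Error('destination needs a cloud host and a valid port');
  }
  const opts = { host: dest.host, port: dest.port };
  if (dest.mode === 'none') {
    // A cert or key here means the caller expected TLS and will not get it.
    if (dest.cert || dest.key) {
      throw new Error('client cert/key supplied but mode is none');
    }
    return opts;
  }
  opts.rejectUnauthorized = true;  // never skip server verification
  opts.minVersion = 'TLSv1.2';
  if (dest.ca) opts.ca = dest.ca;  // PEM used to verify the server certificate
  if (dest.mode === 'mutual-tls') {
    if (!dest.cert || !dest.key) {
      throw new Error('mutual-tls requires both a client cert and key');
    }
    opts.cert = dest.cert;         // client certificate (PEM)
    opts.key = dest.key;           // matching private key (PEM)
  }
  return opts;
}

// Open the connection; resolves with the socket once it is usable.
// With rejectUnauthorized set, a failed server check rejects instead.
function connect(dest) {
  const opts = buildOptions(dest);
  return new Promise((resolve, reject) => {
    const sock = dest.mode === 'none'
      ? net.connect(opts, () => resolve(sock))
      : tls.connect(opts, () => resolve(sock));
    sock.once('error', reject);
  });
}
```

Whatever mode is chosen here, TLS ends at the on-premises client, so a protocol that carries credentials over the final hop still needs its own protection inside your network.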

That’s a brief introduction to what problems the Secure Gateway Service solves. The tutorials below cover the precise steps public cloud applications follow to access backend services with the Secure Gateway Service.

We’re investigating exciting future possibilities to extend the support and features of the Secure Gateway Service. For example, destinations could have an option to be private and only allow traffic from Bluemix applications. Extensions to the Java SDK would allow for another way of creating and managing your gateways and destinations. Additional security features would allow for more advanced security settings on gateways and destinations and easier IT governance.

Tutorials on the Secure Gateway Service


Robrt Cairn*

Great article Alex. Thanks!



Hello Alex,

Do you have an example of a two way communication using the secure gateway?

– A bluemix app accessing the on-premise service &
– an on-premise app accessing my bluemix app through the secure gateway.



    Alex Yurkowski

    Hey Prateesh,

    Secure Gateway does not currently support two way communication. We hope to support this in the future. You currently need to establish a connection to an on-prem app first to flow data from on-prem, so you could create a long lived connection and push data back over this connection for on-prem to Bluemix connections.



Mike Bender

Is there a Secure Gateway white paper?




Hi Alex,

We have one Bluemix application (A) and on-premises application (B) and there is a need to communicate over HTTPS. This is a 2 way communication.

‘A’ can initiate API call to ‘B’ and similarly ‘B’ can initiate API call to ‘B’.

With Secure Gateway it is possible to have 2 way secure communication over HTTPS using mutual auth?
If no, is there any way to achieve this?




    You can explore VPN service added recently!
