March 27, 2015 | Written by: Alex Yurkowski
Share this post:
With the prevalence of hybrid cloud environments, many of our databases and applications are unreachable due to security restrictions and firewalls. We need an easy, scalable, and secure way to access these databases and systems. The Bluemix Secure Gateway Service easily enables secure access to data and applications across environments, whether it be from on-premises to the cloud, one cloud to another cloud, or just from your laptop to the cloud. For example, you could use Secure Gateway to connect Bluemix to an on-premises DB2/MySQL/Mongo database as depicted in the diagram below:
Is it difficult to connect my environments?
It’s fast and easy to create a Secure Gateway and connect it. Tutorials cited below include step-by-step walkthroughs on setting up your gateway. Below is a basic flow of using the Secure Gateway service and description of current and future features, as well as how the service scales and secures the connection.
- Connecting Your Gateway: Connecting your environment begins with the creation of a gateway. A gateway contains the configuration information for establishing a tunnel between the Secure Gateway client running in your environment and Bluemix. The client is currently available with Docker. Once the gateway has been created, it is easily connected by running the Docker command provided to start the client in the environment you are trying to connect to Bluemix.
- Adding Destinations: Once the gateway has been created, destinations need to be created in order to expose databases, systems, or applications through the client. A destination consists of a short description, an IP address or hostname, a port, and any options. A destination can be one of a non-secure destination with no TLS, a secure destination with server side TLS, or one with mutual authentication TLS options. Secure TLS connections are between the cloud side application and Bluemix, then from Bluemix to your on-premises Secure Gateway client. The connection from the on-premises Secure Gateway client is completed in the clear to the final destination.Once the gateway has been connected and destinations have been created, the destinations are now exposed. They can be reached using the cloud hostname and port returned when the destination was created. If the destination requires user authentication for something like ssh, you should be prompted for it when attempting to connect to the destination.
- Managing Gateways: Managing gateways and destinations can be done either through the Bluemix user interface for Secure Gateway service or the Secure Gateway REST API. Each gateway is assigned a Passport which allows for managing the gateway through the REST API or the bluemix-secure-gateway Node.js SDK available on npm. The API currently allows for creating, updating, deleting, listing and describing gateways and destinations, as well as uploading, downloading and generating certs and keys. In the future, users will have the ability to revoke and regenerate Passports, allowing for easier IT governance.
- Handling unpredictable workloads: Many connections can be established to each destination, and multiple clients can be started for the same gateway configuration to handle larger connection loads, with load balancing rules determining which client will be connected to for each connection. Currently First Alive load balancing rules will apply, with the options of Round Robin and Least Connected to be available in the future.
- Keeping data safe: Securing destinations is currently done by specifying TLS, with mutual auth TLS requiring the user to provide a cert and key in order to connect to a destination. Security options that are considered for the future include timed access, single use connections, source IP restrictions, and data restrictions, such as max bytes transferred or number of connections allowed.
That’s a brief introduction to what problems the Secure Gateway Service solves. The tutorials below cover the precise steps public cloud applications follow to access backend services with the Secure Gateway Service.
We’re investigating exciting future possibilities to extend the support and features of the Secure Gateway Service. For example, destinations with an option to be private and only allow traffic from Bluemix applications. Extensions to the Java SDK to allow for another way of creating and managing your gateways and destinations. Additional security features would allow for more advanced security settings on gateways and destinations and easier IT governance.
Sign up for Bluemix. It’s free!
Tutorials on the Secure Gateway Service