Creating Virtual Private Endpoint Gateways with Terraform

3 min read

Customers that use cloud-based services for production workloads need to have an increased focus on security.

For many customers, accessing services in a secure manner is not only a sensible corporate policy, but, in some cases, required by compliance regulations.

With IBM Cloud® service endpoints, you can connect to IBM Cloud services over the IBM Cloud private network. In this scenario, you no longer need internet access to connect to IBM Cloud services, and there are no billable or metered bandwidth charges on the private network.

IBM Cloud® Virtual Private Endpoints for VPC (VPE) are an evolution of service endpoints. VPE enables you to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC.

Two concepts are involved with VPE:

  • The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available and spans all availability zones of your VPC. Endpoint gateways enable communications from virtual server instances within your VPC and IBM Cloud service on the private backbone. You create an endpoint gateway on a per-service or per-service-instance basis (depending on the service operation model).
  • Reserved IPs are bound to an endpoint gateway. You will typically reserve one IP from each zone.

A multi-zone example

In the following architecture, three virtual servers are deployed in three different zones in the same VPC. An IBM Cloud Databases for Redis instance is provisioned in IBM Cloud. To enable private connectivity between the virtual servers and the database instance, a virtual private endpoint gateway is created and reserved IPs are allocated in each zone:

In the following architecture, three virtual servers are deployed in three different zones in the same VPC.

The Terraform template for this architecture can be found in the GitHub repository with instructions on how to deploy the resources. In addition to Redis, the template shows how to configure IBM Cloud Object Storage and IBM Key Protect with VPE. As you go through the instructions, you will notice that at first, the Terraform template does not enable VPE — it relies on service endpoints. This is on purpose to show the difference in addressing between service endpoints and VPE.

Using service endpoints

When using service endpoints (configured with use_vpe = false in the Terraform template) to access the Redis database, the database host name resolves to a 166.9.x.x address. Running the provided lookup.sh script to resolve the service hostname, you will obtain results similar to the following:

This table shows how Redis, Object Storage and Key Protect host names are resolved from one virtual server in the VPC when service endpoints are enabled.

This table shows how Redis, Object Storage and Key Protect host names are resolved from one virtual server in the VPC when service endpoints are enabled.

Using virtual private endpoints

Similar to service endpoints, VPE for VPC provides private connectivity to IBM services, but within the VPC network of your choosing. By changing the value of use_vpe to true as you apply the Terraform template, virtual private endpoint gateways will be created for the Redis database instance and for the Object Storage and Key Protect services. If you run the lookup.sh tool again, you will get results like the following:

This table shows how Redis, Object Storage and Key Protect hostnames are resolved from one virtual server in the VPC when virtual private endpoints are enabled.

This table shows how Redis, Object Storage and Key Protect hostnames are resolved from one virtual server in the VPC when virtual private endpoints are enabled.

Notice how the hostnames now resolve to private IPs within the VPC subnets. For the virtual servers, this was transparent as the VPE service automatically upgrades your virtual server instances to use the private DNS as the default DNS resolver. 

Further reading

Virtual Private Endpoints provide you with increased workload isolation and security within the private network of your Virtual Private Cloud. IBM Cloud services are increasingly adopting VPE and making their endpoints available through VPE. Keep an eye on the supported services for the latest information.

Feedback, questions, and suggestions

If you have feedback, suggestions or questions about this post, please reach out to me on Twitter (@L2FProd).

Be the first to hear about news, product updates, and innovation from IBM Cloud