How to Privately Connect to IBM Public Cloud with Maximum Network Traffic Control
IBM public cloud offers several ways to securely connect customer data centers and on-premises infrastructure to IBM public cloud resources.
Some of the most popular offerings include the following:
- VPN connections to IBM Cloud Classic Infrastructure using a virtual or physical network appliance (e.g., Juniper vSRX or Virtual Router Appliance (Vyatta))
- VPN Gateway for IBM Cloud Virtual Private Cloud (VPC)
- Direct, private connection with IBM Cloud Direct Link
While the virtual or physical network appliances reside in IBM Cloud Classic Infrastructure and give the customer full control over network management, the other two offerings are provided as a service and are managed by IBM, with a defined set of configuration options. Compared to Classic Infrastructure, Virtual Private Clouds (VPCs) offer next-generation features and receive continuous hardware updates, so customers increasingly prefer VPC over Classic Infrastructure.
At the same time, those customers highly value the capabilities of a Classic Infrastructure network appliance. Unfortunately, such appliances cannot manage a VPC's traffic by default. IBM Cloud Direct Link, however, can connect to both VPCs and Classic Infrastructure devices.
Besides the offerings that connect customer on-site infrastructure to IBM Public Cloud, there is also IBM Cloud Transit Gateway, a service that interconnects IBM Cloud resources, including VPCs, Classic Infrastructure and even resources in other accounts.
By combining Direct Link, a Classic Infrastructure network appliance and a Transit Gateway, it is possible to create a private IP connection to IBM Cloud VPC and Classic Infrastructure while keeping maximum traffic and network control. The design creates a single point of entry for all workload-related traffic (in a high availability scenario there are, of course, two points of entry). The setup consists of three steps, which are explained at a high level below.
The following diagram shows the overall configuration, combining Direct Link with Classic Infrastructure, a Transit Gateway and a VPC:
Step 1: Setting up IBM Cloud Direct Link
The Direct Link forms the underlay network of the overall solution and lets the customer connect privately and directly to IBM Cloud infrastructure without routing packets over the public network. As soon as the Direct Link connection has been established and IBM Classic Infrastructure has been attached to it, the customer can reach the private network of IBM Classic Infrastructure.
IBM Cloud Direct Link automatically announces all attached routes to the counterpart, which is usually an appliance controlled by the customer. For the scenario described in this article, the customer should apply a route filter on that device so that only the private prefix of the network appliance residing in Classic Infrastructure is accepted (as shown in the architecture overview). Every other Classic Infrastructure route should reach the customer only through the overlay built in the next step; otherwise traffic could bypass the appliance and the single point of entry would no longer hold.
Step 2: Establishing private connectivity to network appliances
After finishing the Direct Link setup, the customer can reach the private endpoints of the network appliances residing in Classic Infrastructure. Those endpoints are then used to set up a private GRE (Generic Routing Encapsulation) tunnel, not routed over the public network, in combination with BGP (Border Gateway Protocol) to build the overlay network of the solution. BGP is responsible for exchanging the overlay routes between the devices. Note that GRE itself adds no encryption or authentication; the privacy of this tunnel comes from the Direct Link underlay never traversing the public internet.
Since the network appliance is the gateway used by the Classic Infrastructure devices, the customer can now already reach the Classic Infrastructure devices behind it. One more step is needed to complete the setup.
Step 3: Connecting an IBM Cloud Transit Gateway with network appliances
As the final step, the network appliance needs to be connected to a Transit Gateway, which manages the connection to one or more VPCs. First, a prefix filter should be applied to the Classic Infrastructure connection so that only the prefix of the gateway appliance is permitted.
After that, the Transit Gateway feature to connect IBM Cloud Classic Infrastructure devices via GRE tunnel is used. This feature requires manual configuration, both in the Transit Gateway UI and on the virtual gateway appliance: tunnel IPs, gateway IPs and BGP autonomous system numbers. Detailed configuration steps for setting up a Transit Gateway GRE tunnel can be found in the IBM Cloud Docs.
The configuration of the appliance depends on the type of appliance involved. As soon as the connection has been established, the VPC routes attached to the Transit Gateway are automatically advertised to the network appliance. Similarly, the network appliance can advertise its attached routes to the Transit Gateway; which routes are announced depends on the configuration of the appliance. With this last step, all configured routes are exchanged between the participating network nodes.
Customers can now route all access to public cloud resources through the gateway appliance and control it there.
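The route filters in Step 1 and Step 3 are the security-relevant part of this design: the single point of entry only holds if nothing but the appliance prefix is accepted on the underlay, and if the appliance installs only genuine VPC prefixes from the overlay. The following Python model is an added example, not code from the IBM Cloud page or from IBM. It reproduces BGP prefix-list semantics (first match wins, implicit deny, exact match unless ge/le length bounds are given) and applies them to constructed sample announcements: the Direct Link routes seen by the on-premises device, and the prefixes the appliance learns from the Transit Gateway over the GRE/BGP session. All addresses, prefixes and route lists are constructed for illustration. It shows why a plain overlap check is not enough: a covering aggregate such as 10.80.0.0/16 overlaps the appliance subnet but would reintroduce a path around the appliance.

```python
"""Route-filter model for the underlay (Step 1) and overlay (Step 3) exchanges.

Added example, not code from the IBM Cloud page or from IBM. It reproduces
BGP prefix-list behaviour (first match wins, implicit deny, exact match unless
ge/le length bounds are given) and applies it to constructed sample routes.
Every address, prefix and route list below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PrefixRule:
    """One prefix-list entry. Without ge/le only the exact prefix matches;
    ge/le bound the accepted prefix lengths underneath it, as on a router."""
    prefix: IPv4Network
    permit: bool = True
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4Network) -> bool:
        if not route.subnet_of(self.prefix):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == self.prefix.prefixlen
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else route.max_prefixlen
        return lo <= route.prefixlen <= hi


class PrefixList:
    """Ordered prefix list: the first matching rule decides, anything else is denied."""

    def __init__(self, rules: Iterable[PrefixRule]) -> None:
        self.rules = list(rules)

    def permits(self, route: IPv4Network) -> bool:
        for rule in self.rules:
            if rule.matches(route):
                return rule.permit
        return False  # implicit deny, as on a real prefix list

    def apply(self, routes: Iterable[str]) -> List[str]:
        return [r for r in routes if self.permits(ip_network(r))]


# Step 1 (constructed): Direct Link announces every attached Classic Infrastructure
# private prefix; the on-premises device must accept only the appliance's subnet.
APPLIANCE_SUBNET = "10.80.0.240/29"  # constructed /29 holding the gateway appliance
DIRECT_LINK_ANNOUNCED = [
    "10.80.0.240/29",  # the appliance subnet: the only route wanted on the underlay
    "10.80.10.0/26",   # other Classic servers: reachable only through the overlay
    "10.80.0.0/16",    # covering aggregate: overlaps the appliance but would bypass it
    "10.80.0.240/30",  # more-specific of the allowed prefix: not the configured route
]
UNDERLAY_FILTER = PrefixList([PrefixRule(ip_network(APPLIANCE_SUBNET))])


def accepted_underlay_routes() -> List[str]:
    """Direct Link routes the on-premises counterpart keeps after filtering."""
    return UNDERLAY_FILTER.apply(DIRECT_LINK_ANNOUNCED)


# Step 3 (constructed): over the GRE/BGP session the appliance learns VPC prefixes
# from the Transit Gateway. Accept only prefixes inside the VPC range, and never a
# default route or a reflected on-premises prefix.
VPC_RANGE = "172.16.0.0/12"  # constructed range from which VPC address prefixes are drawn
TGW_ADVERTISED = [
    "172.16.0.0/18",    # VPC address prefix, zone 1
    "172.16.64.0/18",   # VPC address prefix, zone 2
    "172.16.128.0/26",  # a single VPC subnet, still inside the range and within /26
    "0.0.0.0/0",        # a default route from the cloud side would pull in all traffic
    "192.168.0.0/16",   # constructed on-premises prefix reflected back: routing loop
]
OVERLAY_FILTER = PrefixList([
    PrefixRule(ip_network("0.0.0.0/0"), permit=False),  # explicit deny of the default route
    PrefixRule(ip_network(VPC_RANGE), ge=16, le=26),    # VPC prefixes between /16 and /26
])


def accepted_overlay_routes() -> List[str]:
    """Transit Gateway routes the appliance installs after filtering."""
    return OVERLAY_FILTER.apply(TGW_ADVERTISED)


if __name__ == "__main__":
    print("underlay (Direct Link -> on-premises):", accepted_underlay_routes())
    print("overlay  (Transit Gateway -> appliance):", accepted_overlay_routes())
```

Running the script prints both accepted route lists. On a real appliance the same rules are expressed as the vendor's prefix-list and BGP import policy, which this model illustrates but does not replace.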
For production scenarios, it is also possible to build this architecture in a high availability architecture, as shown in the following figure:
The GRE feature of IBM Cloud Transit Gateway opens up new possibilities for network design within IBM Cloud for all customers with strict security requirements. Until now, network connections between VPCs and on-premises infrastructure could only be managed and controlled to a limited extent. Thanks to the connection between a Transit Gateway and a Classic Infrastructure gateway appliance, customers can now apply fine-grained network configurations and control and manage all network flows.