Introducing Private Service Endpoints in IBM Cloud Databases
By: Dr. Abdullah Alger
Enable public and/or private service endpoints for IBM Cloud Databases
You may have noticed a small change in your IBM Cloud Databases UI—we recently released an update to all IBM Cloud Databases which allows you to enable public and/or private service endpoints for your database deployments. In this post, we’ll walk you through the setup.
The benefits of using private Service Endpoints include the following:
They allow you to connect to other IBM Cloud Service Endpoint enabled products over the IBM Cloud network without requiring a routable IP address. This comes with increased security since traffic between your databases stays within the IBM Cloud network. Also, it allows you to create an internal interface for your IBM Cloud services that are accessible using internal network interfaces without requiring internet access to connect to IBM services.
Inbound and outbound traffic on the private network is unlimited and not charged—previously, you’d be billed for egress bandwidth when talking to an IBM Cloud service.
This means that you now have the ability to have both private and public endpoints for your databases deployed on IBM Cloud. Service Endpoints are currently only available in IBM Cloud Multi-Zone Regions, so if your deployments are in Oslo 01, for example, you aren’t able to use private endpoints since it’s a Single-Zone Region. Deployments in all other regions are able to use Service Endpoints.
Public and private Service Endpoints are available to all customers using IBM Cloud Databases. Public Service Endpoints are what you’re given by default to connect to your databases. This allows you to connect securely to your databases over the public network via the internet. Private Service Endpoints, on the other hand, are different since they route your traffic to hardware dedicated to IBM Cloud Databases over the IBM Cloud private network. These Service Endpoints are not accessible from the public internet and an internet connection is not required to connect to your deployment.
Enabling Service Endpoints
If you want to use your database connections over the public internet, you don’t have to enable IBM Cloud Service Endpoints on your IBM Cloud account. However, to enable a private endpoint, you’ll need to manually set it up using the IBM Cloud CLI. To do that, the first step is to log in to your IBM Cloud account:
Then, see if your account has Service Endpoints enabled:
ibmcloud account show
In the output, look for Service Endpoint Enabled. If it’s false, then you’ll need to enable it using the following command:
ibmcloud account update --service-endpoint-enable true
At this point, a prompt will show that you opened a support ticket with IBM Cloud to enable the Service Endpoint. You can then check the status of the ticket by going to your support page on IBM Cloud.
Creating Service Endpoints for Cloud Databases
You can enable Service Endpoints on new and old Cloud Databases deployments from the IBM Cloud console and the Cloud Databases API. The Service Endpoints that are available when provisioning a Cloud Database are public (default), private, or public and private (except for Databases for MongoDB, which allows only either public or private Service Endpoints to be enabled). On Databases for MongoDB, once you’ve enabled either a public or private Service Endpoint after provisioning the database, you can’t change the Service Endpoint.
You can choose whether to add Service Endpoints from the IBM Cloud UI or using the IBM Cloud CLI. We’ll show you how to add them using both ways.
Databases Service Endpoints from the IBM Cloud UI
From the IBM Cloud UI, when selecting a Cloud Database for the first time, you’ll be directed to the database’s provisioning page. Here, you can now select the Service Endpoints that are supported for your deployment. The default Service Endpoint is through the public network, but for most deployments, you can select public, private, or both public and private Service Endpoints.
In this example, I’ve chosen to enable both public and private endpoints.
Once you’ve selected the Service Endpoint you’d like to use, as well as any other configuration that’s available for the database you’ve selected, click Create and your database will provision. After it’s been provisioned, click on the database from your IBM Cloud resources panel and you’ll see both the public and private endpoints visible in the Connections pane in your Cloud Database management console.
Select either the public or private endpoints from the Connections pane to get your database connection strings and credentials.
For deployments that have already been provisioned, you already have a public Service Endpoint created. However, if you’d like to add on a private Service Endpoint, you can do that from your Cloud Databases management console by selecting the Settings tab. From there, scroll down to the Service Endpoints panel, where you can toggle Private endpoints.
After that, click on Update Endpoints and a window will pop up to confirm that you’d like to add the Service Endpoint. Once it’s been added, you’ll also see two connections in your Connections panel: one for public endpoints and another for private endpoints like above.
Databases Service Endpoints from the IBM Cloud CLI
Creating a Cloud Databases deployment from the IBM Cloud CLI with Service Endpoints is also easy to do.
Once you’re logged into your IBM Cloud account and have requested that Service Endpoints are enabled, you can provision a Cloud Database that has public, private, or public and private endpoints. In the example below, I’ve given you the command to create an example Databases for PostgreSQL deployment called example-databases-for-postgresql with a private endpoint using the --service-endpoints option with private.
ibmcloud resource service-instance-create example-databases-for-postgresql \
  databases-for-postgresql standard us-south --service-endpoints private
If you wanted only a private Service Endpoint for your database, you’d use private. If you wanted only a public Service Endpoint, you’d use public or not designate an endpoint at all, and it would be public by default.
To update an existing Cloud Databases deployment using the IBM Cloud CLI, you’d use the following command:
ibmcloud resource service-instance-update example-databases-for-postgresql --service-endpoints public-and-private
Here, we’re using the service-instance-update command and our deployment name example-databases-for-postgresql in order to give both public and private Service Endpoints to the database.
Viewing Cloud Databases Service Endpoints with the IBM Cloud API
Using the Cloud Databases API, you can view the Service Endpoints connection strings and credentials of your Cloud Databases. The documentation provides an example of the required parameters you’ll need to create the endpoint. Essentially, the endpoint that you will need to receive or to use:
So, running something like the following in your terminal would give you the private Service Endpoint for your given deployment:
curl -sS -XPOST \
  "https://api.us-south.databases.cloud.ibm.com/v4/ibm/deployments/<deployment CRN>/users/admin/connections/private" \
  -H "Authorization: Bearer <IBM API TOKEN>"
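A deployment CRN contains ":" and "/" characters, so it has to be percent-encoded before it is placed in the request path above. The following is an added example, not code from the original post or from IBM: the function names, the IBM_API_TOKEN variable and the sample CRN are assumptions made for illustration, and the token is fed to curl on stdin (curl 7.55 or later) so it does not appear in the process list.

```shell
#!/bin/sh
# Added example: helper names and IBM_API_TOKEN are hypothetical.

# Percent-encode every character outside the RFC 3986 unreserved set, so the
# ':' and '/' inside a CRN cannot be read as URL path separators.
# ASCII input only, which is all a CRN contains.
urlencode() {
  s=$1
  out=
  while [ -n "$s" ]; do
    rest=${s#?}          # the string without its first character
    c=${s%"$rest"}       # the first character itself
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# Build the connections URL used in the post.
# Arguments: region, deployment CRN, database user, endpoint type.
icd_connection_url() {
  region=$1 crn=$2 user=$3 endpoint=$4
  case $endpoint in
    public|private) ;;
    *) echo "endpoint type must be public or private" >&2; return 2 ;;
  esac
  printf 'https://api.%s.databases.cloud.ibm.com/v4/ibm/deployments/%s/users/%s/connections/%s' \
    "$region" "$(urlencode "$crn")" "$user" "$endpoint"
}

# Send the request from the post. The Authorization header is read from
# stdin (-H @-) instead of being passed as a command-line argument.
icd_fetch_connection() {
  url=$(icd_connection_url "$@") || return
  printf 'Authorization: Bearer %s\n' "$IBM_API_TOKEN" |
    curl -sS --fail -X POST -H @- "$url"
}

# Constructed sample CRN (placeholder account and instance IDs).
SAMPLE_CRN='crn:v1:bluemix:public:databases-for-postgresql:us-south:a/0123456789abcdef:11111111-2222-3333-4444-555555555555::'
icd_connection_url us-south "$SAMPLE_CRN" admin private
echo
```

With a real token exported as IBM_API_TOKEN, icd_fetch_connection takes the same four arguments and returns the JSON connection document for the chosen endpoint type.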
This article provided you with a short overview of how to get started using IBM Cloud Service Endpoints with your IBM Cloud Databases. If you have any more questions, please feel free to reach out to our Cloud Databases support team.