On-Premises Access to Cloud Services Using Network Isolation

3 min read

As a developer or administrator, learn how to access applications and services running on the IBM Cloud from on-premises while maintaining network isolation to your applications and backend databases.

A Virtual Private Cloud (VPC) is an isolated environment in the IBM Cloud where you can create subnets, load balancers, storage, virtual server instances (VSIs), and Kubernetes clusters that are then used to deploy small to complex applications and/or microservices

A common scenario is to build/deploy new applications in the cloud while maintaining existing enterprise applications on-premises. With a VPC, anyone can quickly create an environment leveraging the IBM Cloud UI, CLI, REST API, or Terraform and tie to on-premises users and applications when needed.  

This post will explore such a deployment scenario and reference several relevant resources to help you get started on this journey. 

For more of a background on virtual private clouds, see "What is a Virtual Private Cloud (VPC)?"

Deployment scenario

The diagram below depicts a virtual private cloud deployed in an IBM Cloud region. A virtual server hosting an application and a Kubernetes cluster hosting containerized microservices are deployed across one to three availability zones. The application and microservices interact with IBM Cloud services—databases, logging, and monitoring tools—over private endpoints. You can learn more about deploying a Kubernetes cluster from the "Creating a classic cluster in your Virtual Private Cloud (VPC)" tutorial.  

The VPC and the on-premises network are connected via VPN Gateways. In the on-premises network, users access an application running in the cloud via a single-page application (SPA) or mobile UI.

The VPC and the on-premises network are connected via VPN Gateways. In the on-premises network, users access an application running in the cloud via a single-page application (SPA) or mobile UI.

Below is an a rundown of the various steps included in the diagram: 

  1. The VPC is created in one of the IBM Cloud regions, and subnets are defined in one, two, or three availability zones. 
  2. A VPC/VPN Gateway is provisioned and configured to connect with an on-premises VPN Gateway, and it exposes the virtual private cloud environment to the on-premises network. Routing rules are configured to allow an on-premises enterprise application to communicate directly with IBM Cloud services (e.g., databases, logging, and monitoring) over their private endpoints. You can learn more about creating a VPC and configuring the VPN Gateway from the "Use a VPC/VPN gateway for secure and private on-premises access to cloud resources" tutorial. This tutorial also provides an example of using private endpoints to access a PostgreSQL instance, and the steps are similar for other database services running in IBM Cloud. 
  3. Virtual servers are deployed to run one or multiple applications across one, two, or three availability zones. A highly available load balancer service is available in VPC to distribute inbound traffic across the zones. 
  4. Kubernetes clusters are deployed to run multiple microservices and, again, a highly available load balancer service is available in VPC to distribute inbound traffic across the nodes/zones. 
  5. The application and microservices interface with database services in IBM Cloud (e.g., Databases for PostgreSQL) through private endpoints.
  6. Logging and monitoring tools like Log Analysis with LogDNA are configured to capture system information coming from the VPC and other cloud services, such as Databases for PostgreSQL.
  7. On-premises enterprise applications and end-users are able to interact with both the applications/microservices running in the VPC and the cloud services through the private/cloud service endpoints

Deploying your applications or shrink-wrapped software to virtual servers is described in great detail in the "Install software on virtual server instances in VPC" tutorial. Once your applications are deployed, you can further secure your data by applying encryption and authenticating access to your application (the "Apply end-to-end security to a cloud application" tutorial covers these topics extensively).

Log in to your IBM Cloud account and get started with these great tutorials. 

Questions and feedback

If you have feedback, suggestions, or questions about this post, please reach out on LinkedIn (Dimitri Prosper) or use the feedback button on the referenced individual tutorials:

You can also open GitHub issues on related code samples for clarifications. 

Be the first to hear about news, product updates, and innovation from IBM Cloud