Network security

Network security constraints protect infrastructure, data, and applications from unauthorized network access.

| Constraint | Purpose | Responsibility | Configured on |
|---|---|---|---|
| Private network service endpoints | Access services through secure private network endpoints | Customer | IBM Cloud |
| Integrations | Secure connections to third-party clouds through a firewall | Customer and third-party clouds | Cloud Pak for Data as a Service |
| Connections | Secure connections to data sources | Customer | Cloud Pak for Data as a Service |
| Secure gateway | Secure connection to applications and data sources | Customer | IBM Cloud |
| Satellite locations | Securely access data in satellite locations | IBM and third-party clouds | IBM Cloud, cloud providers |
| VPNs | Share data securely across public networks | Customer | IBM Cloud |
| Allow specific IP addresses | Protect access from unknown IP addresses | Customer | IBM Cloud |
| Multi-tenancy | Provide isolation in a SaaS environment | IBM and third-party clouds | IBM Cloud, cloud providers |
| Custom network security policy | Restrict access to unknown external sites | Shared | IBM Cloud |

Private network service endpoints

Use private network service endpoints to connect to services over the IBM Cloud private network rather than over the public internet. With private network service endpoints, services are no longer served on an internet-routable IP address, which reduces their exposure. Service endpoints require virtual routing and forwarding (VRF) to be enabled on your account. VRF is automatically enabled for Virtual Private Clouds (VPCs).

For more information about service endpoints, see:

Integrations

You can configure integrations with third-party cloud platforms to allow Cloud Pak for Data as a Service users to access data sources hosted on those clouds. The following security constraints apply to integrations with third-party clouds:

  1. An authorized account on the third-party cloud, with appropriate permissions to view account credentials
  2. Permissions to allow secure connections through the cloud provider's firewall (for specific IP ranges)

For example, suppose you run notebooks against a data source hosted on AWS. You need to integrate with AWS and then create a connection to the database. Both the integration and the connection are secured. After you configure firewall access, you can grant appropriate permissions to users and provide them with credentials to access the data.

See Integrations with other cloud platforms

Connections

Connections require valid credentials to access data. The account owner or administrator configures the type of credentials that are required, either shared or personal, at the account level. Shared credentials make the data source and its credentials accessible to all collaborators in the project. Personal credentials require each collaborator to provide their own credentials to use the data source.

For more information about connections, see:

Secure gateway

Secure Gateway provides a secure, persistent connection between your environment and the cloud. With Secure Gateway, you can safely connect all of your applications and resources regardless of their location.

For more information, see:

Satellite locations

IBM strictly manages account and resource access to Satellite locations by using access control policies, procedures, and systems. These systems allow access only to individuals with explicit access permission.

IBM does not move data out of Satellite locations. Although the IBM control plane might reside elsewhere, the data plane (where data is processed) is located in the IBM-owned AWS account and data never leaves that location.

For more information, see Satellite locations overview

VPNs

Virtual Private Networks (VPNs) create virtual point-to-point connections by using tunneling protocols, encryption, and dedicated connections. They provide a secure method for sharing data across public networks.

Following are the VPN-related technologies on IBM Cloud that provide VPN connection capability:

The blog describing the deprecation of the Secure Gateway also provides information and scenarios for using VPNs as an alternative. See IBM Cloud Secure Gateway Deprecation

Allow specific IP addresses

Use this constraint to control access to the IBM Cloud console and to Cloud Pak for Data as a Service. Access is allowed from the specified IP addresses only; access from all other IP addresses is denied. You can specify the allowed IP addresses for an individual user or for an account.

When you allow specific IP addresses for Watson Studio, you must include the CIDR ranges for the Watson Studio nodes in each region, in addition to the individual client system IPs that are allowed; otherwise the restriction blocks Watson Studio itself. You can find the CIDR ranges in Cloud Pak for Data as a Service by following these steps:

  1. From the main menu, choose Administration > Cloud integrations.
  2. Click Firewall configuration to display the IP addresses for the current region. Use CIDR notation.
  3. Copy each CIDR range into the IP address restrictions for either a user or an account. Be sure to enter the allowed individual client IP addresses as well. Enter the IP addresses as a comma-separated list. Then click Apply.
  4. Repeat for each region to allow access for Watson Studio.

For step-by-step instructions for both user and account restrictions, see IBM Cloud docs: Allowing specific IP addresses
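The check a practitioner wants before applying such a restriction is that the comma-separated list parses cleanly, that it still contains every Watson Studio node range for the region, and that a given client address is actually admitted. The following Python is an added example, not IBM's code; the node CIDRs and client IPs in it are constructed placeholders from documentation ranges, and the real values come from Firewall configuration in the console.

```python
import ipaddress

# Constructed sample values: these are NOT real Watson Studio node ranges.
# Take the real CIDR ranges from Administration > Cloud integrations >
# Firewall configuration for each region before applying a restriction.
WATSON_STUDIO_NODE_CIDRS = {
    "us-south": ["203.0.113.0/25", "203.0.113.128/26"],
}
CLIENT_IPS = ["198.51.100.10", "198.51.100.0/29"]  # constructed client entries


def parse_allowlist(entries):
    """Parse the comma-separated list the console expects into IP networks.

    Raises ValueError on any entry that is not a valid IP or CIDR, so a typo
    is caught before the restriction locks a user or the whole account out.
    """
    nets = []
    for raw in entries.split(","):
        raw = raw.strip()
        if raw:
            # strict=False lets a bare host address through as a /32 (or /128)
            nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def build_allowlist(region, client_entries):
    """Combine the region's node CIDRs with the client entries, comma-separated."""
    entries = list(WATSON_STUDIO_NODE_CIDRS[region]) + list(client_entries)
    return ",".join(entries)


def is_allowed(source_ip, allowlist):
    """True only if source_ip falls inside some entry; all other sources are denied."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in parse_allowlist(allowlist))


def missing_node_ranges(region, allowlist):
    """Return the region's node CIDRs that the allowlist does not fully cover."""
    nets = parse_allowlist(allowlist)
    missing = []
    for cidr in WATSON_STUDIO_NODE_CIDRS[region]:
        node_net = ipaddress.ip_network(cidr)
        covered = any(node_net.subnet_of(n)
                      for n in nets if n.version == node_net.version)
        if not covered:
            missing.append(cidr)
    return missing
```

Run `missing_node_ranges` against the exact string you are about to paste into the user or account restriction; a non-empty result means the restriction would block Watson Studio nodes in that region.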

Multi-tenancy

Cloud Pak for Data as a Service is hosted as a secure and compliant multi-tenant solution on IBM Cloud. See Multi-Tenant.

Custom network security policy

A custom network security policy restricts the external sites that users can access from Watson Studio and Watson Machine Learning. Users might access external sites to download data files or to install library packages. By default, the Watson Studio and Watson Machine Learning services do not restrict the external sites that users can access from the service. To limit access to a list of approved and secure external sites, contact IBM Cloud Support and request a custom network security policy for your organization.