Creating Secure Tunnel connections
A Secure Tunnel connection links the network that contains the Secure Tunnel to a remote network. Your applications can be on either side of the connection. Secure Tunnel comes with connection templates for common application scenarios, including ChatOps, VMware, and Turbonomic. You can also create custom connections to support more scenarios.
- Prerequisites
- Secure Tunnel Web Console
- Creating a secure tunnel
- ChatOps
- VMware
- Turbonomic
- OpenStack
- Custom
Prerequisites
- Ensure that you have Red Hat OpenShift Container Platform installed on one of your networks (referred to as network-A in the following steps). You use this instance of OpenShift to bridge to the other network.
- Ensure that another system (Red Hat OpenShift Container Platform, Kubernetes, or other system) or a host machine (virtual machine or physical machine) is available on a different network (referred to as network-B in the following steps). You use this network as the location for installing the Secure Tunnel Connector.
- Ensure that the network access is available on network-A and network-B. Either network-A or network-B needs to have a public IP address.
- Ensure that you install Secure Tunnel. For more information, see Installing Secure Tunnel.
- Verify that you can access the Secure Tunnel web console.
- Install Secure Tunnel by following the installation instructions.
Secure Tunnel Web Console
Use either of these methods to access the Secure Tunnel console:
- If you installed Secure Tunnel in IBM Cloud Pak for Watson AIOps, in the Automation console, click the menu bars on the upper left of the screen to open the Navigation Menu. Click Administration, then click Secure Tunnel.
- If Secure Tunnel is not installed in IBM Cloud Pak for Watson AIOps, use the Red Hat OpenShift Container Platform route to access the stand-alone Secure Tunnel. To get the Secure Tunnel URL, enter the following command, where <namespace> is the namespace in which Secure Tunnel is installed:
  oc get route -n <namespace> sre-tunnel-tunnel-ui -o jsonpath='{.spec.host}'
In the web console, you can create the following types of connections:
Creating a Secure Tunnel
ChatOps connection
To integrate IBM Cloud Pak for Watson AIOps with a service like Slack or Microsoft Teams, the IBM Cloud Pak for Watson AIOps instance needs to be accessible from the public network. If your IBM Cloud Pak for Watson AIOps is not accessible from the public network, you can open the IBM Cloud Pak for Watson AIOps instance to the public network by creating a Secure Tunnel. You can do it by exposing the IBM Cloud Pak for Watson AIOps instance to either a cluster (Red Hat OpenShift Container Platform or IBM Kubernetes Service cluster) or a host machine (virtual machine or physical machine), which is accessible from the public network. Simplify the creation of a secure tunnel by using the ChatOps template from the Secure Tunnel Console on the Manage connections page. Take the following steps to create a ChatOps connection:
- Click the ChatOps tile. A panel with an introduction to the ChatOps template opens. Click Get started.
- In the Name and Tags section, provide a name and tag for this connection.
  - Connection name: required. The name of the connection. The name can include only lowercase alphanumeric characters and '-', and must start and end with a lowercase alphanumeric character.
  - New tag: optional. The tag of the connection.
- In the Connector settings section:
  - First, specify where the connector is located: in a Cloud cluster or on a Host machine.
  - If you choose to install the connector in a Red Hat OpenShift cluster, the connector can be installed automatically. Complete the following actions:
    - Login command for target Red Hat OpenShift cluster: required. Specify a publicly accessible cluster with a CA-signed domain certificate. Do not install the connector in the cluster that contains the Tunnel Connection worker.
    - Target namespace to install the connector: required. The project (namespace) where you want to install the connector.
    - Connector replicas: configure the tunnel connector replicas to set High Availability.
    If you want to install the connector in Red Hat OpenShift Container Platform manually, use the Custom method.
  - If you choose to install the connector in a Kubernetes cluster, complete the following actions:
    - Cloud domain: run the following command to get the IBM Kubernetes Service cluster domain name:
      ibmcloud ks cluster get --cluster <Cluster ID> --output json | jq '.ingress.hostname'
    - Target namespace to install the connector: required. The project (namespace) where you want to install the connector.
    - Connector replicas: configure the tunnel connector replicas to set High Availability.
  - If you choose to install the connector on a Host machine, take the following actions:
    - Host machine addresses: required. Includes the External address of the host machine, the Port, and the Default address of the host machine. When a host machine has multiple addresses, a default IP address is required. If you want to use one host machine to expose more than one IBM Cloud Pak for Watson AIOps instance, set a different port for each additional ChatOps connection.
    - Expose mapping port: required. Default is 12443. You can change this port so that several IBM Cloud Pak for Watson AIOps instances have different exposed ports, which lets you use one host machine for more than one ChatOps connection.
    - DNS and load balancing: required. First, enter the DNS name of a suitable host machine. Next, select the same machine to host a reverse proxy / load balancer (bundled with the connector). Finally, specify the corresponding certificate and private key.
      Note: If you have an IBM Cloud account, see Getting started with IBM Cloud Internet Services to apply for a DNS name, and see Preparing to order public certificates to apply for a CA-signed certificate. Extract the CA-signed certificate file, hostname.pem, for the certificate and hostname.key for the private key. If your CA-signed certificate comes with an intermediate file, such as hostname-intermediate.pem, concatenate it with the certificate file, such as hostname.pem, by running the following command:
      cat hostname-intermediate.pem >> hostname.pem
- In the Secure Tunnel settings, configure the tunnel worker replicas to set High Availability.
  - HTTPS proxy: optional. Specify a forward proxy to enable the Secure Tunnel to reach the connector in the other network, such as username:password@hostname:port.
    Note: It is necessary to enter the HTTPS proxy information when Secure Tunnel is in an air-gapped environment. If your Secure Tunnel is in an air-gapped environment without internet connectivity, prepare a host machine (virtual machine or physical machine). Ensure that the host machine can be accessed from the IBM Cloud Pak for Watson AIOps cluster and that it can connect to the internet. Then, install an HTTPS proxy server on the host machine, and set the HTTPS proxy server in the HTTPS proxy field.
    If you install the connector in Red Hat OpenShift Container Platform and the Secure Tunnel in an air-gapped environment with the HTTPS proxy configured, choose Kubernetes for the Cloud Type in the preceding step. Then, to get the domain for the Cloud domain field, run:
    HOSTNAME=$(oc get route -n openshift-console console -o=jsonpath='{.spec.host}') && HOSTNAME=${HOSTNAME#console-openshift-console.} && echo "$HOSTNAME"
    For example, squid is a simple HTTPS proxy server. The following example uses squid to set up an HTTPS proxy server (do not use this example in your production environment). For a production environment, contact your network administrator to help you configure the HTTPS proxy.
    Save the following configuration in a file named squid.conf:
      acl all src 0.0.0.0/0.0.0.0
      acl SSL_ports port 443
      acl CONNECT method CONNECT
      http_access deny CONNECT !SSL_ports
      http_access allow all
      # Squid normally listens to port 3128
      http_port 3128
      # Uncomment and adjust the following to add a disk cache directory.
      cache_dir ufs /var/spool/squid 100 16 256
      # Leave coredumps in the first cache dir
      coredump_dir /var/spool/squid
      #
      # Add any of your own refresh_pattern entries above these.
      #
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
      # example lin deb packages
      #refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
      refresh_pattern . 0 20% 4320
    Start the squid server by running the following command:
      docker run --name squid -d -p 3128:3128 -v `pwd`/squid.conf:/etc/squid/squid.conf datadog/squid
    Set <host machine IP>:3128 in the HTTPS proxy field.
- Click Create connection to create a ChatOps connection.
- If you choose to install the connector in the Red Hat OpenShift cluster, the connector is automatically installed. You can see the installation status in the connector installation section. When the installation is finished, you can get the application mapping URLs for Slack integration and Microsoft Teams integration.
- If you choose to install the connector in Kubernetes or a host machine, the connector must be manually installed. You can get the installation script in the Next steps section. Install the connector following this installation guide. When the connector is installed, you can use the appropriate application mapping address to integrate with Slack or Microsoft Teams.
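The host machine variant of the ChatOps steps above asks for a CA-signed certificate with its intermediate appended to hostname.pem, plus the matching private key. The following script is an added example, not part of the IBM documentation or of the Secure Tunnel product: it assembles the chain in the documented order (leaf first, intermediate after) and, before anything is uploaded to the connector, checks that the private key belongs to the certificate and that the intermediate actually signs the leaf. The file names hostname.pem, hostname-intermediate.pem and hostname.key and the TUNNEL_* environment variables are assumptions; the two openssl checks need openssl installed on the machine where you run it.

```shell
#!/bin/sh
# Added example (not IBM's code): build and sanity-check the certificate chain
# that the ChatOps host machine connector expects. File names are assumptions.

# Count PEM certificate blocks in a file (confirms the chain was assembled).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Write <out> as the leaf certificate followed by the intermediate(s). Servers
# must present the leaf first, which is what the documented
# "cat hostname-intermediate.pem >> hostname.pem" achieves; this variant leaves
# the original leaf file untouched. Prints the number of certificates written.
assemble_chain() {
    leaf=$1; intermediate=$2; out=$3
    cat "$leaf" "$intermediate" > "$out"
    count_certs "$out"
}

# The key matches the certificate when the public key derived from each is
# byte-identical. Needs openssl; returns 0 on match.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The intermediate must sign the leaf and chain up to a trusted root in the
# system store; the intermediate is supplied as untrusted chain material.
chain_is_valid() {
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# Stand-alone use on the machine holding the files (assumed variable names):
#   TUNNEL_CERT=hostname.pem TUNNEL_INTERMEDIATE=hostname-intermediate.pem \
#   TUNNEL_KEY=hostname.key sh chain-check.sh
if [ -n "${TUNNEL_CERT:-}" ]; then
    n=$(assemble_chain "$TUNNEL_CERT" "$TUNNEL_INTERMEDIATE" hostname-chain.pem)
    echo "hostname-chain.pem contains $n certificate(s)"
    if key_matches_cert "$TUNNEL_CERT" "$TUNNEL_KEY"; then
        echo "private key matches the certificate"
    else
        echo "KEY MISMATCH: do not upload this pair"
    fi
    if chain_is_valid "$TUNNEL_CERT" "$TUNNEL_INTERMEDIATE"; then
        echo "chain verifies against the system trust store"
    else
        echo "chain does NOT verify: wrong intermediate, or root not trusted"
    fi
fi
```

A chain that fails `openssl verify` here is the usual cause of Slack or Microsoft Teams refusing the application mapping URL later, since those services only accept a certificate that chains to a public root.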
ChatOps connection (Microsoft Azure as host machine)
Set up
- IBM Cloud Pak for Watson AIOps in network-A (private cloud)
- ChatOps in network-B (Slack or Microsoft Teams in public cloud)
Requirement
Configure ChatOps and configure a Secure Tunnel out of network-A to communicate with ChatOps in the public cloud network-B.
Procedure
- IBM Cloud Pak for Watson AIOps is installed as normal.
- The user deploys a VM to Azure and gives it a public internet-facing endpoint. Note: The VM must have a signed, trusted certificate that ChatOps accepts as trusted (not a self-signed one).
- On Azure, open port 50443 on the VM by using an NSG (Network Security Group).
- Give the VM a public DNS name.
- Check the private IP in the Azure UI. For example, the private IP in this case is 172.18.0.4.
  Figure. Azure UI
- Get the signed, trusted certificates, including the root and any intermediate CAs.
- Configure the tunnel connector in the Secure Tunnel console, entering the values as shown here:
  Figure. Secure Tunnel UI
  Note where the private IP is entered and note the values for DNS. Select the host machine in the dropdown menu.
- Enter your certificate and keys in the connector UI.
  Figure. Enter certificate keys
- You then get a tar.gz file. Download this file and transfer it to the Azure VM.
- On the Azure VM, where you unpack the download, ensure that nothing is listening on port 443 (such as an Apache server) and run the Secure Tunnel installer as root, because it needs that privilege to bind to port 443.
- You then get a successful installation and see a Ready status on the Secure Tunnel UI.
  Script output:
    Install Tunnel Connector successfully
    {"ok":true}
    {"ok":true}
    Start Tunnel Connector successfully
    {"description":""}
    {"description":""}
    A Tunnel Connector is ready to use.
  IBM Cloud Pak for Watson AIOps UI:
  Figure. Additional Secure Tunnel UI
- Click the application mappings entry, which shows you the URLs to use in Slack or Microsoft Teams. You can renew the certificate and private key by editing the application mapping.
  Figure. Application mappings
- In the Microsoft Teams bot, enter the URL in the Messaging endpoint field.
  Figure. Azure team
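Two conditions in the Azure procedure above are easy to get wrong on a shared VM: the installer must run as root, and nothing else may already be bound to port 443. The following pre-flight script is an added example, not part of the IBM documentation or the connector installer. It reads the listener table from `ss -ltn`, reports what is occupying port 443, and refuses to proceed otherwise. A constructed sample of `ss -ltn` output is embedded so the parsing can be exercised offline; the `--run` flag and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-flight checks before unpacking the
# connector tar.gz on the Azure VM. Run as: sudo sh connector-preflight.sh --run

# 0 when running as root, which the installer needs to bind port 443.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Read `ss -ltn` output on stdin and print the local addresses listening on the
# given port. Matches the ":port" suffix of the "Local Address:Port" column, so
# 0.0.0.0:443, [::]:443 and *:443 are all caught while 127.0.0.1:4430 is not.
listeners_on_port() {
    port=$1
    awk -v p=":$port" 'NR > 1 && substr($4, length($4) - length(p) + 1) == p { print $4 }'
}

# 0 when no listener on stdin uses the port.
port_is_free() {
    [ -z "$(listeners_on_port "$1")" ]
}

# Constructed sample of `ss -ltn` output: sshd on 22, an Apache server on 443
# (the situation the step above warns about) and a local proxy on 3128.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:443                *:*
LISTEN  0       128     127.0.0.1:3128       0.0.0.0:*'

# Live checks against the VM; prints findings and returns 1 on any failure.
preflight() {
    rc=0
    is_root || { echo "FAIL: run the installer as root (needed to bind port 443)"; rc=1; }
    if ! command -v ss >/dev/null 2>&1; then
        echo "FAIL: ss not found, cannot inspect listeners"; return 1
    fi
    if ss -ltn | port_is_free 443; then
        echo "ok: port 443 is free"
    else
        echo "FAIL: port 443 is already bound by: $(ss -ltn | listeners_on_port 443 | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Only touch the live system when asked; the functions above run offline.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

If the check reports a listener on 443, stop that service (or move it off the port) before running the installer; installing over a live web server leaves two processes fighting for the port and the connector shows as not Ready.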
VMware connection
Follow the installation instructions to install Secure Tunnel.
You can access services in a private VMware® vCenter from a public cloud Infrastructure automation. In this case, install a Secure Tunnel in the Infrastructure automation cluster, with IBM Cloud Pak for Watson AIOps or a stand-alone version. Then, take the following steps to configure the VMware tunnel connection:
Note: VMware template supports the VMware scenario specifically. Other scenarios can be created by using a Custom template.
Simplifying the creation of a Secure Tunnel by using VMware template in IBM Cloud Pak for Watson AIOps:
- Click the VMware tile. The VMware side panel opens and provides an introductory explanation of the VMware template. Click Get started.
- In the Name and Tags section, provide a name and tag for this connection:
  - Connection name: required. The name of the connection. The name can include only lowercase alphanumeric characters and '-', and must start and end with a lowercase alphanumeric character.
  - New tag: optional. The tag of the connection.
- In the Connector settings section, configure the tunnel connector replicas for High Availability and choose whether to install the tunnel connector in a Cloud cluster or on a Host machine in the connector location section.
- In the Secure Tunnel setting, configure the tunnel worker replicas to set High Availability.
  - HTTPS proxy: optional. Specify a forward proxy to enable the Secure Tunnel to reach the connector in the other network, such as username:password@hostname:port.
    Note: It is necessary to enter the HTTPS proxy information when Secure Tunnel is in an air-gapped environment. If your Secure Tunnel is in an air-gapped environment without internet connectivity, prepare a host machine (virtual machine or physical machine). Ensure that the host machine can be accessed from the IBM Cloud Pak for Watson AIOps cluster and that it can connect to the internet. Then, install an HTTPS proxy server on the host machine, and set the HTTPS proxy server in the HTTPS proxy field.
    If you install the connector in OCP and the Secure Tunnel in an air-gapped environment, you need to use the Custom method to create a ChatOps connection.
    For example, squid is a simple HTTPS proxy server. The following example uses squid to set up an HTTPS proxy server (it is only an example; do not use it in your production environment). For a production environment, contact your network administrator to help you configure the HTTPS proxy.
    - Save the following configuration in a file named squid.conf:
      acl all src 0.0.0.0/0.0.0.0
      acl SSL_ports port 443
      acl CONNECT method CONNECT
      http_access deny CONNECT !SSL_ports
      http_access allow all
      # Squid normally listens to port 3128
      http_port 3128
      # Uncomment and adjust the following to add a disk cache directory.
      cache_dir ufs /var/spool/squid 100 16 256
      # Leave coredumps in the first cache dir
      coredump_dir /var/spool/squid
      #
      # Add any of your own refresh_pattern entries above these.
      #
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
      # example lin deb packages
      #refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
      refresh_pattern . 0 20% 4320
    - Start the squid server by running the following command:
      docker run --name squid -d -p 3128:3128 -v `pwd`/squid.conf:/etc/squid/squid.conf datadog/squid
    - Set <host machine IP>:3128 in the HTTPS proxy field.
- In the Application mappings section, edit the VMware addresses to match your environment. If they are the same as the addresses in the template, you don't need to change anything.
- Click Create connection to create a VMware connection. You can get the installation script in the Next steps section. Install the connector by following the guide. When the connector is installed, the application mapping address is accessible. You can use this address as the VMware vCenter service address to configure the VMware connection from the Infrastructure Automation UI.
Turbonomic connection
The Turbonomic server is in one private network cluster and you want to integrate it with a kubeturbo probe in another private network.
In this case, install a stand-alone Secure Tunnel on a public Cloud. Then, create one tunnel connection to export the Turbonomic server endpoint to the public cloud cluster. Next, create another tunnel connection to export the exposed Turbonomic server endpoint (a Kubernetes service in the public cloud cluster) to the kubeturbo private network cluster.
The kubeturbo probe can then access the Turbonomic server through the Secure Tunnel.
Simplifying the creation of a secure tunnel by using the Turbonomic template:
- Click the Turbonomic tile to open the Turbonomic side panel. Next, click Get started to create a connection. The first connection exposes Turbonomic to the Secure Tunnel server.
- In the Name and Tags section, provide a name and tags for this connection:
  - Connection name: required. The name of the connection. The name can include only lowercase alphanumeric characters and '-', and must start and end with a lowercase alphanumeric character.
  - New tag: optional. The tag of the connection.
- In the High availability section:
  - Connector replicas: configure the tunnel connector replicas for High Availability.
  - Tunnel worker replicas: configure the tunnel worker replicas for High Availability.
- In the Application mappings section, edit the Turbonomic server addresses to match your environment (in particular, check that the namespace part of the Turbonomic Kubernetes service address matches your Turbonomic Kubernetes service). If it is the same as the address in the template, you don't need to change anything.
- Click Create connection to create a Turbonomic connection that exposes the Turbonomic server to the public cloud cluster (as a Kubernetes network service). You then get the installation script in the Next steps section. You can install the connector by following this guide, or install it later from the Manage connections page by clicking Action > installation connector.
- Click Next to install the second connection. This step is the same as the first, except that you cannot change the application address in the Application mappings section. This tunnel connection exports the exposed Turbonomic server from the public cluster (a Kubernetes network service) to the kubeturbo private network cluster. Click Create connection to create the Turbonomic connection. You can get the installation script in the Next steps section, and install the connector.
- Finally, select the <the name that you provided in the Name and Tags>-kubeturbo tunnel connection and obtain the application mapping address. You can use this application mapping address as the Turbonomic server address in kubeturbo. The address is similar to this:
  http://sre-tunnel-9a4f8fbb26374fa7.tunnel-connector-turbo:8080
- Install kubeturbo. Create a project (namespace), such as kubeturbo, to install the kubeturbo operator and instance from the Red Hat OpenShift console OperatorHub. Enter kubeturbo in the All Items field. Click the Kubeturbo Operator panel to install kubeturbo. After the operator is installed, go to Installed Operators > Kubeturbo Operator and click Create instance from the Kubeturbo operator panel. Change to the YAML View and edit the YAML like this:
  spec:
    replicaCount: 1
    restAPIConfig:
      opsManagerPassword: <password of the Turbonomic server>
      opsManagerUserName: <username of the Turbonomic server>
    serverMeta:
      turboServer: '<the turbo server application mapping address, should be like: http://sre-tunnel-9a4f8fbb26374fa7.tunnel-connector-turbo:8080>'
      version: '8'
    targetConfig:
      targetName: <give a name like: tunneltest>
Note: Check that the connectors have successfully installed for the two connections. One is in the private Turbonomic server cluster, the other is in the private kubeturbo agent container.
OpenStack connection
Scenario: The OpenStack server is in a private network cluster and IBM Cloud Pak for Watson AIOps is in a public cluster. To integrate with the private OpenStack server, you can use a Secure Tunnel to create an OpenStack connection. The OpenStack template that is described in the following section supports this type of connection. You can create other templates through a custom connection. For more information, see Custom connection.
Simplifying the creation of a Secure Tunnel by using an OpenStack template
From the Secure Tunnel Console on the Manage connections tab page, click Create connection. Then, take the following steps to create an OpenStack connection:
- Click the OpenStack tile. The OpenStack introductory side panel opens. Click Get started.
- In the Name and Tags section, provide a name and tags for this connection:
  - Connection name: required. The name of the connection. The name can include lowercase alphanumeric characters and '-', and must start and end with a lowercase alphanumeric character.
  - New tag: optional. A tag for the connection.
- In the Connector settings section, configure the tunnel connector replicas to set High Availability and choose whether to install the tunnel connector in a Cloud cluster or on a Host machine in the Connector location section.
- In the Secure Tunnel setting, configure the tunnel worker replicas to set High Availability.
- In the HTTPS proxy field, optionally specify a forward proxy to enable the Secure Tunnel to reach the connector in the other network, such as username:password@hostname:port.
  Note: It is necessary to enter the HTTPS proxy information when Secure Tunnel is in an air-gapped environment. If your Secure Tunnel is in an air-gapped environment without internet connectivity, prepare a host machine (virtual machine or physical machine). Ensure that the host machine can be accessed from the IBM Cloud Pak for Watson AIOps cluster and that it can connect to the internet. Then, install an HTTPS proxy server on the host machine and set the HTTPS proxy server in the HTTPS proxy field.
  For example, squid is a simple HTTPS proxy server. The following example uses squid to set up an HTTPS proxy server. It is only an example; do not use it in your production environment. (For a production environment, contact your network administrator to help you configure the HTTPS proxy.)
  - Save the following configuration in a file named squid.conf:
    acl all src 0.0.0.0/0.0.0.0
    acl SSL_ports port 443
    acl CONNECT method CONNECT
    http_access deny CONNECT !SSL_ports
    http_access allow all
    # Squid normally listens to port 3128
    http_port 3128
    # Uncomment and adjust the following to add a disk cache directory.
    cache_dir ufs /var/spool/squid 100 16 256
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    #
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
    # example lin deb packages
    #refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
    refresh_pattern . 0 20% 4320
  - Start the squid server by running the following command:
    docker run --name squid -d -p 3128:3128 -v `pwd`/squid.conf:/etc/squid/squid.conf datadog/squid
  - Set <host machine IP>:3128 in the HTTPS proxy field.
- In the Application mappings section, edit the OpenStack addresses to match your environment, and enable Origin application uses HTTPS.
- Click Create connection to create an OpenStack connection. You can get the installation script in the Next steps section. Follow the installing connector steps. After the connector is installed, the application mapping address is accessible. Use this address as the VMware vCenter service address to configure the VMware connection from the Infrastructure Automation UI.
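The squid example shown in the ChatOps, VMware and OpenStack sections is explicitly not for production: `http_access allow all` lets any client on the host machine's network use the proxy to reach any HTTPS destination. The following script is an added example, not part of the IBM documentation or the Secure Tunnel product. It generates a squid.conf that admits only the Secure Tunnel's source range, only the CONNECT method on port 443, and only the connector's host name, and it includes a check that flags the permissive rule in a configuration you already have. The CIDR and host name are parameters (the values below are constructed), and the configuration assumes Squid 3.2 or later, where the `all` ACL is built in.

```shell
#!/bin/sh
# Added example (not IBM's code): a least-privilege squid.conf for the Secure
# Tunnel HTTPS proxy, plus a detector for the "allow all" rule in the page's
# sample. Usage: sh gen-squid.sh <tunnel source CIDR> <connector hostname> > squid.conf

# Print a restricted squid.conf. Only the tunnel's source range may use the
# proxy, only CONNECT to port 443 is accepted, and only to the connector host.
squid_conf_for() {
    cidr=$1; connector=$2
    cat <<EOF
# Restricted HTTPS forward proxy for the Secure Tunnel (generated, Squid >= 3.2)
http_port 3128
acl tunnel_src src $cidr
acl SSL_ports port 443
acl CONNECT method CONNECT
acl connector_dst dstdomain $connector
# Refuse anything that is not a CONNECT from the tunnel to the connector on 443.
http_access deny !tunnel_src
http_access deny !CONNECT
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !connector_dst
http_access allow tunnel_src CONNECT SSL_ports connector_dst
http_access deny all
# CONNECT traffic is opaque to the proxy; keep it stateless.
cache deny all
EOF
}

# 0 when a configuration on stdin still contains the blanket allow rule.
conf_is_permissive() {
    grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'
}

# Constructed excerpt of the page's sample, used to show the detector firing.
WEAK_CONF='acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3128'

# Live smoke test from inside the tunnel network (hypothetical helper): a
# CONNECT through the proxy to the connector should succeed, one to any other
# host should be refused by squid. Reports curl's exit status only.
check_proxy() {
    proxy=$1; target=$2
    if curl -sS -o /dev/null -x "http://$proxy" "https://$target/" 2>/dev/null; then
        echo "CONNECT to $target via $proxy: allowed"
    else
        echo "CONNECT to $target via $proxy: refused or unreachable"
    fi
}

# Stand-alone: emit the configuration when given the two parameters.
if [ $# -eq 2 ]; then
    squid_conf_for "$1" "$2"
fi
```

Use the pod network CIDR of the cluster that hosts the Secure Tunnel worker as the source range, and the DNS name you configured for the connector (or the cluster's cloud domain) as the destination; both are values you already entered in the wizard, so the proxy grants exactly what the connection needs and nothing more.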
Custom connection
Secure Tunnel can accommodate specific requirements with a Custom connection. For instance, you can use this type of connection for ChatOps to help you understand how to customize your own connection.
The installation connector in Red Hat OpenShift is automatically supported when you use the ChatOps template. If you don't want to take this approach, you can install the connector in Red Hat OpenShift manually with the Custom method.
Use case summary: IBM Cloud Pak for Watson AIOps is installed. Slack (for ChatOps) is in a public network. To access IBM Cloud Pak for Watson AIOps, expose the IBM Cloud Pak for Watson AIOps instance to the public cluster through a connector that is installed in Red Hat OpenShift.
- Create a connection to create a bridge configuration between the network where Secure Tunnel is installed and the network that has the connector.
- Click the Custom tile. The Custom side panel opens. Then, click Get started.
- In the Name and Tags section, provide a name and tags for this connection:
  - Connection name: required. The name of the connection. The name can include lowercase alphanumeric characters and '-', and must start and end with a lowercase alphanumeric character.
  - New tag: optional. The tag of the connection. Add the tag chatops=true in our example.
- In Direction, specify whether the relationship is Connector in private network initializes connection to Secure Tunnel in public network or Secure Tunnel in private network initializes connection to connector in public network. Because Secure Tunnel is in the IBM Cloud Pak for Watson AIOps cluster, choose the option Secure Tunnel in private network initializes connection to connector in public network.
- In the Connector settings section:
  - Connector location: required. Select whether the connector is installed in the Cloud or on a Host machine. Because the connector is installed on Red Hat OpenShift, choose Cloud.
  - Connector replicas: configure the tunnel connector replicas to set High Availability, 1 - 16, as you need.
  - Cloud domain: if you install the connector in the Cloud with the direction Secure Tunnel in private network initializes connection to connector in public network, you must enter the cloud domain of the cluster where you install the connector. Run this command to get the Red Hat OpenShift cluster domain name:
    oc get route -n openshift-console console -o jsonpath='{.spec.host}' | sed -e 's/[^\.]*\.//'
    Run this command to get the IBM Kubernetes Service cluster domain name:
    ibmcloud ks cluster get --cluster <Cluster ID> --output json | jq '.ingress.hostname'
  - Host Machine: if you install the connector in a VM or on a physical machine, you need:
    - Host machine addresses:
      - If your connection direction is Secure Tunnel in private network initializes connection to connector in public network, it must include the External address of host machine, Port, and Default address of host machine (optionally, specify a default IP address when a host machine includes multiple addresses).
      - If your connection direction is Connector in private network initializes connection to Secure Tunnel in public network, it must include the Default address of host machine (optionally, specify a default IP address when a host machine includes multiple addresses).
    - Common DNS name for all inbound traffic (optional): required in this case. Specify a DNS name for all inbound (connector to tunnel) traffic. When multiple host machines are present, you can enter a DNS name or the external IP address or hostname of the machine hosting the reverse proxy/load balancer. Note: do not complete this field unless you have at least one host machine address.
    - Host machine for reverse proxy / load balancer (optional): required in this case. All inbound (connector to tunnel) traffic is routed to an NGINX-based reverse proxy/load balancer that is deployed to this host machine during installation of the connector.
    - Connector replicas: configure the tunnel connector replicas to set High Availability.
- In the Secure Tunnel setting, configure the tunnel worker replicas to set High Availability, limit: 1-16.
  - HTTPS proxy: optional. Specify a forward proxy to enable the Secure Tunnel to reach the connector in the other network, such as username:password@hostname:port.
    Note: It is necessary to enter the HTTPS proxy information when Secure Tunnel is in an air-gapped environment. If your Secure Tunnel is in an air-gapped environment without internet connectivity, prepare a host machine (virtual machine or physical machine), and ensure that the host machine can be accessed from the IBM Cloud Pak for Watson AIOps cluster and that it can connect to the internet. Then, install an HTTPS proxy server on the host machine, and set the HTTPS proxy server in the HTTPS proxy field.
  - Allowed list: specify the IP addresses and ports that are exposed across this connection through application mappings. You can specify address ranges and port ranges. If you do not define an allowed list, the application mapping URL is inaccessible. To expose the IBM Cloud Pak for Watson AIOps instance, enter the IBM Cloud Pak for Watson AIOps instance address:
    internal-nginx-svc 12443
- Click Create connection to initiate a custom connection. In the Next steps page, you install a connector and create application mappings.
- Follow the Install Secure Tunnel Connector guide to enable the connection.
- Create Application Mapping to expose the applications to another network (Secure Tunnel side to connector side, or opposite). Set application mappings to expose the IBM Cloud Pak for Watson AIOps instance. Go to the Secure Tunnel Console on the Manage connections tab page, and click the Application mappings of the tunnel connection list. You are redirected to the Application mappings page. You have two ways to create a connection, one is Create from scratch, the other is Copy from template.
- Click Create to open the wizard panel to create an application mapping from scratch.
-
In the Name and Tags section, provide a name and tags for this application mapping:
- Application mapping name: required. The name of the application mapping name can include lowercase alphanumeric characters and '-', and must start and end with a lowercase alphanumeric character.
- New tag: optional. The tag of the application. Add a tag
chatops=true
in our example.
- New tag: optional. The tag of the application. Add a tag
- Application mapping name: required. The name of the application mapping name can include lowercase alphanumeric characters and '-', and must start and end with a lowercase alphanumeric character.
-
In Direction, specify how you expose the application from connector side to Secure Tunnel side or from Secure Tunnel side to connector side. Because the IBM Cloud Pak for Watson AIOps instance is in Secure Tunnel side, in this case, choose from Secure Tunnel side to connector side.
-
In the Application details section,
-
Specify the address of the application and the ports that you want to expose. The address and ports must be included in the allowed list for the connection. Configure DNS so that the application can be accessed by using the original address or the application mapping address (optional) . Input the IBM Cloud Pak for Watson AIOps instance address:
internal-nginx-svc
, and port:12443
, and the exposed mapping port (default is12443
. Change as you need.). Note: Before you add an IP address or hostname, check the existing application mappings from the Application mappings page in the IBM Cloud Pak Automation console. Check for an existing application mapping. If one is available, check whether the original address is the same IP address or hostname as the new one that you want to specify. Edit the existing mapping to add the new port value instead of creating another application mapping. -
DNS: Configure DNS so that application can be accessed by using the original address or application mapping address.
- If you chose to expose the application from the connector side to the Secure Tunnel side in the Direction section, you can optionally configure the Reverse proxy. Toggle each switch to Yes to enable the following:
  - Origin application uses HTTP/HTTPS, and the server checks the hostname or responds with other URLs of the application in the HTTP response payload (for example, Falcon LogScale)
  - Origin application uses HTTPS (for example, OpenStack)
  - Origin application responds with other URLs of the application in the HTTP response payload (for example, OpenStack)
- In Access rule, you can use access rules to control the traffic flow at the IP address or port level for particular applications in your cluster. The default network policy allows all ingress and egress traffic for each application mapping, so restrict it to the addresses and ports that actually need to reach the mapping. Network policy: network policies specify how a pod is allowed to communicate with various network "entities" over the network. Network policies apply to a connection with a pod on one or both ends, and are not relevant to other connections.
- Create application mappings by using an existing template: click the Copy from template button, and the wizard panel opens.
  - Choose a template. The application mappings in this template are displayed in the table.
  - In the table, you can edit the Application mapping name, Application original address, Application original port, and Application exposed port.
  - Click Copy mappings to create the application mappings through this connection.
- You have now exposed the application. In our example, IBM Cloud Pak for Watson AIOps is exposed to the public network, so you can use the application mapping address to access IBM Cloud Pak for Watson AIOps.
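The checks the wizard applies to an application mapping (name format, address and port present in the connection's allowed list, and "edit the existing mapping rather than create a second one for the same original address") can be run ahead of time against an inventory of what you already have. The following script is an added example and is not part of the Secure Tunnel product or this page; the allowed list and the existing-mappings table are constructed sample data built from the addresses used in this page's examples.

```shell
#!/bin/sh
# Added example, not from this page or the Secure Tunnel product.
# Pre-checks a proposed application mapping against the rules the wizard
# enforces: name format, address:port present in the connection's allowed
# list, and "edit the existing mapping instead of creating a second one"
# when a mapping for the same original address already exists.
# ALLOWED_LIST and EXISTING_MAPPINGS are constructed sample data using the
# addresses from this page's examples.

# one "address:port" per line, as entered on the connection's Allowed list page
ALLOWED_LIST="internal-nginx-svc:12443
internal-nginx-svc:8443
9.46.108.75:443
10.0.0.20:443"

# existing mappings: name original_address original_port exposed_port
EXISTING_MAPPINGS="cp4waiops-ui internal-nginx-svc 12443 12443
instana 9.46.108.75 443 443"

# lowercase alphanumerics and '-', first and last character alphanumeric
valid_mapping_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# exact, literal match so '.' in an IP address is not a regex wildcard
in_allowed_list() {  # $1=address $2=port
  printf '%s\n' "$ALLOWED_LIST" | grep -qxF "$1:$2"
}

# name of an existing mapping whose original address equals $1, or nothing
existing_mapping_for() {
  printf '%s\n' "$EXISTING_MAPPINGS" | awk -v a="$1" '$2 == a { print $1; exit }'
}

# check_mapping NAME ADDRESS PORT [EXPOSED_PORT]
# prints one of: invalid-name | not-in-allowed-list | edit-existing:<name>
#                | create:<name> <address>:<port>-><exposed>
check_mapping() {
  name=$1; addr=$2; port=$3; exposed=${4:-$3}   # exposed port defaults to the original
  valid_mapping_name "$name"      || { echo invalid-name; return 1; }
  in_allowed_list "$addr" "$port" || { echo not-in-allowed-list; return 1; }
  existing=$(existing_mapping_for "$addr")
  if [ -n "$existing" ]; then
    echo "edit-existing:$existing"     # add the port to that mapping instead
    return 0
  fi
  echo "create:$name $addr:$port->$exposed"
}

# Usage: the first call reports the existing mapping for internal-nginx-svc,
# the second is a new mapping, the last two are rejected.
check_mapping cp4waiops-api internal-nginx-svc 8443
check_mapping openstack 10.0.0.20 443 8443
check_mapping Cp4waiops internal-nginx-svc 12443 || true
check_mapping openstack 10.0.0.20 9443 || true
```

Replace the two sample tables with the output of your own Allowed list and Application mappings pages; the order of the checks matters, because a port that is not in the allowed list will be rejected by the connection even if the mapping itself is created.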
Creating a Custom Instana connection
Prerequisites
- An Instana server is installed and runs in a Red Hat OpenShift Container Platform cluster.
- An IBM Cloud Pak for Watson AIOps cluster is installed and runs in a public cloud with Secure Tunnel enabled.
Create Secure Tunnel Connection for Instana
- From the IBM Cloud Pak for Watson AIOps Automation console, expand the main navigation menu, and go to Administration -> Secure Tunnel.
- In the Secure Tunnel page, click Create connection.
- Click the Create connection link under the Custom section, then click Get started.
- In the Name and tags page, enter a name in the Connection name field, for example instana-via-tunnel, then click Next.
- In Direction, choose Connector in private network initializes connection to Secure Tunnel in public network, then click Next.
- In the Connector settings page, choose Host machine, then enter the hostname or IP address of the host machine where you installed the Secure Tunnel connector. Click Add, then click Next.
- In the Secure Tunnel settings page, click Next.
- In the Allowed list page, enter the IP address and port of the Instana server, for example 9.46.108.75 and 443, then click Add, then click Create connection.
- Wait for the Next steps page to display, then click Close.
- Download the Secure Tunnel Connector installation package. There are two ways to download it:
  - If you are still in the Next steps page, download the installation package by clicking the download link under Install a connector.
  - If you are no longer in the Next steps page, go to the Manage Connection page, find the row of the connection you created (instana-via-tunnel in this example), click the three dots in the Actions column, then click the Install connector link. Download the installation package by clicking the download link in the panel that opens.
Install Secure Tunnel Connector to a host machine
- Refer to Install the Secure Tunnel Connector to a host machine (virtual machine or physical machine).
- In the Secure Tunnel page, confirm that the Status column of the instana-via-tunnel connection is green.
Create Application Mapping to expose Instana
- In the Secure Tunnel page, click the Application mapping column on the instana-via-tunnel row.
- In the Application mappings for instana-via-tunnel page, click Create.
- In the Create application mapping page, click Next.
- In the Name and tags page, enter a name, for example instana, then click Next.
- In the Direction page, choose From connector side to Secure Tunnel side, then click Next.
- In the Application details page, enter the Instana server IP address and port, for example 9.46.108.75 and 443, then click Add.
- In the Access rules (optional) page, click Create.
- In the Application mappings for instana-via-tunnel page, wait a few minutes until the Status column of the instana row becomes Ready.
- In the Application mapping address column, click the information button (a circle with an i in it), and copy the address from the message that opens, for example sre-tunnel-c60f3456bad94a10-svc.cp4waiops:443. Save it in a note.
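The application mapping address has the form <service>.<namespace>:<port>, that is, a cluster-internal Kubernetes service name, which is why it only resolves from inside the cluster that hosts Secure Tunnel. Before pasting it into the Instana connection form it is worth confirming that the mapping actually answers. The script below is an added example, not code from this page or from the Secure Tunnel or Instana products: it derives the Endpoint value from the mapping address and, on request, probes the mapping from a throwaway pod in the mapping's namespace. The /api/instana/version path and the Authorization: apiToken header are taken from Instana's REST API documentation rather than from this page, the curlimages/curl image and the INSTANA_API_TOKEN variable are assumptions, and the sample address is the one used in this page's example.

```shell
#!/bin/sh
# Added example, not from this page or the Secure Tunnel product.
# Derives the Endpoint value for the Instana connection form from a
# Secure Tunnel application mapping address (<service>.<namespace>:<port>)
# and probes it from inside the cluster. The API path /api/instana/version
# and the "Authorization: apiToken <token>" header come from Instana's REST
# API documentation, not from this page; the sample address is the one the
# page uses. curlimages/curl and INSTANA_API_TOKEN are assumptions.

MAPPING_ADDR="sre-tunnel-c60f3456bad94a10-svc.cp4waiops:443"

# host part of "<host>:<port>"; the whole string when there is no port
mapping_host() {
  case $1 in
    *:*) printf '%s\n' "${1%%:*}" ;;
    *)   printf '%s\n' "$1" ;;
  esac
}

# port part of "<host>:<port>"; 443 when no port is given, matching the
# port the page's Instana mapping exposes
mapping_port() {
  case $1 in
    *:*) printf '%s\n' "${1##*:}" ;;
    *)   printf '%s\n' 443 ;;
  esac
}

# Kubernetes service name and namespace from the mapping host
mapping_service() { h=$(mapping_host "$1"); printf '%s\n' "${h%%.*}"; }
mapping_namespace() {
  h=$(mapping_host "$1")
  case $h in
    *.*) printf '%s\n' "${h#*.}" ;;
    *)   printf '%s\n' "" ;;        # no namespace component present
  esac
}

# Endpoint URL for the connection form: the mapping is a TLS listener, so
# always https://; a value that is already a URL is passed through
mapping_to_endpoint() {
  case $1 in
    http://*|https://*) printf '%s\n' "$1"; return 0 ;;
  esac
  printf 'https://%s:%s\n' "$(mapping_host "$1")" "$(mapping_port "$1")"
}

# One curl from a pod in the namespace that hosts the mapping service, so
# the cluster-internal DNS name resolves. Prints the HTTP status code.
# -k is used only because the Instana connection form has no CA bundle
# field for the tunnel endpoint; pass --cacert instead if you have the CA.
probe_mapping() {
  addr=$1
  oc run -n "$(mapping_namespace "$addr")" --rm -i --restart=Never \
    --image=curlimages/curl tunnel-probe -- \
    curl -sS -k --max-time 15 -o /dev/null -w '%{http_code}\n' \
      -H "Authorization: apiToken $INSTANA_API_TOKEN" \
      "$(mapping_to_endpoint "$addr")/api/instana/version"
}

# Usage: ./mapping.sh            prints the derived values
#        INSTANA_API_TOKEN=... ./mapping.sh --probe   probes through the tunnel
if [ "${1:-}" = "--probe" ]; then
  probe_mapping "$MAPPING_ADDR"
else
  printf 'endpoint:  %s\n' "$(mapping_to_endpoint "$MAPPING_ADDR")"
  printf 'service:   %s\n' "$(mapping_service "$MAPPING_ADDR")"
  printf 'namespace: %s\n' "$(mapping_namespace "$MAPPING_ADDR")"
fi
```

A 200 from the probe means the connector reached the Instana server on the allowed address and port and the token was accepted; a 401 isolates the problem to the token, and a connection timeout points at the allowed list or the connector rather than at the Automation console form.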
Create an Instana connection with the Automation console
- From the IBM Cloud Pak for Watson AIOps Automation console, expand the main navigation menu, and go to Define > Data and tool connections.
- On the Data and tool connections page, click Add connections.
- On the Add connections page, click the Add connection link under the Instana icon, then click Connect.
- In the Instana page, under Add connections:
  - Enter a Name, for example tunnel-2-instana-public.
  - Enter a Description, for example Connect to an Instana in public cloud through the Secure Tunnel.
  - Enter the Endpoint, using the Application mapping address copied from the Secure Tunnel application mapping with the https:// scheme, for example https://sre-tunnel-c60f3456bad94a10-svc.cp4waiops:443.
  - Enter the API Token from your Instana server, for example W6p9WimUT5aYQ_skNu0W9A (a sample value; use your own token and treat it as a secret).
  - Click Next.
- In the Collect topology data page, click Next.
- In the Collect event data page, click Next.
- In the Collect metric data page, click Done.
- On the Data and tool connections page, a message indicates that the connection is completed.
- Click the Instana link in the Instana page to see the tunnel-2-instana-public connection.
Verify Instana Connection
- Go to Operate > AI model management.
- On the AI Model Management page, click the Data assets tab.
- Observe that tunnel-2-instana-public is listed and that its Data flow status column is Running.