Configuring Private Links for Amazon AWS
The process to configure private links involves multiple manual actions on both the customer and IBM side, with time gaps in between actions due to timezone differences and customer and IBM team availability. Be sure to read the information in this section to become familiar with all actions, and plan well ahead. Target dates must be agreed upon with the IBM team that will perform the configuration. You will not experience any downtime during the process.
Configuring Supporting Infrastructure for AWS
As noted in the Required Supporting Infrastructure topic:
- Create a VPC in the same region that hosts your environments, or at least within the same geography. AWS Private Links can connect across regions, but keeping the VPC in the same geography is recommended for optimal performance.
- Create an NLB with three availability zones and attach it to the VPC endpoint service. Enable cross-zone load balancing by going to Attributes and selecting the Cross-zone load balancing option.
- Configure a router.
- Create custom domain names.
Configure the Outbound Private Link for AWS Spoke
Create a VPC endpoint service by following the instructions in Create a service powered by AWS PrivateLink - Amazon Virtual Private Cloud.
- For Require acceptance for endpoint, select Acceptance that is required.
- For Supported IP address types, select IPV4 or Both IPV4 and IPV6.
- Go to Allow principals and add the AWS Principal arn:aws:iam::707972782358:root.
- To manage permissions for your endpoint service by using the console, see Create a service powered by AWS PrivateLink - Amazon Virtual Private Cloud.
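The checklist above (three-AZ NLB with cross-zone load balancing, acceptance required, IPv4 supported, and only the IBM principal allowed) is easy to verify before you open the support case. The script below is an added example, not IBM's or AWS's code: it runs the checks over four constructed sample dicts shaped like the boto3 responses named in the comments (describe_vpc_endpoint_service_configurations, describe_vpc_endpoint_service_permissions, describe_load_balancers, describe_load_balancer_attributes). The service, load balancer, subnet and account identifiers are placeholders; only the IBM principal comes from the page. A live check would replace the sample dicts with the real responses.

```python
# Added example: readiness check for the AWS PrivateLink endpoint service and NLB
# described above. All four dicts are constructed samples; the IDs are placeholders.
IBM_IPAAS_PRINCIPAL = "arn:aws:iam::707972782358:root"  # principal stated on the page

# ec2.describe_vpc_endpoint_service_configurations(ServiceIds=[...])["ServiceConfigurations"][0]
SERVICE_CONFIG = {
    "ServiceId": "vpce-svc-0000EXAMPLE",
    "ServiceName": "com.amazonaws.vpce.eu-west-1.vpce-svc-0000EXAMPLE",
    "AcceptanceRequired": True,
    "SupportedIpAddressTypes": ["ipv4"],
    "NetworkLoadBalancerArns": [
        "arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/net/ipaas-nlb/0000EXAMPLE"
    ],
}
# ec2.describe_vpc_endpoint_service_permissions(ServiceId=...)
PERMISSIONS = {
    "AllowedPrincipals": [{"PrincipalType": "Account", "Principal": IBM_IPAAS_PRINCIPAL}]
}
# elbv2.describe_load_balancers(LoadBalancerArns=[...])["LoadBalancers"][0]
LOAD_BALANCER = {
    "LoadBalancerArn": SERVICE_CONFIG["NetworkLoadBalancerArns"][0],
    "Type": "network",
    "VpcId": "vpc-0000EXAMPLE",
    "AvailabilityZones": [
        {"ZoneName": "eu-west-1a", "SubnetId": "subnet-000000a"},
        {"ZoneName": "eu-west-1b", "SubnetId": "subnet-000000b"},
        {"ZoneName": "eu-west-1c", "SubnetId": "subnet-000000c"},
    ],
}
# elbv2.describe_load_balancer_attributes(LoadBalancerArn=...)
LB_ATTRIBUTES = {
    "Attributes": [{"Key": "load_balancing.cross_zone.enabled", "Value": "true"}]
}


def check_endpoint_service(service, permissions, load_balancer, lb_attributes,
                           ibm_principal=IBM_IPAAS_PRINCIPAL, min_zones=3):
    """Return a list of findings; an empty list means the setup matches the checklist."""
    findings = []

    # Acceptance gating: without it, any allowed principal connects with no approval step.
    if not service.get("AcceptanceRequired"):
        findings.append("AcceptanceRequired is false: connections would be accepted without your approval")
    if "ipv4" not in service.get("SupportedIpAddressTypes", []):
        findings.append("SupportedIpAddressTypes must include ipv4")

    # Least privilege on the allow list: exactly the IBM principal, no wildcard, no extras.
    principals = {p["Principal"] for p in permissions.get("AllowedPrincipals", [])}
    if ibm_principal not in principals:
        findings.append(f"allowed principals do not include {ibm_principal}")
    if "*" in principals:
        findings.append("allowed principals include '*': every AWS account may request a connection")
    unexpected = sorted(principals - {ibm_principal, "*"})
    if unexpected:
        findings.append("allowed principals beyond the IBM principal: " + ", ".join(unexpected))

    # NLB attachment, zone coverage and cross-zone balancing.
    if load_balancer.get("LoadBalancerArn") not in service.get("NetworkLoadBalancerArns", []):
        findings.append("load balancer is not attached to the endpoint service")
    if load_balancer.get("Type") != "network":
        findings.append("endpoint services require a Network Load Balancer")
    zones = {z["ZoneName"] for z in load_balancer.get("AvailabilityZones", [])}
    if len(zones) < min_zones:
        findings.append(f"NLB spans {len(zones)} availability zone(s); {min_zones} are required")
    attrs = {a["Key"]: a["Value"] for a in lb_attributes.get("Attributes", [])}
    if attrs.get("load_balancing.cross_zone.enabled") != "true":
        findings.append("cross-zone load balancing is not enabled on the NLB")
    return findings


if __name__ == "__main__":
    result = check_endpoint_service(SERVICE_CONFIG, PERMISSIONS, LOAD_BALANCER, LB_ATTRIBUTES)
    for line in result or ["endpoint service matches the checklist"]:
        print(line)
```

The allow list check is deliberately strict: acceptance is required anyway, but a wildcard or stray principal on the service means a connection request from an unrelated account would land in your approval queue, and a hurried approval is the only thing between that account and your NLB.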
Create an IBM support case titled Configure Outbound Private Link for <your_company> and provide the information below.
- URL for each environment in the spoke.
- Outbound private link custom domain name. See the guidelines in the Private Link Custom Domain Names topic.
- Customer port or range of ports that will receive traffic from IBM webMethods iPaaS, for example 43, 443, or 443-447.
- AWS endpoint service name.
- If you have a strict firewall policy that restricts connections from other IPs, state this in the support case.
IBM will set up a private hosted zone with the domain, map it to the Private Link Endpoint, and request your approval to connect to your Private Link Service. You will be notified via the IBM support case when the request is available for you to approve. In your Azure Portal, go to Private Link > Settings > Private endpoint connections, select Approve, and then select Yes.
If you stated that you have a strict firewall policy, IBM will provide the private outbound endpoint IP addresses via the IBM support case. Add the provided endpoint IP addresses from IBM to your allowed list.
Configure the Inbound Private Link for AWS Spoke
Create an IBM support case titled Configure Inbound Private Link for <your_company> and provide the following information. IBM will create the AWS Private Links endpoint service specific to your spoke and provide the endpoint service name.
- URL for each environment in the spoke
- AWS Principal for the AWS Account that connects to the IBM webMethods iPaaS endpoint service
Create the AWS Private Links endpoint to connect to the IBM webMethods iPaaS AWS Private Links endpoint service using the instructions in Access a service network through a service-network endpoint - Amazon Virtual Private Cloud. IBM accepts your endpoint connection request.
Validate the connection.
Create an IBM support case titled Set up Inbound Private Link Custom Domain and Certificate for <your_company> and provide the following information.
- Inbound Private Link custom domain name.
- If you have IBM webMethods Managed File Transfer, provide an additional, separate private link custom domain name for the dedicated Managed File Transfer inbound private link.
- Provide the certificate signing request (CSR) inputs below. IBM will create a CSR and provide the CSR details on the IBM support case.
  - Whether you want to protect a single domain, multiple subdomains of a domain, or multiple domain names
  - Common name (fully qualified domain name [FQDN] your certificate will secure)
  - O (full legal company name as registered in your locality)
  - OU (organization unit - the department in your organization the certificate is for, such as IT or Marketing)
  - L (locality - full name, such as California or Barcelona)
  - C (country - two-letter code)
  - ST (state)
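The CSR inputs are where mistakes usually creep in: a numeric or spelled-out country instead of the two-letter code, a wildcard pasted into the common name, or a scope choice that does not match the names actually needed. The example below is added here and is not IBM's tooling: it validates the inputs before you put them on the case, derives the subject alternative names from the scope choice, and renders the equivalent OpenSSL `req` configuration so you can compare it against the CSR details IBM posts back. The company, domain and location values are constructed placeholders.

```python
import re

# Constructed example inputs (hypothetical company and domain, not from the page).
EXAMPLE_INPUTS = {
    "scope": "subdomains",            # 'single', 'subdomains' (wildcard), or 'multi'
    "common_name": "ipaas.example.com",
    "organization": "Example Corp",
    "organizational_unit": "IT",
    "locality": "Barcelona",
    "state": "Catalonia",
    "country": "ES",
    "extra_domains": [],              # used only when scope == 'multi'
}

_COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2: two letters, never digits
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def validate_csr_inputs(inputs: dict) -> list:
    """Return a list of problems with the CSR inputs; an empty list means ready to submit."""
    errors = []
    cn = inputs.get("common_name", "")
    if cn.startswith("*."):
        errors.append("put the bare domain in the common name; the wildcard belongs in the SAN list")
    elif not _FQDN_RE.match(cn.lower()):
        errors.append(f"common name {cn!r} is not a fully qualified domain name")
    if not _COUNTRY_RE.match(inputs.get("country", "")):
        errors.append("country must be the two-letter ISO 3166-1 code (for example ES), not a number or full name")
    for field in ("organization", "organizational_unit", "locality", "state"):
        if not inputs.get(field, "").strip():
            errors.append(f"{field} is required")
    scope = inputs.get("scope")
    if scope not in ("single", "subdomains", "multi"):
        errors.append("scope must be 'single', 'subdomains' or 'multi'")
    if scope == "multi" and not inputs.get("extra_domains"):
        errors.append("scope 'multi' needs at least one additional domain")
    for domain in inputs.get("extra_domains", []):
        if not _FQDN_RE.match(domain.lower()):
            errors.append(f"additional domain {domain!r} is not a fully qualified domain name")
    return errors


def subject_alt_names(inputs: dict) -> list:
    """Derive the SAN entries from the scope. The common name is always repeated in
    the SAN list because clients validate SAN, not CN. A wildcard matches exactly one
    label: *.ipaas.example.com covers mft.ipaas.example.com but not ipaas.example.com
    itself or a.b.ipaas.example.com, which is why the bare name is listed too."""
    cn = inputs["common_name"]
    if inputs["scope"] == "subdomains":
        return [cn, "*." + cn]
    if inputs["scope"] == "multi":
        return [cn] + [d for d in inputs["extra_domains"] if d != cn]
    return [cn]


def openssl_req_config(inputs: dict) -> str:
    """Render an OpenSSL request config (usable as: openssl req -new -config req.cnf ...)
    that expresses the same subject and SAN list; raises ValueError on bad inputs."""
    errors = validate_csr_inputs(inputs)
    if errors:
        raise ValueError("; ".join(errors))
    sans = ", ".join("DNS:" + d for d in subject_alt_names(inputs))
    return "\n".join([
        "[ req ]", "prompt = no", "distinguished_name = dn", "req_extensions = v3_req", "",
        "[ dn ]",
        f"C = {inputs['country']}", f"ST = {inputs['state']}", f"L = {inputs['locality']}",
        f"O = {inputs['organization']}", f"OU = {inputs['organizational_unit']}",
        f"CN = {inputs['common_name']}", "",
        "[ v3_req ]", f"subjectAltName = {sans}", "",
    ])


if __name__ == "__main__":
    print(openssl_req_config(EXAMPLE_INPUTS))
```

If you also need the separate Managed File Transfer custom domain on the same certificate, that is the `multi` scope with the MFT name in `extra_domains`; otherwise request it as its own CSR, as the case instructions describe.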
Create the CNAME record for your inbound Private Link custom domain name and map it to your Private Link endpoint.
Based on the CSR, get the SSL certificates from a Certificate Authority (CA). On the IBM support case, provide the following information. IBM confirms the SSL certificate formats and configures them to support the Private Link custom domain SSL.
- SSL certificate in Base64 (PEM) .cer or .crt format. The file starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
- Private key in Base64 (PEM) .key format. The file starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----".
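Before attaching the two files to the case, it is worth checking that they really are in the formats listed above: a key exported as "BEGIN RSA PRIVATE KEY" (PKCS#1) or "BEGIN ENCRYPTED PRIVATE KEY" is a different encoding from the PKCS#8 "BEGIN PRIVATE KEY" block the case asks for, and a CSR file is easy to mistake for the certificate. The following checker is an added example, not IBM's validation; it uses only the Python standard library and a minimal DER header parse. The PEM samples it runs against are synthetic byte strings built inline so the script runs offline; they are not real certificates or keys.

```python
import base64
import binascii
import re

# Constructed, synthetic DER objects (not real certificates or keys); they exist
# only so the example runs offline. Hex shows the ASN.1 tag/length/value bytes.
_SYNTH_CERT_DER = bytes.fromhex("3003020103")         # SEQUENCE { INTEGER 3 }
_SYNTH_PKCS8_DER = bytes.fromhex("30050201003000")    # SEQUENCE { INTEGER 0, SEQUENCE {} }
_SYNTH_PKCS1_DER = bytes.fromhex("3006020100020105")  # SEQUENCE { INTEGER 0, INTEGER 5 }


def to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block with the standard five-hyphen markers."""
    body = base64.encodebytes(der).decode("ascii")  # 76-column lines, trailing newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


SAMPLE_CERT = to_pem("CERTIFICATE", _SYNTH_CERT_DER)
SAMPLE_KEY = to_pem("PRIVATE KEY", _SYNTH_PKCS8_DER)
SAMPLE_PKCS1_KEY = to_pem("RSA PRIVATE KEY", _SYNTH_PKCS1_DER)
SAMPLE_BAD_MARKERS = SAMPLE_CERT.replace("-----", "--------------")

_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def _read_tlv(der: bytes, offset: int):
    """Decode one DER tag/length header; return (tag, length, offset of the value)."""
    tag, first = der[offset], der[offset + 1]
    if first < 0x80:                      # short-form length
        return tag, first, offset + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(der[offset + 2:offset + 2 + n], "big"), offset + 2 + n


def _check_outer_sequence(der: bytes) -> list:
    """Both a certificate and a key are one top-level SEQUENCE covering every byte."""
    try:
        tag, length, start = _read_tlv(der, 0)
    except IndexError:
        return ["DER body is too short to be a certificate or key"]
    if tag != 0x30:
        return ["DER body does not start with a SEQUENCE; the file is probably not PEM/DER"]
    if start + length != len(der):
        return ["DER length does not match the body; the file is truncated or has trailing data"]
    return []


def _check_key_block(label: str, der: bytes) -> list:
    if label == "ENCRYPTED PRIVATE KEY":
        return ["key is passphrase-protected; an unencrypted PKCS#8 key is required"]
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):
        return [f"{label} is the traditional PKCS#1/SEC1 encoding; convert it with "
                "'openssl pkcs8 -topk8 -nocrypt' so the block reads BEGIN PRIVATE KEY"]
    if label != "PRIVATE KEY":
        return [f"expected a PRIVATE KEY block, found {label}"]
    # PKCS#8 PrivateKeyInfo: SEQUENCE { INTEGER version, SEQUENCE AlgorithmIdentifier, ... }
    try:
        _, _, inner = _read_tlv(der, 0)
        vtag, vlen, vstart = _read_tlv(der, inner)
        atag, _, _ = _read_tlv(der, vstart + vlen)
    except IndexError:
        return ["PRIVATE KEY body is too short to be PKCS#8"]
    if vtag != 0x02 or atag != 0x30:
        return ["PRIVATE KEY label but the body is not a PKCS#8 PrivateKeyInfo"]
    return []


def check_pem(kind: str, text: str) -> list:
    """Return the problems in a PEM text meant as kind='certificate' or kind='key';
    an empty list means it matches the format the support case asks for."""
    findings = []
    blocks = _BLOCK_RE.findall(text)
    if not blocks:
        return ["PEM markers malformed: use exactly five hyphens, e.g. -----BEGIN CERTIFICATE-----"
                if "BEGIN" in text else "no PEM block found"]
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"{label}: body is not valid Base64")
            continue
        findings.extend(f"{label}: {f}" for f in _check_outer_sequence(der))
        if kind == "certificate":
            if label == "CERTIFICATE REQUEST":
                findings.append("this is the CSR, not the certificate issued by the CA")
            elif label != "CERTIFICATE":
                findings.append(f"expected a CERTIFICATE block, found {label}")
        else:
            findings.extend(_check_key_block(label, der))
    if kind == "key" and len(blocks) != 1:
        findings.append(f"key file must contain exactly one block, found {len(blocks)}")
    return findings


if __name__ == "__main__":
    for name, kind, text in [("cert", "certificate", SAMPLE_CERT), ("key", "key", SAMPLE_KEY),
                             ("pkcs1", "key", SAMPLE_PKCS1_KEY), ("markers", "certificate", SAMPLE_BAD_MARKERS)]:
        print(name, check_pem(kind, text) or ["OK"])
```

A certificate file may legitimately hold more than one CERTIFICATE block (leaf first, then intermediates), so the checker accepts a chain for the certificate but insists on exactly one block for the key. It does not prove that the key matches the certificate; for that, compare the public keys with `openssl x509 -pubkey -noout` and `openssl pkey -pubout` before you upload.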