Configuring Private Links for Microsoft Azure
The process to configure private links involves multiple manual actions on both the customer and IBM side, with time gaps in between actions due to timezone differences and customer and IBM team availability. Be sure to read the information in this section to become familiar with all actions, and plan ahead. Target dates must be agreed upon with the IBM team that will perform the configuration. You will not experience any downtime during the process.
Configuring Supporting Infrastructure for Azure
As mentioned in the Required Supporting Infrastructure topic:
- Create a VNet in the same region that hosts your environments, or at least within the same geography. Azure Private Links are cross-regional, but keeping the VNet in the same geography is recommended for optimal performance.
- Create an Azure Standard Load Balancer using the instructions in What is Azure Private Link service?
- Configure a router.
- Create custom domain names.
Configuring the Outbound Private Link for an Azure Spoke
Create the Private Link Service using the instructions in Quickstart - Create a Private Link service - Azure portal - Azure Private Link.
The following are the key points:
- In the Access security section, for the Who can request access to your service? option, select Restricted by subscription. You will be asked for your subscription ID, which is accessible via the Home page of your Azure Portal. Add your subscription ID with Auto-approve set to No. With Auto-approve set to No, every endpoint connection request from that subscription waits for your manual approval, which is the approval step described below; leaving it open to all subscriptions or auto-approving would let any Azure tenant attach an endpoint to your service.
- Complete the configuration as per your corporate requirements.
- Private Endpoints can connect to Azure PaaS resources across the supported Azure regions.
Create an IBM support case titled Configure Outbound Private Link for <your_company> and provide the following information.
- URL for each environment in the spoke.
- Outbound private link custom domain name. See the guidelines in the Private Link Custom Domain Names topic.
- Customer ports or range of ports to receive traffic from IBM webMethods iPaaS, for example, 43, 443, or 443-447.
- Resource ID. To get the resource ID, go to your Azure terminal and run the following command:
  az network private-link-service show --name <your_privatelink_name> --resource-group <your_resource_group_name> --output json
  The resource ID is the id field of the JSON output and has the following form (for a Private Link Service, {resourceProviderNamespace}/{resourceType} is Microsoft.Network/privateLinkServices):
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
- If you have a strict firewall policy that restricts connections from other IPs, state this in the IBM support case.
IBM will set up a private hosted zone with the domain, map it to the Private Link Endpoint, and request your approval to connect to your Private Link Service. You will be notified via the IBM support case when the request is available for you to approve. In your Azure Portal, open your Private Link Service resource, go to Settings > Private endpoint connections, select the pending connection, select Approve, and then select Yes. Before approving, confirm that the pending request comes from the IBM subscription named in the support case; approving a connection from an unknown subscription would grant that party a private path into your VNet.
If you stated that you have a strict firewall policy, IBM will provide the private outbound endpoint IP addresses via the IBM support case. Add the provided endpoint IP addresses from IBM to your allowed list.
Configuring the Inbound Private Link for an Azure Spoke
Create an IBM support case titled Configure Inbound Private Link for <your_company> and provide the URL for each environment in the spoke. IBM will create a Private Link Service in Azure specific to your spoke and, on the IBM support case, provide the service name together with its alias, the globally unique name that lets you connect to the service from your own subscription without needing its resource ID.
Create the Azure private endpoint that connects to the IBM webMethods iPaaS Private Link Service using the instructions in Quickstart: Create a private endpoint - Azure portal - Azure Private Link. When choosing the target, select the option to connect to an Azure resource by resource ID or alias and enter the alias IBM provided. The request requires manual approval on the IBM side; IBM will accept your endpoint connection request.
Validate the connection. Once IBM accepts the request, the private endpoint's connection status in the Azure Portal changes from Pending to Approved, and the endpoint's network interface holds a private IP address from the subnet you selected.
Create an IBM support case titled Set up Inbound Private Link Custom Domain and Certificate for <your_company> and provide the following information.
- Inbound Private Link custom domain name.
- If you have IBM webMethods Managed File Transfer, provide an additional, separate private link custom domain name for the dedicated Managed File Transfer inbound private link.
- Provide the certificate signing request (CSR) inputs below. IBM will create the CSR and provide the CSR details on the IBM support case.
  - Whether you want to protect a single domain, multiple subdomains of a domain (a wildcard certificate), or multiple domain names (a certificate with subject alternative names)
  - Common name (fully qualified domain name [FQDN] your certificate will secure)
  - O (organization - full legal company name as registered in your locality)
  - OU (organizational unit - department in your organization the certificate is for, such as IT or Marketing)
  - L (locality - full city name, such as Barcelona)
  - C (country - two-letter ISO 3166-1 code)
  - ST (state or province)
Create the CNAME record for your inbound Private Link custom domain name and map it to your Private Link endpoint, in the DNS that your clients use. The custom domain name must resolve to the private IP address of your private endpoint from the network where your clients run; if it resolves to a public address, client traffic to that name is not using the private link.
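The following is an added example, not part of the original page or IBM's tooling, of the resolution check described above. It is a POSIX sh script that assumes a Linux host with getent; the domain name and the expected private IP (the address assigned to the private endpoint's network interface) are placeholders passed in by the caller.

```shell
# Added example: confirm the inbound Private Link custom domain resolves to the
# private endpoint inside the VNet, not to a public address.
# Assumptions (not from the page): POSIX sh, getent available, arguments are the
# custom domain name and the private endpoint's private IP.

# is_private_ip IP: succeed only for a well-formed RFC 1918 address
# (10/8, 172.16/12, 192.168/16), which is what a private endpoint NIC receives.
is_private_ip() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  case "$1" in
    10) return 0 ;;
    172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi ;;
    192) if [ "$2" -eq 168 ]; then return 0; fi ;;
  esac
  return 1
}

# resolve_ip NAME: first IPv4 answer for NAME from the host's resolver.
resolve_ip() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# check_private_link NAME EXPECTED_IP: fail unless NAME resolves to a private
# address and that address is the private endpoint's IP.
check_private_link() {
  got=$(resolve_ip "$1")
  [ -n "$got" ] || { echo "no A record for $1"; return 1; }
  is_private_ip "$got" || { echo "$1 resolves to public address $got; traffic bypasses the private link"; return 1; }
  [ "$got" = "$2" ] || { echo "$1 resolves to $got, expected private endpoint $2"; return 1; }
  echo "$1 -> $got (private endpoint)"
}

# Usage, with placeholder values:
#   check_private_link ipaas.example.internal 10.20.1.4
```

Run the script from a VM or jump host in the VNet (or a network peered to it), since that is where the CNAME and the private DNS zone are expected to take effect; from outside it the name may legitimately not resolve at all.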
Based on the CSR, obtain the SSL certificate from a Certificate Authority (CA). On the IBM support case, provide the following information. IBM confirms the certificate file formats and configures them to serve SSL for the Private Link custom domain.
- SSL certificate in Base64 (PEM) .cer or .crt format. The file starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
- Key in Base64 (PEM) .key format, unencrypted PKCS#8. The file starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----". A file that begins with "-----BEGIN RSA PRIVATE KEY-----" (PKCS#1) or "-----BEGIN ENCRYPTED PRIVATE KEY-----" is a different format and must be converted to unencrypted PKCS#8 before you submit it. Make sure the key is the one the CSR was generated from; a certificate issued for a different key cannot be used.
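Before attaching the files to the case, confirm they are in the requested format and belong together; a key that does not match the certificate, or a key in PKCS#1 or encrypted form, fails the format check and costs another round trip on the case. The following is an added example, not from the page or from IBM's tooling: a POSIX sh script that assumes openssl is on PATH and takes the certificate and key file paths as arguments.

```shell
# Added example: pre-submission check of the certificate and key files.
# Assumptions (not from the page): POSIX sh, openssl on PATH, file paths are
# supplied by the caller.

# check_pem FILE LABEL: FILE must be PEM whose first line is -----BEGIN LABEL-----
# and which contains the matching -----END LABEL----- line.
check_pem() {
  head -n 1 "$1" | grep -qxF -- "-----BEGIN $2-----" || return 1
  grep -qxF -- "-----END $2-----" "$1"
}

# key_matches_cert KEY CERT: derive the public key from each and compare; a
# mismatch means the certificate was not issued for this key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# to_pkcs8 IN OUT: rewrite a PKCS#1 ("BEGIN RSA PRIVATE KEY") or encrypted key as
# unencrypted PKCS#8, the "BEGIN PRIVATE KEY" form the case asks for.
# An encrypted input prompts for its passphrase.
to_pkcs8() {
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# check_bundle CERT KEY: succeed only when both files are in the requested
# format and belong together; print the reason otherwise.
check_bundle() {
  check_pem "$1" CERTIFICATE || { echo "$1: not a PEM CERTIFICATE file"; return 1; }
  check_pem "$2" "PRIVATE KEY" || { echo "$2: not an unencrypted PKCS#8 key (convert with to_pkcs8)"; return 1; }
  key_matches_cert "$2" "$1" || { echo "$2 does not match $1"; return 1; }
  echo "OK: $(openssl x509 -in "$1" -noout -subject)"
}

# Usage, with placeholder file names:
#   check_bundle ipaas.example.internal.crt ipaas.example.internal.key
```

The public-key comparison is the check that catches the common mistake of pairing a freshly issued certificate with a key regenerated after the CSR; the header checks catch format mismatches that would otherwise only surface once IBM tries to load the files.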