Troubleshooting
Find answers to some of the most common questions on Private Links.
How do I configure Private Links for AWS and Microsoft Azure?
See the Configuring Private Links for Amazon AWS and Configuring Private Links for Microsoft Azure sections for information on how to configure Private Links.
How is resilience ensured if, say, the EU3 region goes down? Is downtime expected during such an event, and is a partner region activated to maintain availability?
These environments are deployed across multiple Availability Zones (AZs) within the region, so the loss of a single zone does not take the environment down. Note that multi-AZ resilience addresses a zone failure within a region, not the loss of the entire region.
How long do shared tenants remain available once the private link setup begins?
After the spoke is created, the existing shared tenant remains available until you are ready to migrate. The migration is scheduled and completed according to your readiness.
Is a backup required? How long does it take to set up the private link across all environments?
We do not expect any backup to be required on the customer's side. Setting up the spoke infrastructure takes around two days.
Once I open a service incident for creating a private link (inbound or outbound), how long does it take until the private link is working?
Because inbound and outbound private links involve manual approval steps, completion usually takes several days.
Will users experience downtime while a Private Link is set up?
Users do not experience downtime while the private link is being set up. Downtime occurs only during the migration to the spoke, which is expected to last around 30 minutes.
Are any additional certificates needed when setting up custom domain names?
If you need a custom domain, you must obtain TLS/SSL certificates from a Certificate Authority (CA) using the certificate signing request (CSR) provided by IBM®, and send the issued certificates (with their chain) to IBM. Because IBM generates the CSR, the corresponding private key never leaves IBM; only the signed certificates are exchanged.
My tenant has SSO enabled with a Microsoft AD configuration. Does the private link setup affect the SSO URL?
The URLs remain the same after migration to the spoke. If you choose a custom domain, however, the URLs change, and the URLs registered in your SSO configuration must be updated accordingly.
What endpoint policy does IBM webMethods iPaaS configure to authenticate the connection?
Acceptance of the first connection is a manual step: IBM approves the connection request once your setup is complete.
Do we need a separate spoke for each tenant for better security?
You can use separate spokes for prod and non-prod so that production is isolated from non-production environments, which gives the strongest security and compliance posture.
Can a single spoke offer network isolation between various environments?
Environments in a single spoke are separated by namespace isolation, but they share the same network. If network isolation is required, use a separate spoke for each environment.
In our non-prod environment, we have three tenants in one spoke and only one single endpoint (PL) to be created. Can I use the following hostname conventions? There are nine targets connecting through the same endpoint. Is this correct?
[tenant-name].[service].io.is.abc.com
Tenant name: abcdev/abcqa/abcpreprd
Service: agw/int/mft
Yes, all nine targets can connect through the same endpoint; traffic is routed to the correct target based on the hostname.
How does routing work if multiple components in each environment need to send outgoing traffic to IBM webMethods iPaaS? What endpoint address or private DNS name can we use for this purpose?
Routing is based on the hostname. By default, IBM webMethods iPaaS uses [tenantname].private.[primary-domain], for example abc.private.aw-us.webmethods.io. IBM also supports a custom domain for this case, but it must follow the required convention.
Is there a way to avoid invoking a different host from the IBM webMethods iPaaS side than the one used internally at the customer's end? Could a split DNS setup be used, where the customer creates DNS entries in various landscapes that resolve to the Private Link host? For example, abc.test.xyz.nl would be a CNAME to the Private Link host, so that internally it resolves correctly.
Yes, this is possible for inbound traffic from the customer's VPC to IBM webMethods iPaaS. Keep in mind that clients validate the TLS certificate against the name they connect to, so a customer-chosen name needs a certificate that covers it (see the custom domain question above).
Can we connect different VPCs using the same Private Link?
A single private link serves one VPC; you can then peer that VPC with your other VPCs.
Does IBM webMethods Managed File Transfer inbound need a separate Private Link?
If you have IBM webMethods Managed File Transfer, there will be an additional inbound private link dedicated to just the IBM webMethods Managed File Transfer traffic.
For API Management customers on version 11.0, will there be an additional outbound private link to access Elasticsearch?
Yes, API Gateway uses an additional outbound private link to access Elasticsearch.
Would changes on the customer's side, for example adding a port to the NLB for another back-end service, require a change at IBM webMethods iPaaS?
For outbound traffic from IBM webMethods iPaaS to the customer's VPC, the customer must specify the ports on which they want to receive traffic. Only the ports provided by the customer are enabled on the IBM webMethods iPaaS side, so adding a new port on your NLB requires that port to be enabled on the IBM webMethods iPaaS side as well.
A customer wants to expose endpoints over Private Link to another network. Can the customer offer a VPC endpoint connected to an NLB that forwards directly to other targets through port-based routing, in particular to an ALB behind the NLB?
Yes, this setup is supported.
Is there a limit on how many Private Links can be set up on the IBM webMethods iPaaS side?
One private link is set up for inbound and one for outbound (in addition to the dedicated links for IBM webMethods Managed File Transfer and API Gateway described above). There is no limit on the number of endpoints.
Do we always need a router?
Not always. When only TCP/UDP-based protocols are used, the NLB can handle the forwarding on its own (Layer 4) and a router is redundant. A router is needed when traffic must be routed on HTTP(S) properties such as hostname or path.
Can we use an ALB/CLB as a router?
Yes.
We are using Kubernetes (K8s). Do we need a separate router?
You can use the K8s Ingress (controller) as the router to access resources in your K8s environment.
Can we use path-based routing?
Yes; path-based routing requires an HTTP(S) router (Layer 7 router). The challenge lies in demultiplexing the path correctly: the router must map each path prefix to the right target, match prefixes on path-segment boundaries, and typically strip or rewrite the prefix before forwarding, since the back end usually does not expect it.
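The following is an added example (not IBM code) of the demultiplexing described in the questions above: a single private endpoint receives requests for several tenants and services, and the router picks the target by hostname, with optional path-based routing inside one hostname. It uses the customer hostname convention [tenant-name].[service].io.is.abc.com and the tenant and service names from the FAQ; the back-end addresses, ports and path prefixes are constructed placeholders. Routing on the IBM default name [tenantname].private.[primary-domain] works the same way with a different pattern.

```python
"""Hostname- and path-based demultiplexing on one Private Link endpoint.

Added example, not part of IBM webMethods iPaaS. Tenant/service names and the
hostname convention come from the FAQ; back-end hosts, ports and path
prefixes are constructed placeholders.
"""
import re
from dataclasses import dataclass

DOMAIN_SUFFIX = "io.is.abc.com"                    # customer convention from the FAQ
ALLOWED_TENANTS = ("abcdev", "abcqa", "abcpreprd")
ALLOWED_SERVICES = ("agw", "int", "mft")

# Anchored pattern for [tenant].[service].io.is.abc.com. Anchoring at both
# ends means a crafted Host header such as
# "abcdev.agw.io.is.abc.com.evil.example" is rejected rather than routed.
HOST_RE = re.compile(
    r"^(?P<tenant>[a-z0-9-]+)\.(?P<service>[a-z0-9-]+)\."
    + re.escape(DOMAIN_SUFFIX) + r"$"
)


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    strip_prefix: str = ""   # prefix removed before forwarding (path routing only)


def parse_host(host_header: str) -> tuple[str, str]:
    """Validate a Host/SNI value against the convention; return (tenant, service)."""
    name = host_header.strip().lower().split(":", 1)[0].rstrip(".")  # drop :port
    m = HOST_RE.match(name)
    if not m:
        raise ValueError(f"host {host_header!r} does not match the convention")
    tenant, service = m["tenant"], m["service"]
    if tenant not in ALLOWED_TENANTS or service not in ALLOWED_SERVICES:
        raise ValueError(f"unknown tenant/service {tenant}/{service}")
    return tenant, service


def is_valid_host(host_header: str) -> bool:
    try:
        parse_host(host_header)
        return True
    except ValueError:
        return False


# Hostname routing: one entry per (tenant, service) pair, nine targets in
# total, all reached through the single endpoint. Back ends are placeholders.
HOST_ROUTES = {
    f"{t}.{s}.{DOMAIN_SUFFIX}": Target(f"{s}.{t}.internal", 8443)
    for t in ALLOWED_TENANTS
    for s in ALLOWED_SERVICES
}

# Path routing inside one hostname (Layer 7). Longest prefix wins, and
# prefixes match on a segment boundary so "/invoker/x" never matches "/invoke".
PATH_ROUTES = {
    f"abcdev.int.{DOMAIN_SUFFIX}": [
        ("/invoke", Target("flow.abcdev.internal", 9000, strip_prefix="/invoke")),
        ("/rest", Target("rest.abcdev.internal", 9001, strip_prefix="/rest")),
    ],
}


def _prefix_matches(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def route(host_header: str, path: str = "/") -> tuple[Target, str]:
    """Choose a back end for one request; return (target, path_to_forward)."""
    tenant, service = parse_host(host_header)
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    name = f"{tenant}.{service}.{DOMAIN_SUFFIX}"
    candidates = sorted(PATH_ROUTES.get(name, []), key=lambda p: -len(p[0]))
    for prefix, target in candidates:
        if _prefix_matches(path, prefix):
            forwarded = path[len(target.strip_prefix):] or "/"
            return target, forwarded
    return HOST_ROUTES[name], path          # plain hostname routing


if __name__ == "__main__":
    # Constructed requests arriving on the shared endpoint.
    for host, path in [("abcqa.mft.io.is.abc.com:443", "/upload"),
                       ("abcdev.int.io.is.abc.com", "/invoke/flow1"),
                       ("abcdev.int.io.is.abc.com", "/invoker/x")]:
        target, fwd = route(host, path)
        print(f"{host}{path} -> {target.host}:{target.port}{fwd}")
    print(is_valid_host("abcdev.agw.io.is.abc.com.evil.example"))  # False
```

The strict, anchored hostname match is the security-relevant part: an HTTP router that does a substring or suffix match on the Host header can be steered to an unintended back end by a crafted header, whereas validating the full name against the convention and an allow-list of tenants and services confines each request to one of the nine intended targets.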