Connectivity options

IBM® Db2® on Cloud offers multiple secure connectivity options that depend on your application connection requirements.

Connecting to a public endpoint (default option)

As with any public cloud service, you can connect your application by way of a public host name that is provided to you at the time that your service is provisioned. Access to your data is protected by strong authentication, vast Db2 authorization options and access controls, encryption over the wire and at rest, and IBM security and compliance practices for development and operations.

How to connect to a public endpoint:

For application connections, do not use IP addresses to connect to the Db2 on Cloud instance, because the IP addresses that the hostname resolves to can change. Use hostnames in your connection properties wherever they are available. Where hostnames cannot be used, such as in firewall rules, see https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-firewall-allowlist for suggestions on opening firewalls with subnet information.

The easiest way to connect to your data is by way of the public host name that was provided in your welcome letter. You can also obtain your host name and credentials in the following ways:

From the console

  1. Log in to Db2 on Cloud and click your service instance.
  2. Click Manage.
  3. Click Open Console, then click Administration.
  4. Select Connections.
  5. The public and private endpoints will be displayed under Connection Configuration Resources by selecting the respective radio button.

From service credentials

  1. Log in to Db2 on Cloud and click your service instance.
  2. Click Service credentials.
  3. Click New credential, then click Add.
  4. After the credentials are created, click the down arrow beside the credential names to view the credentials.
  5. In the following JSON document example, note the contents of the hostname, port, password, and username fields. You use these four components to make the public endpoint connection:

Current plans connection string breakdown

Db2 on Cloud section

The "db2" section contains information that is suited to applications that make connections to Db2 on Cloud.

Table 1. Db2 on Cloud / URI connection information

| Field Name | Index | Description |
|---|---|---|
| Type | | Type of connection - "URI" |
| Scheme | | Scheme for a URI - "db2" |
| Path | | Path for a URI - Database name. The default is bludb. |
| Authentication | Username | The user name that you use to connect |
| Authentication | Password | A password for the user |
| Authentication | Method | How authentication takes place; "direct" authentication is handled by the driver |
| Hosts | 0... | A host name and port to connect to |
| Composed | 0... | A URI combining Scheme, Authentication, Host, and Path |
| Certificate | Name | The allocated name for the self-signed certificate for database deployment |
| Certificate | Base64 | A base64 encoded version of the certificate |
| Host_ROS | | A host name and port to connect to read on standby |

0... indicates that there might be one or more of these entries in an array.

CLI section

The "cli" section contains information that is suited for connecting with db2.

Table 2. psql / cli connection information

| Field Name | Index | Description |
|---|---|---|
| Bin | | The recommended binary to create a connection; in this case it is db2 |
| Composed | | A formatted command to establish a connection to your deployment. The command combines the Bin executable, Environment variable settings, and uses Arguments as command line parameters. |
| Environment | | A list of key/values you set as environment variables |
| Arguments | 0... | The information that is passed as arguments to the command shown in the Bin field |
| Certificate | Base64 | A self-signed certificate that is used to confirm that an application is connecting to the appropriate server. It is base64 encoded. |
| Certificate | Name | The allocated name for the self-signed certificate |
| Type | | The type of package that uses this connection information; in this case cli |

0... indicates that there might be one or more of these entries in an array.

Enterprise and Standard plans

The following VCAP Services JSON file can be used to make connections to your Enterprise and Standard plan database instances:

{
  "apikey": "<apikey>",
  "connection": {
    "cli": {
      "arguments": [
        [
          "-u",
          "ipa8emxc",
          "-p",
          "e2haTt1FJ7m3UQXY",
          "--ssl",
          "--sslCAFile",
          "2ac5a4d3-1307-40f5-99a4-043e278fb084",
          "--authenticationDatabase",
          "admin",
          "--host",
          "a1d53ce7-166c-42d1-af26-7809dexxxxxx.yyyyyy.databases.appdomain.cloud:32447"
        ]
      ],
      "bin": "db2",
      "certificate": {
        "certificate_base64": "<certificate_code>",
        "name": "2ac5a4d3-1307-40f5-99a4-043e278fb084"
      },
      "composed": [
        "db2 -u ipa8emxc -p e2haTt1FJ7m3UQXY --ssl --sslCAFile 2ac5a4d3-1307-40f5-99a4-043e278fb084 --authenticationDatabase admin --host a1d53ce7-166c-42d1-af26-7809dexxxxxx.yyyyyy.databases.appdomain.cloud:32447"
      ],
      "environment": {},
      "type": "cli"
    },
    "db2": {
      "authentication": {
        "method": "direct",
        "password": "<password>",
        "username": "<user_name>"
      },
      "certificate": {
        "certificate_base64": "<certificate_code>",
        "name": "2ac5a4d3-1307-40f5-99a4-043e278fb084"
      },
      "composed": [
        "db2://ipa8emxc:e2haTt1FJ7m3UQXY@a1d53ce7-166c-42d1-af26-7809dexxxxxx.yyyyyy.databases.appdomain.cloud:32447/bludb?authSource=admin&replicaSet=replset"
      ],
      "database": "bludb",
      "host_ros": [
        "a1d53ce7-166c-42d1-af26-7809dexxxxxx.yyyyyy.databases.appdomain.cloud:31196"
      ],
      "hosts": [
        {
          "hostname": "a1d53ce7-166c-42d1-af26-7809dexxxxxx.yyyyyy.databases.appdomain.cloud",
          "port": 32447
        }
      ],
      "jdbc_url": [
        "jdbc:db2://a1d53ce7-166c-42d1-af26-7809dexxxxxx.yyyyyy.databases.appdomain.cloud:32447/bludb:user=<userid>;password=<your_password>;sslConnection=true;"
      ],
      "path": "/bludb",
      "query_options": {
        "authSource": "admin",
        "replicaSet": "replset"
      },
      "replica_set": "replset",
      "scheme": "db2",
      "type": "uri"
    }
  }
}
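
The following is an added example, not IBM's code: it reads the "db2" section of a service credential, refuses an IP-literal host, writes the decoded certificate to an owner-only file, and builds a TLS connection string plus a password-masked copy for logging. It assumes that `certificate_base64` decodes to PEM text and that the client accepts the IBM data server driver keywords `SECURITY=SSL` and `SSLServerCertificate`; the function names and all sample values are constructed for illustration.

```python
import base64
import ipaddress
import json
import os

# Constructed sample in the shape of the "db2" section; every value is a placeholder.
_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE = json.dumps({"connection": {"db2": {
    "authentication": {"method": "direct", "username": "example_user", "password": "example_pw"},
    "certificate": {"name": "example-ca", "certificate_base64": base64.b64encode(_PEM.encode()).decode()},
    "database": "bludb",
    "hosts": [{"hostname": "db.example.databases.appdomain.cloud", "port": 32447}],
}}})


def write_ca(db2, directory):
    """Decode certificate_base64 into a PEM file that only the owner can read."""
    pem = base64.b64decode(db2["certificate"]["certificate_base64"], validate=True)
    if not pem.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("decoded certificate is not PEM (assumption of this example)")
    name = os.path.basename(db2["certificate"]["name"])  # never trust a path from JSON
    path = os.path.join(directory, name + ".pem")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(pem)
    return path


def build_dsn(credentials_json, ca_dir):
    """Return (dsn, redacted_dsn) for the first entry of the hosts array."""
    db2 = json.loads(credentials_json)["connection"]["db2"]
    host = db2["hosts"][0]
    try:
        ipaddress.ip_address(host["hostname"])
    except ValueError:
        pass  # not an IP literal, which is what the page asks for
    else:
        raise ValueError("use the service hostname, not an IP address")
    auth = db2["authentication"]
    parts = [
        ("DATABASE", db2["database"]), ("HOSTNAME", host["hostname"]),
        ("PORT", str(host["port"])), ("PROTOCOL", "TCPIP"),
        ("UID", auth["username"]), ("PWD", auth["password"]),
        ("SECURITY", "SSL"), ("SSLServerCertificate", write_ca(db2, ca_dir)),
    ]
    if any(";" in value for _, value in parts):
        raise ValueError("';' in a value would split the connection string")
    def join(mask):
        return "".join(f"{k}={'***' if mask and k == 'PWD' else v};" for k, v in parts)
    return join(False), join(True)
```

Log only the second return value; the first contains the password and should go straight to the driver.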

Figure 1. Public network access to IBM Cloud

Non-admin users can also use allowlisting available in the Db2 on Cloud web console under Settings > Manage Users.

Connecting to a private endpoint: IBM Cloud service endpoint

Db2 on Cloud supports private connectivity through an IBM Cloud service endpoint. IBM Cloud service endpoints securely route network traffic between different IBM Cloud services through the IBM Cloud private backplane network. When you configure your Db2 on Cloud instance with IBM Cloud service endpoint connectivity, traffic between your cloud database and applications deployed on your IBM Cloud account will not traverse any public networks.

How to configure IBM Cloud private endpoint connectivity

Complete the following steps to enable IBM Cloud private endpoint connectivity for your Db2 on Cloud instance:

Enable your IBM Cloud account to use virtual routing and forwarding (VRF) and IBM Cloud service endpoints. To enable both of these items, see Enabling VRF and service endpoints.

  • For Enterprise and Standard plans

    1. On the console, click Administration.
    2. Click Access restriction.
    3. Select Private endpoints or Public-and-private endpoints and click Update to enable private endpoints.

    Figure 2. Configuring private endpoints on IBM® Db2® on Cloud

After you've configured IBM Cloud private endpoint connectivity for your Db2 on Cloud instance, it will only be accessible through a private endpoint. You will not be able to access your instance through a public endpoint.

To learn more about the IBM Cloud endpoint service, see Secure access to services using service endpoints.