Connectivity options on IBM Cloud
IBM® Db2® Warehouse as a Service offers multiple secure connectivity options for your application connection requirements.
Connecting to a public endpoint (default option)
As with any public cloud service, you can connect your application by way of a public host name that is provided to you at the time that your service is provisioned. Access to your data is protected by strong authentication, vast Db2 authorization options and access controls, encryption over the wire and at rest, and IBM security and compliance practices for development and operations. Optional IP allowlisting is offered. Create an IBM Support case if you want to enable IP allowlisting.
For application connections, do not use IP addresses to connect to the IBM Db2 Warehouse SaaS instance, as the IP addresses resolved from the hostname may change.
How to connect to a public endpoint:
You can also obtain your host name and credentials in the following way:
- Log in to IBM Cloud and click your service instance.
- Click Service credentials.
- Click New credential, then click Add.
- After the credentials are created, under the
Actionscolumn, click View credentials. - In the following JSON document example, note the contents of the hostname, password, and username fields. You use these three components to make the public endpoint connection:
{
"apikey": "abcdefghijklmnopqrstuvwxyz0123456789",
"db": "BLUDB",
"host": "db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
"hostname": "db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
"https_url": "https://db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
"iam_apikey_description": "Auto-generated for key crn:v1:bluemix:public:dashdb:eu-de:a/abc62e1447e5587cfcff971d4aa7d473:c1cac901-755b-489c-a742-f41295cb5dd8:resource-key:11f5e7e5-4759-439e-8291-7febc09382ce",
"iam_apikey_name": "Service credentials-1",
"iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
"iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/abc62e1447e5587cfcff971d4aa7d473::serviceid:ServiceId-aecb72c2-b048-4800-a0d3-263d7bfe4e6a",
"parameters": {
"role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
"serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/abc62e1447e5587cfcff971d4aa7d473::serviceid:ServiceId-aecb72c2-b048-4800-a0d3-263d7bfe4e6a"
},
"password": "hereisthepassword123",
"port": 50001,
"ssldsn": "DATABASE=BLUDB;HOSTNAME=db2w.abcdefg.eu-de.db2w.cloud.ibm.com;PORT=50001;PROTOCOL=TCPIP;UID=bluadmin;PWD=hereisthepassword123;Security=SSL;",
"ssljdbcurl": "jdbc:db2://db2w-abcdefg.eu-de.db2w.cloud.ibm.com:50001/BLUDB:sslConnection=true;",
"uri": "db2://bluadmin:hereisthepassword123@db2w-abcdefg.eu-de.db2w.cloud.ibm.com:50001/BLUDB?ssl=true;",
"username": "bluadmin"
}
Connecting to a private endpoint: IBM Cloud service endpoint
IBM Db2 Warehouse SaaS supports private connectivity through an IBM Cloud service endpoint. IBM Cloud service endpoints securely route network traffic between different IBM Cloud services through the IBM Cloud private backplane network. When you configure your IBM Db2 Warehouse SaaS instance with IBM Cloud service endpoint connectivity, traffic between your cloud data warehouse and applications deployed on your IBM Cloud account will not traverse any public networks.
For application connections, do not use IP addresses to connect to the IBM Db2 Warehouse SaaS instance, as the IP addresses resolved from the hostname may change.
How to configure IBM Cloud service endpoint connectivity
Complete the following steps to enable IBM Cloud service endpoint connectivity for your IBM Db2 Warehouse SaaS instance:
-
Enable your IBM Cloud account to use virtual routing and forwarding (VRF) and IBM Cloud service endpoints. To enable both of these items, see Enabling VRF and service endpoints.
-
Configure your IBM Db2 Warehouse SaaS instance for service endpoint connectivity.
-
If you provisioned your IBM Db2 Warehouse SaaS instance through the IBM Cloud catalog: Create a case to request the configuration of your IBM Db2 Warehouse SaaS instance for IBM Cloud service endpoint connectivity. After this is complete, your IBM Db2 Warehouse SaaS instance will be served on a new, non-internet-routable IP address. Information about how to access your IBM Db2 Warehouse SaaS instance by using this newly configured private endpoint will be sent to you.
-
If you purchased your IBM Db2 Warehouse SaaS instance through IBM Sales: If you requested private endpoint connectivity, your IBM Db2 Warehouse SaaS instance will be provisioned with IBM Cloud service endpoint connectivity. No further action is required.
-
After you've configured IBM Cloud service endpoint connectivity for your IBM Db2 Warehouse SaaS instance, it will only be accessible through a private endpoint. You will not be able to access your instance through a public endpoint.
To learn more about the IBM Cloud service endpoint service, see Secure access to services using service endpoints.
Connecting to a virtual private network (VPN) endpoint
If you have an application that is deployed on a private network that is outside of the IBM Cloud without access to the public internet and you want to connect it to your database over a virtual private network (VPN) connection, you can make the request at the time that you order the service or by opening an IBM Support case. IBM network engineers will assist your network engineers to set up the VPN tunnel between your private network and the IBM Cloud.
How to connect to a VPN endpoint
To establish a VPN connection to your cloud data warehouse behind a public endpoint, create an IBM Cloud Support case that includes the following details:
-
Type of support: Technical
-
Category: Databases
-
Offering: select your IBM Db2 Warehouse SaaS instance
-
Subject: VPN Connection Request
-
Description: provide the following required information
- Customer-side VPN Peer Address (your VPN endpoint):
<IP Address> - Customer-side Encryption Domain (be specific about what is required – 10.0.0.0/8 is unworkable because 10 addressing is also used within the IBM Cloud for back-end services):
<Domain> - Customer-side VPN Hardware & Version:
<Hardware and Version number> - Customer-side VPN Contact (technical contact name and email address):
<Name><Title><Email Address>
Optional (change only if the following default values are not suitable):
IKE/ISAKMP Parameters (Phase I)
- Encryption Method: IKEv1
- IKE Encryption / Encryption Algorithm: AES-256
- Authentication Algorithm: SHA1
- DH-Group: Group 5
- Security Association Lifetime (seconds): 1d (86400 seconds)
IPSec Parameters (Phase II)
- IPSec Encryption / Encryption Algorithm: AES-256
- Authentication Algorithm: SHA1
- DH-Group (if using PF-Secrecy): Group 5
- Security Association Lifetime (seconds): 3600 seconds
- Customer-side VPN Peer Address (your VPN endpoint):
After receipt of your request, IBM Cloud technicians will open the appropriate firewall ports and allowlist the provided IP address. Communication and resolution to the request is made through the IBM Cloud Support case ticket.
Connecting to IBM® Db2® Warehouse as a Service with Private Link
IBM Cloud private link gives you the ability to securely and privately connect to a IBM® Db2® Warehouse as a Service instance from your own IBM Cloud VPCs. With the IBM Cloud Private Link, traffic between IBM® Db2® Warehouse as a Service and your IBM Cloud VPCs, it does not traverse the public internet.
Complete the following steps to connect IBM® Db2® Warehouse as a Service with private link:
-
Create an access to IBM Db2 Warehouse SaaS console. The IBM Db2 Warehouse SaaS console can be accessed with IAM users, or IAM roles.
-
In the console, navigate to the Settings --> Access restriction panel then enable private endpoints. You can optionally also disable public endpoints.
-
Navigate to the Connections tab in IBM® Db2® Warehouse as a Service console to get private endpoint service name and its details. Connect to DB using the connection details present in the connection’s private tab after creating ‘Virtual Private Endpoint Gateway’.
-
Create ‘Virtual Private Endpoint Gateway’ , navigate to VPC Infrastructure -> Virtual Private Endpoint Gateway then click on Create:
- Region - select the same region in which the VPC is created
- Name - Unique name for the VPE gateway
- Virtual private cloud - The VPC in which the gateway is to be created
- Cloud service offerings - Select “Db2 Warehouse” then opt the endpoint matching with the hostname present in “Private endpoints” tab from db2wh-console connections pages
- Ensure that TCP traffic is allowed through port on the VPC
- When you disable private connectivity, make sure to delete the VPE gateway
Once the VPE-endpoint-gateway is created successfully, you can connect to the Db2 database using the private connections details given in the IBM Db2 Warehouse SaaS console.
Consideration and Limitations
-
You must create the Virtual private endpoint gateway for accessing IBM Db2 Warehouse SaaS through private connectivity.
-
The details required for creating Virtual private endpoint gateway will be available on private connections details present in the IBM Db2 Warehouse SaaS console.
-
You must create the Virtual private endpoint gateway in the same region where the IBM Db2 Warehouse SaaS instance is deployed. To access your instance from other regions, you may have to setup VPN network.