IBM Cloud Docs
Connectivity options on IBM Cloud

IBM® Db2® Warehouse as a Service offers multiple secure connectivity options for your application connection requirements.

Connecting to a public endpoint (default option)

As with any public cloud service, you can connect your application by way of a public host name that is provided to you when your service is provisioned. Access to your data is protected by strong authentication, extensive Db2 authorization options and access controls, encryption over the wire and at rest, and IBM security and compliance practices for development and operations. Optional IP allowlisting is also available; to enable it, create an IBM Support case.

For application connections, do not use IP addresses to connect to the IBM Db2 Warehouse SaaS instance, as the IP addresses resolved from the hostname may change.

How to connect to a public endpoint:

You can obtain your host name and credentials in the following way:

  1. Log in to IBM Cloud and click your service instance.
  2. Click Service credentials.
  3. Click New credential, then click Add.
  4. After the credentials are created, under the Actions column, click View credentials.
  5. In the following JSON document example, note the contents of the hostname, password, and username fields. You use these three components to make the public endpoint connection:
     {
       "apikey": "abcdefghijklmnopqrstuvwxyz0123456789",
       "db": "BLUDB",
       "host": "db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
       "hostname": "db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
       "https_url": "https://db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
       "iam_apikey_description": "Auto-generated for key crn:v1:bluemix:public:dashdb:eu-de:a/abc62e1447e5587cfcff971d4aa7d473:c1cac901-755b-489c-a742-f41295cb5dd8:resource-key:11f5e7e5-4759-439e-8291-7febc09382ce",
       "iam_apikey_name": "Service credentials-1",
       "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
       "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/abc62e1447e5587cfcff971d4aa7d473::serviceid:ServiceId-aecb72c2-b048-4800-a0d3-263d7bfe4e6a",
       "parameters": {
         "role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
         "serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/abc62e1447e5587cfcff971d4aa7d473::serviceid:ServiceId-aecb72c2-b048-4800-a0d3-263d7bfe4e6a"
       },
       "password": "hereisthepassword123",
       "port": 50001,
       "ssldsn": "DATABASE=BLUDB;HOSTNAME=db2w-abcdefg.eu-de.db2w.cloud.ibm.com;PORT=50001;PROTOCOL=TCPIP;UID=bluadmin;PWD=hereisthepassword123;Security=SSL;",
       "ssljdbcurl": "jdbc:db2://db2w-abcdefg.eu-de.db2w.cloud.ibm.com:50001/BLUDB:sslConnection=true;",
       "uri": "db2://bluadmin:hereisthepassword123@db2w-abcdefg.eu-de.db2w.cloud.ibm.com:50001/BLUDB?ssl=true;",
       "username": "bluadmin"
     }

Figure 1. Public network access to IBM Cloud
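The following added example (not part of the IBM documentation) shows how an application can build a TLS-only Db2 DSN from the service-credentials JSON above while enforcing the two rules this section states: always connect with Security=SSL, and never connect by IP address because the addresses behind the host name can change. It also lints an existing DSN for the same rules. The credentials document and the function names are constructed for the example.

```python
import ipaddress
import json

# Constructed service-credentials document in the shape of the page's example.
# All values are placeholders, not real credentials.
SAMPLE_CREDENTIALS = json.dumps({
    "db": "BLUDB",
    "hostname": "db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
    "port": 50001,
    "username": "bluadmin",
    "password": "hereisthepassword123",
})

def is_ip_literal(host):
    """True when host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def build_ssl_dsn(credentials_json):
    """Build a Db2 CLI/ODBC DSN from the credentials, always with Security=SSL.
    Refuses an IP literal as host: only the host name from the credentials is used."""
    creds = json.loads(credentials_json)
    host = creds["hostname"]
    if is_ip_literal(host):
        raise ValueError("connect by host name, not by IP address: " + host)
    return ("DATABASE={db};HOSTNAME={host};PORT={port};PROTOCOL=TCPIP;"
            "UID={user};PWD={pwd};Security=SSL;").format(
        db=creds["db"], host=host, port=creds["port"],
        user=creds["username"], pwd=creds["password"])

def check_dsn(dsn):
    """Lint a DSN string before use; returns a list of findings (empty = OK)."""
    fields = {}
    for part in dsn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    findings = []
    if fields.get("SECURITY", "").upper() != "SSL":
        findings.append("Security=SSL missing: traffic would not be encrypted")
    if is_ip_literal(fields.get("HOSTNAME", "")):
        findings.append("HOSTNAME is an IP literal; resolved addresses may change")
    if fields.get("PORT") != "50001":
        findings.append("PORT is not 50001, the port given in the service credentials")
    return findings
```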

Connecting to a private endpoint: IBM Cloud service endpoint

IBM Db2 Warehouse SaaS supports private connectivity through an IBM Cloud service endpoint for current generation environments in IBM Cloud Classic. IBM Cloud service endpoints securely route network traffic between different IBM Cloud services through the IBM Cloud private backplane network. When you configure your IBM Db2 Warehouse SaaS instance with IBM Cloud service endpoint connectivity, traffic between your cloud data warehouse and applications deployed on your IBM Cloud account will not traverse any public networks.

IBM Cloud service endpoint is only supported on Previous Generation deployments.

For application connections, do not use IP addresses to connect to the IBM Db2 Warehouse SaaS instance, as the IP addresses resolved from the hostname may change.

How to configure IBM Cloud service endpoint connectivity

Complete the following steps to enable IBM Cloud service endpoint connectivity for your IBM Db2 Warehouse SaaS instance:

  1. Enable your IBM Cloud account to use virtual routing and forwarding (VRF) and IBM Cloud service endpoints. To enable both of these items, see Enabling VRF and service endpoints.

  2. Configure your IBM Db2 Warehouse SaaS instance for service endpoint connectivity.

    • If you provisioned your IBM Db2 Warehouse SaaS instance through the IBM Cloud catalog: Create a case to request the configuration of your IBM Db2 Warehouse SaaS instance for IBM Cloud service endpoint connectivity. After this is complete, your IBM Db2 Warehouse SaaS instance will be served on a new, non-internet-routable IP address. Information about how to access your IBM Db2 Warehouse SaaS instance by using this newly configured private endpoint will be sent to you.

    • If you purchased your IBM Db2 Warehouse SaaS instance through IBM Sales: If you requested private endpoint connectivity, your IBM Db2 Warehouse SaaS instance will be provisioned with IBM Cloud service endpoint connectivity. No further action is required.

After you've configured IBM Cloud service endpoint connectivity for your IBM Db2 Warehouse SaaS instance, it will only be accessible through a private endpoint. You will not be able to access your instance through a public endpoint.

To learn more about the IBM Cloud service endpoint service, see Secure access to services using service endpoints.

Connecting to a virtual private network (VPN) endpoint

If you have an application that is deployed on a private network that is outside of the IBM Cloud without access to the public internet and you want to connect it to your database over a virtual private network (VPN) connection, you can make the request at the time that you order the service or by opening an IBM Support case. IBM network engineers will assist your network engineers to set up the VPN tunnel between your private network and the IBM Cloud.

How to connect to a VPN endpoint

To establish a VPN connection to your cloud data warehouse behind a public endpoint, create an IBM Cloud Support case that includes the following details:

  • Type of support: Technical

  • Category: Databases

  • Offering: select your IBM Db2 Warehouse SaaS instance

  • Subject: VPN Connection Request

  • Description: provide the following required information

    • Customer-side VPN Peer Address (your VPN endpoint): <IP Address>
    • Customer-side Encryption Domain (be specific about what is required – 10.0.0.0/8 is unworkable because 10 addressing is also used within the IBM Cloud for back-end services): <Domain>
    • Customer-side VPN Hardware & Version: <Hardware and Version number>
    • Customer-side VPN Contact (technical contact name and email address):
        • <Name>
        • <Title>
        • <Email Address>

    Optional (change only if the following default values are not suitable):

    IKE/ISAKMP Parameters (Phase I)

    • Encryption Method: IKEv1
    • IKE Encryption / Encryption Algorithm: AES-256
    • Authentication Algorithm: SHA1
    • DH-Group: Group 5
    • Security Association Lifetime (seconds): 1d (86400 seconds)

    IPSec Parameters (Phase II)

    • IPSec Encryption / Encryption Algorithm: AES-256
    • Authentication Algorithm: SHA1
    • DH-Group (if using Perfect Forward Secrecy, PFS): Group 5
    • Security Association Lifetime (seconds): 3600 seconds

After receipt of your request, IBM Cloud technicians open the appropriate firewall ports and allowlist the provided IP address. All communication about the request, through to its resolution, takes place in the IBM Cloud Support case ticket.

Figure 2. Public network access to IBM Cloud through a VPN

Using IP Allowlists with your Instance

An allowlist is a security mechanism that specifies which IP addresses are allowed to access a resource. Any IP address not on the allowlist is blocked. This approach helps protect your environment by filtering traffic based on trusted sources.

You can use IP allowlists to restrict access to your instance. Once an allowlist is configured, only IP addresses included in the allowlist, or within a listed range, can connect.

Key Points:

  • Allowlists can be applied only to public endpoints.
  • If the allowlist is empty (no IPs are listed), the restriction is disabled and connections from any IP address are allowed.
  • Allowlists regulate traffic only for database connectivity (port 50001). Web console access and REST API access over port 443 are not affected.

Setting an Allowlist Configuration

To enable IP allowlisting:

  1. Open a support ticket with IBM Cloud.
  2. Provide the IP address to be allowlisted.
  3. Include a short description for the allowlist entry.

IP Address Format

You can specify an IP in either of the following formats:

  • A single IP address (e.g., 170.225.223.5)
  • A CIDR block (e.g., 192.168.1.0/24 or 170.225.227.6/32)

Description

Each allowlist entry requires a description. This should be meaningful for identification—such as a customer name, project code, or employee ID.
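To make the allowlist rules above concrete (single IP or CIDR entries, a required description, an empty list meaning no restriction, and filtering applied only to the port 50001 database endpoint), here is an added example, not IBM's own implementation, that validates a candidate allowlist and evaluates constructed connection attempts against it. The entries, addresses and function names are constructed for the example.

```python
import ipaddress

# Constructed allowlist in the form the support ticket asks for: (entry, description).
# Addresses are placeholders from the page's examples and documentation ranges.
SAMPLE_ALLOWLIST = [
    ("170.225.223.5", "office egress"),
    ("192.168.1.0/24", "project code P-1234"),
]

# Constructed connection attempts: (client_ip, destination_port).
SAMPLE_ATTEMPTS = [
    ("170.225.223.5", 50001),   # listed single IP
    ("192.168.1.77", 50001),    # inside the listed /24
    ("203.0.113.9", 50001),     # not listed, DB port: should be blocked
    ("203.0.113.9", 443),       # not listed, but web console/REST is not filtered
]

DB_PORT = 50001  # the only port the allowlist regulates


def parse_allowlist(entries):
    """Validate entries and return them as ip_network objects.
    A single IP becomes a /32 (or /128); a CIDR with host bits set, an
    unparsable value, or a missing description is rejected."""
    networks = []
    for entry, description in entries:
        if not description or not description.strip():
            raise ValueError("allowlist entry %s needs a description" % entry)
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError("invalid allowlist entry %r: %s" % (entry, exc))
    return networks


def is_allowed(client_ip, port, networks):
    """Apply the page's rules: only port 50001 is filtered, and an empty
    allowlist disables the restriction entirely."""
    if port != DB_PORT or not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def blocked_attempts(attempts, networks):
    """Return the (client_ip, port) attempts the allowlist would reject."""
    return [(ip, port) for ip, port in attempts if not is_allowed(ip, port, networks)]
```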