Securing your connection when using the IBM Cloud CLI

To ensure that you have enhanced control and security over your data when you use the IBM Cloud® Command Line Interface, you have the option of using private routes to IBM Cloud endpoints. Private routes are not accessible or reachable over the internet. By using the IBM Cloud private endpoints feature, you can protect your data from threats from the public network and logically extend your private network.

The CLI uses the private endpoint support that is provided by the IBM Cloud platform. Platform services that are used by the core CLI, such as IAM, provide private endpoint support.

If your deployment uses the VPC environment of IBM Cloud, private endpoints are exposed through global endpoints. If your deployment uses the Classic environment, regional support is provided for a limited number of CLI commands. The following regions support private endpoints in Classic environments:

  • us-south
  • us-east

Enabling virtual routing and forwarding

First, enable virtual routing and forwarding in your account, and then you can enable the use of IBM Cloud private service endpoints. For more information about setting up your account to support the private connectivity option, see Enabling VRF and service endpoints.

To learn more about private connections on IBM Cloud, see Secure access to services using service endpoints.

Logging in to the CLI with a private endpoint

You can log in to a private endpoint for either Classic or VPC. To log in by using Classic infrastructure, run the following command:

ibmcloud login -a private.cloud.ibm.com

To log in by using the VPC infrastructure, add the --vpc flag to the command:

ibmcloud login -a private.cloud.ibm.com --vpc

Targeting a supported region (required for Classic use)

To use private endpoints for deployments in the Classic environment, a region must be targeted when a private endpoint is set in the IBM Cloud CLI.

To target a supported region, use the following command:

ibmcloud target -r [region]

Creating a private endpoint gateway (required for VPC use)

To use private endpoints for deployments in the VPC environment, you must create a virtual private endpoint gateway. For more information, see About virtual private endpoint gateways.

A list of all IBM Cloud services that are configurable through a virtual private endpoint gateway is at VPE Supported Services.

To ensure basic CLI capability against the private endpoint, you must configure the gateway to include these services:

Determining which CLI plug-ins support private endpoints

The ibmcloud plugin list command reports whether an installed CLI plug-in supports private endpoints. If a plug-in that you use does not show private support, you must continue to use it with your API set to the public endpoint cloud.ibm.com.

Installing CLI plug-ins over a private connection

To install plug-ins over a private connection, the API endpoint of the CLI must be set to the private endpoint. Follow the login instructions in "Logging in to the CLI with a private endpoint" to set the API, and add the --vpc flag if you use VPC.

Determining which commands support private endpoints

The following commands support private endpoints:

  • api
  • login
  • target
  • logout

Most commands under the following namespaces work when you are using private endpoints:

  • account
  • billing
  • iam
  • resource
  • catalog

If the CLI is set to access private endpoints and you try to run a command or plug-in that does not yet support private endpoints, you might see an error.

The following core commands do not yet support private endpoints:

account
billing
  org-usage
catalog
  template-run
sl
  all commands
app (deprecated)
  all commands
service (deprecated)
  all commands
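
The following shell helpers are an added example, not IBM code: they turn the login, region, and command-support rules on this page into a preflight check for scripts. The function names and the IBMCLOUD override variable are hypothetical, and because the unsupported list above shows no subcommand for account, account falls under the "most commands" rule.

```shell
#!/bin/sh
# Added example (not IBM code). Lists below are copied from this page.
PRIVATE_API="private.cloud.ibm.com"
CLASSIC_PRIVATE_REGIONS="us-south us-east"

# Print the commands that open a private session for classic|vpc.
# Classic fails unless the region is one the page lists as supported.
private_login_plan() {
  case "$1" in
    vpc) # assumes the VPE gateway described above already exists
      echo "ibmcloud login -a $PRIVATE_API --vpc" ;;
    classic)
      for r in $CLASSIC_PRIVATE_REGIONS; do
        if [ "$r" = "${2:-}" ]; then
          echo "ibmcloud login -a $PRIVATE_API"
          echo "ibmcloud target -r $r"
          return 0
        fi
      done
      echo "Classic private endpoints need one of: $CLASSIC_PRIVATE_REGIONS" >&2
      return 1 ;;
    *) echo "usage: private_login_plan classic|vpc [region]" >&2; return 2 ;;
  esac
}

# Classify a core command: supported | likely | unsupported | unlisted.
private_support() {
  case "$1" in sl|app|service) echo unsupported; return 0 ;; esac
  case "$1 ${2:-}" in
    "billing org-usage"|"catalog template-run") echo unsupported; return 0 ;;
  esac
  case "$1" in
    api|login|target|logout) echo supported ;;
    account|billing|iam|resource|catalog) echo likely ;;  # "most commands"
    *) echo unlisted ;;  # e.g. a plug-in: check `ibmcloud plugin list`
  esac
}

# Policy wrapper (assumption): refuse known-unsupported commands so a script
# never quietly switches the API back to the public endpoint.
# IBMCLOUD is a hypothetical override used for dry runs and tests.
private_guard() {
  if [ "$(private_support "$1" "${2:-}")" = unsupported ]; then
    echo "refusing 'ibmcloud $*': no private endpoint support" >&2
    return 1
  fi
  "${IBMCLOUD:-ibmcloud}" "$@"
}

# Demo with constructed inputs.
private_login_plan classic us-south
private_support catalog template-run
```

Setting IBMCLOUD=echo turns private_guard into a dry run that prints the arguments it would pass to the CLI.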