Working with outbound connectivity in Code Engine
The IBM Cloud® Code Engine outbound connections feature supports defining reachable endpoints for your Code Engine projects.
- Use allowed destination IP address ranges for outbound connections in CIDR notation. The allowed destinations ensure that outbound traffic is restricted to addresses you define as safe. This prevents unintended access to the internet and improves compliance and security.
- Connect your Code Engine project with IBM Cloud VPC Private Path services by using the Code Engine console or CLI. Private Path allows connections between an IBM Cloud service like Code Engine and your VPC without compromising security or putting your VPC at risk. See Enabling an IBM Cloud service to connect to a provider's VPC.
CIDR range specifications do not affect project-internal communication, private path connections, or private service connections, all of which are always allowed destinations. As a result, restricting outbound traffic based on CIDR ranges does not prevent applications within your Code Engine project from communicating with each other, with a connected private path service, or with a private endpoint of an IBM Cloud service API.
Your use case can determine your outbound connection specifications. Typical use cases are as follows:
- Specifying no rules (that is, no allowed IP addresses), if Code Engine applications within a project are not supposed to reach any external endpoints.
- Specifying a single allowed destination IP address range (0.0.0.0/0) to allow all possible endpoints. By default, there is a rule, named allow-all, set with an IP range of 0.0.0.0/0.
- Specifying a rule with an allowed destination IP address range that allows the workload within your Code Engine project to reach only your specified range of endpoints (for example, your on-premises data center).
You can create outbound connections by using the console or the CLI.
Private Service Connections
Connecting to private endpoints of a set of common IBM Cloud platform services is enabled as part of the allowed outbound destinations of all Code Engine projects. The set of enabled platform services varies by region as detailed in the following table.
| Platform service | Private endpoint available in regions |
|---|---|
| Global Search (Endpoint URL) and Global Tagging (Endpoint URL) | au-syd, br-sao, ca-tor, eu-de, eu-es, eu-gb, jp-osa, jp-tok, us-east, us-south |
| Global Catalog (Endpoint URL) | au-syd, br-sao, eu-de, jp-osa, us-east, us-south |
| Account Management (Endpoint URL (https://private.accounts.cloud.ibm.com)) | eu-de, us-east, us-south |
| Usage Metering (Endpoint URL) | eu-de, us-east, us-south |
| Enterprise Management (Endpoint URL) | eu-de, us-east, us-south |
| Resource Controller (Endpoint URL) | eu-de, us-east, us-south |
| User Management (Endpoint URL) | eu-de, us-east, us-south |
Managing allowed outbound destinations by using the console
Adding an allowed destination IP address range for outbound connectivity
You can create allowed destination IP address ranges to limit where your workload can connect to over an external network.
- Go to the Connectivity page:
- Select your project from the Projects page in the Code Engine console.
- Click Project settings > Connectivity > CIDR ranges tab to see a list of existing allowed destination IP address ranges.
- Click Add to create an allowed destination IP address range.
- Provide a name.
- Provide an IP address range in CIDR notation.
- Confirm your configuration.
Adding a private path connection for outbound connectivity
You can establish a Private Path connection between your Code Engine project and your VPC.
This diagram illustrates how to establish a Private Path service with connections to the VPE gateway of a Code Engine application and your VPC. First, the Code Engine application connects to the VPE gateway within the Code Engine's VPC. Then,
the VPE gateway connects to the Private Path NLB in the provider's VPC. In turn, the Private Path NLB connects to the provider's application. The provider's application then responds to the request. This Private Path service activity is
completely contained in a single region (e.g. us-south) in an IBM Cloud private network.
Once the connection to VPC is created, the Private Path service owner will receive a connection request. The owner can review, permit or deny this connection request. Use the consumer Code Engine account ID and VPE gateway creation timestamp displayed in the private path connection details view to identify the respective connection request within the Private Path service.
- Go to the Connectivity page:
- Select your project from the Projects page in the Code Engine console.
- Click Project settings > Connectivity > Private Path connections tab to see a list of existing private path connections.
- Click Add to create a private path connection.
- Provide a name.
- Specify the Private Path service instance to connect to by name or by CRN.
- By Name, select the Private Path service instance from the drop-down list.
- By CRN, provide the Private Path service instance CRN.
- Confirm your configuration.
Updating an allowed destination IP address range for outbound connectivity
You can change allowed destination IP address ranges to prevent your workload from connecting to unintended endpoints (for example, the public internet).
- Go to the Connectivity page:
- Select your project from the Projects page in the Code Engine console.
- Click Project settings > Connectivity > CIDR ranges tab to see a list of existing allowed destination IP address ranges.
- Click the row with the allowed destination IP address range that you want to edit.
- Provide the updated IP address range and save your changes.
When you update the outbound connectivity rules, note:
- Allowed destination IP address ranges do not conflict; they are additive. When you define multiple ranges, the allowed destinations form the union of all specified ranges, so the order in which you add ranges does not affect the resulting allowed destinations. If you add a second range that is already covered by an existing range, the system rejects the creation as redundant.
- Specifying the IP address range 0.0.0.0/0 removes all existing rules and opens up full connectivity.
- After you restrict outbound connectivity rules, it can take some time for your workload to pick up the rules. For example, if the HTTP client that is used in your code establishes a connection before you update the outbound connectivity rule, it can keep an open connection to that endpoint. To make sure that your outbound connectivity rules are applied immediately, reset all connections. You can reset by redeploying your workloads or by handling such situations in your code.
- After you restrict outbound connections from your Code Engine project, you can see unintended side effects such as failing build runs because no external requests can be made.
Deleting an allowed outbound destination for outbound connectivity
You can delete previously defined allowed outbound destinations, if you no longer want them defined for outbound connectivity.
Deleting allowed destination IP address ranges blocks outbound traffic for Code Engine applications, functions, and jobs within a project.
- Go to the Connectivity page:
- Select your project from the Projects page in the Code Engine console.
- Click Project settings > Connectivity > CIDR ranges tab to see a list of existing allowed destination IP address ranges, or Private Path connections tab to see a list of existing private path connections.
- Go to the row with the allowed outbound destination that you want to remove and click the delete (trash can) icon.
- Confirm the deletion when prompted.
Managing allowed outbound destinations by using the CLI
To work with allowed outbound destinations by using CLI commands, log in to your IBM Cloud account and select the Code Engine account and resource group.
Adding an allowed destination IP address range for outbound connectivity
For Code Engine connectivity outbound CLI commands, you can specify the --name and --cidr values to configure allowed destination IP address ranges. Follow these CIDR guidelines:
- Do not use an IP range from the reserved IP ranges.
- Do not use duplicate --name and --cidr values.
- Do not use an unsupported CIDR name.
- Do not use an unsupported IP address range. Follow CIDR notation.
You can create allowed destination IP address ranges to limit where your workload can connect to over an external network.
- Select your Code Engine project. For example:
  ibmcloud ce project select --name myproject
- Create an allowed destination IP address range by specifying the --name and --cidr options. Provide a valid name and IP address. Refer to these examples:
  ibmcloud ce connectivity outbound create --name mycidr1 --cidr 192.68.5.0/24
  ibmcloud ce connectivity outbound create --name mycidr2-allow-all --cidr 0.0.0.0/0
  ibmcloud ce connectivity outbound create --name mycidr2-allow-all --cidr 0.0.0.0/0 --force
Adding a private path connection for outbound connectivity
For Code Engine connectivity outbound CLI commands, you can specify the --name, --format, and --pps-crn values to establish a Private Path connection between your Code Engine project and your VPC.
This diagram illustrates how to establish a Private Path service with connections to the VPE gateway of a Code Engine application and your VPC. First, the Code Engine application connects to the VPE gateway within the Code Engine's VPC. Then,
the VPE gateway connects to the Private Path NLB in the provider's VPC. In turn, the Private Path NLB connects to the provider's application. The provider's application then responds to the request. This Private Path service activity is
completely contained in a single region (e.g. us-south) in an IBM Cloud private network.
Once the connection to the VPC is created, the Private Path service owner receives a connection request. The owner can review, permit, or deny this connection request. Use the consumer Code Engine account ID and VPE gateway creation timestamp shown by the ibmcloud ce connectivity outbound get --name OUTBOUND_DESTINATION_NAME command to identify the respective connection request within the Private Path service.
- Select your Code Engine project. For example:
  ibmcloud ce project select --name myproject
- Create a private path connection for outbound connectivity by specifying the --name, --format, and --pps-crn options. Provide a valid name, format, and CRN. Refer to this example:
  ibmcloud ce connectivity outbound create --name my-pps-connection --format pps --pps-crn crn:v1:bluemix:public:is:eu-de:a/abcdefabcdefabcdefabcd1234567890::private-path-service-gateway:r010-2b2b2b2b-3c3c-4d4d-5e5e-6f6f6f6f6f6f
Showing existing allowed destinations for outbound connectivity
To show a specific allowed outbound destination, specify the name. For example:
ibmcloud ce connectivity outbound get --name my-allowed-destination
To show all allowed outbound destinations, run:
ibmcloud ce connectivity outbound list
To show selected formats of allowed outbound destinations, run for example:
ibmcloud ce connectivity outbound list --format cidr,pps
ibmcloud ce connectivity outbound list --format cidr
ibmcloud ce connectivity outbound list --format pps
Updating an allowed destination IP address range for outbound connectivity
You can change allowed destination IP address ranges to prevent your workload from connecting to unintended endpoints (for example, the public internet).
Update an allowed destination IP address range by specifying the --name and --cidr options. Provide a valid name and IP address. Refer to these examples:
ibmcloud ce connectivity outbound update --name mycidr1 --cidr 192.68.5.0/24
ibmcloud ce connectivity outbound update --name mycidr2-allow-all --cidr 0.0.0.0/0
Are you sure you want to update an allowed destination IP address range with '0.0.0.0/0'?, It will remove all other entries [y/N]>
ibmcloud ce connectivity outbound update --name mycidr2-allow-all --cidr 0.0.0.0/0 --force
When you update the outbound connectivity rules, note:
- Allowed destination IP address ranges do not conflict; they are additive. When you define multiple ranges, the allowed destinations form the union of all specified ranges, so the order in which you add ranges does not affect the resulting allowed destinations. If you add a second range that is already covered by an existing range, the system rejects the creation as redundant.
- Specifying the IP address range 0.0.0.0/0 removes all existing rules and opens up full connectivity.
- Even after you restrict outbound connectivity rules, it can take some time for your workload to pick up the rules. For example, if the HTTP client that is used in your code establishes a connection before you update the outbound connectivity rule, it can keep an open connection to that endpoint. To make sure that your outbound connectivity rules are applied immediately, reset all connections. You can reset by redeploying your workloads or by handling such situations in your code.
- After you restrict outbound connections from your Code Engine project, you can see unintended side effects such as failing build runs because no external requests can be made.
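The rule semantics stated in these notes (and in the identical notes under the console section) are easy to get wrong when reviewing a project's allow list: ranges are a union, a range already covered by an existing one is rejected as redundant, and 0.0.0.0/0 wipes every other rule. The following Python model is an added example written for this page; it is not IBM's code, does not call the ibmcloud CLI, and only reproduces the behaviour the text describes. The rule names, the 192.68.5.0/24 and 10.0.0.0/8 ranges and the probe addresses are constructed; the reserved IP ranges that the CLI rejects are not listed on this page, so they are not modelled here.

```python
"""Local model of Code Engine allowed-destination CIDR rules.

Added example, not IBM code. It mirrors the documented rules:
  * rules are additive: the allowed set is the union of all ranges;
  * a new range fully covered by an existing rule is rejected as redundant;
  * duplicate --name or --cidr values are rejected;
  * 0.0.0.0/0 replaces every other rule with full connectivity.
Reserved IP ranges are not listed on the page and are not modelled.
"""
import ipaddress
from typing import Dict, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RedundantRangeError(ValueError):
    """Raised when a new range is entirely covered by an existing rule."""


class AllowedDestinations:
    def __init__(self) -> None:
        # name -> network, mirroring the --name / --cidr pair of the CLI
        self.rules: Dict[str, Network] = {}

    def add(self, name: str, cidr: str) -> Dict[str, str]:
        # strict=True rejects host bits set in the prefix (e.g. 192.68.5.1/24),
        # matching the "follow CIDR notation" guideline
        net = ipaddress.ip_network(cidr, strict=True)
        if name in self.rules:
            raise ValueError(f"duplicate --name {name!r}")
        if any(net == existing for existing in self.rules.values()):
            raise ValueError(f"duplicate --cidr {cidr}")
        if net.prefixlen == 0:
            # 0.0.0.0/0 removes all existing rules and opens full connectivity
            self.rules = {name: net}
            return self.snapshot()
        for existing in self.rules.values():
            if existing.version == net.version and net.subnet_of(existing):
                raise RedundantRangeError(f"{cidr} is already covered by {existing}")
        self.rules[name] = net
        return self.snapshot()

    def delete(self, name: str) -> Dict[str, str]:
        # Removing a rule shrinks the union; with no rules left, nothing external is reachable
        self.rules.pop(name)
        return self.snapshot()

    def is_allowed(self, ip: str) -> bool:
        # Union semantics: an address is reachable if any rule covers it
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.rules.values())

    def snapshot(self) -> Dict[str, str]:
        return {name: str(net) for name, net in self.rules.items()}


def demo() -> Dict[str, str]:
    """Walk through the documented behaviour on constructed sample rules."""
    dest = AllowedDestinations()
    # Start from the default allow-all rule, then remove it to restrict traffic
    dest.add("allow-all", "0.0.0.0/0")
    dest.delete("allow-all")
    dest.add("mycidr1", "192.68.5.0/24")       # constructed on-premises range
    dest.add("datacenter", "10.0.0.0/8")       # constructed second range
    try:
        dest.add("subset", "192.68.5.0/25")    # covered by mycidr1 -> rejected
    except RedundantRangeError:
        pass
    return dest.snapshot()


if __name__ == "__main__":
    print(demo())
```

Run the module to print the resulting rule set; to audit a real project, feed the ranges listed by ibmcloud ce connectivity outbound list --format cidr into AllowedDestinations and call is_allowed for the endpoints your workload must and must not reach.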
Deleting an allowed outbound destination for outbound connectivity
You can delete previously defined allowed outbound destinations, if you no longer want them defined for outbound connectivity.
Deleting allowed destination IP address ranges blocks outbound traffic for Code Engine applications, functions, and jobs within a project.
To delete an allowed outbound destination with confirmation, specify the name. For example:
ibmcloud ce connectivity outbound delete --name my-allowed-destination
To delete an allowed outbound destination forcefully (that is, without confirmation), run:
ibmcloud ce connectivity outbound delete --name my-allowed-destination --force