Working with subnet pool connectivity in Code Engine

With the IBM Cloud® Code Engine subnet pool connections feature, you can manage VPC subnet pool references, including security groups. You create a subnet pool to specify the VPC subnets and availability zones where your workload will be processed. For example, you can create a subnet pool with a single subnet in zone eu-de-1 or a subnet pool with multiple subnets to span all 3 zones in eu-de. In addition, you can specify the security group that your workload should be attached to. A subnet pool can be referenced when creating a fleet to specify into which network zone the Code Engine fleet workers get deployed.

IBM Cloud® Virtual Private Cloud (VPC) is a virtual network that is linked to your customer account. It gives you cloud security, with the ability to scale dynamically, by providing fine-grained control over your virtual infrastructure and your network traffic segmentation. Subnets in your VPC offer private connectivity. Subnets in your VPC can connect to the public internet through an optional public gateway. You can keep your VPC and workloads secure by controlling network traffic using security groups. See About networking and Security in your VPC for further reading.

You can manage subnet pools by using the console or the CLI.

Managing subnet pools by using the console

Adding a subnet pool

  1. Go to the Connectivity page:
    1. Select your project from the Projects page in the Code Engine console.
    2. Click Project settings > Connectivity and navigate to the Subnet pools for network placement section to see a list of existing subnet pools.
  2. Click Create to create a subnet pool.
  3. Provide a name.
  4. Select Specify by name.
    1. Select the VPC.
    2. Select the VPC subnet you want to specify for network placement.
    3. Optional: Select one or more VPC security groups to attach to the subnet. If you do not specify any security group, the default security group of the VPC is used.
    4. Click Add to subnet pool to add the subnet CRN and optionally its security group CRN to the subnet pool. Repeat this step if the subnet pool should allow network placement to multiple subnets.
  5. Confirm your configuration by clicking Create.

Adding a subnet pool by CRN

  1. Go to the Connectivity page:
    1. Select your project from the Projects page in the Code Engine console.
    2. Click Project settings > Connectivity and navigate to the Subnet pools for network placement section to see a list of existing subnet pools.
  2. Click Create subnet pool to create a subnet pool.
  3. Provide a name.
  4. Select Specify by CRN and provide a VPC subnet CRN. Optionally, provide a VPC security group CRN. Click Add security group if you want to attach more than one security group to the subnet. If you do not specify any security group, the default security group of the VPC is used. Click Add to subnet pool to add the subnet CRN and optionally its security group CRN to the subnet pool. Repeat this step if the subnet pool should allow network placement to multiple subnets.
  5. Confirm your configuration by clicking Create.

Deleting a subnet pool

You can delete previously defined subnet pools if you no longer use them.

To run a fleet, you need at least one subnet pool configured within a project.

  1. Go to the Connectivity page:
    1. Select your project from the Projects page in the Code Engine console.
    2. Click Project settings > Connectivity and navigate to the Subnet pools section to see a list of existing subnet pools.
  2. Go to the row with the subnet pool that you want to remove and click the three dots row actions icon. Click Delete.
  3. Confirm the deletion when prompted.

Managing subnet pools by using the CLI

To work with subnet pools by using CLI commands, log in to your IBM Cloud account and select the Code Engine account and resource group.

Gather subnet information for network placement

This step is required if you want to specify a subnet pool for network placement by providing the CRN of one or more VPC subnets.

Run the commands to get the CRN of up to three subnets that you want your fleet workers to attach to. These subnets must reside in the same region as the Code Engine project you want to run your fleets in. In the output, find the CRN, which has a format similar to the following: crn:v1:bluemix:public:is:us-east-2:a/1af204bc1def56171eed1a8100b1cc121::subnet:1345-16e10cc-ba18-19ee-de1b0-1213aa1a41a0156. These CRNs are referenced later in the subnet pool.

To list all subnets:

ibmcloud is subnets

To get the details of a single subnet:

ibmcloud is subnet <subnet_id>

Gather security group information for each subnet (optional)

If you want to apply existing custom security groups to the subnets attached to your fleet workers, run the commands to get the CRN of all security groups for each subnet you found in the previous step. In the output for each security group, find the CRN, which has the following format: crn:v1:bluemix:public:is:us-east:a/1af204bc1def56171eed1a8100b1cc121::security-group:6789-16e10cc-ba18-19ee-de1b0-1213aa1a41a0156. These CRNs are referenced later in the subnet pool. If you do not specify a security group, the default security group of the VPC is used.

To list all security groups:

ibmcloud is sgs

To get the details of a single security group:

ibmcloud is sg <securitygroup_id>

Adding a subnet pool

For Code Engine connectivity subnetpool CLI commands, you can specify the --name, --subnet-crn, and optionally --security-group-crn options to configure subnet pools. Follow these guidelines:

  • Do not use duplicate --name values within a project.
  • Do not use duplicate --subnet-crn values within one subnet pool.
  1. Select your Code Engine project. For example:

    ibmcloud ce project select --name myproject
    
  2. Create a subnet pool by specifying the --name, --subnet-crn, and optionally --security-group-crn options. The --subnet-crn and --security-group-crn options can be specified multiple times. To correlate --security-group-crn values with their --subnet-crn value, use an arbitrary identifier as key. Refer to this example, which uses keys S1 and IDx:

    ibmcloud ce connectivity outbound subnetpool create --name my-other-pool \
        --subnet-crn S1=crn:v1:bluemix:public:is:eu-de-3:a/abcdefabcdefabcdefabcd1234567890::subnet:1a1a-2b2b2b2b-3c3c-4d4d-5e5e-6f6f6f6f6f21 \
        --security-group-crn S1=crn:v1:bluemix:public:is:eu-de:a/abcdefabcdefabcdefabcd1234567890::security-group:2b2b-3c3c3c3c-4d4d-5e5e-6f6f-7g7g7g7g7g7g \
        --subnet-crn IDx=crn:v1:bluemix:public:is:eu-de-3:a/abcdefabcdefabcdefabcd1234567890::subnet:1a1a-2b2b2b2b-3c3c-4d4d-5e5e-6f6f6f6f6f22 \
        --security-group-crn IDx=crn:v1:bluemix:public:is:eu-de:a/abcdefabcdefabcdefabcd1234567890::security-group:2b2b-3c3c3c3c-4d4d-5e5e-6f6f-7g7g7g7g7g7g \
        --security-group-crn IDx=crn:v1:bluemix:public:is:eu-de:a/abcdefabcdefabcdefabcd1234567890::security-group:2b2b-3c3c3c3c-4d4d-5e5e-6f6f-7g7g7g7g7g8h
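
A pre-flight check for the KEY=CRN options described above, as an added example that is not part of the IBM documentation or CLI. The function name `check_subnetpool`, the project region passed as first argument, and the rule that a security group CRN's location must equal its subnet's region (zone with the trailing number removed, as in the page's sample CRNs) are assumptions of this example.

```sh
# Pre-flight check for subnet pool options; prints findings, returns 1 on any ERROR.
# Usage: check_subnetpool <project-region> [--subnet-crn KEY=CRN | --security-group-crn KEY=CRN]...

crn_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }  # Nth colon-separated CRN segment

check_subnetpool() {
    region=$1; shift
    subnets="" sgs="" seen="" rc=0
    while [ "$#" -ge 2 ]; do
        opt=$1 arg=$2; shift 2
        key=${arg%%=*} crn=${arg#*=}
        case $opt in
            --subnet-crn) want=subnet ;;
            --security-group-crn) want=security-group ;;
            *) echo "ERROR unknown option $opt"; rc=1; continue ;;
        esac
        # Segment 9 of a CRN is the resource type; it must match the option used.
        if [ "$key" = "$arg" ] || [ "$(crn_field "$crn" 9)" != "$want" ]; then
            echo "ERROR $key: expected KEY=<$want CRN>"; rc=1; continue
        fi
        loc=$(crn_field "$crn" 6)
        if [ "$want" = subnet ]; then
            case " $seen " in *" $crn "*) echo "ERROR $key: duplicate subnet CRN"; rc=1 ;; esac
            seen="$seen $crn"
            subnets="$subnets $key|${loc%-[0-9]*}"  # zone eu-de-3 -> region eu-de
        else
            sgs="$sgs $key|$loc"
        fi
    done
    for s in $subnets; do
        k=${s%%|*} r=${s#*|}
        [ "$r" = "$region" ] || { echo "ERROR $k: subnet is in $r, project is in $region"; rc=1; }
        case " $sgs " in *" $k|"*) ;; *) echo "WARN $k: no security group, VPC default applies" ;; esac
    done
    for g in $sgs; do
        k=${g%%|*} r=${g#*|}
        case " $subnets " in
            *" $k|$r "*) ;;
            *" $k|"*) echo "ERROR $k: security group is in $r, not its subnet's region"; rc=1 ;;
            *) echo "ERROR $k: security group key matches no --subnet-crn"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample CRNs in the page's format (account and resource IDs are placeholders).
SUB1='crn:v1:bluemix:public:is:eu-de-1:a/0000aaaa::subnet:sub-1'
SUB2='crn:v1:bluemix:public:is:eu-de-2:a/0000aaaa::subnet:sub-2'
SG1='crn:v1:bluemix:public:is:eu-de:a/0000aaaa::security-group:sg-1'
check_subnetpool eu-de --subnet-crn S1="$SUB1" --security-group-crn S1="$SG1" --subnet-crn IDx="$SUB2"
```

The WARN line marks every subnet that would silently fall back to the VPC default security group, which is worth reviewing before the pool is created.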
    

Showing existing subnet pools

To show a specific subnet pool, specify the name or ID. For example:

ibmcloud ce connectivity subnetpool get --name my-other-pool

To show all subnet pools, run:

ibmcloud ce connectivity subnetpool list

Deleting a subnet pool

You can delete previously defined subnet pools if you no longer use them.

To run a fleet, you need at least one subnet pool configured within a project.

To delete a subnet pool with confirmation, specify the name or ID. For example:

ibmcloud ce connectivity subnetpool delete --name my-other-pool

To delete a subnet pool forcefully (that is, without confirmation), run:

ibmcloud ce connectivity subnetpool delete --name my-other-pool --force