IBM Cloud Docs
Why can't my VSIs access VPE gateway?

Virtual Private Cloud 1.30 and later

Review the following scenarios in which a VSI cannot reach a VPE gateway.

  • A VSI that could reach your registry through the registry VPE gateway loses that access as soon as a secure by default cluster is added to the VPC.
  • In an existing secure by default environment, a newly created VSI cannot communicate through the existing VPE gateways.

When a secure by default cluster is created in a VPC, several VPE gateways are created with it. In a secure by default environment these gateways are attached to a security group that, by default, only allows inbound traffic from IBM Cloud Kubernetes Service clusters in the VPC. A standalone VSI is not a member of that security group, so its traffic to the gateways is dropped until you add it explicitly by one of the options below.

Choose one of the following options to resolve the issue.

  • Attach your kube-CLUSTERID security group to your VSI.

    • Each cluster in your VPC has a security group attached to its worker nodes. The name of this security group is kube-CLUSTERID.
    • This security group is already configured to talk to your VPE gateway, so attaching any kube-CLUSTERID security group to your VSI allows the VSI to communicate through the VPE gateway.
    • Note that the VSI then inherits every rule of the worker-node security group, not only the gateway access. If the VSI should hold only the access it needs, use the next option instead.
    • You can attach security groups to your VSIs from the VPC console.
  • Add an inbound security group rule from your VSI security group to your VPE gateway security group.

    1. Find the security group IDs of your VSI's security group and of the kube-vpegw-<vpcID> security group.
      ibmcloud is security-groups
      
    2. Add an inbound rule to kube-vpegw-<vpcID> whose remote is your VSI's security group.
      ibmcloud is sg-rulec <kube-vpegw-vpcID> inbound all --remote <your-VSI-SG-ID>
      
    3. Add an outbound rule to your VSI's security group whose remote is kube-vpegw-<vpcID>. If your VSI's security group already allows all outbound traffic, as the VPC default security group does, this rule is redundant.
      ibmcloud is sg-rulec <your-VSI-SG> outbound all --remote <ID of kube-vpegw-vpcID>

    The protocol all in these rules permits every protocol and port between the two security groups. If the VSI only needs, for example, HTTPS to the gateway, replace all with the specific protocol and port.
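The second option, carried through as an added example that is not IBM Cloud's own code: the script below reads the JSON that `ibmcloud is security-groups --output json` prints, checks whether the inbound rule on kube-vpegw-<vpcID> and the outbound rule on the VSI's security group already exist, and prints only the `ibmcloud is sg-rulec` commands that are still needed. It goes slightly beyond the text in that it can narrow the rule to a protocol and port instead of `all`. It assumes the JSON security group objects carry "id", "name" and "rules", and that each rule carries "direction", "protocol", optional "port_min"/"port_max" and a "remote" that is either a security group ("id") or a CIDR ("cidr_block"), mirroring the VPC API; confirm the `--port-min`/`--port-max` flags with `ibmcloud is sg-rulec --help` for your CLI version. All IDs and names in the sample are made up.

```python
"""Added example, not IBM Cloud's own code: from the JSON printed by
`ibmcloud is security-groups --output json`, work out which of the two
security-group rules in the procedure above are still missing for a VSI,
and print the `ibmcloud is sg-rulec` commands that would add them.

Assumed (not stated on the page): each security group object carries "id",
"name" and "rules"; each rule carries "direction", "protocol", optional
"port_min"/"port_max", and a "remote" that is a security group ({"id", ...})
or a CIDR ({"cidr_block": ...}). IDs and names below are made up.
"""
import json
import subprocess
import sys

# Constructed sample output: the gateway group trusts only the cluster's
# worker-node group, and the VSI's group has just the default allow-all egress.
SAMPLE_GROUPS = json.loads("""
[
  {"id": "r006-aaaa-1111", "name": "kube-vpegw-r006-vpc1234",
   "rules": [
     {"direction": "inbound", "protocol": "all",
      "remote": {"id": "r006-cccc-3333", "name": "kube-c1abcdef"}}
   ]},
  {"id": "r006-bbbb-2222", "name": "my-vsi-sg",
   "rules": [
     {"direction": "outbound", "protocol": "all",
      "remote": {"cidr_block": "0.0.0.0/0"}}
   ]},
  {"id": "r006-cccc-3333", "name": "kube-c1abcdef", "rules": []}
]
""")


def find_group(groups, name):
    """Return the single security group called `name`; refuse ambiguity."""
    matches = [g for g in groups if g["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected one security group named {name!r}, found {len(matches)}")
    return matches[0]


def _covers(rule, protocol, port):
    """Does this rule's protocol and port range include the requested traffic?"""
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != protocol:
        return False
    return port is None or rule.get("port_min", 1) <= port <= rule.get("port_max", 65535)


def has_rule(group, direction, remote_sg_id, protocol="all", port=None):
    """True if `group` already permits `direction` traffic with the security
    group `remote_sg_id` as remote, for the given protocol and port."""
    return any(
        r["direction"] == direction
        and r.get("remote", {}).get("id") == remote_sg_id
        and _covers(r, protocol, port)
        for r in group["rules"]
    )


def allows_any_egress(group, protocol="all", port=None):
    """True if an outbound rule already reaches 0.0.0.0/0 (the VPC default does)."""
    return any(
        r["direction"] == "outbound"
        and r.get("remote", {}).get("cidr_block") == "0.0.0.0/0"
        and _covers(r, protocol, port)
        for r in group["rules"]
    )


def missing_rule_commands(groups, vpc_id, vsi_sg_name, protocol="all", port=None):
    """Commands for the rules still needed: inbound on kube-vpegw-<vpcID> from
    the VSI's group (step 2), and outbound from the VSI's group to the gateway
    group (step 3, skipped when the VSI's group already has open egress)."""
    gw = find_group(groups, f"kube-vpegw-{vpc_id}")
    vsi = find_group(groups, vsi_sg_name)
    ports = f" --port-min {port} --port-max {port}" if port is not None else ""
    cmds = []
    if not has_rule(gw, "inbound", vsi["id"], protocol, port):
        cmds.append(f"ibmcloud is sg-rulec {gw['id']} inbound {protocol}{ports} --remote {vsi['id']}")
    if not (has_rule(vsi, "outbound", gw["id"], protocol, port) or allows_any_egress(vsi, protocol, port)):
        cmds.append(f"ibmcloud is sg-rulec {vsi['id']} outbound {protocol}{ports} --remote {gw['id']}")
    return cmds


if __name__ == "__main__":
    # Live use: python3 check_vpe_sg.py <vpcID> <vsi-sg-name> [tcp 443]
    if len(sys.argv) not in (3, 5):
        sys.exit("usage: check_vpe_sg.py <vpcID> <vsi-sg-name> [<protocol> <port>]")
    proto = sys.argv[3] if len(sys.argv) == 5 else "all"
    port = int(sys.argv[4]) if len(sys.argv) == 5 else None
    raw = subprocess.run(["ibmcloud", "is", "security-groups", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    cmds = missing_rule_commands(json.loads(raw), sys.argv[1], sys.argv[2], proto, port)
    print("\n".join(cmds) if cmds else "nothing to add: both rules already exist")
```

Running it against the constructed sample prints only the step 2 command, because the VSI's group already allows all egress; passing `tcp 443` produces the same rule narrowed to HTTPS. The script prints the commands rather than running them so you can review what is being opened before you apply it.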
      

If the issue persists, open a support case. In the case details, include the security group IDs and rules involved, any error messages, and the output of the commands you ran.