Virtual Private Endpoints
This document covers all the IBM Cloud Databases: Databases for DataStax, Databases for Elasticsearch, Databases for EnterpriseDB, Databases for etcd, Databases for MongoDB, Databases for PostgreSQL, Databases for Redis, IBM Cloud® Databases for MySQL, and Messages for RabbitMQ.
IBM Cloud® Virtual Private Endpoint (VPE) for IBM Cloud® Virtual Private Cloud provides connection points to IBM services on the IBM private network from your VPC network.
Using Virtual Private Endpoints
Virtual Private Endpoints (VPEs) are generally available in all regions.
Before you begin
- An IBM Cloud account.
- A Cloud Databases deployment. You can provision one from the IBM Cloud catalog. Give your deployment a memorable name that appears in your account's Resource List.
Setting up your VPE
- Create an IBM Cloud® Virtual Private Cloud. Follow the Getting started instructions.
- Make sure that your VPC has at least one VSI (virtual server instance), and that you can connect to the VSI. You can use the UI, CLI, or API to quickly provision IBM Cloud® Virtual Private Cloud from the Virtual server instances page in the IBM Cloud console:
  - Use this information when you're creating generation 1 virtual server instances.
  - Use this information when you're creating generation 2 virtual server instances.
- Make sure your Cloud Databases deployment's private endpoint is enabled.
- In the IBM Cloud console, click the menu icon and select VPC Infrastructure -> Network -> Virtual private endpoint gateways. Create a VPE for your Cloud Databases instances by following the instructions for creating an endpoint gateway (see More resources).
- After you create your VPE, it might take a few minutes for the new VPE and pDNS to complete the process and begin working for your VPC. Completion is confirmed when you see an IP address set in the details view of the VPE.
- To make sure pDNS is functioning for your VPE, ssh into your VSI and run nslookup <instance_hostname>. The following example shows the output from running nslookup on the instance hostnames host-0.private.databases.appdomain.cloud, host-1.private.databases.appdomain.cloud, and host-2.private.databases.appdomain.cloud:

  root@test-vpc-vsi:~# nslookup host-0.private.databases.appdomain.cloud
  Server:         127.0.0.53
  Address:        127.0.0.53#53

  Non-authoritative answer:
  Name:   host-0.private.databases.appdomain.cloud
  Address: 10.240.64.6

  root@test-vpc-vsi:~# nslookup host-1.private.databases.appdomain.cloud
  Server:         127.0.0.53
  Address:        127.0.0.53#53

  Non-authoritative answer:
  Name:   host-1.private.databases.appdomain.cloud
  Address: 10.240.64.6

  root@test-vpc-vsi:~# nslookup host-2.private.databases.appdomain.cloud
  Server:         127.0.0.53
  Address:        127.0.0.53#53

  Non-authoritative answer:
  Name:   host-2.private.databases.appdomain.cloud
  Address: 10.240.64.6      <---- your VPE IP address

- You can now use your instance from the VSI. For example, with a MongoDB deployment (replace <ca-cert-file> with the path of the deployment's CA certificate that you downloaded to the VSI):

  mongo -u $USERNAME -p $PASSWORD --tls --tlsCAFile /root/<ca-cert-file> --authenticationDatabase admin --host replset/host-0.private.databases.appdomain.cloud:30066,host-1.private.databases.appdomain.cloud:30066,host-2.private.databases.appdomain.cloud:30066
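The nslookup step above is the check that tells you whether traffic to the deployment will actually go through the VPE rather than a public endpoint. The script below, an added example that is not part of the IBM documentation, makes that check repeatable: it parses nslookup output for each instance hostname, confirms the answer is an RFC 1918 address inside the VPC subnet, and reports which hosts are still unresolved or resolve to a public address. The sample outputs are constructed (the good case reproduces the page's 10.240.64.6 answers; the bad case is invented to show the two failure modes), and the subnet 10.240.64.0/24 is an assumption, so read the real value from your VPE's details view. The `live_lookup` helper is the only part that talks to the network and is meant to be run on the VSI itself.

```python
import ipaddress
import subprocess

# Instance hostnames taken from the page's nslookup example.
INSTANCE_HOSTS = (
    "host-0.private.databases.appdomain.cloud",
    "host-1.private.databases.appdomain.cloud",
    "host-2.private.databases.appdomain.cloud",
)

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private
# (which also treats documentation ranges such as 203.0.113.0/24 as private).
RFC1918 = tuple(ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def _nslookup_text(host, addr):
    """Constructed sample of the text `nslookup <host>` prints on the VSI."""
    return (
        "Server:\t\t127.0.0.53\n"
        "Address:\t127.0.0.53#53\n\n"
        "Non-authoritative answer:\n"
        f"Name:\t{host}\n"
        f"Address: {addr}\n"
    )


# Constructed sample matching the page: every member resolves to the VPE IP.
SAMPLE_GOOD = {h: _nslookup_text(h, "10.240.64.6") for h in INSTANCE_HOSTS}

# Constructed failure sample: host-1 still gets a (made-up) public record
# because pDNS is not serving it yet, and host-2 does not resolve at all.
SAMPLE_BAD = {
    INSTANCE_HOSTS[0]: _nslookup_text(INSTANCE_HOSTS[0], "10.240.64.6"),
    INSTANCE_HOSTS[1]: _nslookup_text(INSTANCE_HOSTS[1], "203.0.113.10"),
    INSTANCE_HOSTS[2]: (
        "Server:\t\t127.0.0.53\nAddress:\t127.0.0.53#53\n\n"
        f"** server can't find {INSTANCE_HOSTS[2]}: NXDOMAIN\n"
    ),
}


def parse_nslookup(output):
    """Return {name: address} from the answer section of nslookup output.

    The resolver's own Server:/Address: header lines are skipped because no
    Name: line precedes them; a '#port' suffix on an address is stripped.
    """
    answers = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Address:") and current is not None:
            answers[current] = line.split(":", 1)[1].strip().split("#", 1)[0]
            current = None
    return answers


def check_vpe_resolution(lookups, vpc_cidr):
    """Classify each host's answer; returns (all_ok, verdicts, vpe_ips).

    lookups  : {hostname: nslookup output text}
    vpc_cidr : subnet holding the VPE gateway's reserved IP (an assumption
               here; take it from the VPE details view for your VPC)
    """
    network = ipaddress.ip_network(vpc_cidr)
    verdicts = {}
    vpe_ips = set()
    for host, output in lookups.items():
        addr = parse_nslookup(output).get(host)
        if addr is None:
            verdicts[host] = "unresolved: pDNS is not serving this name yet"
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in RFC1918):
            verdicts[host] = f"public address {ip}: traffic would not use the VPE"
        elif ip not in network:
            verdicts[host] = f"private address {ip} is outside {vpc_cidr}"
        else:
            verdicts[host] = f"ok: {ip}"
            vpe_ips.add(str(ip))
    all_ok = all(v.startswith("ok") for v in verdicts.values())
    return all_ok, verdicts, vpe_ips


def live_lookup(host):
    """Run the real nslookup on the VSI (not used by the offline samples)."""
    return subprocess.run(["nslookup", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    ok, verdicts, ips = check_vpe_resolution(SAMPLE_GOOD, "10.240.64.0/24")
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
    print("all members reachable through the VPE:", ok, "VPE IPs:", sorted(ips))
```

On the VSI, replace the sample dictionary with `{h: live_lookup(h) for h in INSTANCE_HOSTS}` and your deployment's hostnames; a "public address" verdict means the client would bypass the VPE and should be treated as a misconfiguration, not just a delay.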
VPE Discoverability
Following the previous steps results in a database instance with private endpoints that is reachable through the Virtual Private Endpoint from your VPC network.
Database instances with private endpoints are reachable from any account within the private network, and access to each instance requires authentication. To restrict this access to specific IP addresses, or ranges of IP addresses, configure allowlisting.
A MongoDB deployment cannot support both public and private endpoints simultaneously. This cannot be changed after provisioning.
For more information, see Secure access to services by using service endpoints.
More resources
- Planning for virtual private endpoint gateways
- Creating an endpoint gateway
- For further assistance, see the FAQs for virtual private endpoints and the Troubleshooting VPE gateways documentation, which includes how to fix communication issues.