IBM Cloud Docs
Extending your enterprise network to IBM Cloud

In this reference architecture, all network traffic is forced through the classic firewall or gateway appliance for inspection before it reaches the downstream workloads in IBM Cloud.

Architecture diagram

This architecture describes connectivity from on-premises data centers into IBM Cloud classic infrastructure, with workloads in classic, Power Virtual Server, and Virtual Private Cloud (VPC). The diagram includes examples that show where workload compute instances, proxy servers, and jump servers are located. The numbers in the diagram correspond to the key components listed below.

Figure: Classic edge gateway solution architecture

  1. Client network connectivity from on-premises using redundant Direct Links.
  2. The gateway provides routing and security functions.
  3. An optional network path is provided by a site-to-site VPN terminated on the classic gateway appliance.
  4. Power Virtual Server workspace with Power Edge Router (PER), subnets, and resources.
  5. The GREa tunnel allows BYOIP to be advertised between classic and on-premises.
  6. The GREb tunnel allows BYOIP to be advertised between classic and the PowerVS and VPC environments.
  7. The GREc tunnel allows BYOIP to be advertised between classic environments in separate regions.
  8. Virtual Bastion host for remote administrative access.
  9. DNS services.
  10. A proxy server is used as an intermediary between on-premises and cloud services.
  11. Cloud Internet Services (CIS) is used to enhance the security, performance, and reliability of internet-facing applications and websites.
  12. A compute instance in a Virtual Private Cloud.
  13. A virtual private endpoint for VPC.
  14. An application load balancer.
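Items 5 through 7 describe BYOIP prefixes being advertised between on-premises, classic, Power Virtual Server, and VPC over three GRE tunnels. Because classic acts as transit between the spokes, a prefix originated in one environment ends up in the routing table of every other, so overlapping prefixes from different origins become an ambiguous longest-match route. The following check is an added example, not code from the IBM Cloud page or an IBM tool: it walks a tunnel topology modelled on the diagram, computes which prefixes each environment would learn, and reports overlaps and any prefix outside the address space the enterprise owns. The environment names, prefixes, and owned supernet are constructed sample data.

```python
# Added example (not from the IBM Cloud page): check a BYOIP address plan
# before it is advertised over the GRE tunnels in the diagram. Environment
# names, prefixes and the owned supernet are constructed sample data.
import ipaddress
from collections import defaultdict

# Hypothetical plan: which environment originates which BYOIP prefixes.
SAMPLE_PLAN = {
    "on-prem":    ["10.10.0.0/16"],
    "classic-r1": ["10.20.0.0/16"],
    "powervs":    ["10.30.0.0/16"],
    "vpc":        ["10.30.128.0/17"],                  # inside the PowerVS range: ambiguous
    "classic-r2": ["10.40.0.0/16", "192.168.0.0/24"],  # second prefix is outside owned space
}

# Tunnel topology following the numbered diagram: GREa on-prem <-> classic,
# GREb classic <-> PowerVS and VPC, GREc classic <-> classic (second region).
SAMPLE_TUNNELS = [
    ("GREa", "on-prem", "classic-r1"),
    ("GREb", "classic-r1", "powervs"),
    ("GREb", "classic-r1", "vpc"),
    ("GREc", "classic-r1", "classic-r2"),
]

OWNED_SUPERNETS = ["10.0.0.0/8"]  # hypothetical: address space the enterprise owns


def route_view(plan, tunnels):
    """Return {env: {(prefix, origin_env)}}: the prefixes an environment has in
    its table, its own plus every prefix reachable through a chain of tunnels
    (classic acts as transit between the spokes)."""
    adj = defaultdict(set)
    for _name, a, b in tunnels:
        adj[a].add(b)
        adj[b].add(a)
    view = {}
    for env in plan:
        seen, stack = {env}, [env]
        while stack:
            for nxt in adj[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        view[env] = {(p, origin) for origin in seen for p in plan[origin]}
    return view


def ambiguous_routes(plan, tunnels):
    """Pairs of overlapping prefixes from different origins that sit in the
    same environment's table; the longest match would silently win."""
    findings = set()
    for env, routes in route_view(plan, tunnels).items():
        routes = sorted(routes)
        for i, (p1, o1) in enumerate(routes):
            for p2, o2 in routes[i + 1:]:
                n1, n2 = ipaddress.ip_network(p1), ipaddress.ip_network(p2)
                if o1 != o2 and n1.overlaps(n2):
                    findings.add((env, p1, o1, p2, o2))
    return sorted(findings)


def unowned_prefixes(plan, owned):
    """Prefixes that are not inside any supernet the enterprise owns."""
    owned_nets = [ipaddress.ip_network(o) for o in owned]
    return sorted((env, p) for env, prefixes in plan.items() for p in prefixes
                  if not any(ipaddress.ip_network(p).subnet_of(o) for o in owned_nets))


if __name__ == "__main__":
    for f in ambiguous_routes(SAMPLE_PLAN, SAMPLE_TUNNELS):
        print("ambiguous:", f)
    for f in unowned_prefixes(SAMPLE_PLAN, OWNED_SUPERNETS):
        print("not owned:", f)
```

Run it as part of the change process before a prefix is added to any GRE advertisement; an empty result from both functions is the precondition for the change. The topology is a list rather than a dict so that GREb can appear twice (one leg to PowerVS, one to VPC), which is how the diagram draws it.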

Design scope

Following the Architecture Design Framework, the classic edge gateway network pattern covers design considerations and architecture decisions for the following aspects and domains:

  • Compute: Virtual Servers
  • Networking: Enterprise Connectivity, BYOIP/Edge Gateways, Network Segmentation, Cloud Native Connectivity, Load Balancing, and DNS
  • Security: Identity and Access Management (IAM)
  • Resiliency: High Availability, Disaster Recovery
  • Service management: Monitoring, Logging, Auditing, Alerting, Event Management

Figure: Classic edge gateway design scope (detailed network and component architecture)

The Architecture Framework provides a consistent approach to design cloud solutions by addressing requirements across a set of "aspects" and "domains", which are technology-agnostic architectural areas that need to be considered for any enterprise solution. For more information, see Introduction to the Architecture Design Framework.

Requirements

The following aspects represent a baseline set of requirements that are applicable to most clients and critical to a successful classic edge gateway network deployment.

Classic edge gateway requirements

Compute
  • Secure remote administrative support of all devices within the IBM Cloud environment.

Network
  • Private enterprise connectivity from customer data centers to IBM Cloud for access to applications, data, and services.
  • Private administrative and management connectivity.
  • Network isolation, with the ability to separate applications based on attributes such as data classification, public versus private traffic flows, and internal application function.
  • The ability to use Bring Your Own IP (BYOIP).

Security
  • Firewalls must be restrictively configured: deny all traffic, both inbound and outbound, except flows that are required, documented, and approved; optionally provide advanced features such as Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) services.
  • Distributed Denial of Service (DDoS) protection and Web Application Firewall (WAF) capabilities.
  • Secure access for administration and management of the environment.

Resiliency
  • Multi-region capability to support a disaster recovery strategy that allows all production applications to be covered by cloud infrastructure disaster recovery.

Service management
  • Health and system monitoring, with the ability to monitor and correlate performance metrics and events and to alert across applications and infrastructure.
  • The ability to diagnose issues and exceptions and identify the source of errors.
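The security requirement above is deny-by-default with an exception list that is documented and approved. On a gateway appliance that evaluates rules in order, the failure modes are predictable: an allow rule wider than what was approved, an any/any allow, rules left unreachable behind it, and a missing final deny. The following audit is an added example, not code from the IBM Cloud page or from any firewall vendor: it compares an ordered policy against a register of approved flows using a hypothetical vendor-neutral dict format (src, dst, proto, dport) that you would populate from your appliance's export. All rules and flow records are constructed sample data.

```python
# Added example (not from the IBM Cloud page): audit an ordered gateway
# firewall policy against a register of approved flows. Rule and flow records
# use a hypothetical vendor-neutral dict format; all data is constructed.
import ipaddress

ANY_NET = "0.0.0.0/0"

# Constructed register of required, documented and approved flows.
APPROVED_FLOWS = [
    {"id": "CHG-1001", "src": "10.10.0.0/16", "dst": "10.20.10.0/24", "proto": "tcp", "dport": 443},
    {"id": "CHG-1002", "src": "10.10.50.0/24", "dst": "10.20.0.10/32", "proto": "tcp", "dport": 22},
]

# Constructed candidate policy as it would be loaded onto the gateway; first match wins.
CANDIDATE_POLICY = [
    {"action": "allow", "src": "10.10.0.0/16", "dst": "10.20.10.0/24", "proto": "tcp", "dport": 443},
    {"action": "allow", "src": "10.10.0.0/16", "dst": "10.20.0.10/32", "proto": "tcp", "dport": 22},  # wider source than approved
    {"action": "allow", "src": ANY_NET, "dst": ANY_NET, "proto": "any", "dport": None},             # any/any allow
    {"action": "deny",  "src": ANY_NET, "dst": ANY_NET, "proto": "any", "dport": None},             # never reached
]


def _within(inner, outer):
    """True when the 5-tuple space of `inner` is entirely inside `outer`."""
    if not ipaddress.ip_network(inner["src"]).subnet_of(ipaddress.ip_network(outer["src"])):
        return False
    if not ipaddress.ip_network(inner["dst"]).subnet_of(ipaddress.ip_network(outer["dst"])):
        return False
    if outer["proto"] != "any" and inner["proto"] != outer["proto"]:
        return False
    if outer["dport"] is not None and inner["dport"] != outer["dport"]:
        return False
    return True


def is_any_any(rule):
    return (rule["src"] == ANY_NET and rule["dst"] == ANY_NET
            and rule["proto"] == "any" and rule["dport"] is None)


def audit(policy, flows):
    """Return (finding, rule index or flow id) tuples; an empty list means the
    policy implements exactly the approved register with a default deny."""
    findings = []
    any_allow_seen = False
    for i, rule in enumerate(policy):
        if any_allow_seen:
            findings.append(("SHADOWED", i))       # never evaluated after an any/any allow
        if rule["action"] != "allow":
            continue
        if is_any_any(rule):
            findings.append(("ANY_ANY", i))
            any_allow_seen = True
        if not any(_within(rule, f) for f in flows):
            findings.append(("UNAPPROVED", i))     # allows more than any approved flow
    last = policy[-1] if policy else None
    if last is None or last["action"] != "deny" or not is_any_any(last):
        findings.append(("NO_DEFAULT_DENY", len(policy) - 1))
    for f in flows:
        if not any(r["action"] == "allow" and _within(f, r) for r in policy):
            findings.append(("MISSING", f["id"]))  # approved but not implemented
    return findings


def policy_from_register(flows):
    """Generate the minimal policy: one allow per approved flow, then deny all."""
    rules = [{"action": "allow", "src": f["src"], "dst": f["dst"],
              "proto": f["proto"], "dport": f["dport"]} for f in flows]
    rules.append({"action": "deny", "src": ANY_NET, "dst": ANY_NET, "proto": "any", "dport": None})
    return rules


if __name__ == "__main__":
    for finding in audit(CANDIDATE_POLICY, APPROVED_FLOWS):
        print(finding)
    print("generated policy clean:", audit(policy_from_register(APPROVED_FLOWS), APPROVED_FLOWS) == [])
```

Both directions matter: the requirement says inbound and outbound, so run the audit once per traffic direction with the register filtered accordingly. The generator is there because regenerating the policy from the approved register, rather than hand-editing the appliance, is the simplest way to keep "documented and approved" and "what is loaded" identical.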

Components

Classic edge gateway solution components

Compute
  • Virtual Server on Classic (bastion host): deployed on a virtual server instance within classic and used for remote administrative support.
  • Virtual Server on Classic (proxy server): acts as an intermediary between the on-premises network and IBM Cloud services.

Networking
  • Virtual Private Network (VPN): provides a secured connection into IBM Cloud over the Internet; used for migrations, administrative access, and backup connectivity.
  • Gateway Appliance in Classic: provides router, firewall, and VPN gateway functions for secure and reliable connectivity to cloud resources.
  • Generic Routing Encapsulation (GRE) tunnels: carry Bring Your Own IP (BYOIP) traffic between on-premises, classic infrastructure, Power Virtual Server, and VPC.
  • Direct Link (Direct Link Connect): connects on-premises networks to IBM Cloud using physical telco connections or virtual exchange services.
  • Load balancers (application load balancer): application load balancing for web servers, app servers, and database servers.
  • Private service endpoints: connect directly to cloud services without using the public network.
  • Cloud Internet Services (CIS): public load balancing of web server traffic across regions.
  • DNS services: the Domain Name System (DNS) associates human-friendly domain names with IP addresses.

Security
  • Identity and Access Management: IBM Cloud Identity and Access Management (IAM).
  • Cloud Internet Services (CIS): DDoS protection and Web Application Firewall (WAF) for public connectivity.
  • Gateway Appliance in Classic: advanced firewall capabilities such as Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) services.
  • Bastion host: deployed on a virtual server instance within classic and used for remote administrative support.

Resiliency
  • Multi-region deployment: allows disaster recovery in a secondary region.
  • Multiple Direct Link connections: provide network resiliency for failover and recovery.

Service management
  • Health dashboard: application and operational monitoring.
  • IBM Cloud Monitoring: operational visibility into the performance and health of your applications, services, and platforms.
  • IBM Cloud Log Analysis: manages operating system logs, application logs, and platform logs in IBM Cloud.
  • IBM Cloud Activity Tracker: captures and monitors activities in your IBM Cloud account.
  • IBM Cloud Logs: logging service with capabilities for querying, tailing, and visualizing logs.