IBM Cloud® Virtual Private Cloud (VPC) Infrastructure environment introduction
An Infrastructure-as-a-Service (IaaS) environment consists of many components - primarily compute, storage, and network from a specified region (such as the US) and a designated site location (also referred to as a zone), which is a data center site.
Deployment and management
IBM Cloud VPC Infrastructure offerings, such as virtual or bare metal servers, are deployed through the IBM Cloud VPC Infrastructure console.
Alternatively, deployments can be made and managed by using:
- IBM Cloud CLI
- IBM Cloud VPC Infrastructure API calls that use an IBM Cloud API key
- Terraform Provider for IBM Cloud by using an IBM Cloud API key
For more information, see Managing VPC Infrastructure (IAM).
Locations - availability zones
With availability zones across North and South America, Europe, Asia, and Australia, you can provision cloud resources where (and when) you need them. Many regions are available globally, with multiple availability zones in each region. Each availability zone is connected to the IBM Cloud global private network, making data transfers faster and more efficient anywhere in the world.
For more information about IBM Cloud availability zones, data centers, and Points of Presence (PoPs), see the global regions, availability zones, and data centers map.
Compute Resources
Two types of compute resource can be deployed in IBM Cloud VPC Infrastructure environment:
- Intel Virtual Server Instances (VSIs)
- Intel Bare Metal Servers
These compute resources are offered in different profiles that define CPU and RAM combinations.
For more information, see Infrastructure certified for SAP.
Networking
The IBM Cloud VPC infrastructure network, is robust, secure, and flexible; powered by the latest in networking hardware, with the best networking capabilities. It allows definable isolation and creation of a network within the cloud.
IBM Cloud VPC Infrastructure network |
---|
Global |
Resource Group |
Region |
VPC |
Availability zone (with address prefix) |
Subnet |
Every IBM Cloud® Virtual Private Cloud is created for a region, and spans multiple availability zones.
When you deploy a VPC in an availability zone, an address prefix is used for that specified zone.
Each VPC Zone (and the address prefix) contains one or more subnets. You can define each subnet manually by choosing the IP range and the subnet mask, or you can choose the number of IP addresses needed. A newly created compute resource is deployed into this subnet and can also be attached to further subnets.
Networking connectivity
IBM Cloud® Virtual Private Cloud network overview demonstrates the connectivity for the environment. Issues with network connectivity can cause delays for your project if you do not plan properly, regardless of how you plan to use your system.
In general, IBM Cloud VPC has a highly available, high-bandwidth network that is connected to every compute resource, be it bare metal servers or physical servers, which, in the VSI case, serve a hypervisor. Each physical server (host), which serves a hypervisor, divides the network into virtual network interfaces (vNICs) that are attached to the virtual server.
Depending on the profile of your virtual server, the total available network bandwidth to the virtual server is in the range of 4 Gbps to 64 Gbps. It's important to consider that each vNIC has a maximum throughput of 16 Gbps, so to achieve maximum throughput, up to 4 additional vNICs must be attached to the virtual server (that is, a virtual server might have a maximum of 5 vNICs attached).
If you need to connect to your virtual or bare metal server through the public internet (also known as inbound to a server), you can order a Floating IP and attach to the server's vNIC, in other words: you can attach one Floating IP per server.
If you want to connect to the public internet from your server (also known as outbound from a server), you need to attach a Public Gateway to the VPC. This gateway provides access to the internet for an entire subnet.
The following inter-connectivity options are available:
- VPC zone to zone,
- VPC to VPC,
- VPC to Classic Infrastructure,
- VPC to IBM Power Systems Infrastructure,
- VPC to on-premises data centers by using a VPC VPN Gateway
When a connection to the public internet is not acceptable because of security measures, you can deploy an IPsec Gateway into your VPC to connect to your server. For more information, see Connectivity to your SAP system landscape - VPC VPN Gateway. Or, you can have an even closer integration into your backbone infrastructure by an IBM Cloud Direct Link. For more information, see Connectivity to your SAP system landscape - IBM Cloud Direct Link.
Server resources that are in IBM Cloud Classic Infrastructure can be connected through Transit Gateways. These virtual devices are used to connect your private VLAN subnets in the Classic Infrastructure to your VPC subnets.
For more information, see About Networking for VPC and Setting up access to classic infrastructure.
Extra requirements exist in Classic Infrastructure networking to enable the Transit Gateway, be sure to review documentation before you change your Classic Infrastructure or VPC Infrastructure networking topology and configuration.
It is advised that your networking department contact IBM Cloud Support after determining the layout of your landscape and the connectivity that is required on the SAP application layer.
Networking protection
IBM Cloud® offers further protection mechanisms that can provide your Virtual Servers for VPC with a layer of security that you can configure and adapt anytime. Two key principles are:
- Network Access Control Lists (ACL): Available for use by all subnets in all zones. ACLs attach to a subnet and provide subnet-level protection by limiting a subnet's inbound and outbound traffic.
- Security Groups: Available for use by all subnets on all zones that are attached to a vNIC of any server that provides instance-level protection by acting as a firewall to restrict a vNIC inbound and outbound traffic.
For more information, see Security in your VPC.
Subnets to separate traffic
If you want to separate different network traffic types in your landscape, either because of security restrictions or because of throughput considerations, you can configure and attach multiple subnets to your VPC and make them available to your compute resources, too.
Network Access Control List
Network Access Control Lists (ACLs) are used to manage allow
and deny
rules on a subnet level. ACLs are used to manage network traffic between subnets, too. The default ACL for a subnet opens the subnet for all
traffic. If you wanted more strict security measures, you would need to add rules to the ACL. When you add rules, keep in mind that required services like DNS or OS patch and packages downloads might be affected by those rules. For more
information, see Security in your VPC.
Security Groups
A Security Group is a set of allow-only firewall rules. You can apply these rules to one or more bare metal servers or VSIs. You can also create a default Security Group with Secure Shell (SSH) and ICMP (ping) during VPC creation, which allows ICMP and SSH from any IP address. These rules need to restrict the IPs or IP ranges from which you are planning to access the VPC.
Storage
Block storage is provided with your virtual servers and uses input/output operations per second (IOPS) to determine storage needs. It is ideal for storage-intensive applications with high I/O needs, such as an OS, and database and application software. This option is the perfect companion for SAP HANA workloads.
All Block storage is selected based on capacity (GB) and performance (IOPS) measurements and is required to meet a specific SAP Workload.
IOPS values are measured based on 16 KB block size with a 50-50 read/write mix. To achieve a maximum I/O throughput, it's advisable to look at the tier and custom profiles available for storage and find the optimal combination of size and IOPS.
Storage volumes differ in performance, depending on their IOPS tier. You can select among 3, 5, and 10 IOPS/GB (see Tiered IOPS profiles). You can also select a custom size (in GB and IOPS) that is based on the size of the storage.
If you need more than the initially provisioned storage in your server, you can attach extra volumes to a it later. Contact IBM Cloud Support for extension options if the attached storage is insufficient for your workload.