About public address ranges

Public Address Ranges for VPC is only available for evaluation and testing purposes for users with special access.

A public address range is a contiguous set of public IPs that you can reserve and bind to a VPC in an availability zone.

The IPs in the range can be routed to a Virtual Network Function (VNF) appliance in the VPC by configuring public ingress routing to route the destination IP range to a VNF appliance next-hop. Response traffic from the VNF appliance retains the source IP as it egresses, ensuring traffic isn't dropped.

For more information about configuring ingress routing, see About routing tables and routes.

Key capabilities and benefits

The following key benefits highlight how the Public Address Ranges for VPC service supports scalable, secure, and highly available networks.

Contiguous IP Range: A public address range provides a continuous set of IBM-provided public IPs for scalable and manageable routing and security policies.
Resource Management: Public address ranges can simplify access control and security while enabling a single public ingress route to inspect traffic from multiple endpoints and secure enterprise applications on the VPC.
Scalability: When you need more public IPs, you can reserve a larger prefix without needing to manually manage individual addresses.
High Availability: In regions with availability zones, you can create zone-redundant public IP ranges to distribute IP addresses for high availability. These public address ranges are regional and can be moved between VPCs in the same or different availability zones.

Planning considerations

Review the following considerations before creating a public address range:

Make sure that you have the appropriate IAM permissions.
Review public address range limitations.
You can bind multiple public address ranges to a VPC.
You can't divide public address ranges into subranges and bind it to multiple VPCs or zones.
You can't change the size of the address range after it is reserved. Make sure to reserve a public address range size large enough to meet your needs.

IPs in different public address ranges aren't guaranteed to be contiguous.
You can limit the use of a public address range to specific resources within the VPC by configuring network ACLs, security groups, or a combination of both.
When a public address range is bound to a zone in a VPC, traffic originating from any virtual server or bare metal server in that zone in the VPC, and using a source IP from the public address range, can communicate with the public and private destinations. To limit this, you can:
- Configure security groups to limit which resources can send or receive traffic with IP addresses from the public address range.
- Configure network ACLs to allow or deny traffic at the subnet level.
- Configure VPC egress routes to explicitly direct outbound traffic and avoid unintended paths.
When setting up these network traffic controls, keep in mind that some users might lack the necessary IAM permissions to secure resources properly.
You can reserve a public address range with the following prefix sizes. For more information, review public address range quotas and service limits.
- /28 = 16 addresses
- /29 = 8 addresses
- /30 = 4 addresses
- /31 = 2 addresses
- /32 = 1 address
If there is an overlap between a public address range and the private address prefix in a VPC, the private address prefix takes precedence.

Getting started with public address ranges

To get started with using public address ranges, follow these steps:

Ensure that you have created a VPC and all the needed resources (if not already present).
Create your public address range.
Bind, unbind,and move public address ranges after creating a public address range.
Configure an ingress routing table for your VPC by adding routes that direct traffic to the next-hop IP of the target appliance, using the public IP address range as the destination. These routes direct public internet traffic to a next-hop within the VPC, such as a Network Functions Virtualization (NFV) instance, router, firewall, or load balancer.

The next-hop IP must be an IP address that is bound to a network interface on a subnet in the route's zone for ingress routing.

IAM roles and actions

IBM Cloud Identity and Access Management (IAM) controls access to public address ranges for users in your account. Every user that accesses this service in your account must be assigned an access policy with an IAM role. Review the following available platform and service roles and the actions mapped to each to help you assign access.

If you're using the CLI or API to assign access, use is.public-address-range for the service name.

Platform roles - Public Address Ranges for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role	Description
Administrator	As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor	As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator	As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer	As a viewer, you can view service instances, but you can't modify them.

Service actions - Public Address Ranges for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action	Description	Roles
`is.public-address-range.public-address-range.read`	Read a public address range	Administrator, Editor, Operator, Viewer
`is.public-address-range.public-address-range.list`	List a public address range	Administrator, Editor, Operator, Viewer
`is.public-address-range.public-address-range.create`	Create a public address range	Administrator, Editor
`is.public-address-range.public-address-range.update`	Modify a public address range	Administrator, Editor
`is.public-address-range.public-address-range.operate` and `is.public-address-range.public-address-range.update`	Bind, unbind, or move a public address range	Administrator, Editor
`is.public-address-range.public-address-range.delete`	Delete a public address range	Administrator, Editor

Common use cases

Public address ranges help customers simplify the integration of network and security appliances into their network topology to run their workloads on a VPC. This provides more control over routing, security, and traffic management, enabling solutions that enhance network performance and security.

Securing your workloads in VPC

To manage access to sensitive data effectively, firewalls automatically detect and handle threats using policy-based routing for enhanced security. You can define public address ranges to expose specific services or applications, enabling controlled ingress into the VPC. Define routing rules for public endpoints to redirect ingress traffic to third-party appliances before it reaches the final destination. This approach simplifies the deployment of production-grade applications with the networking and security services required in a VPC.

Deploying highly-available and resilient workloads in VPC

To ensure workload resilience, you can use public address ranges to maintain consistent access to services during zonal failures. In the event of a zonal failure, internet traffic is rerouted to a virtual network function (VNF) appliance deployed in another zone for monitoring and inspection, maintaining high availability within the VPC.