Creating a cross-account endpoint gateway

You can create an endpoint gateway for a supported IBM Cloud® or third-party service or application that you want to access on your private VPC network. You can use the console, CLI, API, or Terraform.

Before you begin

Before creating an endpoint gateway, ensure that you review Planning for virtual private endpoint gateways and have met the following prerequisites:

Make sure that your target service supports cross-account VPEs. Check the service's documentation for details.
A VPC
A subnet in at least one availability zone if you intend on binding an IP address at the same time you provision the endpoint gateway
An instance of the service
Appropriate IAM permissions to create an endpoint gateway, create or bind a reserved IP, and view or list the target service.
Make sure that you have the necessary IAM permissions and Context-Based Restriction (CBR) policies to authorize access.
You must obtain the Cloud Resource Name (CRN) of the target service instance.
To authorize a VPE in your accessor account to use the target service instance that resides in a different IBM Cloud account, you must create a service-to-service authorization policy as described in the next section.

Creating service authorization for cross-account VPE in the console

Before you create a cross-account VPE, you must create a service-to-service authorization policy as follows:

In the IBM Cloud console, click Manage > Access (IAM), then select Authorizations.
Click Create.
Select a Source account:
- If you're setting up authorization in your account, select This account.
- If you're setting up authorization in the enterprise account, select Other account.
For the source Service, select VPC Infrastructure Services.
For source Resources, select Specific resources. Then, select Resource type as the attribute and Virtual Private Endpoint for VPC as the value.
For the target Service, select the service that hosts the target resource.
For target Resources, select All instances.
For target Roles, select the Viewer role to grant the VPE service read access to the target resource. Then, click Review.
Click Authorize.

Creating service authorization for cross-account VPE from the CLI

Before you create a cross-account VPE, you must create a service-to-service authorization policy as follows:

ibmcloud iam authorization-policy-create is endpoint-gateway TARGET_SERVICE_NAME TARGET_RESOURCE_TYPE \
  --source-account ACCESSOR_ACCOUNT_ID \
  --target-account TARGET_ACCOUNT_ID \
  --roles Viewer

Where:

endpoint-gateway: Identifies the VPE gateway resource type that will access the target service.
TARGET_SERVICE_NAME: The name of the IBM Cloud service that owns the target resource, such as cloud-object-storage.
TARGET_RESOURCE_TYPE: The type of resource within the target service. Common values include service-instance.
--source-account ACCESSOR_ACCOUNT_ID: The account ID that will create and own the VPE connection (the accessor account).
--target-account TARGET_ACCOUNT_ID: The account ID that owns the target resource (the target account).

The following example allows VPE (is.endpoint-gateway) in account 1234567890 to read Cloud Object Storage resources in account 0987654321:

  ibmcloud iam authorization-policy-create \
  is endpoint-gateway \
  cloud-object-storage service-instance \
  --source-account 1234567890 \
  --target-account 0987654321 \
  --roles Viewer

This policy allows VPEs created in the accessor account to target service instances in the specified target account by CRN.

Creating service authorization for cross-account VPE with the API

To allow VPEs in one account to access service instances in another account, you must create a service-to-service (S2S) IAM authorization policy using the IBM Cloud IAM API.

Set up your API environment with the required variables, including your IAM token:

export iam_token=<your_IAM_token>
export iam_api_endpoint="https://iam.cloud.ibm.com/v1"

Store any additional variables for the target and accessor accounts:
- AccessorAccountId - IBM Cloud account ID where the VPE will be created.
- TargetAccountId - IBM Cloud account ID that owns the service instance.
- TargetServiceName - Name of the target service (for example, cloud-object-storage).
- TargetResourceType - Resource type of the service instance (for example, service-instance).
```
export AccessorAccountId=1234567890
export TargetAccountId=0987654321
export TargetServiceName=cloud-object-storage
export TargetResourceType=service-instance
```

Create the authorization policy:

curl -X POST "$iam_api_endpoint/authorization-policies" \
  -H "Authorization: Bearer $iam_token" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "authorization",
    "subjects": [
      {
        "attributes": [
          { "name": "accountId", "value": "'$AccessorAccountId'" },
          { "name": "serviceName", "value": "is" },
          { "name": "resourceType", "value": "endpoint-gateway" }
        ]
      }
    ],
    "roles": [
      { "role_id": "crn:v1:bluemix:public:iam::::role:Viewer" }
    ],
    "resources": [
      {
        "attributes": [
          { "name": "accountId", "operator": "stringEquals", "value": "'$TargetAccountId'" },
          { "name": "serviceName", "operator": "stringEquals", "value": "'$TargetServiceName'" },
          { "name": "resource", "operator": "stringEquals", "value": "'$TargetResourceType'" }
        ]
      }
    ]
  }'

This API call creates a policy that allows the VPE service in the accessor account to read the target service instance in the target account, which is required before creating a cross-account VPE.

Creating service authorization for cross-account VPE with Terraform

The following Terraform configuration demonstrates how to create a service-to-service (S2S) IAM authorization policy that allows VPEs in one IBM Cloud account to access service instances in another account.

This policy must be created before creating the cross-account VPE. The Viewer role grants the VPE service read access to the target resource metadata, enabling secure connectivity between accounts.

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

# Create a cross-account IAM authorization policy
resource "ibm_iam_authorization_policy" "cross_account_vpe" {
  # The source is the VPE service in the accessor account
  source_service_name  = "is"
  source_resource_type = "endpoint-gateway"
  source_account       = var.accessor_account_id

  # The target is the service instance in another account
  target_service_name  = "cloud-object-storage"
  target_resource_type = "service-instance"
  target_account       = var.target_account_id

  # The Viewer role allows the VPE service to read target resource metadata
  roles = ["Viewer"]
}

# Optional: Output the policy ID
output "authorization_policy_id" {
  value = ibm_iam_authorization_policy.cross_account_vpe.id
}

For more information, see the Terraform registry.

Creating an endpoint gateway in the console

To create an endpoint gateway in the IBM Cloud console, follow these steps:

From the IBM Cloud console, select the Navigation menu , then click Infrastructure > Network > Virtual private endpoint gateways. The Virtual private endpoint gateways for VPC page appears.
Click Create to go to the provisioning page.
In the Details section, enter values for the following fields:
- Name - Type a unique name for your endpoint gateway.
- Resource group - Select a resource group for the endpoint gateway. You can use the default group for this endpoint gateway, or choose from the list. For more information, see Best practices for organizing resources in a resource group.
- Tags - Optionally, add tags to organize, track usage costs, or manage access to your resources.
- Access management tags - You can also optionally add access management tags to resources to help organize access control relationships. The only supported format for access management tags is key:value. For more information, see Controlling access to resources by using tags.
- Virtual private cloud - Select the VPC where you need the VPE IP address. Based on the region of the VPC you selected, the system provides you with a list of IBM services that you can access to associate with the endpoint gateway. If the target service is not offered in the region of the VPC you selected, you can change the region to select the service in another region.
If the intended service or service instance does not appear, revalidate your IAM permissions. You can also choose to allocate a reserved IP address to bind to the gateway, or specify a VPC subnet to allocate a reserved IP address for binding to the gateway.
In the Security groups section, select the checkboxes of the security groups that you want to attach from the security group table. You can then manage these security groups and tighten their security rules for inbound traffic toward your endpoint gateways.

When you create an endpoint gateway without specifying a security group, the VPC default security group is attached to the endpoint gateway. For more information, see Configuring ACLs and security groups for use with endpoint gateways.

Endpoint gateways created prior to the support for security groups do not have an attached security group. They also allow all inbound traffic. If you attach a security group to a VPE that does not have any attached security groups, you cannot revert that VPE back to a state where is has no security groups. You can revert to the previous "allow all inbound traffic" behavior by attaching a security group with rules for allowing all inbound traffic. However, this rule is inherently less secure than having a more restrictive security group in place and is not recommended.
In the Request connection to a service section, select either an IBM Cloud or non-IBM Cloud service to access using this endpoint gateway.
- For IBM Cloud services, select an available IBM Cloud service offering from the menu, then select its region. A region is pre-selected to optimize performance.
- For non-IBM Cloud services, enter the cloud resource name (CRN) of the Private Path service (obtained from your service provider).
  
  Your connection request is sent to the service provider for review.
  
  The review might be automated based on the provider's chosen account policy, or it could take days if the provider has chosen to manually review their requests. If your request is permitted, you will receive notification and can then access the service. If your request is denied, contact the service provider.
In the Share DNS section, select one of the following DNS resolution binding modes:
- Primary allows the VPE gateway's service endpoints in the DNS-shared VPC to be shared with the DNS hub VPC for name resolution.
- Disabled does not allow the VPE gateway's service endpoints to be shared for name resolution.
When the VPC is a DNS hub, DNS sharing is always set to Primary and the mode can't be changed.
In the Reserved IP section, select reserved IP addresses. You can choose:
- Select one for me - Enter a name prefix for the IP addresses, or one is chosen for you. Select one or more subnets (one subnet per zone is recommended) and enable the Auto-release toggle if you want this reserved IP to be deleted automatically if the endpoint gateway is deleted.
- Select from existing IPs - Choose from the list of existing IP addresses. If no IPs exist, click Reserve IP to reserve one.
  
  Only one reserved IP can be bound to a VPE gateway per AZ in a VPC. Ensure that no other bindings exist in the same AZ across all subnets within the VPC.
- Select one later - Select IP addresses at some point after creating the endpoint gateway.
Review the Order summary, then click Create virtual private endpoint gateway. The endpoint gateway is requested for use.

Creating an endpoint gateway from the CLI

Before you begin, set up your CLI environment.

To create an endpoint gateway from the CLI, follow these steps:

List the IBM Cloud service instances that are qualified to be set as endpoint gateway targets:
```
ibmcloud is endpoint-gateway-targets
```
Create an endpoint gateway by running the following command:<
```
ibmcloud is endpoint-gateway-create --target TARGET [--target-type private_path_service_gateway | provider_cloud_service | provider_infrastructure_service] [--vpc VPC] [--name NAME] [--rip RIP --subnet SUBNET | (--new-reserved-ip NEW_RESERVED_IP1 --new-reserved-ip NEW_RESERVED_IP2 ...)] [--allow-dns-resolution-binding false | true] [--sg SG] [--resource-group-id RESOURCE_GROUP_ID | --resource-group-name RESOURCE_GROUP_NAME] [--output JSON] [-q, --quiet]
```
Where:

--target-type:

Indicates the type of target for this endpoint gateway, and one of the following: private_path_service_gateway, provider_cloud_service, or provider_infrastructure_service.

--vpc:

Indicates ID or name of the VPC.

--target:

Indicates the name of the provider infrastructure service or the CRN for a provider cloud service instance. You can use the command ibmcloud is endpoint-gateway-targets to list the provider cloud and infrastructure services that are qualified to be set as the endpoint gateway target.

--name:

Indicates the new name of the endpoint gateway.

--rip:

Indicates the ID of the reserved IP to be bound to the endpoint gateway.

--subnet:

ID or name of the subnet. This name is required only if the supplied reserved IP is in name format.

--new-reserved-ip:

Indicates the new reserved IP configuration in JSON format or a JSON file, RESERVED_IP_JSON|@RESERVED_IP_JSON_FILE.

--sg:

Indicates the ID of the security group.

If you do not specify -sg, the VPC default security group is bound to the endpoint gateway.

--resource-group-id:

Indicates the ID of the resource group. This option is mutually exclusive with --resource-group-name.

--resource-group-name:

Indicates the name of the resource group. This option is mutually exclusive with --resource-group-id.

--output:

Indicates the output format. Only JSON is supported.

-q, --quiet:

Suppresses verbose output.

For more information and command examples, see the VPC CLI reference.

Creating an endpoint gateway with the API

To create an endpoint gateway with the API, follow these steps:

Set up your API environment.
Store the following values in variables to be used in the API command:
- ResourceGroupId - First, get your resource group and then populate the variable:
```
export ResourceGroupId=<your_resourcegroup_id>
```
- VpcId - Use the list vpc command (with the preceding variables) and then populate the variable based on the provided ID:
```
export VpcId=<your_VPC_id>
```
- TargetCrn - The name, or CRN, of the instance of the IBM Cloud service where you want to set the endpoint gateway.
You can use the command ibmcloud is endpoint-gateway-targets to list the IBM Cloud service instances that are qualified to be set as endpoint gateway targets.
```
export TargetCrn=<CRN of a target service>
```
- SubnetID (Optional) - The subnet ID.
```
export SubnetID=<your_subnet_id>
```
When all variables are initiated, do one of the following:
- Create an endpoint gateway for the specific VPC:
```
curl -X POST -sH "Authorization:${iam_token}" \
"$vpc_api_endpoint/v1/endpoint_gateways?version=$api_version&generation=2" \
-d {
"name": endpoint-gateway-1",
"vpc": {"id":"'$VpcId'"},
"target": {
"crn": "$TargetCrn",
"resource_type": "provider_cloud_service"
},
"security_groups": [
{"id": "'$sg'"}
]
}'
```
  When creating an endpoint gateway to connect to a Private Path service, make sure '"resource type" = "private_path_service_gateway"'.
  
  After you create an endpoint gateway for your service instance and assign a reserved IP address, you must bind the IP addresses from your VPC network to the endpoint gateway. See Binding and unbinding a reserved IP address for details. These bound IP addresses become the VPE to access the service mapped to the endpoint gateway.
- Create an endpoint gateway with an associated reserved IP address:
```
curl -X POST -sH "Authorization:${iam_token}" \
"$vpc_api_endpoint/v1/endpoint_gateways?version=$api_version&generation=2" \
-d {
"name": endpoint-gateway-1",
"vpc": {"id":"'$VpcId'"},
"target": {
"crn": "$TargetCrn",
"resource_type": "provider_cloud_service"
},
"security_groups": [
{"id": "'$sg'"}
],
"ips": [
{"subnet": { "id": "$SubnetId" } }
],
}'
```
  When creating an endpoint gateway to connect to a Private Path service, make sure that '"resource type" is set to private_path_service_gateway.

After an endpoint gateway is created for an IBM Cloud service, it presents the endpoints associated with it. You can edit the endpoint gateway in various ways, such as binding/unbinding IPs, changing the resource group, and updating tags. If you need to change the service endpoints for any reason, you must delete and recreate the endpoint gateway.

Creating an endpoint gateway with Terraform

You can use Terraform to create an endpoint gateway.

To use Terraform, download the Terraform CLI and configure the IBM Cloud Provider plug-in. For more information, see Getting started with Terraform.

The following example creates a VPE gateway:

resource "ibm_is_virtual_endpoint_gateway" "example" {

  name = "example-endpoint-gateway"
  target {
    name          = "ibm-ntp-server"
    resource_type = "provider_infrastructure_service"
  }
  vpc            = ibm_is_vpc.example.id
  resource_group = data.ibm_resource_group.example.id
  security_groups = [ibm_is_security_group.example.id]
}

resource "ibm_is_virtual_endpoint_gateway" "example1" {
  name = "example-endpoint-gateway-1"
  target {
    name          = "ibm-ntp-server"
    resource_type = "provider_infrastructure_service"
  }
  vpc = ibm_is_vpc.example.id
  ips {
    subnet = ibm_is_subnet.example.id
    name   = "example-reserved-ip"
  }
  resource_group = data.ibm_resource_group.example.id
  security_groups = [ibm_is_security_group.example.id]
}

resource "ibm_is_virtual_endpoint_gateway" "example3" {
  name = "example-endpoint-gateway-2"
  target {
    name          = "ibm-ntp-server"
    resource_type = "provider_infrastructure_service"
  }
  vpc = ibm_is_vpc.example.id
  ips {
    subnet = ibm_is_subnet.example.id
    name   = "example-reserved-ip"
  }
  resource_group = data.ibm_resource_group.example.id
  security_groups = [ibm_is_security_group.example.id]
}

resource "ibm_is_virtual_endpoint_gateway" "example4" {
  name = "example-endpoint-gateway-3"
  target {
    crn           = "crn:v1:bluemix:public:cloud-object-storage:global:::endpoint:s3.direct.mil01.cloud-object-storage.appdomain.cloud"
    resource_type = "provider_cloud_service"
  }
  vpc            = ibm_is_vpc.example.id
  resource_group = data.ibm_resource_group.example.id
  security_groups = [ibm_is_security_group.example.id]
}

After creating a VPE gateway

If you return to the Virtual private endpoint gateways for VPC page, your endpoint gateway shows in the table.

For IBM Cloud services, the status of your endpoint gateway changes from Updating to Stable. You can click the Actions menu to rename, reserve or bind an IP, unbind an IP, or delete an endpoint gateway.
For non-IBM Cloud (third party) services, your endpoint gateway status is Pending until the service provider either permits or denies your connect request. The status changes to Stable when connectivity is established. You can click Track or expand the table row of the endpoint gateway to view the progress of your request.
Optionally, there is a DNS resolution binding switch in the table row of the VPE gateway that allows you to enable or disable DNS sharing for this endpoint gateway. For more information, see About DNS sharing for VPE gateways.