Interconnecting your VPC using IBM Cloud offerings
Given that VPCs are regional constructs, the following questions quickly arise:
- How can I interconnect my VPCs with my on-premises network?
- How can I interconnect my VPCs?
Interconnecting with on-premises networks
IBM has the following offerings that can help you interconnect a VPC with an on-premises network.
- IBM Cloud Direct Link: You can interconnect a VPC with an on-prem network through both the Direct Link Dedicated and Direct Link Connect offerings. Keep in mind that you can connect direct links to either a local or remote IBM Cloud Transit Gateway, which allows the on-prem network to access all networks connected to the transit gateway.
  - IBM Cloud Direct Link Dedicated provides low-latency, high-throughput connections between IBM Cloud VPC networks direct to a service provider-managed WAN, or a client-managed cloud backbone. You can optimize egress traffic from your VPC network and reduce your egress costs. If you can't connect at an IBM Cloud data center, or don't need more than 5 Gbps of bandwidth on a Virtual Network Connection, you can use IBM Cloud Direct Link Connect to connect to IBM Cloud through a supported service provider.
    With IBM Cloud Direct Link Global Routing capabilities, you can connect to all IBM Cloud regions worldwide from a single IBM Cloud Direct Link connection. You can also take advantage of IBM Cloud Direct Link service provider partners to establish more secure hybrid connections for your workloads across the globe, as well as easily provision multiple connections as your capacity requirements increase.
  - IBM Cloud Direct Link Connect provides connectivity between your on-premises and IBM Cloud VPC networks through a supported service provider. A service provider connection is useful if your data center is in a physical location that can't reach a dedicated colocation facility, or if your data needs don't warrant a 5 Gbps+ connection. Connect service providers are often used to facilitate multicloud connectivity (public clouds from multiple vendors) through their network. Connect service providers offer layer 2 connectivity, layer 3 connectivity, or both. Work with your service provider to understand their offerings and requirements.
- VPN for VPC can securely connect your virtual private cloud to another private network. You can use VPN to set up an IPsec site-to-site tunnel between your VPC and your on-premises private network or another VPC. See Connecting to your on-premises network using a VPN gateway for details.
Interconnecting VPCs
IBM Cloud Transit Gateway provisions and defines connections between resources on the IBM Cloud network, providing private interconnectivity between IBM Cloud data centers worldwide. IBM Cloud Transit Gateway provides a central hub for connectivity, making it easier to provision and manage your networks. With IBM Cloud Transit Gateway, you can create a single transit gateway or multiple transit gateways to connect IBM Cloud VPCs. You can also connect your IBM Cloud classic infrastructure to a transit gateway to provide seamless communication with classic infrastructure resources. Any new resource that you connect to a transit gateway is automatically made available to every other resource connected to it. All data remains within the private IBM Cloud backbone and is optimized for performance.
Routes known to VPC A:

IP | Origin |
---|---|
10.100.0.0/24 | from VPC A subnet |
13.100.0.0/24 | from VPC A subnet |
10.101.0.0/24 | from VPC B through Transit Gateway (local) |
13.101.0.0/24 | from VPC B through Transit Gateway (local) |
10.111.0.0/24 | from VPC Z through Transit Gateway (global) |
13.111.0.0/24 | from VPC Z through Transit Gateway (global) |

Routes known to VPC B:

IP | Origin |
---|---|
10.101.0.0/24 | from VPC B subnet |
13.101.0.0/24 | from VPC B subnet |
10.100.0.0/24 | from VPC A through Transit Gateway (local) |
13.100.0.0/24 | from VPC A through Transit Gateway (local) |

Routes known to VPC Z:

IP | Origin |
---|---|
10.111.0.0/24 | from VPC Z subnet |
13.111.0.0/24 | from VPC Z subnet |
10.100.0.0/24 | from VPC A through Transit Gateway (global) |
13.100.0.0/24 | from VPC A through Transit Gateway (global) |
Benefits of using these IBM Cloud options
Benefits of these interconnectivity offerings include:
- Traffic between your on-premises network and your VPC network doesn't traverse the public internet. It traverses a dedicated connection, or a service provider's network that itself has a dedicated connection to IBM Cloud.
- By bypassing the public internet, your traffic takes fewer hops, so there are fewer points of failure where your traffic might get dropped or disrupted.
- Move data to and from your on-premises data centers into the IBM Cloud with uninterrupted, consistent network performance while protecting sensitive, business-critical data.
- Save on data transfer rates to and from servers in every IBM Cloud data center across our private network, avoiding bandwidth fees.
Routing considerations for IANA-registered IP assignments
IBM Cloud VPC supports the use of RFC-1918 and Regional Internet Registry (RIR) assigned addresses privately as VPC subnets. The following use cases require additional route configurations to designate the Internet Assigned Numbers Authority (IANA) assigned ranges for use in a VPC when a floating IP or a public gateway is attached to a resource within the VPC.
- Use case 1: VPC is connected to your Enterprise with IBM Cloud Direct Link and requires communication with IANA-assigned networks on that Enterprise.
- Use case 2: VPC is connected to another VPC through IBM Cloud Transit Gateway and requires communication to IANA-assigned networks in the connected VPCs.
- Use case 3: VPC is connected to a classic infrastructure network by using BCR peering to announce IANA-assigned ranges to the classic network.
In these scenarios, each subnet in the VPC must have a routing table attached with routes designating the IANA-assigned ranges as targets for private routing. Otherwise, all traffic to these publicly routable ranges is forwarded toward the public backbone through the floating IP or public gateway, and not toward the intended private network destination. This applies to VPC subnets using both RFC-1918 and IANA-assigned prefixes. As with all custom route additions, the routing table must include a route for each Availability Zone (AZ) requiring connectivity.
Options include:
- If the VPC default (egress) routing table is attached to all VPC subnets, create a route for each IANA prefix or aggregate per zone in the VPC default table with the `Delegate-VPC` action. This defers to the VPC system routing table for forwarding action.
- If you use custom routing tables, create a route for each IANA prefix or aggregate per zone in each custom routing table with the `Delegate-VPC` action.

Using IANA ranges works only with custom routes having the `Delegate-VPC` action, not `Delegate`. Both custom route actions, `Delegate-VPC` and `Delegate`, defer to the VPC system routing table. The only difference is that `Delegate` uses any floating IP or public gateway when forwarding traffic to IANA destinations; `Delegate-VPC` does not, and assumes that IANA destinations are in the VPC (not the internet).
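As an added illustration (not part of the IBM documentation and not the VPC data plane), the following Python models the rule just described: with a floating IP or public gateway attached, a packet to an IANA-assigned destination stays on the private path only if a `Delegate-VPC` route matches it in the packet's zone; `Delegate` or no route at all sends it to the public backbone. The prefixes, origins and zone names are the page's use case 1 values; the route dictionaries, function names and the simplified lookup order are assumptions made for the example.

```python
import ipaddress

# RFC-1918 space; anything outside it is treated as an IANA-assigned (publicly routable) range.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(dst):
    return any(dst in net for net in RFC1918)

def longest_match(dst, routes):
    """Most specific route whose 'dest' prefix contains dst, or None."""
    hits = [r for r in routes if dst in ipaddress.ip_network(r["dest"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["dest"]).prefixlen, default=None)

def forward(dst, zone, custom_routes, system_routes, public_egress):
    """Return where a packet from `zone` to `dst` leaves the VPC (simplified model, an assumption)."""
    # custom_routes: dicts dest/action/next_hop/zone; action is deliver, drop, delegate or delegate_vpc.
    # system_routes: dicts dest/origin (the "IP | Origin" view); public_egress: floating IP/PGW attached.
    dst = ipaddress.ip_address(dst)
    route = longest_match(dst, [r for r in custom_routes if r["zone"] == zone])
    action = route["action"] if route else None
    if action == "deliver":
        return "next-hop " + route["next_hop"]
    if action == "drop":
        return "dropped"
    # IANA destination with public egress: only Delegate-VPC keeps it private;
    # Delegate, or no matching custom route, hands it to the floating IP / public gateway.
    if public_egress and not is_rfc1918(dst) and action != "delegate_vpc":
        return "public backbone"
    hit = longest_match(dst, system_routes)
    return hit["origin"] if hit else "no route"

def delegate_vpc_routes(prefixes, zones):
    """One Delegate-VPC route per prefix per zone, since each AZ needs its own route."""
    return [{"dest": p, "action": "delegate_vpc", "next_hop": "", "zone": z} for z in zones for p in prefixes]

# Constructed sample: VPC A's system routes from use case 1 (Direct Link plus local Transit Gateway).
VPC_A_SYSTEM = [
    {"dest": "10.100.0.0/24", "origin": "VPC A subnet"},
    {"dest": "13.100.0.0/24", "origin": "VPC A subnet"},
    {"dest": "10.101.0.0/24", "origin": "VPC B through Transit Gateway (local)"},
    {"dest": "13.101.0.0/24", "origin": "VPC B through Transit Gateway (local)"},
    {"dest": "10.0.0.0/8", "origin": "Enterprise through Direct Link"},
    {"dest": "172.16.0.0/12", "origin": "Enterprise through Direct Link"},
    {"dest": "13.0.0.0/8", "origin": "Enterprise through Direct Link"},
]
ZONES = ["us-south-1", "us-south-2", "us-south-3"]
```

Running `forward("13.0.5.1", "us-south-2", delegate_vpc_routes(["13.0.0.0/8"], ["us-south-1"]), VPC_A_SYSTEM, True)` shows the per-zone requirement: the route exists only in us-south-1, so traffic from us-south-2 still leaks to the public backbone.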
Use case 1: VPC connected to an Enterprise with IBM Cloud Direct Link
Routes known to VPC A:

IP | Origin |
---|---|
10.100.0.0/24 | from VPC A subnet |
13.100.0.0/24 | from VPC A subnet |
10.101.0.0/24 | from VPC B through Transit Gateway (local) |
13.101.0.0/24 | from VPC B through Transit Gateway (local) |
10.0.0.0/8 | from an Enterprise through Direct Link |
172.16.0.0/12 | from an Enterprise through Direct Link |
13.0.0.0/8 | from an Enterprise through Direct Link |

Routes known to VPC B:

IP | Origin |
---|---|
10.101.0.0/24 | from VPC B subnet |
13.101.0.0/24 | from VPC B subnet |
10.100.0.0/24 | from VPC A through Transit Gateway (local) |
13.100.0.0/24 | from VPC A through Transit Gateway (local) |
10.0.0.0/8 | from an Enterprise through Direct Link |
172.16.0.0/12 | from an Enterprise through Direct Link |
13.0.0.0/8 | from an Enterprise through Direct Link |

Custom routing table for VPC A, with a `Delegate-VPC` route for the IANA range in each zone:

Destination | Action | Next Hop | Zone |
---|---|---|---|
13.0.0.0/8 | Delegate-VPC | | us-south-1 |
13.0.0.0/8 | Delegate-VPC | | us-south-2 |
13.0.0.0/8 | Delegate-VPC | | us-south-3 |

Custom routing table for VPC B:

Destination | Action | Next Hop | Zone |
---|---|---|---|
13.0.0.0/8 | Delegate-VPC | | us-south-1 |
13.0.0.0/8 | Delegate-VPC | | us-south-2 |
13.0.0.0/8 | Delegate-VPC | | us-south-3 |
Use case 2: VPC-to-VPC connected with IBM Cloud Transit Gateway
Routes known to VPC A:

IP | Origin |
---|---|
10.100.0.0/24 | from VPC A subnet |
13.100.0.0/24 | from VPC A subnet |
10.101.0.0/24 | from VPC B through Transit Gateway (local) |
13.101.0.0/24 | from VPC B through Transit Gateway (local) |
10.111.0.0/24 | from VPC Z through Transit Gateway (global) |
13.111.0.0/24 | from VPC Z through Transit Gateway (global) |

Routes known to VPC B:

IP | Origin |
---|---|
10.101.0.0/24 | from VPC B subnet |
13.101.0.0/24 | from VPC B subnet |
10.100.0.0/24 | from VPC A through Transit Gateway (local) |
13.100.0.0/24 | from VPC A through Transit Gateway (local) |

Routes known to VPC Z:

IP | Origin |
---|---|
10.111.0.0/24 | from VPC Z subnet |
13.111.0.0/24 | from VPC Z subnet |
10.100.0.0/24 | from VPC A through Transit Gateway (global) |
13.100.0.0/24 | from VPC A through Transit Gateway (global) |

Custom routing table for VPC A, with a `Delegate-VPC` route for the IANA range in each zone:

Destination | Action | Next Hop | Zone |
---|---|---|---|
13.0.0.0/8 | Delegate-VPC | | us-south-1 |
13.0.0.0/8 | Delegate-VPC | | us-south-2 |
13.0.0.0/8 | Delegate-VPC | | us-south-3 |

Custom routing table for VPC B:

Destination | Action | Next Hop | Zone |
---|---|---|---|
13.0.0.0/8 | Delegate-VPC | | us-south-1 |
13.0.0.0/8 | Delegate-VPC | | us-south-2 |
13.0.0.0/8 | Delegate-VPC | | us-south-3 |

Custom routing table for VPC Z (in us-east):

Destination | Action | Next Hop | Zone |
---|---|---|---|
13.0.0.0/8 | Delegate-VPC | | us-east-1 |
13.0.0.0/8 | Delegate-VPC | | us-east-2 |
13.0.0.0/8 | Delegate-VPC | | us-east-3 |
Use case 3: VPC-to-classic and BCR peering with IBM Cloud Transit Gateway
Routes known to VPC A:

IP | Origin |
---|---|
10.100.0.0/24 | from VPC A subnet |
13.100.0.0/24 | from VPC A subnet |
13.111.0.0/24 | from Classic through Transit Gateway |

Custom routing table for VPC A, with a `Delegate-VPC` route for the IANA range in each location:

Destination | Action | Next Hop | Location |
---|---|---|---|
13.0.0.0/8 | Delegate-VPC | | us-south-1 |
13.0.0.0/8 | Delegate-VPC | | us-south-2 |
13.0.0.0/8 | Delegate-VPC | | us-south-3 |