
How to Connect to IBM Public Cloud Privately and Control Network Traffic

Posted by Marbenz Antonio on November 29, 2022


IBM offers several ways to connect customer data centers and on-premises equipment securely to IBM public cloud services.

Some of the most popular offerings include the following:

The virtual or physical network appliances are hosted in IBM Cloud Classic Infrastructure and give the customer full control over their network management; the other two products are delivered as a service, managed by IBM, with dedicated configuration options. Customers usually prefer Virtual Private Clouds (VPCs) over Classic Infrastructure because VPCs offer next-generation features and receive hardware updates more efficiently.

At the same time, customers place a high value on the network appliances of Classic Infrastructure. By default, however, those appliances cannot control traffic inside a VPC, whereas IBM Cloud Direct Link can connect to both Classic Infrastructure and VPCs.

In addition to these options for connecting on-premises infrastructure to IBM public cloud, another service, IBM Cloud Transit Gateway, lets customers link IBM Cloud resources to each other: VPCs, Classic Infrastructure, and even resources in other accounts.

Combining these three services (Direct Link, a gateway appliance in Classic Infrastructure and a Transit Gateway) makes it possible to establish a private IP connection to IBM Cloud VPC and Classic Infrastructure while retaining complete control over the network and its traffic. The design creates a single point of entry for all workload communication (in a high availability deployment there are, of course, two points of entry). Setting it up takes three stages, described in detail below.

Architecture overview

The following diagram shows the overall configuration, combining Direct Link with Classic Infrastructure, a Transit Gateway and a VPC:

Step 1: Setting up IBM Cloud Direct Link

Direct Link forms the underlay network for the whole solution: it connects privately and directly to IBM Cloud infrastructure without sending packets across the public network. Once the Direct Link connection is established and Classic Infrastructure is attached to it, the customer can reach the private network of IBM Classic Infrastructure.

IBM Cloud Direct Link automatically announces all attached routes to its counterpart, which is usually a customer-controlled device. For the scenario in this article, the customer should configure an inbound prefix filter on that device so that only the private IP prefixes of the network appliance hosted in Classic Infrastructure are accepted (as shown in the architecture overview). Every other Classic prefix is then reachable from on-premises only through the appliance.

Step 2: Establishing private connectivity to network appliances

Once the Direct Link setup is complete, the customer can reach the private endpoints of the network appliances hosted in Classic Infrastructure. Those endpoints are then used to build the overlay network of the solution: a private GRE (Generic Routing Encapsulation) tunnel between the on-premises device and the appliance, which is not routed across the public network, with BGP (Border Gateway Protocol) running inside the tunnel. The overlay routes are exchanged between the two devices via BGP.

Step 3: Connecting an IBM Cloud Transit Gateway with network appliances

In the last step, the network appliance is connected to a Transit Gateway, which controls the connection to one or more VPCs. First, the Transit Gateway's Classic Infrastructure connection should be restricted with a prefix filter so that only the prefix of the gateway appliance is permitted.

Next, the GRE tunnel capability of the Transit Gateway is used to connect to the Classic Infrastructure device. This has to be configured manually on both sides: on the virtual gateway appliance and in the Transit Gateway UI. The setup includes the tunnel IPs, the gateway IPs and the BGP autonomous system numbers. The IBM Cloud Docs contain comprehensive instructions for setting up a Transit Gateway GRE tunnel.

The appliance-side configuration depends on the type of equipment used. As soon as the tunnel is up, the VPC routes attached to the Transit Gateway are advertised to the network appliance over BGP, and the network appliance can in turn advertise its attached routes to the Transit Gateway; which routes those are depends on how the appliance is configured. At the end of this stage, all configured routes have been exchanged between the network nodes involved.

Customers can now route all access to public cloud resources through the gateway appliance and control it there.

High availability

For production scenarios, this architecture can also be built in a high availability configuration, as shown in the following figure:

Conclusion

The GRE capability of the IBM Cloud Transit Gateway gives customers with stringent security requirements new options for network design within IBM Cloud. Previously, network connections between VPCs and on-premises infrastructure could only be partially managed and controlled. With the connection between a Transit Gateway and a Classic Infrastructure gateway appliance, customers can now create fine-grained network configurations and control every network flow.

 

