Connectivity options on Amazon Web Services
IBM® Db2® Warehouse as a Service offers secure connectivity options for your application connection requirements.
For application connections, do not use IP addresses to connect to the IBM Db2 Warehouse SaaS instance, because the IP addresses resolved from the hostname may change. Use hostnames in your connection properties wherever they are available.
Connecting to Db2 Warehouse SaaS with Amazon Web Services PrivateLink
Amazon Web Services (AWS) PrivateLink gives you the ability to securely and privately connect to an IBM Db2 Warehouse SaaS instance that is deployed on AWS from your own AWS VPCs, services, and applications. With AWS PrivateLink, traffic between IBM Db2 Warehouse SaaS and your AWS VPCs, services, and applications does not traverse the public internet.
If you'd like to use AWS PrivateLink with IBM Db2 Warehouse SaaS, complete the following steps:
- Create an AWS principal to access IBM Db2 Warehouse SaaS. The AWS principal can be AWS accounts, IAM users, or IAM roles.
- Open a support ticket with IBM Cloud to enable AWS PrivateLink, and provide the Amazon Resource Name (ARN) of the AWS principal that was created in the previous step. The principal is granted permission to access your IBM Db2 Warehouse SaaS instance.
- After the principal is granted permission, create an interface endpoint on your VPC to connect to the IBM Db2 Warehouse SaaS service. See Creating an Interface Endpoint. Ensure that TCP traffic is allowed through ports 50001, 443, and 8443 on the VPC, and set rules to allow traffic from the CIDR range associated with the VPC.
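The check below is an added example, not IBM's or AWS's code: it audits the inbound rules of the security group attached to the interface endpoint against the port and source requirements in the last step. It takes the `IpPermissions` list in the shape returned by `aws ec2 describe-security-groups`; the helper name, the sample rules, and the CIDR `10.20.0.0/16` are constructed for illustration.

```python
import ipaddress

REQUIRED_TCP_PORTS = (50001, 443, 8443)  # ports named in the step above

def audit_endpoint_sg(ip_permissions, vpc_cidr):
    """Audit inbound rules (the "IpPermissions" list from
    `aws ec2 describe-security-groups`) for the endpoint's security group.

    Returns (missing, too_broad): required ports the whole VPC CIDR cannot
    reach over TCP, and rules that open a required port to sources outside
    the VPC CIDR. Hypothetical helper; IPv4 ("IpRanges") only.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    covered, too_broad = set(), []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":            # all protocols, all ports; no port keys
            lo, hi = 0, 65535
        elif proto in ("tcp", "6"):
            lo, hi = perm["FromPort"], perm["ToPort"]
        else:
            continue                 # UDP/ICMP rules do not help: PrivateLink is TCP only
        ports = [p for p in REQUIRED_TCP_PORTS if lo <= p <= hi]
        if not ports:
            continue
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if vpc.subnet_of(src):       # source range contains the whole VPC
                covered.update(ports)
            if not src.subnet_of(vpc):   # source range reaches beyond the VPC
                too_broad.append((rng["CidrIp"], lo, hi))
    missing = [p for p in REQUIRED_TCP_PORTS if p not in covered]
    return missing, too_broad

# Constructed sample: VPC CIDR and rules are made up for illustration.
SAMPLE_VPC_CIDR = "10.20.0.0/16"
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 50001, "ToPort": 50001,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},     # wider than the VPC
    {"IpProtocol": "udp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},  # wrong protocol
]

if __name__ == "__main__":
    missing, too_broad = audit_endpoint_sg(SAMPLE_RULES, SAMPLE_VPC_CIDR)
    print("required ports not reachable from the VPC:", missing)
    print("rules wider than the VPC CIDR:", too_broad)
```

A rule scoped to a single subnet inside the VPC is reported as missing, because the step asks for the CIDR range associated with the VPC as the source.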
Connecting to the private web console of IBM Db2 Warehouse SaaS
- When you enable a private endpoint, the private web console becomes available. With the private endpoint enabled, you can still access a lite version of the web console to get connection information.
- To use the private web console, use the same AWS endpoint that you created in the preceding steps, but ensure that TCP traffic is allowed through port 8443 on your VPC.
Considerations and limitations
- AWS PrivateLink currently supports only TCP traffic. Tools that rely on UDP traffic are not supported by PrivateLink. To load data, load directly from Amazon S3 into IBM Db2 Warehouse SaaS. See Loading data from Amazon S3.
  Extra charges might apply when you transfer data by using the public endpoint.
- You must create the Endpoint Service for accessing IBM Db2 Warehouse SaaS in the same AWS region where the IBM Db2 Warehouse SaaS instance is deployed. To access your instance from other AWS regions, you can use VPC Peering. See Example: Services Using AWS PrivateLink and VPC Peering.
- For the current generation of plans on AWS, connectivity to the web UI is available only over the public network, even if you have enabled PrivateLink. This restriction is temporary, and will be removed in an upcoming update.
For more information about AWS PrivateLink, see Interface VPC Endpoints (AWS PrivateLink).