Connectivity options on Amazon Web Services
IBM® Db2® Warehouse on Cloud offers secure connectivity options for your application connection requirements.
For application connections, do not use IP addresses to connect to the Db2 Warehouse on Cloud instance, because the IP addresses resolved from the hostname may change. Use hostnames in your connection properties wherever they are available.
Connecting to Db2 Warehouse on Cloud with Amazon Web Services PrivateLink
Amazon Web Services (AWS) PrivateLink gives you the ability to securely and privately connect to a Db2 Warehouse on Cloud instance that is deployed on AWS from your own AWS VPCs, services, and applications. With AWS PrivateLink, traffic between Db2 Warehouse on Cloud and your AWS VPCs, services, and applications does not traverse the public internet.
If you'd like to use AWS PrivateLink with Db2 Warehouse on Cloud, complete the following steps:
- Create an AWS principal to access Db2 Warehouse on Cloud. The AWS principal can be AWS accounts, IAM users, or IAM roles.
- Open a support ticket with IBM Cloud to enable AWS PrivateLink, and provide the Amazon Resource Name (ARN) of the AWS principal that was created in the previous step. The principal is granted permission to access your Db2 Warehouse on Cloud instance.
- After the principal is granted permission, create an interface endpoint on your VPC to connect to the Db2 Warehouse on Cloud service. See Creating an Interface Endpoint. Ensure that TCP traffic is allowed through ports 50001, 443, and 8443 on the VPC, and set rules to allow traffic from the CIDR range associated with the VPC.
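As an added check that is not part of the IBM documentation or the Db2 Warehouse on Cloud service, the following Python audits the security group attached to the interface endpoint against the requirements above: TCP only, only ports 50001, 443 and 8443, and only sources inside the VPC CIDR. The group dictionaries and the VPC CIDR 10.20.0.0/16 are constructed samples shaped like the AWS describe-security-groups output.

```python
import ipaddress

# TCP ports the page requires on the interface endpoint; PrivateLink carries no UDP.
REQUIRED_TCP_PORTS = {50001, 443, 8443}

def audit_endpoint_security_group(sg: dict, vpc_cidr: str) -> list:
    """Return findings for a security group in AWS describe-security-groups shape.

    An empty list means the inbound rules match the page's requirements:
    TCP only, only ports 50001/443/8443, and only sources inside the VPC CIDR.
    Only IPv4 IpRanges are inspected (the constructed samples below use that shape).
    """
    vpc_net = ipaddress.ip_network(vpc_cidr)
    findings, seen_ports = [], set()
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto != "tcp":  # "-1" means all protocols; "udp" is never carried by PrivateLink
            findings.append(f"rule allows protocol {proto!r}; PrivateLink needs TCP only")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        ports = set(range(lo, hi + 1))
        if ports - REQUIRED_TCP_PORTS:
            findings.append(f"rule opens TCP {lo}-{hi}, beyond ports 50001/443/8443")
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            # subnet_of() raises on mixed address families, so check the version first
            if src.version != vpc_net.version or not src.subnet_of(vpc_net):
                findings.append(f"source {src} is not inside VPC CIDR {vpc_net}")
            else:
                seen_ports |= ports & REQUIRED_TCP_PORTS
    missing = sorted(REQUIRED_TCP_PORTS - seen_ports)
    if missing:
        findings.append(f"no in-VPC rule for required TCP port(s) {missing}")
    return findings

VPC_CIDR = "10.20.0.0/16"  # constructed sample VPC range

# Constructed sample: a correctly scoped endpoint security group.
GOOD_SG = {"GroupId": "sg-good", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 50001, "ToPort": 50001, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.20.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": "10.20.1.0/24"}]},
]}

# Constructed sample: open to the internet, a UDP rule, and an over-wide port range.
BAD_SG = {"GroupId": "sg-bad", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 50001, "ToPort": 50001, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 8443, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
]}

if __name__ == "__main__":
    for group in (GOOD_SG, BAD_SG):
        print(group["GroupId"], audit_endpoint_security_group(group, VPC_CIDR) or "OK")
```

Feed it the IpPermissions of the real endpoint security group and the VPC's CIDR; any finding means the group is wider or narrower than the steps above require.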
Connecting to the private web console of Db2 Warehouse on Cloud
- When you enable a private endpoint, the private web console becomes available. With a private endpoint enabled, you can still access a lite version of the web console to get connection information.
- To use the private web console, use the same AWS interface endpoint created in the steps above, and ensure that TCP traffic is allowed through port 8443 on your VPC.
Considerations and limitations
- AWS PrivateLink currently supports only TCP traffic. Tools that rely on UDP traffic are not supported by PrivateLink. To load data, load directly from Amazon S3 into Db2 Warehouse on Cloud. See Loading data from Amazon S3. Extra charges might apply when you transfer data by using the public endpoint.
- You must create the Endpoint Service for accessing Db2 Warehouse on Cloud in the same AWS region where the Db2 Warehouse on Cloud instance is deployed. To access your instance from other AWS regions, you can use VPC Peering. See Example: Services Using AWS PrivateLink and VPC Peering.
- For the current generation of plans on AWS, connectivity to the web UI is available only over the public network, even if you have enabled PrivateLink. This restriction is temporary and will be removed in an upcoming update.
For more information about AWS PrivateLink, see Interface VPC Endpoints (AWS PrivateLink).