Connectivity options on IBM Cloud

IBM® Db2® Warehouse on Cloud offers multiple secure connectivity options for your application connection requirements.

Connecting to a public endpoint (default option)

As with any public cloud service, you can connect your application by way of a public host name that is provided to you at the time that your service is provisioned. Access to your data is protected by strong authentication, vast Db2 authorization options and access controls, encryption over the wire and at rest, and IBM security and compliance practices for development and operations. Optional IP allowlisting is offered. Create an IBM Support case if you want to enable IP allowlisting.

For application connections, do not use IP addresses to connect to the Db2 Warehouse on Cloud instance, as the IP addresses resolved from the hostname may change.

How to connect to a public endpoint:

You can also obtain your host name and credentials in the following way:

  1. Log in to IBM Cloud and click your service instance.
  2. Click Service credentials.
  3. Click New credential, then click Add.
  4. After the credentials are created, under the Actions column, click View credentials.
  5. In the following JSON document example, note the contents of the hostname, password, and username fields. You use these three components to make the public endpoint connection:
     {
       "apikey": "abcdefghijklmnopqrstuvwxyz0123456789",
       "db": "BLUDB",
       "host": "db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
       "hostname": "db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
       "https_url": "https://db2w-abcdefg.eu-de.db2w.cloud.ibm.com",
       "iam_apikey_description": "Auto-generated for key crn:v1:bluemix:public:dashdb:eu-de:a/abc62e1447e5587cfcff971d4aa7d473:c1cac901-755b-489c-a742-f41295cb5dd8:resource-key:11f5e7e5-4759-439e-8291-7febc09382ce",
       "iam_apikey_name": "Service credentials-1",
       "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
       "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/abc62e1447e5587cfcff971d4aa7d473::serviceid:ServiceId-aecb72c2-b048-4800-a0d3-263d7bfe4e6a",
       "parameters": {
         "role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
         "serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/abc62e1447e5587cfcff971d4aa7d473::serviceid:ServiceId-aecb72c2-b048-4800-a0d3-263d7bfe4e6a"
       },
       "password": "hereisthepassword123",
       "port": 50001,
       "ssldsn": "DATABASE=BLUDB;HOSTNAME=db2w-abcdefg.eu-de.db2w.cloud.ibm.com;PORT=50001;PROTOCOL=TCPIP;UID=bluadmin;PWD=hereisthepassword123;Security=SSL;",
       "ssljdbcurl": "jdbc:db2://db2w-abcdefg.eu-de.db2w.cloud.ibm.com:50001/BLUDB:sslConnection=true;",
       "uri": "db2://bluadmin:hereisthepassword123@db2w-abcdefg.eu-de.db2w.cloud.ibm.com:50001/BLUDB?ssl=true;",
       "username": "bluadmin"
     }
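The following Python sketch is an added example, not IBM code. It reads a credentials document of the shape shown above, refuses IP literals in place of the host name, builds a TLS-only DSN from the hostname, username and password fields, and masks the password before the DSN is logged. The sample values and all function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of the credentials document (not real values).
# The ssldsn host is deliberately inconsistent so the check has something to find.
SAMPLE = json.dumps({
    "db": "BLUDB",
    "hostname": "db2w-example.eu-de.db2w.cloud.ibm.com",
    "port": 50001,
    "username": "bluadmin",
    "password": "constructed-password",
    "ssldsn": "DATABASE=BLUDB;HOSTNAME=db2w.example.eu-de.db2w.cloud.ibm.com;"
              "PORT=50001;PROTOCOL=TCPIP;UID=bluadmin;PWD=constructed-password;Security=SSL;",
})

def is_ip_literal(host):
    """True if host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def parse_dsn(dsn):
    """Split a KEY=VALUE;... DSN into a dict with upper-cased keys."""
    pairs = (item.split("=", 1) for item in dsn.split(";") if "=" in item)
    return {key.strip().upper(): value for key, value in pairs}

def build_dsn(creds):
    """Build a TLS-only DSN from the hostname, username and password fields."""
    host = creds["hostname"]
    if is_ip_literal(host):
        raise ValueError("connect by host name; resolved IP addresses may change")
    return (f"DATABASE={creds['db']};HOSTNAME={host};PORT={creds['port']};"
            f"PROTOCOL=TCPIP;UID={creds['username']};PWD={creds['password']};Security=SSL;")

def check_credentials(creds):
    """Return findings for a parsed credentials document."""
    findings = []
    if is_ip_literal(creds["hostname"]):
        findings.append("hostname is an IP literal")
    dsn = parse_dsn(creds.get("ssldsn", ""))
    if dsn and dsn.get("HOSTNAME") != creds["hostname"]:
        findings.append("ssldsn HOSTNAME differs from hostname field")
    if dsn and dsn.get("SECURITY", "").upper() != "SSL":
        findings.append("ssldsn does not set Security=SSL")
    return findings

def redact(dsn):
    """Mask the PWD value so the DSN can be written to logs."""
    return ";".join("PWD=***" if part.upper().startswith("PWD=") else part
                    for part in dsn.split(";"))
```
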

Figure 1. Public network access to IBM Cloud

Connecting to a private endpoint: IBM Cloud service endpoint

Db2 Warehouse on Cloud supports private connectivity through an IBM Cloud service endpoint. IBM Cloud service endpoints securely route network traffic between different IBM Cloud services through the IBM Cloud private backplane network. When you configure your Db2 Warehouse on Cloud instance with IBM Cloud service endpoint connectivity, traffic between your cloud data warehouse and applications deployed on your IBM Cloud account will not traverse any public networks.

For application connections, do not use IP addresses to connect to the Db2 Warehouse on Cloud instance, as the IP addresses resolved from the hostname may change.

How to configure IBM Cloud service endpoint connectivity

Complete the following steps to enable IBM Cloud service endpoint connectivity for your Db2 Warehouse on Cloud instance:

  1. Enable your IBM Cloud account to use virtual routing and forwarding (VRF) and IBM Cloud service endpoints. To enable both of these items, see Enabling VRF and service endpoints.

  2. Configure your Db2 Warehouse on Cloud instance for service endpoint connectivity.

    • If you provisioned your Db2 Warehouse on Cloud instance through the IBM Cloud catalog: Create a case to request the configuration of your Db2 Warehouse on Cloud instance for IBM Cloud service endpoint connectivity. After this is complete, your Db2 Warehouse on Cloud instance will be served on a new, non-internet-routable IP address. Information about how to access your Db2 Warehouse on Cloud instance by using this newly configured private endpoint will be sent to you.

    • If you purchased your Db2 Warehouse on Cloud instance through IBM Sales: If you requested private endpoint connectivity, your Db2 Warehouse on Cloud instance will be provisioned with IBM Cloud service endpoint connectivity. No further action is required.

After you've configured IBM Cloud service endpoint connectivity for your Db2 Warehouse on Cloud instance, it will only be accessible through a private endpoint. You will not be able to access your instance through a public endpoint.

To learn more about the IBM Cloud service endpoint service, see Secure access to services using service endpoints.

Connecting to a virtual private network (VPN) endpoint

If you have an application that is deployed on a private network that is outside of the IBM Cloud without access to the public internet and you want to connect it to your database over a virtual private network (VPN) connection, you can make the request at the time that you order the service or by opening an IBM Support case. IBM network engineers will assist your network engineers to set up the VPN tunnel between your private network and the IBM Cloud.

How to connect to a VPN endpoint

To establish a VPN connection to your cloud data warehouse behind a public endpoint, create an IBM Cloud Support case that includes the following details:

  • Type of support: Technical

  • Category: Databases

  • Offering: select your Db2 Warehouse on Cloud instance

  • Subject: VPN Connection Request

  • Description: provide the following required information

    • Customer-side VPN Peer Address (your VPN endpoint): <IP Address>
    • Customer-side Encryption Domain (be specific about what is required – 10.0.0.0/8 is unworkable because 10 addressing is also used within the IBM Cloud for back-end services): <Domain>
    • Customer-side VPN Hardware & Version: <Hardware and Version number>
    • Customer-side VPN Contact (technical contact name and email address):
      • <Name>
      • <Title>
      • <Email Address>

    Optional (change only if the following default values are not suitable):

    IKE/ISAKMP Parameters (Phase I)

    • Encryption Method: IKEv1
    • IKE Encryption / Encryption Algorithm: AES-256
    • Authentication Algorithm: SHA1
    • DH-Group: Group 5
    • Security Association Lifetime (seconds): 1d (86400 seconds)

    IPSec Parameters (Phase II)

    • IPSec Encryption / Encryption Algorithm: AES-256
    • Authentication Algorithm: SHA1
    • DH-Group (if using PF-Secrecy): Group 5
    • Security Association Lifetime (seconds): 3600 seconds

After receipt of your request, IBM Cloud technicians will open the appropriate firewall ports and allowlist the provided IP address. Communication about the request and its resolution are handled through the IBM Cloud Support case.
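Before filing the case, the request fields can be checked locally. The following Python sketch is an added example, not IBM tooling: it rejects an encryption domain that spans the whole 10.0.0.0/8 range and lists the default Phase I/II values worth discussing in the case. Treating IKEv1, SHA1 and Group 5 as legacy follows RFC 9395 and RFC 8247 and is an assumption of this example; which alternatives IBM accepts is a question for the support case.

```python
import ipaddress

# Range the page names as also used inside IBM Cloud for back-end services.
IBM_BACKEND_RANGE = ipaddress.ip_network("10.0.0.0/8")

# Assumption of this example: IKEv1 is deprecated by RFC 9395; RFC 8247 marks the
# 1536-bit MODP group (Group 5) SHOULD NOT and downgrades HMAC-SHA1.
LEGACY = {"ike_version": {"IKEv1"}, "auth": {"SHA1"}, "dh_group": {"Group 5"}}

# Default values as listed in the request template above.
DEFAULTS = {
    "phase1": {"ike_version": "IKEv1", "encryption": "AES-256", "auth": "SHA1",
               "dh_group": "Group 5", "lifetime_s": 86400},
    "phase2": {"encryption": "AES-256", "auth": "SHA1",
               "dh_group": "Group 5", "lifetime_s": 3600},
}

def check_encryption_domain(cidr):
    """Return findings for a proposed customer-side encryption domain."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits set is an error
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version == 4 and IBM_BACKEND_RANGE.subnet_of(net):
        return [f"{net} covers all of 10.0.0.0/8; list only the subnets that need access"]
    return []

def review_crypto(params):
    """Return the legacy parameter choices found in a Phase I/II proposal."""
    findings = []
    for phase, values in params.items():
        for key, legacy_values in LEGACY.items():
            if values.get(key) in legacy_values:
                findings.append(f"{phase}: {key}={values[key]} is a legacy choice")
    return findings

if __name__ == "__main__":
    for finding in check_encryption_domain("10.0.0.0/8") + review_crypto(DEFAULTS):
        print(finding)
```
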

Figure 2. Public network access to IBM Cloud through a VPN