IBM Cloud Docs
Reviewing Satellite Connector as a Secure Gateway replacement

Reviewing Satellite Connector as a Secure Gateway replacement

Secure Gateway is deprecated. For more information, see the deprecation details.

This tutorial is designed for Secure Gateway administrators who are considering migrating to Satellite Connector.

Goals

  • Familiarize users with Satellite Connector as a replacement for Secure Gateway.
  • Introduce you to the key Satellite Connector concepts.
  • Provide a terminology mapping, so that you can learn more about Connector through familiar Secure Gateway terms.
  • Explain how the Satellite Connector features compare to Secure Gateway.
  • Cover frequently asked questions about Satellite Connector.
  • Give an overview of the Satellite Connector requirements.

Learn the concepts

Connector
A connector provides a secure connection between a specific remote location and IBM Cloud.
Agent
Each connector needs an agent running on your location to establish the connection.
Endpoint
An endpoint allows you to securely connect to a server, service, or app that runs in your Satellite location from a client that is connected to the IBM Cloud private network.
Access control list
Access control list (ACL) controls which clients can access location endpoint resources. You can create ACL rules and use them to control which clients can use the endpoint to connect to the destination resource that runs in your location.

Compare the terms

Secure Gateway and Satellite Connector terminology.
Secure Gateway Satellite Connector Notes
Secure Gateways Satellite Connector and Agents Automatically created when you create a Satellite Connector.
Secure Gateway Client Satellite Connector Agent Satellite Connector is a containerized solution.
Secure Gateway Destination Satellite Connector Endpoint They are the same thing.
Secure Gateway API Satellite Connector API The constructs are similar.
Secure Gateway Endpoint Satellite Connector API Endpoint This term in Secure gateway refers to the API endpoint.
Secure Gateway Dashboard Satellite Connector Endpoints page in cloud.ibm.com

Compare the capabilities

In general, Satellite Connector has a number of improvements over Secure Gateway.

  • Supports the latest generation of VPC networking.
  • Supports only cloud private endpoints.
  • Supports several integrations including standard IBM Cloud tools like Activity Tracker, LogDNA, and Sysdig.
  • Supports more concurrent incoming connections than Secure Gateway.
  • Supports a higher number of client connections for client-side HA purposes.
  • Supports server-side HA for increased reliability and uptime.
  • Requires fewer exposed firewall ports which reduces need for proxy work arounds for very restrictive customer firewalls.
  • Supports new protocol for endpoints: HTTP-Tunnel (in addition to TCP/TLS/HTTP/HTTPS).
  • Has no bandwidth egress limits.

Review the following table for more information and a comparison of capabilities between Satellite Connector and Secure Gateway.

Secure Gateway and Satellite Connector key differences.
Topic Secure Gateway Satellite Connector Notes
Public internet access Cloud side of a destination is exposed on a public IP address. Cloud side of an endpoint is exposed only to the IBM Cloud private endpoint network so that it's reachable only from within IBM Cloud. Satellite Connector Access Control List sets the access.
Integrations N/A Integrated when you connect your Satellite Connector Agent location to Activity Tracker, LogDNA, and Sysdig. The agent itself runs on a container platform that isn’t integrated into the IBM Cloud tools. For example, Docker won’t send logs to logDNA.
Client access Secure Gateway Client supports Windows, Linux, Mac, Node.js module, and container. Satellite Connector supports container.
Clients per instance Limited to 4 client connections for high availability For high availability support, use 3 clients. Up to 9 clients allowed to scale containers over time.
Client requirements See Requirements to run the Client.
  • Host type: Most container hosts can run the client container image, including the Docker Community Edition.
  • Ports: Only requires port 443 to be opened.
Encryption (TLS support) TLS version supported is 1.2. Protocols supported are UDP, TCP, HTTP, and HTTPS. TCP, TLS (version 1.3), HTTP, HTTPS, and HTTP Tunnel. No UDP support.
Authentication Mutual authentication is supported. Provided by the target and can be configured with mutual authentication on the Satellite Connector parts.
Load balancing and high availability Can connect multiple instances of the Secure Gateway Service client to your gateway to automatically use built-in connection load balancing and connection fail-over if a client instance goes down. Can connect multiple Connector agents to your connector instance in Cloud to automatically use built-in load balancing and connection failover if an container goes down.

Review the requirements and FAQs

  1. Review the Connector overview and requirements.
  2. Review the Connector FAQs.

Next steps

Continue your evaluating and preparing for your migration by Reviewing your Secure Gateway instance details.