Enabling VRF and service endpoints
When using the classic infrastructure, you connect to resources in your account over the IBM Cloud® public network by default. You can enable virtual routing and forwarding (VRF) to move IP routing for your account and all of its resources into a separate routing table. If VRF is enabled, you can then enable IBM Cloud service endpoints to connect directly to resources without using the public network.
Virtual Private Clouds (VPCs) are automatically enabled for virtual routing and forwarding (VRF). To enable service endpoints for your VPC, continue to Enabling service endpoints.
By default, classic accounts that were established before 30 November 2023 are included in the IBM Cloud general routing table. Previously, if you wanted to convert a classic account to a VRF-style account, you were required to open a support case with IBM® Support. Beginning 30 November 2023, any new classic account or any existing classic account that is "empty" (for example, without any provisioned VLANs) will be automatically converted to a VRF-style account the next time that account initiates a private network connection. For more information, see FAQs about VRF account migration.
Before you begin
Before you begin, ensure that you meet the following criteria:
- You need a billable account to enable virtual routing and forwarding and IBM Cloud service endpoints.
- You must have access to IBM Cloud infrastructure in your account. Go to the Navigation Menu icon > Classic Infrastructure to verify that you have access.
Enabling VRF in the console
VRF allows multiple instances of a routing table to exist in a router and to work simultaneously. When you enable VRF, a separate routing table is created for your account, and connections to and from your account's resources are routed separately on the IBM Cloud network. VRF is enabled at the account level, so all resources are affected by this networking change. For more information about VRF technology and how it affects your account's network routing, see Virtual routing and forwarding on IBM Cloud.
Enabling VRF permanently alters the networking for your account. Be sure that you understand the impact to your account and resources. After you enable VRF, it cannot be disabled.
To enable VRF:
- In the console, go to Manage > Account, then click Account settings.
- Go to Virtual routing and forwarding, and click On.
For most accounts, this action immediately converts the private network to VRF. For a select few accounts, coordination with IBM Cloud support might be required. To create the support case, complete the following steps:
- Click Create case. You must have a Pay-As-You-Go or Subscription account.
- In the case description, enter your classic infrastructure account number.
- Click the Submit button.
Don't change the rest of the populated support case information. The information is tailored to ensure that your request is handled as quickly as possible.
The IBM Cloud network engineering team will contact the case owner to schedule a time for your account's networking to be converted to VRF. During the conversion process, connections to resources in your account might be unstable due to packet loss. The conversion takes roughly 15 - 30 minutes, depending on the complexity of your account. If your account has legacy IBM Cloud® Direct Link connections, it might take more time.
Changing an empty account to VRF modifies the behavior of the future resources with no interruption. A short intermittent connectivity loss can occur between your existing servers on the private network during the migration process, which is scheduled at a convenient time for you.
The migration does not make any changes to the public network configuration of your VLANs or subnetworks. However, if you have any web or application servers that provide a public-facing service that relies on a private network connection to reach a database, application, or other type of server, be aware that the public-facing service might be disrupted.
VRF is not compatible with IPSec VPN services and limits SSL VPN connections to the resources in the data center of the connection. Alternatively, you can purchase IBM Cloud® Direct Link products for management of your servers, or run your own VPN solution that can be configured with different types of VPNs.
Enabling service endpoints
When IBM Cloud service endpoints are enabled in your account, you can choose to expose a private network endpoint when you create a resource. You can then connect directly to this endpoint over the IBM Cloud private network rather than the public network. Because resources that use private network endpoints don't have an internet-routable IP address, connections to these resources are more secure. For more information, see Secure access to services using service endpoints.
Before you can enable service endpoints, VRF must be enabled for your account. Virtual Private Clouds (VPCs) are automatically enabled for VRF.
Enabling service endpoints in the console
- In the console, go to Manage > Account, then click Account settings.
- From the Service endpoints section, click On.
  If you can't click On, VRF might not be enabled for your account. Verify that it's enabled by checking the virtual routing and forwarding section.
- Review the impacts to your account, and click On.
It might take a few minutes for this change to take effect.
Enabling service endpoints in the CLI
To enable service endpoints from the IBM Cloud CLI, you need version 0.13 or later.
- Check whether service endpoints are already enabled in your account.
  ibmcloud account show
  If Service Endpoint Enabled is false as shown in the following example, service endpoints are not enabled.
    Retrieving account Mia Example's Account of m.example@example.com...
    OK
    Account ID: abc123d0bc2edefthyufffc9b5ca318
    Currently Targeted Account: true
    Linked Softlayer Account: 0123456
    Service Endpoint Enabled: false
- Enable service endpoints by running the following command.
  ibmcloud account update --service-endpoint-enable true
  It might take a few minutes for this change to take effect. After the command completes, you can run the ibmcloud account show command again to verify.
  If VRF isn't enabled for your account, running this command prompts you to create a case to enable it. Enter y to create the support case. After VRF is enabled in the account, run the command again to enable service endpoint connectivity in your account.
    Service Endpoint is not available in linked Softlayer Account 1008967. Enable VRF(Virtual Routing and Forwarding) first to proceed. Learn more about VRF here - https://cloud.ibm.com/docs/infrastructure/direct-link/vrf-on-ibm-cloud.html.
    Do you want to open a ticket to enable it?[y/N]> y
    Ticket 70729615 was opened successfully. Follow the link https://control.softlayer.com/support/tickets/70729876 to check the details and track the status of the ticket. You will be required to login to view this ticket.
    Account ID: 1008967
    Ticket: Private Network Question
After service endpoints are enabled, you can create resources that connect over the IBM Cloud private network. For a list of services that support service endpoints and more information, see Enabling VRF and service endpoints.
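The check in the first CLI step can be scripted for account audits. The following is an added example, not part of the IBM documentation or CLI: it parses the text printed by ibmcloud account show and reports whether service endpoints are enabled. The function names are hypothetical, and the sample output is constructed from the example above with assumed column padding.

```shell
#!/bin/sh
# Added example (not IBM's code): audit the service endpoint setting from the
# text printed by `ibmcloud account show`. Function names are hypothetical.

# Constructed sample in the layout shown above; the column padding is assumed.
sample_account_show() {
cat <<'EOF'
Retrieving account Mia Example's Account of m.example@example.com...
OK

Account ID:                   abc123d0bc2edefthyufffc9b5ca318
Currently Targeted Account:   true
Linked Softlayer Account:     0123456
Service Endpoint Enabled:     false
EOF
}

# account_field NAME: read the text on stdin and print the value of "NAME:".
# Exits non-zero when no line starts with that label.
account_field() {
  awk -v key="$1" '
    { sub(/\r$/, "") }
    index($0, key ":") == 1 {
      val = substr($0, length(key) + 2)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      print val; found = 1; exit
    }
    END { if (!found) exit 1 }'
}

# Print enabled, disabled, or unknown (label missing or value unexpected).
service_endpoint_state() {
  value=$(account_field "Service Endpoint Enabled") || value=""
  case "$value" in
    true)  echo enabled ;;
    false) echo disabled ;;
    *)     echo unknown ;;
  esac
}

# One report line per account: "<account id> <state>".
audit_line() {
  text=$(cat)
  id=$(printf '%s\n' "$text" | account_field "Account ID") || id="?"
  printf '%s %s\n' "$id" "$(printf '%s\n' "$text" | service_endpoint_state)"
}

# Live use: ibmcloud account show | audit_line
sample_account_show | audit_line
```

A result of unknown means the Service Endpoint Enabled line was not found or held an unexpected value, so treat it as a failed check rather than as disabled.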
Using service endpoints
After you enable the VRF and service endpoint account settings, you can create resources from the catalog that support service endpoints. The following table lists the services that support using service endpoints.
To find the endpoints for each service, refer to the Endpoint URLs section of the API documentation for the specific service.