IBM Cloud Docs
Securing access to services by using service endpoints

IBM services’ architecture provides private network connectivity through service endpoints. With IBM Cloud® service endpoints, you can connect to IBM Cloud services over the IBM Cloud private network.

Moving service traffic off the public network offers two advantages:

  • Services are no longer served on an internet-routable IP address. It is becoming increasingly common for cloud consumers to want limited or no access to the public internet from any of their services. With the service endpoint feature, service teams can create an interface to their service over the private network, and customers can connect through it. Internet access is no longer a requirement for you to connect to IBM Cloud services.
  • There are no billable or metered bandwidth charges on the private network. In the past, you were billed for egress bandwidth when talking to an IBM Cloud service.

The following figure shows how traffic is routed through IBM Cloud's private network when accessing cloud services through service endpoints:

Figure 1. Traffic routed through a service endpoint (diagram: IBM Cloud Service Endpoint)

If you are using classic infrastructure, you must enable virtual routing and forwarding (VRF) in your account first. Then, you can enable the use of service endpoints. After both options are enabled, you can start creating services that support the use of VRF and service endpoints from the catalog. If you are using IBM Cloud® Virtual Private Cloud, then you don't need to enable VRF for your cloud account.

For information on how service endpoints work and which services support using service endpoints, see Enabling VRF and service endpoints and VPC Virtual private endpoint gateways.