IBM Cloud Docs
Enabling VRF and service endpoints

When using the classic infrastructure, you connect to resources in your account over the IBM Cloud® public network by default. You can enable virtual routing and forwarding (VRF) to move IP routing for your account and all of its resources into a separate routing table. If VRF is enabled, you can then enable IBM Cloud service endpoints to connect directly to resources without using the public network.

Virtual Private Clouds (VPCs) are automatically enabled for virtual routing and forwarding (VRF). To enable service endpoints for your VPC, continue to Enabling service endpoints.

By default, classic accounts that were established before 30 November 2023 are included in the IBM Cloud general routing table. Previously, if you wanted to convert a classic account to a VRF-style account, you were required to open a support case with IBM® Support. Beginning 30 November 2023, any new classic account or any existing classic account that is "empty" (for example, without any provisioned VLANs) will be automatically converted to a VRF-style account the next time that account initiates a private network connection. For more information, see FAQs about VRF account migration.

Before you begin

Before you begin, ensure that you meet the following criteria:

  • You need a billable account to enable virtual routing and forwarding and IBM Cloud service endpoints.
  • You must have access to IBM Cloud infrastructure in your account. Go to the Navigation Menu icon > Classic Infrastructure to verify that you have access.

Enabling VRF in the console

VRF allows multiple instances of a routing table to exist in a router and to work simultaneously. When you enable VRF, a separate routing table is created for your account, and connections to and from your account's resources are routed separately on the IBM Cloud network. VRF is enabled at the account level, so all resources are affected by this networking change. For more information about VRF technology and how it affects your account's network routing, see Virtual routing and forwarding on IBM Cloud.

Enabling VRF permanently alters the networking for your account. Be sure that you understand the impact to your account and resources. After you enable VRF, it cannot be disabled.

To enable VRF, create a support case with your request. This option applies only to billable accounts.

  1. In the console, go to Manage > Account, then click Account settings.

  2. In the Virtual routing and forwarding section, click Create case.

  3. In the case description, enter your classic infrastructure account number, and click Submit.

    Don't change the rest of the prefilled support case information. The information is tailored to make sure that your request is handled as quickly as possible.

The IBM Cloud network engineering team will contact the case owner to schedule a time for your account's networking to be converted to VRF. During the conversion process, connections to resources in your account might be unstable due to packet loss. The conversion takes roughly 15 - 30 minutes, depending on the complexity of your account. If your account has legacy IBM Cloud® Direct Link connections, it might take more time.

Changing an empty account to VRF modifies the behavior of the future resources with no interruption. A short intermittent connectivity loss can occur between your existing servers on the private network during the migration process, which is scheduled at a convenient time for you.

The migration does not make any changes to the public network configuration of your VLANs or subnetworks. However, if you have any web or application servers that provide a public-facing service that relies on a private network connection to reach a database, application, or other type of server, be aware that the public-facing service might be disrupted.

VRF is not compatible with IPSec VPN services and limits SSL VPN connections to the resources in the data center of the connection. Alternatively, you can purchase IBM Cloud® Direct Link products for management of your servers, or run your own VPN solution that can be configured with different types of VPNs.

Enabling service endpoints

When IBM Cloud service endpoints are enabled in your account, you can choose to expose a private network endpoint when you create a resource. You can then connect directly to this endpoint over the IBM Cloud private network rather than the public network. Because resources that use private network endpoints don't have an internet-routable IP address, connections to these resources are more secure. For more information, see Secure access to services using service endpoints.

Before you can enable service endpoints, VRF must be enabled for your account. Virtual Private Clouds (VPCs) are automatically enabled for VRF.

Enabling service endpoints in the console

  1. In the console, go to Manage > Account, then click Account settings.

  2. In the Service endpoints section, click On.

    If you can't click the button, VRF might not be enabled for your account. Verify that it's enabled by checking the virtual routing and forwarding section, which is the preceding section in your account settings.

  3. Review the impacts to your account, and click On.

It might take a few minutes for this change to take effect.

Enabling service endpoints in the CLI

To enable service endpoints from the IBM Cloud CLI, you need version 0.13 or later.

  1. Check whether service endpoints are already enabled in your account.

    ibmcloud account show
    

    If Service Endpoint Enabled is false as shown in the following example, service endpoints are not enabled.

    Retrieving account Mia Example's Account of m.example@example.com...
    OK
    
    Account ID:                   abc123d0bc2edefthyufffc9b5ca318
    Currently Targeted Account:   true
    Linked Softlayer Account:     0123456
    Service Endpoint Enabled:     false
    
  2. Enable service endpoints by running the following command.

    ibmcloud account update --service-endpoint-enable true
    

    It might take a few minutes for this change to take effect. After the command completes, you can run the ibmcloud account show command again to verify.

    If VRF isn't enabled for your account, running this command prompts you to create a case to enable it. Enter y to create the support case. After VRF is enabled in the account, run the command again to enable service endpoint connectivity in your account.

    Service Endpoint is not available in linked Softlayer Account 1008967.
    Enable VRF(Virtual Routing and Forwarding) first to proceed.
    Learn more about VRF here - https://cloud.ibm.com/docs/infrastructure/direct-link/vrf-on-ibm-cloud.html.
    
    Do you want to open a ticket to enable it?[y/N]> y
    Ticket 70729615 was opened successfully. Follow the link https://control.softlayer.com/support/tickets/70729876 to check the details and track the status of the ticket. You will be required to login to view this ticket.
    Account ID:    1008967
    Ticket:        Private Network Question
    

After service endpoints are enabled, you can create resources that connect over the IBM Cloud private network. For a list of services that support service endpoints and more information, see Enabling VRF and service endpoints.
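
The check in step 1 and the VRF prompt in step 2 can be scripted for an account audit. The following is an added example, not part of the IBM documentation: the function names are hypothetical, and the embedded sample is constructed from the example output shown above so that the script runs without a logged-in CLI.

```shell
#!/bin/sh
# Added example: classify the text printed by `ibmcloud account show`.

# Constructed sample in the shape of the page's example output.
# $1 is the value to place in the "Service Endpoint Enabled" field.
sample_account_show() {
cat <<EOF
Retrieving account Mia Example's Account of m.example@example.com...
OK

Account ID:                   abc123d0bc2edefthyufffc9b5ca318
Currently Targeted Account:   true
Linked Softlayer Account:     0123456
Service Endpoint Enabled:     $1
EOF
}

# Print the value of one "Key:   value" line read from stdin.
account_field() {
    awk -v key="$1" '
        index($0, key ":") == 1 {
            val = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)   # trim padding and CR
            print val
            exit
        }'
}

# Read account-show text on stdin; print a state and return 0, 1 or 2.
service_endpoint_state() {
    value=$(account_field "Service Endpoint Enabled")
    case "$value" in
        true)  echo enabled;  return 0 ;;
        false) echo disabled; return 1 ;;
        *)     echo unknown;  return 2 ;;  # field absent: treat as a failed check
    esac
}

# Succeeds when the text on stdin is the "enable VRF first" response
# that `ibmcloud account update` prints for a non-VRF account.
update_blocked_on_vrf() {
    grep -qF 'Enable VRF(Virtual Routing and Forwarding) first'
}

# Demonstration on the constructed sample; prints "disabled".
sample_account_show false | service_endpoint_state || true
```

Against a real account, pipe the CLI output into the same function: `ibmcloud account show | service_endpoint_state`. The `unknown` result keeps a missing field from being read as a pass.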

Using service endpoints

After you enable the VRF and service endpoint account settings, you can create resources from the catalog that support service endpoints. The following table lists the services that support using service endpoints.

To find the endpoints for each service, refer to the Endpoint URLs section of the API documentation for the specific service.

Table 1. Services that support using service endpoints

Service | Documentation
App Configuration | Regions and endpoints
Certificate Manager | Regions and endpoints
Container Registry | Kubernetes Service clusters with private service endpoints only pull container images by using the Container Registry service endpoint.
Continuous Delivery | Regions and endpoints
Databases for Elasticsearch | Databases for Elasticsearch service endpoints integration
Databases for etcd | Databases for etcd service endpoints integration
Databases for MongoDB | Databases for MongoDB service endpoints integration
Databases for PostgreSQL | Databases for PostgreSQL service endpoints integration
Databases for Redis | Databases for Redis service endpoints integration
Db2 on Cloud | Connectivity options
Db2® Warehouse on Cloud | Connecting to a private endpoint
Event Notifications | Regions and endpoints
Event Streams | Restricting network access using the Enterprise plan
Hyper Protect Crypto Services | Hyper Protect Crypto Services service endpoints integration
Hyper Protect DBaaS for MongoDB | Securing your connection to Hyper Protect DBaaS for MongoDB
Hyper Protect DBaaS for PostgreSQL | Securing your connection to Hyper Protect DBaaS for PostgreSQL
IBM Cloudant | Available for all dedicated hardware plans deployed after 1 January 2019
Key Protect | Connecting to Key Protect on the IBM Cloud private network
KMIP for VMware on IBM Cloud | KMIP for VMware on IBM Cloud documentation
Kubernetes Service | Public and private service endpoints for Kubernetes Service
IBM® Log Analysis | IBM Log Analysis service endpoints integration
Messages for RabbitMQ | Messages for RabbitMQ service endpoints integration
IBM Cloud Monitoring | IBM Cloud Monitoring service endpoints integration
Object Storage | Object Storage endpoints and storage locations
Schematics | Using private endpoints
IBM Watson Annotator for Clinical Data | Public and private network endpoints with Annotator for Clinical Data
watsonx Assistant | Securing your assistant with watsonx Assistant
IBM Watson Discovery | Public and private network endpoints with Discovery
IBM Watson Knowledge Studio | Public and private network endpoints with Knowledge Studio
IBM Watson Language Translator | Public and private network endpoints with Language Translator
IBM Watson Machine Learning | Public and private network endpoints with Machine Learning
IBM Watson Natural Language Understanding | Public and private network endpoints with Natural Language Understanding
IBM Watson Speech to Text | Public and private network endpoints with Speech to Text
IBM Watson Text to Speech | Public and private network endpoints with Text to Speech