Enforcing private endpoints to configure Activity Tracker Event Routing resources
Use this tutorial to learn how to enforce the use of private endpoints to configure Activity Tracker Event Routing resources in your account.
You can use the Activity Tracker Event Routing CLI or the Activity Tracker Event Routing REST API to define the type of endpoints that are allowed to configure Activity Tracker Event Routing resources in the account.
Prerequisites
- You need a user ID that is a member or an owner of an IBM Cloud account. To get an IBM Cloud user ID, go to Create an account.
- If you prefer to work with the command line, you must install the IBM Cloud CLI. For more information, see Installing the IBM Cloud CLI.
- Your user ID needs administrator platform permissions to manage the IBM Cloud Activity Tracker service. Contact the account owner. The account owner can grant another user access to the account for the purposes of managing user access and managing account resources. Learn more.
Check your account is VRF enabled
By default, public endpoints are enabled in your account. To allow the usage of private endpoints in your account, you must enable the account for virtual routing and forwarding (VRF).
- When using the classic infrastructure, you connect to resources in your account over the IBM Cloud public network by default. You can enable virtual routing and forwarding (VRF) to move IP routing for your account and all of its resources into a separate routing table. If VRF is enabled, you can then enable IBM Cloud service endpoints to connect directly to resources without using the public network. For more information, see Enabling VRF and service endpoints.
- Virtual Private Clouds (VPCs) are automatically enabled for virtual routing and forwarding (VRF). To enable service endpoints for your VPC, continue to Enabling service endpoints.
For example, to check if the account is VRF enabled, run the following command:
ibmcloud account show
To enable private endpoints, run the following command:
ibmcloud account update --service-endpoint-enable true
Disable public endpoints in the account
To disable public endpoints, run the following command:
ibmcloud atracker setting update --private-api-endpoint-only TRUE
Check you have access to private endpoints
After you disable public endpoints, you must configure Activity Tracker Event Routing within the private network.
For example, to configure Activity Tracker Event Routing in your account, you can provision a VPC VSI. Then, from a terminal, you can run cURL commands to create a target and a route.
Complete the following steps to provision a VPC VSI so that you can run cURL commands to create a target and a route in your account:
- Create a VSI in your account.
- Connect to the VSI from a terminal in your local environment.
- After you SSH into the VSI, install the IBM Cloud CLI. Run the following command:
curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
You can run the following command to check that you can access the private endpoints:
ping private.{region}.atracker.cloud.ibm.com
For example, you can run the following command to check access to the Dallas region:
ping private.us-south.atracker.cloud.ibm.com
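The following script is an added example, not part of the original tutorial or IBM's tooling. It goes beyond the ping check: run from the VSI, it confirms that the private hostname resolves to a non-public address and accepts a connection on port 443. The function names and the two IBM service endpoint ranges in PRIVATE_CIDRS are assumptions; confirm the ranges against your own network configuration.

```shell
# Added example (not IBM's code): preflight check for the private endpoint.

# Non-public ranges. RFC 1918 blocks are standard; the last two are ASSUMED
# IBM Cloud service endpoint ranges. Confirm them for your account.
PRIVATE_CIDRS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 166.8.0.0/14 161.26.0.0/16"

# Build the hostname from the page's private.{region} pattern.
atracker_private_host() {
  case "$1" in ''|*[!a-z0-9-]*) return 1 ;; esac  # plain region slug only
  printf 'private.%s.atracker.cloud.ibm.com\n' "$1"
}

# Dotted-quad IPv4 to integer; fails on malformed input.
ip_to_int() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|0?*|????*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Succeeds if IPv4 address $1 lies inside CIDR block $2.
in_cidr() {
  addr=$(ip_to_int "$1") || return 1
  net=$(ip_to_int "${2%/*}") || return 1
  size=$(( 1 << (32 - ${2#*/}) ))
  [ $(( addr / size )) -eq $(( net / size )) ]
}

is_private_addr() {
  for cidr in $PRIVATE_CIDRS; do
    if in_cidr "$1" "$cidr"; then return 0; fi
  done
  return 1
}

# Resolve, classify, then open a TLS connection (ICMP may be filtered).
check_region() {
  host=$(atracker_private_host "$1") || { echo "invalid region: $1" >&2; return 2; }
  ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  [ -n "$ip" ] || { echo "FAIL: $host does not resolve" >&2; return 1; }
  is_private_addr "$ip" || { echo "FAIL: $host -> $ip is not private" >&2; return 1; }
  curl -sS -o /dev/null --connect-timeout 5 "https://$host/" || { echo "FAIL: no connection to $host:443" >&2; return 1; }
  echo "OK: $host -> $ip"
}
if [ "$#" -gt 0 ]; then check_region "$1"; fi
```

Save the script on the VSI and pass the region as the only argument, for example us-south. A non-zero exit status means the endpoint did not resolve, resolved outside the listed ranges, or refused the connection.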