Learning about CIS architecture and workload isolation

Review the following sample architecture for IBM Cloud® Internet Services, and learn about different isolation levels so that you can choose the solution that best meets the requirements of the workloads that you want to run in the cloud.

CIS architecture and workload isolation

Cloud Internet Services (CIS) is a public, global, multitenant service offered in partnership with Cloudflare. It offers DNS name resolution, global load balancing, and security and CDN services, for zones or domains delegated to this service.

In the control plane, you can configure your zone and the services that are applied to traffic to your site through the UI, CLI, or API. All access authorization and authentication to your zone or domain is managed through Identity and Access Management (IAM) access policies.

All configuration requests eventually reach the multitenant CIS control plane on IBM Cloud® as API calls to an SSL-secured API endpoint. The control plane interacts with the platform IAM service to authenticate the user and authorize the action. The original request targets the customer's CIS instance, and each CIS instance is uniquely mapped to an anonymized subaccount in Cloudflare's system. The request is converted to a Cloudflare API request that targets that subaccount and is delivered over HTTPS to the Cloudflare API endpoint. Zones and domains from different customers are isolated and maintained in separate subaccounts within the CIS account at Cloudflare. Access to the account at Cloudflare is strictly controlled and limited. Access to the CIS control plane infrastructure is also strictly controlled and limited to essential maintenance personnel only.

Data that is stored at Cloudflare is encrypted except when it is required to be publicly accessible, as is the case for DNS records. The control plane is separate from the data plane.

The data plane for your site is handled exclusively by Cloudflare. All proxied traffic is resolved to an IP address owned by Cloudflare and routed through Cloudflare's Anycast network to the nearest data center capable of processing the request. The request is processed by Cloudflare based on the zone's configuration. After all configured services (such as firewall rules, WAF rules, rate limits, global load balancing, and so on) are applied, Cloudflare replies to the request from its cache, or by requesting the necessary resources from the website's origin, which is controlled by the customer.

Non-proxied requests go directly from the client to the requested resource's origin. In this case, only DNS resolution is done by Cloudflare. The request data flows through the public internet.
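The proxied/non-proxied distinction above decides whether a client ever learns the origin's address. As an added example (not IBM's or Cloudflare's code), the following Python audits a constructed set of zone records and flags non-proxied A/AAAA records that publish the same origin address that proxied hostnames keep behind Cloudflare's Anycast edge; the record fields (name, type, content, proxied) are assumed names for the per-record settings.

```python
# Constructed sample zone records; "proxied" stands for the per-record
# setting that routes traffic through Cloudflare's data plane.
SAMPLE_RECORDS = [
    {"name": "www.example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "api.example.com", "type": "CNAME", "content": "www.example.com", "proxied": True},
    {"name": "ftp.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "mail.example.com", "type": "A", "content": "203.0.113.25", "proxied": False},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "proxied": False},
    {"name": "example.com", "type": "TXT", "content": "v=spf1 -all", "proxied": False},
]

# Only these record types can be proxied; MX, TXT and similar are always direct.
PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}
ADDRESS_TYPES = {"A", "AAAA"}


def classify_records(records):
    """Split records into proxied (data plane handled by Cloudflare, client sees a
    Cloudflare-owned IP) and direct (client connects straight to the origin; only
    DNS resolution is done by Cloudflare). Non-proxiable types are left out."""
    proxied = [r for r in records if r["proxied"]]
    direct = [r for r in records
              if not r["proxied"] and r["type"] in PROXIABLE_TYPES]
    return proxied, direct


def origin_exposures(records):
    """Return hostnames of non-proxied address records whose content equals the
    origin address of a proxied record. Each such record reveals in plain DNS an
    origin that the proxied hostnames were meant to keep behind the edge."""
    proxied, direct = classify_records(records)
    protected_origins = {r["content"] for r in proxied if r["type"] in ADDRESS_TYPES}
    return sorted(r["name"] for r in direct
                  if r["type"] in ADDRESS_TYPES and r["content"] in protected_origins)


if __name__ == "__main__":
    for name in origin_exposures(SAMPLE_RECORDS):
        print(f"origin address exposed by non-proxied record: {name}")
```

Records like the flagged one are candidates for either enabling the proxy or moving the service to an address that no proxied hostname shares.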

Figure: Cloud Internet Services (CIS) architecture overview

CIS workload isolation and deployment model

CIS is a public multitenant solution. Both the control plane and the data plane are shared between tenants and accessed through public endpoints. Some data is required to be publicly accessible. In all other cases, data is encrypted at rest and in transit, using TLS.

Dependencies on other IBM Cloud services

Review the IBM Cloud services that IBM Cloud® Internet Services connects to or uses.

Critical dependencies

The following dependencies of IBM Cloud Internet Services are considered critical. Any loss of connectivity or service of one of these dependencies results in a functional impact to the customer on IBM Cloud Internet Services.

| Service name | Description |
| --- | --- |
| IBM Cloud Resource Controller API and IBM Cloud catalog API | Used to load required information about your service instance and offering plan. |
| Global Search and Tagging (Ghost) | Used to look up information about other IBM Cloud services. For example, if you set up a job to push edge logs to your own IBM Cloud Object Storage bucket, the available instances and buckets are searched with Ghost. |
| IBM Cloud Kubernetes Service | Provides the infrastructure that IBM Cloud Internet Services runs on. |
| Business Support Services for IBM Cloud (BSS) | Used to access information about the IBM Cloud account, service subscription, service usage, and billing. |
| IBM Cloud Command Line (CLI) | Used to run commands from a command prompt. When IBM Cloud Internet Services runs commands, the service connects to the service API endpoint over the public service endpoint. |
| IBM Log Analysis | IBM Cloud Internet Services sends service logs to IBM Log Analysis. The service team uses these logs to identify issues and malicious activity. |
| IBM Cloud Activity Tracker | IBM Cloud Internet Services integrates with IBM Cloud Activity Tracker to forward auditable events to the IBM Cloud Activity Tracker service instance that is set up and owned by the user. For more information, see Auditing events for CIS. This service is also used by IBM Cloud Internet Services to store auditable events. |
| Identity and Access Management (IAM) | IBM Cloud Internet Services authenticates requests and determines authorization for all user actions based on platform and service access roles and policies in IAM. To learn more, see Managing access for CIS. |
| Object Storage (COS) | Used to store edge logs for a customer's data path traffic. You can also use this service to store operational logs of IBM Cloud Internet Services itself. |

Other dependencies

| Service name | Description |
| --- | --- |
| Certificate Manager | Used to store the TLS certificates for IBM Cloud Internet Services. |
| IBM Cloud Container Registry | Used to store the images that IBM Cloud Internet Services uses to run the service. |
| IBM Cloud Monitoring | IBM Cloud Internet Services sends service metrics to IBM Cloud Monitoring. The service team uses these metrics to identify capacity and performance issues and to monitor the operational health of the service. |

Dependencies on third-party services

Review the list of third-party services that IBM Cloud Kubernetes Service connects to over the public network.

Critical dependencies

| Service name | Description |
| --- | --- |
| Cloudflare | Cloudflare is the third-party provider for all data path services that are offered by IBM Cloud Internet Services, such as WAF, DDoS protection, and global load balancing. |

Other dependencies

| Service name | Description |
| --- | --- |
| PagerDuty | PagerDuty is used to notify on-call support of emergency and non-emergency issues that are related to operating IBM Cloud Internet Services or its support. |