IBM Cloud Docs
Using service endpoints to privately connect to CIS

Using service endpoints to privately connect to CIS

To help ensure that you have enhanced control and security over your configuration when you use IBM Cloud® Internet Services, you can use private routes to IBM Cloud® service endpoints. Private routes are not accessible or reachable over the internet. By using the IBM Cloud private service endpoints feature, you can protect your configuration from threats from the public network and logically extend your private network.

When you use the CIS private endpoint, any DNS records or global load balancers can be reached on the public network.

Before you begin

To get started, enable virtual routing and forwarding (VRF) and service endpoints for your infrastructure account. After you enable VRF for your account, you can connect to CIS by using a private IP that is accessible only through the IBM Cloud private network.

To learn more about private connections on IBM Cloud, see Service endpoints for private connections.

Setting up service endpoints for CIS

These service endpoints are only for managing the configuration of an instance with the API or CLI, the control plane. Using the IBM Cloud private service endpoints feature does not affect the data plane, and the public endpoints remain available. For information on the control plane and data plane, see Learning about CIS architecture and workload isolation.

Targeting private endpoints

Before you target a private endpoint for CIS:

  1. Make sure that your IBM Cloud infrastructure account is enabled for virtual routing and forwarding (VRF).

    When you enable VRF, a separate routing table is created for your account, and connections to and from your account's resources are routed separately on the IBM Cloud network. To learn more about VRF technology, see Virtual routing and forwarding on IBM Cloud.

    Enabling VRF permanently alters the networking for your account. Be sure that you understand the impact to your account and resources. After you enable VRF, it can't be disabled.

  2. Make sure that your IBM Cloud infrastructure account is enabled for service endpoints.

    After you enable VRF and service endpoints for your account, all existing and future CIS resources and instances become available from both the public and private endpoints.

Using the CLI

Step 1. Configure the IBM Cloud private network on your virtual server

Prepare your virtual server instance or test server by configuring your routing table for the IBM Cloud private network.

  1. To route traffic to the IBM Cloud private network, run the following command on your virtual server instance:

    route add -net 166.9.0.0/16 gw <gateway> dev <gateway_interface>

    Replace <gateway> (for example, 10.x.x.x) and <gateway_interface> (for example, eth10) with the appropriate values.

  2. Optional: Verify that the route was added successfully by displaying your new routing table.

    route -n

Step 2. Target the CIS private endpoint

After you configure your virtual server instance to accept IBM Cloud private network traffic, you can target the private endpoint for CIS by using the CIS API or CIS CLI plug-in.

  1. Log in to the IBM Cloud console.

    ibmcloud login

    If the login fails, run the ibmcloud login --sso command to try again. The --sso parameter is required when you log in with a federated ID. If you use this option, go to the link listed in the CLI output to generate a one-time passcode.

  2. Optional: Make sure that your account is enabled for VRF and service endpoints.

    ibmcloud account show

    The following CLI output shows the account details of a VRF and service endpoint-enabled account.

    Retrieving account John Doe's Account of john.doe@email.com...
OK

Account ID:                   d154dfbd0bc2edefthyufffc9b5ca318
Currently Targeted Account:   true
Linked Softlayer Account:     1008967
VRF Enabled:                  true
Service Endpoint Enabled:     true

    To learn how to set up your account for connecting to a private network, see Enabling VRF and service endpoints.

Step 3. Create a CIS resource on the private network

Test your private network connection by using the CIS CLI plug-in.

  1. Log in to a CIS private endpoint instance.

    ibmcloud login -a private.cloud.ibm.com

Using the API

Use the service endpoint's FQDN api.private.cis.cloud.ibm.com in the URL to access the service, as shown in the following example.

curl https://api.private.cis.cloud.ibm.com/v1/:crn/zones -H 'content-type: application/json' -H 'accept: application/json' -H 'x-auth-user-token: Bearer xxxxxx'