Using virtual private endpoints for VPC to privately connect to CIS
IBM Cloud® Virtual Private Endpoints (VPE) for VPC enables private connectivity from your VPC network to CIS by using the IP addresses of your choosing that are allocated from a subnet within your VPC.
VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per service, or service instance, basis (depending on the service operation model). The endpoint gateway is a virtualized component that scales horizontally, is redundant, highly available, and spans all availability zones in your VPC. VPE gateways enable communication between virtual server instances in your VPC and cloud services. VPE for VPC gives you the experience of controlling all the private addressing within your cloud. For more information, see About virtual private endpoint gateways.
Before you begin
Before you target a VPE for CIS, you must complete the following tasks.
- Ensure that a Virtual Private Cloud is created.
- Make a plan for your virtual private endpoints.
- Ensure that correct access controls are set for your VPE.
- Review VPE limitations.
Setting up a VPE for CIS
When you create a VPE by using the CLI or API, use the following CRN information.
| Location | Region | Cloud Resource Name (CRN) |
|---|---|---|
| Global | global | crn:v1:bluemix:public:internet-svcs:global:::: |
Configuring an endpoint gateway
To configure a VPE gateway, follow these steps:
- List the available services, including IBM Cloud infrastructure services that are available by default to all VPC users.
- Create an endpoint gateway for CIS that you want to be privately available to the VPC.
- Bind a reserved IP address to the endpoint gateway.
- View the created VPE gateways associated with the CIS instance. For more information, see Viewing details of an endpoint gateway.
Now your virtual server instances in the VPC can privately access your CIS instance through the VPE gateway.
Using an endpoint gateway for CIS
After you create a VPE for CIS, follow these steps:
Using an endpoint gateway from the CLI
To update to the latest version of the CLI and the CIS plug-in, follow these steps:
- Update the IBM Cloud CLI to the latest version:
  ibmcloud update
- Update the CIS CLI plug-in:
  ibmcloud plugin update cloud-internet-services
- Log in by using the private IBM Cloud endpoint at private.cloud.ibm.com. For more information about logging into the private cloud, see Securing your connection when using the IBM Cloud CLI.
Using an endpoint gateway with the VPC API
After you create a VPE for CIS, use the service endpoint FQDN api.private.cis.cloud.ibm.com in the URL to access the service. For example:
curl https://api.private.cis.cloud.ibm.com/v1/internet-svcs -H "Authorization: Bearer $iam_token"
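The following check is an added example, not part of the IBM Cloud documentation. Run from a virtual server instance in the VPC, it confirms that api.private.cis.cloud.ibm.com resolves only to addresses inside the subnet that the endpoint gateway's reserved IP was allocated from, so that the bearer token is sent over the VPE and not to an address outside the VPC. It assumes the VPC resolver returns the reserved IP for the service FQDN; the function names and the 10.240.0.0/24 subnet are constructed for illustration.

```sh
# Added example: function names are hypothetical; 10.240.0.0/24 is a constructed subnet.
# Usage on a VSI in the VPC:
#   check_vpe_resolution api.private.cis.cloud.ibm.com 10.240.0.0/24

# Convert a dotted-quad IPv4 address to an integer; reject malformed octets.
ip_to_int() {
    vpe_ifs=$IFS; IFS=.
    set -- $1
    IFS=$vpe_ifs
    [ $# -eq 4 ] || return 1
    for vpe_o in "$@"; do
        case $vpe_o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$vpe_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed only if IPv4 address $1 lies inside CIDR $2 (status 2 = bad input).
ip_in_cidr() {
    vpe_len=${2#*/}
    case $vpe_len in ''|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$vpe_len" -le 32 ] || return 2
    vpe_addr=$(ip_to_int "$1") || return 2
    vpe_net=$(ip_to_int "${2%/*}") || return 2
    vpe_mask=$(( (0xFFFFFFFF << (32 - vpe_len)) & 0xFFFFFFFF ))
    [ $(( vpe_addr & vpe_mask )) -eq $(( vpe_net & vpe_mask )) ]
}

# Read one resolved address per line on stdin; fail if none, or any is outside $1.
check_addrs() {
    vpe_seen=0; vpe_bad=0
    while IFS= read -r vpe_ip; do
        [ -n "$vpe_ip" ] || continue
        vpe_seen=$((vpe_seen + 1))
        if ip_in_cidr "$vpe_ip" "$1"; then
            echo "OK   $vpe_ip is inside $1"
        else
            echo "FAIL $vpe_ip is outside $1"
            vpe_bad=$((vpe_bad + 1))
        fi
    done
    [ "$vpe_seen" -gt 0 ] && [ "$vpe_bad" -eq 0 ]
}

# Resolve FQDN $1 and check every IPv4 answer against subnet CIDR $2.
check_vpe_resolution() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u | check_addrs "$2"
}
```

A non-zero exit status means the name did not resolve or at least one answer fell outside the subnet; in either case, do not send the IAM token until the endpoint gateway and DNS configuration are reviewed.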
Using an endpoint gateway with the SDK
After you create a VPE for CIS, you must use the private endpoint FQDN when you set the service endpoint during construction of the CIS gateway service object.
api.private.cis.cloud.ibm.com
For examples of setting the service's FQDN for the specific SDK language, see SDK API examples.
Using an endpoint gateway with Terraform
If you plan to access CIS with Terraform, make sure to set the IBMCLOUD_PRIVATE_CIS_API_ENDPOINT environment variable to api.private.cis.cloud.ibm.com. For example:
export IBMCLOUD_PRIVATE_CIS_API_ENDPOINT=api.private.cis.cloud.ibm.com
For more information, see Getting started with Terraform on IBM Cloud.