IBM Cloud Docs

Service Endpoints Integration

All Cloud Databases deployments integrate with IBM Cloud Service Endpoints, so that connections to a deployment can arrive from the public internet or over the IBM Cloud private network.

Service Endpoints are available in all IBM Cloud Multi-Zone Regions and some single-campus multizone regions. Deployments in all other regions are able to use Service Endpoints.

Public Endpoints

Public endpoints provide a connection to your deployment over the public network. At provisioning time, a public endpoint is the default option for all deployments. Your environment needs internet access to connect to a deployment through its public endpoint.

For enhanced security, connect to your Cloud Databases deployments over private endpoints rather than public endpoints, so that no listener for the deployment is exposed to the public internet.

Private Endpoints

A deployment with a service endpoint on the private network gets an endpoint that is not accessible from the public internet. All traffic is routed to hardware dedicated to Cloud Databases deployments and remains on the IBM Cloud Private network. All traffic to and from this endpoint is free and unmetered on the condition that the traffic remains in IBM Cloud. After your environment has access to the IBM Cloud Private network, an internet connection is not required to connect to your deployment.

For more information, see Secure access to services using service endpoints.

A private endpoint is not an access-control list: a deployment with a private endpoint is reachable from any IBM Cloud account on the private network, and only the deployment's own authentication gates access to each instance. To restrict that access to specific IP addresses, or ranges of IP addresses, configure Context-based restrictions for the deployment.

Enabling Service Endpoints

To use connections over the public internet, you do not have to enable Service Endpoints on your IBM Cloud account. To enable private networking on your deployments, follow the instructions at Enabling VRF and service endpoints.

Currently, enabling virtual routing and forwarding (VRF) on an account with classic infrastructure is a manual step that is handled by support ticket; for VPC, VRF is enabled automatically. After you submit the request, check the status of the ticket on your Support page in IBM Cloud.

Provisioning with Service Endpoints through the UI

To configure your deployment's endpoints at provisioning time, use the Endpoints field on the catalog page. Select one of the available options:

  • Public Network
  • Private Network
  • Both public and private network

Databases for MongoDB deployments cannot have both public and private endpoints at the same time, and the endpoint type that you select for MongoDB at provisioning cannot be changed afterwards.

Provisioning with Service Endpoints through the CLI

Service Endpoints are enabled through an optional parameter when you provision through the CLI. Provisioning is handled by the Resource Controller. Pass one of public, private, or public-and-private to the --service-endpoints parameter:

ibmcloud resource service-instance-create <instance-name> <service-name> <plan> <region> --service-endpoints <endpoint-type>

All Cloud Databases deployments except Databases for MongoDB allow public and private networking to be enabled at the same time.

Provisioning with Service Endpoints through the API

Service Endpoints are enabled through an optional parameter when you provision through the API. Provisioning is handled by the Resource Controller: send a POST request to its /resource_instances endpoint and, in the parameters object of the request body, set service-endpoints to one of public, private, or public-and-private.

All Cloud Databases deployments except Databases for MongoDB allow public and private networking to be enabled at the same time.

Changing Service Endpoints

After you deploy, you can change the public and private service endpoint configuration of any deployment except Databases for MongoDB.

Changing Service Endpoints through the UI

In the Overview tab of your deployment's dashboard, go to the Endpoints section. Toggle which types of connections are available to your deployment.

Changing the type of endpoints available on your deployment does not cause any downtime from a database perspective. However, if you disable an endpoint that is being used by you or your applications, those connections are dropped.

Changing Service Endpoints through the CLI

Use the ibmcloud resource service-instance-update command in the CLI, specifying the endpoint type with the --service-endpoints flag:

ibmcloud resource service-instance-update <instance-name> --service-endpoints <endpoint-type>

Changing the type of endpoints available on your deployment does not cause any downtime from a database perspective. However, if you disable an endpoint that is being used by you or your applications, those connections are dropped.

Changing Service Endpoints through the API

Use the Resource Controller API: send a PATCH request to the /resource_instances/{id} endpoint with service-endpoints set in the parameters object of the request body.

Changing the type of endpoints available on your deployment does not cause any downtime from a database perspective. However, if you disable an endpoint that is being used by you or your applications, those connections are dropped.
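The two Resource Controller calls described above, provisioning with a chosen endpoint type and changing it later, as an added example that is not code from this page or from IBM. It builds and validates the request bodies and refuses the combinations the page rules out (an unknown endpoint type, public-and-private on Databases for MongoDB, and any change at all for MongoDB). The base URL, the body fields name, target, resource_group, resource_plan_id and parameters, and the reading of the service name from a plan id prefix such as databases-for-mongodb-standard are assumptions, not statements from the page.

```python
"""Build and validate the Resource Controller requests that set a Cloud
Databases deployment's service-endpoints parameter: POST /v2/resource_instances
when provisioning and PATCH /v2/resource_instances/{id} when changing it later.

Added example, not code from the page or from IBM. Assumed rather than taken
from the page: the base URL, the request body fields, and that the service can
be read from a plan id prefix such as "databases-for-mongodb-standard".
"""
import json
import shlex

RC_BASE = "https://resource-controller.cloud.ibm.com/v2"  # assumed base URL
ENDPOINT_TYPES = ("public", "private", "public-and-private")
MONGODB = "databases-for-mongodb"


def service_of(plan_id: str) -> str:
    """'databases-for-postgresql-standard' -> 'databases-for-postgresql' (assumed naming)."""
    return plan_id.rsplit("-", 1)[0]


def validate_endpoint_type(service: str, endpoint_type: str) -> str:
    """Reject what the page says is invalid: an unknown endpoint type, or
    public-and-private on Databases for MongoDB."""
    if endpoint_type not in ENDPOINT_TYPES:
        raise ValueError(
            f"service-endpoints must be one of {ENDPOINT_TYPES}, got {endpoint_type!r}")
    if service == MONGODB and endpoint_type == "public-and-private":
        raise ValueError(
            "Databases for MongoDB cannot have public and private endpoints at the same time")
    return endpoint_type


def create_request(name: str, plan_id: str, region: str, resource_group_id: str,
                   endpoint_type: str = "private") -> dict:
    """Provisioning request; defaults to private only, the page's recommendation."""
    validate_endpoint_type(service_of(plan_id), endpoint_type)
    body = {
        "name": name,
        "target": region,                     # assumed: deployment location such as us-south
        "resource_group": resource_group_id,
        "resource_plan_id": plan_id,
        "parameters": {"service-endpoints": endpoint_type},
    }
    return {"method": "POST", "url": f"{RC_BASE}/resource_instances", "body": body}


def update_request(instance_id: str, plan_id: str, endpoint_type: str) -> dict:
    """Change request for an existing deployment. Disabling an endpoint that is
    in use drops those connections, so check for active clients before sending."""
    service = service_of(plan_id)
    if service == MONGODB:
        raise ValueError("Databases for MongoDB endpoints cannot be changed after provisioning")
    validate_endpoint_type(service, endpoint_type)
    return {
        "method": "PATCH",
        "url": f"{RC_BASE}/resource_instances/{instance_id}",
        "body": {"parameters": {"service-endpoints": endpoint_type}},
    }


def as_curl(request: dict) -> str:
    """Render a request as a curl command line; the IAM token is read from
    $IAM_TOKEN when the command runs rather than being written into it."""
    return (
        f'curl -X {request["method"]} {shlex.quote(request["url"])} '
        '-H "Authorization: Bearer $IAM_TOKEN" -H "Content-Type: application/json" '
        f'-d {shlex.quote(json.dumps(request["body"]))}'
    )


if __name__ == "__main__":
    print(as_curl(create_request("my-pg", "databases-for-postgresql-standard",
                                 "us-south", "<resource-group-id>")))
    print(as_curl(update_request("<instance-id>", "databases-for-postgresql-standard",
                                 "public-and-private")))
```

Obtain the bearer token with ibmcloud iam oauth-tokens and export it as IAM_TOKEN before running the printed commands; keeping the token out of the command text keeps it out of shell history and process listings.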

Credentials for Private Endpoints

Use either public or private connection strings with any set of credentials that you create on your deployment. By default, the connection strings for a set of credentials are filled with the public endpoint. If you are using private endpoints, request that connection strings containing the private endpoint be generated instead.

When you create credentials in the Service Credentials UI, pass either { "service-endpoints": "public" } or { "service-endpoints": "private" } as the inline configuration parameter to specify which endpoint is filled into the connection strings.

In the API, use the /deployments/{id}/users/{userid}/connections/{endpoint_type} endpoint to retrieve connection strings for either public or private endpoints.

If your deployment has only private endpoints, all new credentials have private endpoints in their connection strings. Credentials created earlier keep the connection strings they were generated with, so review existing credentials rather than assuming they changed along with the deployment.
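A check for the situation just described, as an added example that is not code from this page or from IBM: given a service-credentials document, it reports whether each driver section's hosts and composed connection strings point at the public or the private endpoint, so that an application meant to stay on the private network is not silently handed public connection strings. The two credential documents are constructed samples trimmed to the connection.<driver>.hosts and composed fields; the rule that private hostnames end in .private.databases.appdomain.cloud is an assumption, as are the host names themselves.

```python
"""Audit Cloud Databases service credentials for the endpoint that their
connection strings use.

Added example, not code from the page or from IBM. PUBLIC_CREDS and
PRIVATE_CREDS are constructed samples; the private-hostname suffix is assumed.
"""
from urllib.parse import urlsplit

PRIVATE_SUFFIX = ".private.databases.appdomain.cloud"  # assumed private-endpoint suffix


def endpoint_type(hostname: str) -> str:
    """Classify a host taken from a connection string as 'private' or 'public'."""
    return "private" if hostname.lower().endswith(PRIVATE_SUFFIX) else "public"


def audit_credentials(credentials: dict) -> list:
    """One finding per driver section: which endpoint types its hosts list and
    its composed URIs use, and whether the two agree."""
    findings = []
    for driver, section in credentials.get("connection", {}).items():
        if not isinstance(section, dict) or "hosts" not in section:
            continue  # the "cli" section carries command arguments, not hosts
        host_types = {endpoint_type(h["hostname"]) for h in section["hosts"]}
        uri_hosts = [urlsplit(uri).hostname for uri in section.get("composed", [])]
        uri_types = {endpoint_type(h) for h in uri_hosts if h}
        findings.append({
            "driver": driver,
            "endpoints": sorted(host_types | uri_types),
            "consistent": not uri_types or uri_types == host_types,
        })
    return findings


def private_only(credentials: dict) -> bool:
    """True when every host in every connection string is a private endpoint."""
    findings = audit_credentials(credentials)
    return bool(findings) and all(f["endpoints"] == ["private"] for f in findings)


def _sample(hostname: str) -> dict:
    # Constructed credential document in the shape of Cloud Databases credentials.
    return {
        "connection": {
            "cli": {"bin": "psql",
                    "arguments": [[f"host={hostname} port=31234 dbname=ibmclouddb"]]},
            "postgres": {
                "scheme": "postgres",
                "database": "ibmclouddb",
                "hosts": [{"hostname": hostname, "port": 31234}],
                "composed": [f"postgres://ibm_cloud_user:REDACTED@{hostname}:31234"
                             "/ibmclouddb?sslmode=verify-full"],
            },
        }
    }


# Credentials generated with the default parameters carry the public endpoint;
# those generated with {"service-endpoints": "private"} carry the private one.
PUBLIC_CREDS = _sample(
    "c0ffee00-0000-4000-8000-000000000001.1a2b3c4d.databases.appdomain.cloud")
PRIVATE_CREDS = _sample(
    "c0ffee00-0000-4000-8000-000000000001.1a2b3c4d.private.databases.appdomain.cloud")


if __name__ == "__main__":
    for label, creds in (("public", PUBLIC_CREDS), ("private", PRIVATE_CREDS)):
        print(label, audit_credentials(creds), "private-only:", private_only(creds))
```

Run it against the JSON you export from the Service Credentials page (json.load the file and pass it to private_only) as a deployment-time gate: if the deployment is private-only, every credential an application reads should pass.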

Connecting Through Private Endpoints

Cloud Databases offers both private and public cloud service endpoints. To run your application, or to reach a private endpoint from a browser, on a machine that is not on the private network, take these additional steps:

  • Ensure that your Cloud IaaS (SoftLayer) account is enabled for private endpoints.
  • Create a virtual server instance (VSI) that runs Linux.
  • Configure a user account with SSH access.
  • From your workstation, run ssh -D 2345 user@vsi-host to start an SSH session and open a SOCKS proxy on port 2345 that forwards all traffic through the VSI.
  • Configure your browser or application to use a SOCKS5 proxy on localhost:2345.
  • Run your application, or open the private endpoint in your browser (for example, a management UI).
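What "use a SOCKS5 proxy on localhost:2345" means on the wire, as an added example that is not code from this page or from IBM: the client performs the SOCKS5 method negotiation and CONNECT request against the proxy that ssh -D exposes, sending the private endpoint's hostname in the request (the DOMAINNAME address type) so that the VSI on the private network resolves it, rather than the workstation. FakeSocksProxy is a constructed stand-in for ssh's SOCKS listener so the exchange can run offline; the proxy port, target hostname and target port are illustrative assumptions.

```python
"""SOCKS5 CONNECT through the proxy that `ssh -D 2345 user@vsi-host` opens.

Added example, not code from the page or from IBM. The target hostname and
port are assumptions; FakeSocksProxy is a constructed stand-in for sshd's
SOCKS listener, used only so the exchange can be exercised offline.
"""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-exchange")
        buf += chunk
    return buf


def socks5_connect(proxy_host: str, proxy_port: int, dest_host: str, dest_port: int,
                   timeout: float = 10.0) -> socket.socket:
    """Return a socket whose far end is dest_host:dest_port, tunnelled via the proxy."""
    name = dest_host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 DOMAINNAME address")
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        # Method negotiation: offer only NO AUTHENTICATION, which is what ssh -D uses.
        sock.sendall(struct.pack("!BBB", SOCKS_VERSION, 1, NO_AUTH))
        ver, method = struct.unpack("!BB", _recv_exact(sock, 2))
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError(f"proxy refused no-auth (ver={ver}, method={method:#x})")
        # CONNECT with ATYP=DOMAINNAME: the proxy resolves the name on the VSI side,
        # so a private hostname the workstation cannot resolve or reach still works.
        sock.sendall(struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name))
                     + name + struct.pack("!H", dest_port))
        ver, rep, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(sock, 4))
        # Consume BND.ADDR and BND.PORT whatever address type the proxy replied with.
        if atyp == ATYP_IPV4:
            _recv_exact(sock, 4 + 2)
        elif atyp == ATYP_IPV6:
            _recv_exact(sock, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
        else:
            raise ConnectionError(f"unknown address type {atyp:#x} in reply")
        if ver != SOCKS_VERSION or rep != 0:
            raise ConnectionError(f"CONNECT failed: {REPLY_TEXT.get(rep, rep)}")
        return sock
    except Exception:
        sock.close()
        raise


class FakeSocksProxy(threading.Thread):
    """Constructed stand-in for ssh's SOCKS listener: accepts one CONNECT,
    records the requested target, replies success and echoes a 5-byte probe."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.create_server(("127.0.0.1", 0))
        self.port = self.listener.getsockname()[1]
        self.requested = None

    def run(self):
        conn, _ = self.listener.accept()
        with conn, self.listener:
            _ver, nmethods = struct.unpack("!BB", _recv_exact(conn, 2))
            _recv_exact(conn, nmethods)
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            _ver, cmd, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(conn, 4))
            if cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
                conn.sendall(struct.pack("!BBBBIH", SOCKS_VERSION, 7, 0, ATYP_IPV4, 0, 0))
                return
            host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("idna")
            (port,) = struct.unpack("!H", _recv_exact(conn, 2))
            self.requested = (host, port)
            conn.sendall(struct.pack("!BBBBIH", SOCKS_VERSION, 0, 0, ATYP_IPV4, 0, 0))
            conn.sendall(_recv_exact(conn, 5))


def demo(dest_host: str = "deploy-id.private.databases.appdomain.cloud",
         dest_port: int = 31234) -> tuple:
    """Drive one CONNECT through the fake proxy; returns the target it was asked for
    and the echoed probe."""
    proxy = FakeSocksProxy()
    proxy.start()
    with socks5_connect("127.0.0.1", proxy.port, dest_host, dest_port) as sock:
        sock.sendall(b"probe")
        echoed = _recv_exact(sock, 5)
    proxy.join(timeout=5)
    return proxy.requested, echoed
```

Against a real session started with ssh -D 2345 -N user@vsi-host, call socks5_connect("127.0.0.1", 2345, host, port) with the hostname and port from your private connection string, then wrap the returned socket with ssl.create_default_context(cafile=...).wrap_socket(sock, server_hostname=host) before handing it to the database driver. Tools that take a proxy setting should be told to resolve names through the proxy as well (curl's --socks5-hostname, PySocks' rdns=True); a plain --socks5 setting resolves on the workstation first, which is exactly what a private endpoint is meant to prevent.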

Using Virtual Private Endpoints

For more information, see Virtual Private Endpoints.