IBM Cloud Docs
Virtual Private Endpoints

This document covers all the IBM Cloud Databases: Databases for DataStax, Databases for Elasticsearch, Databases for EnterpriseDB, Databases for etcd, Databases for MongoDB, Databases for PostgreSQL, Databases for Redis, IBM Cloud® Databases for MySQL, and Messages for RabbitMQ.

IBM Cloud® Virtual Private Endpoint (VPE) for IBM Cloud® Virtual Private Cloud provides connection points to IBM services on the IBM private network from your VPC network.

Using Virtual Private Endpoints

Virtual Private Endpoints (VPEs) are generally available in all regions.

Before you begin

Setting up your VPE

  1. Create an IBM Cloud® Virtual Private Cloud. Follow the Getting started instructions here.

  2. Make sure that your VPC has at least one VSI (virtual server instance) and that you can connect to it. You can use the UI, CLI, or API to provision a VSI from the Virtual server instances page in the IBM Cloud console:

    1. Use this information when you're creating generation 1 virtual server instances.
    2. Use this information when you're creating generation 2 virtual server instances.
  3. Make sure your Cloud Databases deployment's private endpoint is enabled.

  4. In the IBM Cloud console, click the menu icon and select VPC Infrastructure -> Network -> Virtual private endpoint gateways. Create a VPE gateway for your Cloud Databases instance by following the instructions on that page.

  5. After you create your VPE, it might take a few minutes for the VPE and the private DNS (pDNS) records to become active in your VPC. The VPE is ready when an IP address is shown in its details view.

  6. To make sure pDNS is functioning for your VPE, ssh into your VSI and run nslookup <instance_hostname> for each hostname of your deployment. Every hostname must resolve to the same private address, the IP address reserved for the VPE; a public address in the answer means traffic is not going through the VPE. The following example shows the output from running nslookup on the instance hostnames host-0.private.databases.appdomain.cloud, host-1.private.databases.appdomain.cloud, and host-2.private.databases.appdomain.cloud:

    root@test-vpc-vsi:~# nslookup host-0.private.databases.appdomain.cloud
    Server:		127.0.0.53
    Address:	127.0.0.53#53
    Non-authoritative answer:
    Name:	host-0.private.databases.appdomain.cloud
    Address: 10.240.64.6
    
    root@test-vpc-vsi:~# nslookup host-1.private.databases.appdomain.cloud
    Server:		127.0.0.53
    Address:	127.0.0.53#53
    Non-authoritative answer:
    Name:	host-1.private.databases.appdomain.cloud
    Address: 10.240.64.6
    
    root@test-vpc-vsi:~# nslookup host-2.private.databases.appdomain.cloud
    Server:		127.0.0.53
    Address:	127.0.0.53#53
    Non-authoritative answer:
    Name:	host-2.private.databases.appdomain.cloud
    Address: 10.240.64.6    < ---- your VPE IP address
    
  7. You can now use your instance from the VSI. For example, with the mongo shell (the three hostnames are the ones resolved in the previous step, 30066 is the deployment's port, and <ca-cert-file> stands for the deployment's CA certificate that you copied to the VSI):

    mongo -u $USERNAME -p $PASSWORD --tls --tlsCAFile /root/<ca-cert-file> --authenticationDatabase admin --host replset/host-0.private.databases.appdomain.cloud:30066,host-1.private.databases.appdomain.cloud:30066,host-2.private.databases.appdomain.cloud:30066

    Passing the password as a command-line argument exposes it in the shell history and in the process list of the VSI. Omit the value after -p and the mongo shell prompts for it instead.
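The resolution check from step 6, as an added example that is not part of the IBM Cloud documentation: a POSIX shell script to run on the VSI that resolves each deployment hostname, rejects any answer that is not an RFC 1918 address (a public answer means traffic would not use the VPE), and requires every hostname to resolve to the same private address. The RESOLVER variable is an assumption of this script (it defaults to nslookup and exists only so the checks can be exercised against canned resolver output), and the hostnames in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud docs. Run on a VSI inside the VPC after
# creating the VPE gateway. RESOLVER defaults to nslookup; it is overridable only
# so the checks can be exercised against canned resolver output.
RESOLVER=${RESOLVER:-nslookup}

# is_rfc1918 IP: succeed only if IP is a dotted quad in 10/8, 172.16/12 or
# 192.168/16. A VPE gateway address is reserved from a VPC subnet, so it is private.
is_rfc1918() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# answer_ip: print the first answer address from nslookup output on stdin.
# The resolver's own "Address: 127.0.0.53#53" line carries a "#port" suffix and
# is skipped, so an NXDOMAIN reply yields no output at all.
answer_ip() {
  awk '$1 == "Address:" && $2 !~ /#/ { print $2; exit }'
}

# check_resolution HOST...: resolve every host and require one identical private
# answer for all of them. Prints that address and returns 0 on success; on
# failure prints the reason to stderr and returns 1.
check_resolution() {
  [ "$#" -gt 0 ] || { echo 'usage: check_resolution HOST...' >&2; return 1; }
  expected=
  for host in "$@"; do
    ip=$("$RESOLVER" "$host" 2>/dev/null | answer_ip)
    if [ -z "$ip" ]; then
      echo "$host: no answer from private DNS (VPE or pDNS not ready yet?)" >&2
      return 1
    fi
    if ! is_rfc1918 "$ip"; then
      echo "$host resolves to public address $ip; traffic would bypass the VPE" >&2
      return 1
    fi
    if [ -z "$expected" ]; then
      expected=$ip
    elif [ "$ip" != "$expected" ]; then
      echo "$host resolves to $ip but earlier hosts resolved to $expected" >&2
      return 1
    fi
  done
  printf '%s\n' "$expected"
}

# Usage on the VSI (constructed hostnames; substitute your deployment's):
#   check_resolution host-0.private.databases.appdomain.cloud \
#                    host-1.private.databases.appdomain.cloud \
#                    host-2.private.databases.appdomain.cloud
```

Source the file on the VSI and call check_resolution with all hostnames of the deployment; a non-zero exit with a message on stderr tells you whether pDNS has not propagated yet, whether a hostname still resolves publicly, or whether the hostnames disagree, which are the three states you would otherwise have to spot by eye in the nslookup output.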
    

VPE Discoverability

Following the previous steps results in a database instance with private endpoints that is reachable through the Virtual Private Endpoint from your VPC network.

Database instances with private endpoints are reachable from any account on the IBM Cloud private network, not only from your own account. The private endpoint is a network path, not an access control: authentication is what gates access to each instance. To restrict access further to specific IP addresses or ranges of IP addresses, configure allowlisting on the deployment.

A MongoDB deployment cannot support both public and private endpoints simultaneously, and the endpoint type that you choose cannot be changed after provisioning.

For more information, see Secure access to services by using service endpoints.

More resources