IBM Cloud® Monitoring

Virtual Private Endpoints

This document covers all the IBM Cloud Databases: Databases for PostgreSQL, Databases for MongoDB, Databases for Redis, Databases for Elasticsearch, IBM Cloud® Databases for MySQL, Messages for RabbitMQ, Databases for EnterpriseDB and Databases for etcd.

IBM Cloud® Virtual Private Endpoint (VPE) provides connection points to IBM services on the IBM private network from your VPC network.

Using Virtual Private Endpoints

Virtual Private Endpoints (VPEs) are generally available in all regions.

Before you begin

Log in to the IBM Cloud console.
You need to have a Cloud Databases deployment. You can provision one from the IBM Cloud catalog. Give your deployment a memorable name that appears in your account's Resource List.

Setting up your VPE

Create an IBM Cloud® Virtual Private Cloud. Follow the getting started instructions.
Make sure that your VPC has at least one virtual server instance (VSI), and that the VPC can connect to the VSI. You can use the UI, CLI, and API to provision a VSI. Follow the getting started instructions.
Make sure your Cloud Databases deployment's private endpoint is enabled.
In the IBM Cloud console, click the menu icon and select -> VPC Infrastructure -> Network -> Virtual private endpoint gateways. Create a VPE for your Cloud Databases instances with these instructions.
After you create your VPE, it might take a few minutes for the new VPE and pDNS to complete the process and begin working for your VPC. Completion is confirmed when you see an IP address set in the details view of the VPE.

To make sure pDNS is functioning for your VPE, ssh into your VSI and run the following:

nslookup <instance_hostname>

The following example shows the output from running nslookup on instance hostnames of host-0.private.databases.appdomain.cloud, host-1.private.databases.appdomain.cloud, and host-2.private.databases.appdomain.cloud:

root@test-vpc-vsi:~# nslookup host-0.private.databases.appdomain.cloud
Server:		127.0.0.53
Address:	127.0.0.53#53
Non-authoritative answer:
Name:	host-0.private.databases.appdomain.cloud
Address: 10.240.64.6

root@test-vpc-vsi:~# nslookup host-1.private.databases.appdomain.cloud
Server:		127.0.0.53
Address:	127.0.0.53#53
Non-authoritative answer:
Name:	host-1.private.databases.appdomain.cloud
Address: 10.240.64.6

root@test-vpc-vsi:~# nslookup host-2.private.databases.appdomain.cloud
Server:		127.0.0.53
Address:	127.0.0.53#53
Non-authoritative answer:
Name:	host-2.private.databases.appdomain.cloud
Address: 10.240.64.6    < ---- your VPE IP address

You can now use your instance in the VSI. See the following example:

mongo -u $USERNAME -p $PASSWORD --tls --tlsCAFile /root/   c--authenticationDatabase admin --host replset/host-0.private.databaseappdomain.   cloud:30066,host-1.private.databases.appdomain.cloud:30066,host-private.   databases.appdomain.cloud:30066

VPE discoverability

Following the previous steps results in a database instance with private endpoints that is reachable with the Virtual Private Endpoints from your VPC network.

Database instances with private endpoints are reachable from any account within the private network and access to each instance requires authentication. To restrict this access to specific IP addresses, or ranges of IP addresses, configure Context-based restrictions or allowlisting.

A MongoDB deployment cannot support both public and private endpoints simultaneously. This cannot be changed after provisioning.

For more information, see Secure access to services by using service endpoints.

More resources

Planning for virtual private endpoint gateways.
Creating an endpoint gateway.
For further assistance, see the FAQs for virtual private endpoints, and the Troubleshooting VPE gateways documentation that includes how to fix communications issues.