IBM Cloud Docs
Using service endpoints with Code Engine

Using service endpoints with Code Engine

All IBM Cloud® Code Engine projects offer integration with IBM Cloud® service endpoints. This support gives you the ability to connect from your classic infrastructure to Code Engine workloads and stay within the IBM Cloud network.

You can control the visibility of Code Engine workloads and specify whether to expose the application or function to public or private endpoints. An application or function that is configured for visibility = private, is accessed through service endpoints. Applications or functions that are accessed through a service endpoint do not leave the IBM network and stay within the IBM Cloud network.

Public endpoints

Public endpoints provide a connection to your deployment on the public network. At provision time, a public endpoint is the default option for all deployments. Your environment needs to have internet access to connect to a deployment.

Private endpoints

A deployment with a service endpoint on the private network gets an endpoint that is not accessible from the public internet. All traffic is routed to hardware dedicated to Code Engine deployments and remains on the IBM Cloud private network. All traffic to and from this endpoint is free and does not incur charges on the condition that the traffic remains in IBM Cloud. After your environment has access to the IBM Cloud private network, an internet connection is not required to connect to your deployment.

Code Engine application deployments with private endpoints are reachable from any account within the private network and access to each instance requires authentication. To restrict this access to specific IP addresses, ranges of IP addresses, IBM Cloud services, or VPCs, configure context-based restriction rules.

Managing Code Engine resources securely by using service endpoints

  1. Specify a Code Engine project to use the private endpoint. You can configure a Code Engine project to use the private endpoint only with the CLI. To create a project, use the ibmcloud ce project create command with the --endpoint=private option.

    ibmcloud ce project create --name myproject --endpoint=private
    

    Wait until the project is in active status. With the CLI, you can confirm the project status by using the ibmcloud ce project get command.

    If you want an existing Code Engine project to use the private endpoint, use the ibmcloud ce project select command with the --endpoint=private option.

    ibmcloud ce project select --name myproject --endpoint=private
    

    For the project create and project select commands, if the --endpoint option is not explicitly specified, the behavior is determined by the system. If the IBM Cloud CLI is connected to private.cloud.ibm.com, the Code Engine project behaves as if --endpoint is private. If the IBM Cloud CLI is connected to cloud.ibm.com, the Code Engine project behaves as if --endpoint is public.

  2. If you did not create a new project and you selected an existing project, and you want your application to only be visible to the private endpoint, confirm the existing project supports applications with private visibility. Use the ibmcloud ce project get command to verify the output for Application Private Visibility Supported is set to true. If the value is false, contact IBM support to enable this capability within your existing project.

    ibmcloud ce project get -n myproject
    

    Example output

    Getting project 'myproject'...
    OK
    
    Name:                                      myproject
    ID:                         abcdabcd-abcd-abcd-abcd-f1de4aab5d5d
    Status:                                    active
    Enabled:                                   true
    Application Private Visibility Supported:  false
    Selected:                                  true
    Region:                                    us-south
    Resource Group:             default
    Service Binding Service ID: ServiceId-1234abcd-abcd-abcd-1111-1a2b3c4d5e6f
    Age:                        52d
    Created:                                   Tue, 28 Sep 2021 05:12:16 -0500
    Updated:                                   Tue, 28 Sep 2021 05:12:19 -0500
    
    Quotas:
    Category                                  Used  Limit
    App revisions                             1     60
    Apps                                      1     20
    Build runs                                1     100
    Builds                                    2     100
    Configmaps                                2     100
    CPU                                       0     64
    Ephemeral storage                         0     256G
    Instances (active)                        0     250
    Instances (total)                         0     2500
    Job runs                                  0     100
    Jobs                                      0     100
    Memory                                    0     256G
    Secrets                                   6     100
    Subscriptions (cron)                      0     100
    Subscriptions (IBM Cloud Object Storage)  0     100
    Subscriptions (Kafka)                     0     100
    
  3. Create an application or function that is only visible to the private endpoint. Use the ibmcloud ce application create or the ibmcloud ce function create command with the --visibility=private option. Alternatively, you can use the console to create or update an application or function and set the visibility of your app.

    ibmcloud ce application create -n myapp --visibility=private
    

Accessing your application securely with service endpoints

  1. From your Code Engine project, confirm that your application is configured with a visibility=private setting. See Deploying your application with a private endpoint.

  2. Retrieve the URL of the Code Engine application that is exposed to the private network. The URL is in the following format: <app>.<uuid>.private.<region>.codeengine.appdomain.cloud.

    • From the Code Engine console, go to the Domain mappings tab for your application to view the visibility of an application and its available URLs.

    • From the Code Engine CLI, use the ibmcloud ce application get command with the --option url option. In the following example, because the visibility of the myapp is set to visibility=private, specifying --option url with this command outputs the URL to the private network.

      ibmcloud ce application get -n myapp -output url
      

      Example output

      http://myapp.4svg40kna19.private.us-south.codeengine.appdomain.cloud
      
  3. Call the application from within the IBM Cloud private network (for instance, by calling the application from the IBM Cloud Shell).

    The myapp application is a simple Hello World application. When you execute the myapp application using cURL, Hello World is returned. For example, from the IBM Cloud Shell, run:

    curl http://myapp.4svg40kna19.private.us-south.codeengine.appdomain.cloud
    

Accessing your function securely with service endpoints

  1. From your Code Engine project, confirm that your function is configured with a visibility=private setting. See Deploying your function with a private endpoint.

  2. Retrieve the URL of the Code Engine function that is exposed to the private network. The URL is in the following format: <function>.<uuid>.private.<region>.codeengine.appdomain.cloud.

    • From the Code Engine console, go to the Domain mappings tab for your function to view the visibility of the function and its available URLs.

    • From the Code Engine CLI, use the ibmcloud ce function get command. In the following example, because the visibility of the myfunction is set to visibility=private, this command outputs the URL to the private network.

      ibmcloud ce function get -n myfunction
      

      Example output

      http://myfunction.1abc23def19.private.us-south.codeengine.appdomain.cloud