Using service endpoints with Code Engine

All IBM Cloud® Code Engine projects offer integration with IBM Cloud® service endpoints. This support gives you the ability to connect from your classic infrastructure to Code Engine workloads and stay within the IBM Cloud network.

You can control the visibility of Code Engine workloads and specify whether to expose the application or function to public or private endpoints. An application or function that is configured for visibility = private, is accessed through service endpoints. Applications or functions that are accessed through a service endpoint do not leave the IBM network and stay within the IBM Cloud network.

Public endpoints

Public endpoints provide a connection to your deployment on the public network. At provision time, a public endpoint is the default option for all deployments. Your environment needs to have internet access to connect to a deployment.

Private endpoints

A deployment with a service endpoint on the private network gets an endpoint that is not accessible from the public internet. All traffic is routed to hardware dedicated to Code Engine deployments and remains on the IBM Cloud private network. All traffic to and from this endpoint is free and does not incur charges on the condition that the traffic remains in IBM Cloud. After your environment has access to the IBM Cloud private network, an internet connection is not required to connect to your deployment.

Code Engine application deployments with private endpoints are reachable from any account within the private network and access to each instance requires authentication. To restrict this access to specific IP addresses, ranges of IP addresses, IBM Cloud services, or VPCs, configure context-based restriction rules.

Managing Code Engine resources securely by using service endpoints

Specify a Code Engine project to use the private endpoint. You can configure a Code Engine project to use the private endpoint only with the CLI. To create a project, use the ibmcloud ce project create command with the --endpoint=private option.
```
ibmcloud ce project create --name myproject --endpoint=private
```
Wait until the project is in active status. With the CLI, you can confirm the project status by using the ibmcloud ce project get command.

If you want an existing Code Engine project to use the private endpoint, use the ibmcloud ce project select command with the --endpoint=private option.
```
ibmcloud ce project select --name myproject --endpoint=private
```
For the project create and project select commands, if the --endpoint option is not explicitly specified, the behavior is determined by the system. If the IBM Cloud CLI is connected to private.cloud.ibm.com, the Code Engine project behaves as if --endpoint is private. If the IBM Cloud CLI is connected to cloud.ibm.com, the Code Engine project behaves as if --endpoint is public.

If you did not create a new project and you selected an existing project, and you want your application to only be visible to the private endpoint, confirm the existing project supports applications with private visibility. Use the ibmcloud ce project get command to verify the output for Application Private Visibility Supported is set to true. If the value is false, contact IBM support to enable this capability within your existing project.

ibmcloud ce project get -n myproject

Example output

Getting project 'myproject'...
OK

Name:                                      myproject
ID:                         abcdabcd-abcd-abcd-abcd-f1de4aab5d5d
Status:                                    active
Enabled:                                   true
Application Private Visibility Supported:  false
Selected:                                  true
Region:                                    us-south
Resource Group:             default
Service Binding Service ID: ServiceId-1234abcd-abcd-abcd-1111-1a2b3c4d5e6f
Age:                        52d
Created:                                   Tue, 28 Sep 2021 05:12:16 -0500
Updated:                                   Tue, 28 Sep 2021 05:12:19 -0500

Quotas:
Category                                  Used  Limit
App revisions                             1     60
Apps                                      1     20
Build runs                                1     100
Builds                                    2     100
Configmaps                                2     100
CPU                                       0     64
Ephemeral storage                         0     256G
Instances (active)                        0     250
Instances (total)                         0     2500
Job runs                                  0     100
Jobs                                      0     100
Memory                                    0     256G
Secrets                                   6     100
Subscriptions (cron)                      0     100
Subscriptions (IBM Cloud Object Storage)  0     100
Subscriptions (Kafka)                     0     100

Create an application or function that is only visible to the private endpoint. Use the ibmcloud ce application create or the ibmcloud ce function create command with the --visibility=private option. Alternatively, you can use the console to create or update an application or function and set the visibility of your app.
```
ibmcloud ce application create -n myapp --visibility=private
```

Accessing your application securely with service endpoints

From your Code Engine project, confirm that your application is configured with a visibility=private setting. See Deploying your application with a private endpoint.
Retrieve the URL of the Code Engine application that is exposed to the private network. The URL is in the following format: <app>.<uuid>.private.<region>.codeengine.appdomain.cloud.
- From the Code Engine console, go to the Domain mappings tab for your application to view the visibility of an application and its available URLs.
- From the Code Engine CLI, use the ibmcloud ce application get command with the --option url option. In the following example, because the visibility of the myapp is set to visibility=private, specifying --option url with this command outputs the URL to the private network.
```
ibmcloud ce application get -n myapp -output url
```
  Example output
```
http://myapp.4svg40kna19.private.us-south.codeengine.appdomain.cloud
```
Call the application from within the IBM Cloud private network (for instance, by calling the application from the IBM Cloud Shell).

The myapp application is a simple Hello World application. When you execute the myapp application using cURL, Hello World is returned. For example, from the IBM Cloud Shell, run:
```
curl http://myapp.4svg40kna19.private.us-south.codeengine.appdomain.cloud
```

Accessing your function securely with service endpoints

From your Code Engine project, confirm that your function is configured with a visibility=private setting. See Deploying your function with a private endpoint.
Retrieve the URL of the Code Engine function that is exposed to the private network. The URL is in the following format: <function>.<uuid>.private.<region>.codeengine.appdomain.cloud.
- From the Code Engine console, go to the Domain mappings tab for your function to view the visibility of the function and its available URLs.
- From the Code Engine CLI, use the ibmcloud ce function get command. In the following example, because the visibility of the myfunction is set to visibility=private, this command outputs the URL to the private network.
```
ibmcloud ce function get -n myfunction
```
  Example output
```
http://myfunction.1abc23def19.private.us-south.codeengine.appdomain.cloud
```