Setting up VPC VPN connectivity
This VPN information is specific to VPC clusters. For VPN information for classic clusters, see Setting up VPN connectivity.
Securely connect apps and services in a VPC cluster in IBM Cloud® Kubernetes Service to on-premises networks, other VPCs, and IBM Cloud classic infrastructure resources. You can also connect apps that are external to your cluster to an app that runs inside your cluster.
The following table compares the connection options that are available based on the type of destination that you want to connect your VPC cluster to.
Destination | IBM Cloud VPC VPN | Transit Gateway | Direct Link | Classic-access VPC |
---|---|---|---|---|
On-premises networks | Yes | | Yes | |
Other VPCs | Yes | Yes | | |
Classic infrastructure resources | | Yes | | Yes |
Communication with resources in on-premises data centers
To connect your cluster with your on-premises data center, you can use the IBM Cloud® Virtual Private Cloud VPN or IBM Cloud® Direct Link.
Your on-premises address space might conflict with the IBM-provided default ranges of 172.30.0.0/16 for pods and 172.21.0.0/16 for services. To avoid such conflicts, specify a custom pod CIDR with the `--pod-subnet` option and a custom service CIDR with the `--service-subnet` option when you create the cluster from the CLI. These ranges can't be changed after the cluster is created.
If your VPN solution preserves the source IP addresses of requests, you can create custom static routes to ensure that your worker nodes can route responses from your cluster back to your on-premises network.
The 172.16.0.0/16, 172.18.0.0/16, 172.19.0.0/16, and 172.20.0.0/16 subnet ranges are prohibited because they are reserved for IBM Cloud Kubernetes Service control plane functionality.
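The following script is an added example, not part of the IBM Cloud documentation or the `ibmcloud` CLI. It checks candidate pod and service CIDRs against the four reserved control-plane ranges listed above and against the on-premises ranges that your VPN will advertise, and only then prints the `ibmcloud ks cluster create vpc-gen2` command with `--pod-subnet` and `--service-subnet` filled in. The cluster name, zone, flavor, worker count, and the `<vpc-id>` and `<subnet-id>` placeholders are assumptions to be replaced with your own values; the on-premises ranges used in the usage call are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not IBM Cloud's own code): pre-flight CIDR conflict check for
# a VPC cluster's pod and service subnets before running the cluster create.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if CIDR $1 and CIDR $2 overlap (share any address), 1 otherwise.
# Two prefixes overlap exactly when they agree on the shorter prefix length.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local len=$(( a_len < b_len ? a_len : b_len ))
  local mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# Ranges reserved for IBM Cloud Kubernetes Service control plane functionality
# (from the documentation text above); a cluster must not use them.
RESERVED_CIDRS="172.16.0.0/16 172.18.0.0/16 172.19.0.0/16 172.20.0.0/16"

# Exit status 0 when candidate CIDR $1 is clear of every CIDR in the
# space-separated list $2; each conflicting range is reported on stderr.
cidr_clear_of() {
  local candidate=$1 ok=0 r
  for r in $2; do
    if cidr_overlap "$candidate" "$r"; then
      echo "conflict: $candidate overlaps $r" >&2
      ok=1
    fi
  done
  return $ok
}

# Validate POD_CIDR and SERVICE_CIDR against the reserved ranges and the
# on-premises ranges, then print the cluster create command.
# Usage: plan_cluster_create POD_CIDR SERVICE_CIDR "ONPREM_CIDR ..."
plan_cluster_create() {
  local pod=$1 svc=$2 onprem=$3
  cidr_clear_of "$pod" "$RESERVED_CIDRS $onprem" || return 1
  cidr_clear_of "$svc" "$RESERVED_CIDRS $onprem" || return 1
  if cidr_overlap "$pod" "$svc"; then
    echo "conflict: pod CIDR $pod overlaps service CIDR $svc" >&2
    return 1
  fi
  # Assumed placeholder values: substitute your own name, zone, flavor,
  # VPC ID and subnet ID. The two --*-subnet options are the ones the text
  # above describes.
  echo "ibmcloud ks cluster create vpc-gen2 --name my-cluster --zone us-south-1" \
       "--vpc-id <vpc-id> --subnet-id <subnet-id> --flavor bx2.4x16 --workers 3" \
       "--pod-subnet $pod --service-subnet $svc"
}

# Constructed sample: the on-prem site already uses 192.168.0.0/16 and a slice of
# the default pod range, so the IBM defaults would collide but 10.x ranges are fine.
ONPREM_SAMPLE="192.168.0.0/16 172.30.0.0/20"
plan_cluster_create 172.30.0.0/16 172.21.0.0/16 "$ONPREM_SAMPLE" || echo "defaults rejected, choose custom ranges" >&2
plan_cluster_create 10.244.0.0/16 10.96.0.0/16 "$ONPREM_SAMPLE"
```

The overlap test works on prefix lengths rather than on string comparison, so a /20 carved out of the default /16 is caught just as a full-range duplicate would be. Run it with the ranges your on-premises team actually routes over the VPN; the command it prints is only a starting point and does not perform the create for you.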
IBM Cloud VPC VPN
With the IBM Cloud VPC VPN, you connect an entire VPC to an on-premises data center. This option allows you to remain VPC-native in your VPN connection setup. To get started:
- Configure an on-prem VPN gateway.
- Create a VPN gateway in your VPC, and create the connection between the VPC VPN gateway and your on-premises VPN gateway. If you have a multizone cluster, you must create a VPN gateway on a subnet in each zone where you have worker nodes.
Direct Link
With Direct Link, you can create a direct, private connection between your remote network environments and IBM Cloud Kubernetes Service without routing over the public internet. IBM Cloud Direct Link (2.0) is configured for native integration with VPC. Any clusters that you create in the VPC can access the Direct Link connection.
To get started, see Ordering IBM Cloud Direct Link Dedicated. In step 8, you can create a network connection to your VPC to be attached to the Direct Link gateway.
Communication with resources in other VPCs
To connect an entire VPC to another VPC in your account, you can use the IBM Cloud VPC VPN or IBM Cloud® Transit Gateway.
IBM Cloud VPC VPN
Create a VPN gateway on a subnet in each VPC and create a VPN connection between the two VPN gateways. For example, you can connect subnets in a VPC in one region through a VPN connection to subnets in a VPC in another region. To get started, follow the steps in Connecting two VPCs using VPN. Note that if you use access control lists (ACLs) for your VPC subnets, you must create inbound and outbound rules that allow your worker nodes to communicate with the subnets in the other VPC.
IBM Cloud Transit Gateway
Use IBM Cloud Transit Gateway to manage access between your VPCs. Transit Gateway instances can be configured to route between VPCs that are in the same region (local routing) or VPCs that are in different regions (global routing). To get started, see the Transit Gateway documentation.
Communication with IBM Cloud classic resources
If you need to connect your cluster to resources in your IBM Cloud classic infrastructure, you can set up a VPC with classic access or use IBM Cloud Transit Gateway.
Create a classic-access VPC
If you plan to connect only one VPC to classic infrastructure, you can set up a VPC for classic access. Every virtual server instance or bare metal server without a public interface on your classic infrastructure in your account can send and receive packets to and from instances in the VPC.
Before you connect a VPC to a classic infrastructure account, note the following limitations and requirements:
- You must enable the VPC for classic access when you create the VPC. You can't convert an existing VPC to use classic access.
- You can set up classic infrastructure access for only one VPC per region.
- Virtual Routing and Forwarding (VRF) is required in your IBM Cloud account.
To get started, see Setting up access to classic infrastructure.
Use IBM Cloud Transit Gateway
If you plan to connect multiple VPCs to classic infrastructure, you can use IBM Cloud Transit Gateway to manage access between your VPCs in multiple regions to resources in your IBM Cloud classic infrastructure. To get started, see the Transit Gateway documentation.