Set up private endpoints
Gen 2 Cloud Databases enable a secure by default approach using private connections enabled by Virtual Private Endpoints (VPE).
IBM Cloud® recommends private endpoints that restrict access to your internal network, protecting your data and applications from unwanted access and security vulnerabilities.
Private endpoints also provide greater control over network traffic to your databases for better visibility and enable you to demonstrate adherence to compliance and regulatory requirements. Gen 2 Cloud Databases support context-based restrictions that allow account owners and administrators to define and enforce access restrictions for IBM Cloud resources based on the context of access requests.
This document covers all of the Gen 2 Cloud Databases: Databases for PostgreSQL and Databases for MongoDB. Setting up Virtual Private Endpoints incurs costs: network transfer charges apply to IBM Cloud VPC services that use private endpoints. Charges are based on the volume of data transferred and follow a tiered pricing model. Use the Cost estimator to calculate an estimate based on your projected usage.
Options to connect to your VPC instance via private endpoints
You can reach your instance over private endpoints from your local device or from a client outside the VPC. A Virtual Private Endpoint (VPE) for VPC gives traffic that originates in your VPC network a private path to the service. Which steps you follow to connect to your Gen 2 (VPC) instance depends on where you connect from and where your application runs:
- VPE via VSI - A Virtual Server Instance (VSI) in your Virtual Private Cloud (VPC) connects through the Virtual Private Endpoint (VPE), which provides private connectivity between resources inside the VPC and IBM Cloud services outside it.
- VPN connection (Client to Site) - A client-to-site VPN server in the VPC lets you connect to and manage the instance from a local laptop or client; the traffic then reaches the database through the VPE. For more information, see Client to Site.
- VPC/VPN gateway (Site to Site) - A site-to-site VPN gateway gives on-premises networks private access to cloud resources through the VPE. For more information, see Site to Site.
Establishing Virtual Private Endpoints through a VSI
Step 1: Create a VPC
Use IBM Cloud instructions to create a Virtual Private Cloud (VPC). Ensure that the VPC is in the same region as your database deployment.
Step 2: Create a VSI and an SSH key
- Provision a VSI within the VPC using the instructions for creating virtual server instances in the Virtual server instances for VPC UI. Optionally, assign a floating IP to the VSI for external SSH access while testing. A floating IP exposes SSH to the public internet, so restrict the VSI's security group to your own source address and remove the floating IP when you are done.
- Generate and attach an SSH key for secure login. For detailed instructions on how to create an SSH key pair, see Getting started with SSH Keys.
- Once the key pair is ready, move the private key into the `~/.ssh` directory on your local machine to follow best practices for secure SSH key management.
- Change the permissions of the private key so that only the file owner can read it. On Unix-like systems such as macOS, run the following command:
  `$ chmod 400 ~/.ssh/<NAME_OF_THE_SSH_KEY>`
- SSH into your VSI using the following command:
  `$ ssh -i ~/.ssh/<NAME_OF_THE_SSH_KEY> root@<FLOATING_IP_ADDRESS>`
Step 3: Create a VPE
In the IBM Cloud console, click the menu icon and select VPC Infrastructure > Network > Virtual private endpoint gateways. Create a VPE for your Cloud Databases instances with these instructions.
Bind the VPE to your VPC and subnet.
Step 4: Update VPC security groups
Modify the security group on the VSI so that it allows outbound traffic to the VPE on the port your database uses, and make sure that any security group attached to the VPE gateway allows inbound traffic from the VSI on that port. Cloud Databases listen on a deployment-specific port rather than the database default, so take the port (for PostgreSQL or MongoDB) from the connection details in your service key.
Step 5: Create a service key for your database
Use the IBM Cloud CLI or UI to create a service key for the database. The service key contains the information that is needed to access the database: the endpoint host names and ports, the user credentials, and the CA certificate that clients use to verify the TLS connection. If the deployment exposes both endpoint types, use the private endpoint entries when you connect through the VPE.
Step 6: Connect to your database with private endpoints
Install and verify the required database client, and connect to the database using the connection details from the service key. The command varies by database; the table below lists the client and a sample command for each.
| Service | Client tool | Sample command |
|---|---|---|
| Databases for PostgreSQL | psql | `PGPASSWORD=<PASSWORD> psql "<CONNECTION_STRING>"`, then verify with `\list` (optional) |
| Databases for MongoDB | mongosh | `mongosh "<CONNECTION_STRING>" --eval "db.stats()"` to connect and verify |
For PostgreSQL, first copy the CA root certificate from the service key to the VSI (for example with scp, using the same SSH key you log in with), so that psql on the VSI can verify the server certificate instead of trusting the connection blindly.
Establishing Virtual Private Endpoints using a VPN connection
Use a VPN to connect to a VPC and access a VPE. The VPN lets you connect and manage your instance from a local laptop or client via the virtual private endpoint in your VPC.
Step 1: Create a VPC
Use IBM Cloud instructions to create a Virtual Private Cloud (VPC). Ensure the VPC is in the same region as your database deployment.
Step 2: Create a VPE
- In the IBM Cloud console, click the menu icon and select VPC Infrastructure > Network > Virtual private endpoint gateways. Create a VPE for your Cloud Databases instances with these instructions.
- Bind the VPE to your VPC and subnet.
Step 3: Update VPC security groups
Modify the security groups so that traffic from VPN clients can reach the VPE on the port your database uses, and make sure that any security group attached to the VPE gateway allows inbound traffic from the VPN client address range on that port. Take the port (for PostgreSQL or MongoDB) from the connection details in your service key.
Step 4: Create the VPN server
- Create an IBM Cloud Secrets Manager instance.
- Create a certificate engine in Secrets Manager and generate a certificate for the VPN server.
- Create an IAM service-to-service authorization from the VPN server to Secrets Manager so that the VPN server can securely retrieve the certificate.
- Create a VPN server for VPC, specifying the VPC created in step 1, and configure it to use the certificate stored in Secrets Manager.
You have now set up a VPN server that allows you to establish a secure tunnel to the VPC.
Step 5: Connect to the VPN
Download the VPN client file and use a VPN client to connect to the VPN.
Step 6: Connect to your database with private endpoints
With the VPN connected, install the required database client on your local machine and connect using the connection details from the service key:
| Service | Client tool | Sample command |
|---|---|---|
| Databases for PostgreSQL | psql | `PGPASSWORD=<PASSWORD> psql "<CONNECTION_STRING>"`, then verify with `\list` |
| Databases for MongoDB | mongosh | `mongosh "<CONNECTION_STRING>" --eval "db.stats()"` to connect and verify |
Establishing VPC/VPN gateway from on-premise
Use a VPC/VPN gateway for secure and private on-premises access to cloud resources.
Step 1: Create a VPC
Use IBM Cloud instructions to create a Virtual Private Cloud (VPC). Ensure the VPC is in the same region as your database deployment.
Step 2: Create a VPE
- In the IBM Cloud console, click the menu icon and select VPC Infrastructure > Network > Virtual private endpoint gateways. Create a VPE for your Cloud Databases instances with these instructions.
- Bind the VPE to your VPC and subnet.
Step 3: Update VPC security groups
Update the security groups with rules that allow traffic between the VPN gateway and the VPE on the port your database uses.
Step 4: Build your connection by creating a VPN
- Create a VPN gateway in the VPC.
- Use strongSwan, a widely used open-source IPsec implementation, to simulate an on-premises VPN gateway.
- Configure DNS resolution so that queries for the private endpoint host names are forwarded to the IBM Cloud DNS resolver; otherwise on-premises clients cannot resolve the VPE addresses.
Step 5: Log in to the network
Log in to the network by connecting through the VPN. When the site-to-site VPN is active, the secure connection path works automatically, allowing access to the on-premises VSI and the cloud bastion host.
Step 6: Connect to your database with private endpoints
Connect to your database from an on-premises location by installing and verifying the required client. The clients for each database and sample commands are shown in the following table:
| Service | Client tool | Sample command |
|---|---|---|
| Databases for PostgreSQL | psql | `PGPASSWORD=<PASSWORD> psql "<CONNECTION_STRING>"`, then verify with `\list` (optional) |
| Databases for MongoDB | mongosh | `mongosh "<CONNECTION_STRING>" --eval "db.stats()"` to connect and verify |
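Before running the client commands from any of the three Step 6 tables above (VSI, VPN and on-premises), it is worth confirming that you are really on the private path. The following script is an added example and is not part of the IBM Cloud documentation or tooling. It assumes a Unix-like client with getent, awk and sed, and every URI, host name and address in it is a constructed placeholder rather than a value from a real service key. It checks that the connection string asks for TLS verification (libpq's `sslmode=verify-full`, or `tls=true` together with `tlsCAFile` for MongoDB), extracts the host names, and refuses to proceed unless each one resolves only to RFC 1918 addresses, which is what a VPE reserved IP in your own subnet looks like.

```shell
#!/bin/sh
# Added example, not IBM Cloud code: pre-flight checks for a private-endpoint
# connection to a Gen 2 Cloud Databases instance.  All host names, addresses
# and URIs here are constructed placeholders, not values from a real service key.
set -eu

# Print the host name(s) in a connection URI, one per line.  Works for libpq
# URIs (postgres://user:pw@host:port/db?options) and MongoDB URIs that list
# several comma-separated host:port pairs.  Credentials containing '@', '/'
# or '?' must already be percent-encoded, as the URI specs require.
uri_host() {
  rest=${1#*://}          # drop the scheme
  rest=${rest%%/*}        # drop /database?options
  rest=${rest%%\?*}       # drop ?options when there is no path component
  rest=${rest##*@}        # drop user:password@
  printf '%s\n' "$rest" | tr ',' '\n' | sed 's/:[0-9]*$//'
}

# Return 0 when an IPv4 dotted quad is in an RFC 1918 range (10/8, 172.16/12,
# 192.168/16).  A VPE is a reserved IP inside your own VPC subnet, so the
# private-endpoint host name must resolve to such an address; a public
# address means the client is about to leave the VPC.
is_private_ip() {
  ip=$1
  case "$ip" in
    *.*.*.*) ;;
    *) return 1 ;;
  esac
  a=${ip%%.*}; r=${ip#*.}
  b=${r%%.*};  r=${r#*.}
  c=${r%%.*};  d=${r#*.}
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in
      *.*|''|*[!0-9]*) return 1 ;;   # fifth octet, empty or non-numeric octet
    esac
    [ "$o" -le 255 ] || return 1
  done
  [ "$a" -eq 10 ] && return 0
  [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
  return 1
}

# Return 0 when the connection string asks the client to verify the server
# certificate and host name: sslmode=verify-full for libpq, tls=true plus a
# tlsCAFile for MongoDB.  Anything weaker accepts an on-path attacker even
# inside a private network.
requires_tls_verification() {
  case "$1" in
    postgres://*|postgresql://*)
      case "$1" in *sslmode=verify-full*) return 0 ;; esac ;;
    mongodb://*)
      case "$1" in *tls=true*tlsCAFile=*|*tlsCAFile=*tls=true*) return 0 ;; esac ;;
  esac
  return 1
}

# Resolve a host name and succeed only if every IPv4 address it returns is
# private.  Needs the DNS view of the VPC, so run it on the VSI, over the
# VPN, or on an on-premises host whose resolver forwards to IBM Cloud DNS.
host_is_private() {
  addrs=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u) || return 1
  [ -n "$addrs" ] || return 1
  for addr in $addrs; do
    is_private_ip "$addr" || return 1
  done
  return 0
}

# Run all checks for one connection URI; exit status 0 means "safe to connect".
preflight() {
  uri=$1
  requires_tls_verification "$uri" || { echo "refusing: TLS verification is not enabled in the URI" >&2; return 1; }
  for h in $(uri_host "$uri"); do
    if host_is_private "$h"; then
      echo "ok: $h resolves only to private addresses"
    else
      echo "refusing: $h resolves to a public or unknown address" >&2
      return 1
    fi
  done
}

# Usage: sh preflight.sh 'postgres://admin:<PASSWORD>@<PRIVATE_HOST>:<PORT>/ibmclouddb?sslmode=verify-full'
# Without an argument nothing is resolved, so the functions can be sourced and tested offline.
if [ "$#" -gt 0 ]; then
  preflight "$1"
fi
```

Run it on the same host that will run psql or mongosh, with the connection string taken from the service key as its only argument; a non-zero exit means either the string does not enable certificate and host-name verification or a host name resolved outside the private ranges, and in both cases the client command should not be run until the cause is understood.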