Using virtual private endpoints for VPC to privately connect to Direct Link

IBM Cloud® Virtual Private Endpoints (VPE) for VPC enables you to connect to Direct Link from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC.

VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per service, or service instance, basis (depending on the service operation model). The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communications from virtual server instances within your VPC and IBM Cloud® service on the private backbone. VPE for VPC gives you the experience of controlling all the private addressing within your cloud. For more information, see About virtual private endpoint gateways.

Before you begin

Before you target a virtual private endpoint for IBM Cloud®, you must complete the following tasks.

Ensure that a Virtual Private Cloud is created.
Make a plan for your virtual private endpoints.
Ensure that correct access controls are set for your virtual private endpoint.
Understand the limitations of having a virtual private endpoint.
Understand how to view details about a virtual private endpoint.

Setting up a VPE for Direct Link

When you create a VPE gateway by using the CLI or API, you must specify the Cloud Resource Name (CRN) of the region in which you want connect to Direct Link. Review the following table for the available regions and CRNs to use to create your VPE gateway.

Direct Link supports VPEs in all the VPC regions as shown.

Table 1. Region availability and Cloud Resource Names (CRNs) for connecting Direct Link over IBM Cloud private networks
Location	Region	Cloud Resource Name (CRN)
Dallas	`us-south`	`crn:v1:bluemix:public:container-registry:us-south:::endpoint:vpe.us-south.container-registry.cloud.ibm.com`
Frankfurt	`eu-de`	`crn:v1:bluemix:public:container-registry:eu-de:::endpoint:vpe.eu-de.container-registry.cloud.ibm.com`
London	`eu-gb`	`crn:v1:bluemix:public:container-registry:eu-gb:::endpoint:vpe.eu-gb.container-registry.cloud.ibm.com`
Osaka	`jp-osa`	`crn:v1:bluemix:public:container-registry:jp-osa:::endpoint:vpe.jp-osa.container-registry.cloud.ibm.com`
Sao Paulo	`br-sao`	`crn:v1:bluemix:public:container-registry:br-sao:::endpoint:vpe.br-sao.container-registry.cloud.ibm.com`
Sydney	`au-syd`	`crn:v1:bluemix:public:container-registry:au-syd:::endpoint:vpe.au-syd.container-registry.cloud.ibm.com`
Tokyo	`jp-tok`	`crn:v1:bluemix:public:container-registry:jp-tok:::endpoint:vpe.jp-tok.container-registry.cloud.ibm.com`
Toronto	`ca-tor`	`crn:v1:bluemix:public:container-registry:ca-tor:::endpoint:vpe.ca-tor.container-registry.cloud.ibm.com`
Washington DC	`us-east`	`crn:v1:bluemix:public:container-registry:us-east:::endpoint:vpe.us-east.container-registry.cloud.ibm.com`

Configuring an endpoint gateway

To configure a virtual private endpoint gateway, follow these steps:

List the available services, including IBM Cloud infrastructure services available (by default) for all VPC users.
Create an endpoint gateway for Direct Link that you want to be privately available to the VPC.
Bind a reserved IP address to the endpoint gateway.
View the created VPE gateways associated with the Direct Link. For more information, see Viewing details of an endpoint gateway.

Now your virtual server instances in the VPC can access your Direct Link instance privately through it.

Using your VPE for Direct Link

After you create an endpoint gateway for Direct Link, follow these steps:

Using the VPE with the CLI

Use the following steps to update to the latest version of the CLI and the Direct Link plug-in.

Update the IBM Cloud CLI to the latest version:
```
ibmcloud update
```
Update the Direct Link CLI plug-in:
```
ibmcloud plugin update dl-cli
```

Using the VPE with the VPC API

After creating an endpoint gateway for the Direct Link service, use the service endpoints FQDN private.directlink.cloud.ibm.com in the URL to access the service. For example:

curl https://private.directlink.cloud.ibm.com/v1/direct_links?version='2020-03-31' -H "Authorization: Bearer $iam_token"

Using the VPE with the SDK

After creating an endpoint gateway for Direct Link, you must use the private endpoint's FQDN when setting the service's FQDN during construction of the direct link service object.

private.directlink.cloud.ibm.com

For examples of setting the service's FQDN for the specific SDK language, see SDK API examples.

Using the VPE with Terraform

If you plan to access the Direct Link service using Terraform, make sure to set the IBMCLOUD_DL_API_ENDPOINT environment variable to private.directlink.cloud.ibm.com. For example:

export IBMCLOUD_DL_API_ENDPOINT=private.directlink.cloud.ibm.com

For more information, see Direct Link resources and data sources.