Connecting application provider to the management VPC
The management VPC should be reachable only by you, the application provider. The connection must be secured so that an attacker cannot reach the management plane and carry out malicious operations from it. There are two options for enabling this connectivity from your on-premises enterprise network: Direct Link and VPN for VPC. Alternatively, if you want to support connectivity without going through your enterprise network, you can deploy your own full tunnel client-to-site VPN solution. After a connection is established, operators complete their actions through a bastion host in the management VPC; the bastion should be the only instance that accepts inbound administrative sessions, and its security group should admit them only from the address ranges that arrive over the Direct Link or VPN connection, never from the public internet.
Operators who connect to the on-premises enterprise network from off-site (for example, from home) should do so only through a full tunnel client-to-site VPN, so that all of their traffic, not just the traffic destined for the enterprise, traverses the tunnel. Once connected to the enterprise network through the full tunnel, they can reach the management VPC and perform their duties.
Direct Link
Direct Link is the most secure way to enable connectivity from the application provider's on-premises environment to the management VPC. The speed and reliability of Direct Link extend your organization's data center network and offer more consistent, higher-throughput connectivity, keeping traffic within the IBM Cloud network rather than on the public internet. Note that Direct Link provides a private path, not encryption: if your controls require encryption in transit, add it at the application layer or run an IPsec tunnel over the Direct Link. When using Direct Link, a private Application Load Balancer for VPC (ALB), which has no public-facing address, distributes traffic among multiple server instances within the same region of your VPC.
The following diagram shows the Direct Link connection pattern.
VPN for VPC
An alternative connectivity pattern is to use the VPN for VPC service to securely connect from your private network to the management VPC. VPN for VPC can be deployed as a static route-based VPN (routes in the VPC routing table send traffic into the tunnel) or as a policy-based VPN (the local and peer CIDRs on the connection act as traffic selectors) to set up an IPsec site-to-site tunnel between your VPC and your on-premises private network, or another VPC. In either mode, use IKEv2 with strong IKE and IPsec policies and keep the pre-shared key out of source control.
The following diagram shows the VPN for VPC connection pattern.
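The following is an added example, not configuration from the IBM page or from the reference architecture's own deployable code, showing what the VPN for VPC pattern and the bastion access restriction described above look like together in the IBM Cloud Terraform provider. It assumes a policy-based gateway; the VPC name, zone, the on-premises CIDR 10.100.0.0/16, the management subnet 10.10.1.0/24 and the peer address 203.0.113.10 are placeholders, and the pre-shared key is supplied through a sensitive variable rather than written into the file.

```hcl
# Added example (not from the IBM page): VPN for VPC site-to-site tunnel
# plus a bastion security group, using the IBM Cloud Terraform provider.
# All names, CIDRs and the peer address below are assumed placeholders.

terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

variable "vpn_preshared_key" {
  type      = string
  sensitive = true # never inline the PSK; pass it via TF_VAR_ or a secrets manager
}

locals {
  onprem_cidr      = "10.100.0.0/16" # assumed on-premises enterprise network
  onprem_peer_ip   = "203.0.113.10"  # assumed public IP of the on-premises VPN device
  mgmt_subnet_cidr = "10.10.1.0/24"  # assumed management VPC subnet
}

resource "ibm_is_vpc" "management" {
  name = "fs-management-vpc"
}

resource "ibm_is_subnet" "management" {
  name            = "fs-management-subnet"
  vpc             = ibm_is_vpc.management.id
  zone            = "us-south-1" # assumed zone
  ipv4_cidr_block = local.mgmt_subnet_cidr
}

# IKE (phase 1): IKEv2 only, AES-256, SHA-256, DH group 14 or stronger.
resource "ibm_is_ike_policy" "onprem" {
  name                     = "fs-ike-policy"
  ike_version              = 2
  encryption_algorithm     = "aes256"
  authentication_algorithm = "sha256"
  dh_group                 = 14
  key_lifetime             = 28800
}

# IPsec (phase 2): AES-256 with SHA-256 integrity and PFS, so a compromised
# phase-1 key does not expose previously captured tunnel traffic.
resource "ibm_is_ipsec_policy" "onprem" {
  name                     = "fs-ipsec-policy"
  encryption_algorithm     = "aes256"
  authentication_algorithm = "sha256"
  pfs                      = "group_14"
  key_lifetime             = 3600
}

# Policy-based gateway: the local/peer CIDRs on the connection are the
# traffic selectors. For a route-based VPN set mode = "route" and add
# ibm_is_vpc_routing_table_route entries whose next_hop is the connection.
resource "ibm_is_vpn_gateway" "management" {
  name   = "fs-management-vpn-gw"
  subnet = ibm_is_subnet.management.id
  mode   = "policy"
}

resource "ibm_is_vpn_gateway_connection" "onprem" {
  name           = "fs-onprem-tunnel"
  vpn_gateway    = ibm_is_vpn_gateway.management.id
  peer_address   = local.onprem_peer_ip
  preshared_key  = var.vpn_preshared_key
  local_cidrs    = [local.mgmt_subnet_cidr]
  peer_cidrs     = [local.onprem_cidr]
  ike_policy     = ibm_is_ike_policy.onprem.id
  ipsec_policy   = ibm_is_ipsec_policy.onprem.id
  admin_state_up = true
  action         = "restart" # dead peer detection: rebuild the tunnel if the peer stops answering
}

# Bastion host security group: SSH is reachable only from the on-premises
# network that arrives through the tunnel (or Direct Link), never 0.0.0.0/0.
resource "ibm_is_security_group" "bastion" {
  name = "fs-bastion-sg"
  vpc  = ibm_is_vpc.management.id
}

resource "ibm_is_security_group_rule" "bastion_ssh_from_onprem" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = local.onprem_cidr
  tcp {
    port_min = 22
    port_max = 22
  }
}
```

The on-premises VPN device must be configured with matching IKE and IPsec proposals and the mirror image of the traffic selectors (its local CIDR is this file's peer CIDR); if the proposals differ, phase 1 or phase 2 negotiation fails and the tunnel never comes up. The bastion rule is the check that most often gets lost in practice: even with a correctly built tunnel, a security group that admits SSH from any source silently undoes the "management VPC reachable only by you" requirement.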
Full tunnel client-to-site VPN
The third connectivity option for your operators is a full tunnel client-to-site VPN, so that they do not have to be on your on-premises network. However, IBM does not provide a Financial Services Validated full tunnel client-to-site VPN solution, so if you want to use this option you need to deploy and operate your own. See Setting up full tunnel VPN with FS BIG-IP for one example of how to do this.