Connectivity to IBM Cloud services with private endpoints
IBM Cloud services should be used only over private routes, which are not reachable from the internet. By using the IBM Cloud private endpoints feature, you keep service traffic off the public network, which protects your data from internet-borne threats and logically extends your private network into IBM Cloud.
Within a VPC, this private access is provided by a virtual private endpoint (VPE), which maps an IP address from your VPC to the IBM Cloud service. VPEs are virtual IP interfaces bound to an endpoint gateway that is created per service, or per service instance, depending on the service's operating model. The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways carry traffic between virtual server instances in your VPC and the IBM Cloud service over the private backbone; the VPC's DNS resolves the service's private hostname to the VPE address, so workloads keep using the service's normal hostname while no public route is involved. VPE for VPC gives you control over all the private addressing within your cloud.
The VPE supported services page lists all of the IBM Cloud services that support VPE and links to the private hostnames to use and any special instructions that might be needed. The list includes not only the Financial Services Validated IaaS and PaaS services that are available, but also a number of platform services, such as Cloud Identity and Access Management (IAM).
Private endpoints should be used whether you access a service through the CLI, the API, or Terraform. The client must itself have private connectivity (for example, a virtual server inside the VPC, or an on-premises host connected over Direct Link or VPN), because the private hostnames are not reachable from the public internet. For more information, see:
- Securing your connection when using the IBM Cloud CLI
- The `visibility` input parameter in Configuring the IBM Cloud Provider plug-in
Creating endpoint gateways
- Create endpoint gateways for the management and workload clusters, one in each VPC for every IBM Cloud service the clusters must reach. For more information, see Creating an endpoint gateway.
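The following Terraform configuration is an added example; it is not code from this page or from the IBM Cloud for Financial Services reference architecture. It ties together the two points above: the provider is set to `visibility = "private"` so that the Terraform run itself reaches IAM and the other control-plane APIs over private endpoints, and one endpoint gateway is created in each of the management and workload VPCs, with a reserved IP and a security group that admits only HTTPS from inside the VPC. The VPC and subnet names, the 10.0.0.0/8 range, and `var.service_crn` are assumptions; take the endpoint CRN for the service you need from the VPE supported services page.

```terraform
# Added example (not from the page). Assumes the VPCs and subnets named in
# var.vpcs already exist, and that var.service_crn is the endpoint CRN of the
# target service as listed on the VPE supported services page.

terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

variable "ibmcloud_api_key" {
  type      = string
  sensitive = true
}

variable "service_crn" {
  type        = string
  description = "Endpoint CRN of the IBM Cloud service to expose through the VPE"
}

# One gateway per VPC: management and workload (assumed names).
variable "vpcs" {
  type = map(object({ vpc_name = string, subnet_name = string }))
  default = {
    management = { vpc_name = "management-vpc", subnet_name = "management-subnet-1" }
    workload   = { vpc_name = "workload-vpc", subnet_name = "workload-subnet-1" }
  }
}

# visibility = "private" makes the provider call IBM Cloud APIs (IAM included)
# over private endpoints only; the host running terraform therefore needs
# private connectivity, or every API call fails.
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
  visibility       = "private"
}

data "ibm_is_vpc" "vpc" {
  for_each = var.vpcs
  name     = each.value.vpc_name
}

data "ibm_is_subnet" "subnet" {
  for_each = var.vpcs
  name     = each.value.subnet_name
}

# Security group attached to the VPE: only HTTPS from the VPC's own range
# (10.0.0.0/8 is an assumption; use your VPC address prefixes).
resource "ibm_is_security_group" "vpe" {
  for_each = var.vpcs
  name     = "${each.key}-vpe-sg"
  vpc      = data.ibm_is_vpc.vpc[each.key].id
}

resource "ibm_is_security_group_rule" "vpe_https_in" {
  for_each  = var.vpcs
  group     = ibm_is_security_group.vpe[each.key].id
  direction = "inbound"
  remote    = "10.0.0.0/8"
  tcp {
    port_min = 443
    port_max = 443
  }
}

resource "ibm_is_virtual_endpoint_gateway" "vpe" {
  for_each = var.vpcs
  name     = "${each.key}-vpe"
  vpc      = data.ibm_is_vpc.vpc[each.key].id

  target {
    crn           = var.service_crn
    resource_type = "provider_cloud_service"
  }

  # Reserve the VPE address in a subnet of this VPC so it stays stable.
  ips {
    subnet = data.ibm_is_subnet.subnet[each.key].id
    name   = "${each.key}-vpe-ip"
  }

  security_groups = [ibm_is_security_group.vpe[each.key].id]
}

output "vpe_ips" {
  value = { for k, gw in ibm_is_virtual_endpoint_gateway.vpe : k => gw.ips }
}
```

After `terraform apply`, a virtual server in either VPC resolves the service's hostname to the reserved VPE address, so no change to application configuration is needed. Keeping the security group tight matters: the endpoint gateway is reachable by anything in the VPC that the group admits, so scope it to the subnets that actually host the clusters rather than the whole VPC if your layout allows it.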