Using private endpoints

Before you begin

Before you target a private endpoint for Key Protect:

1. Ensure that your IBM Cloud infrastructure account is enabled for virtual routing and forwarding (VRF).

   When you enable VRF, a separate routing table is created for your account, and connections to and from your account's resources are routed separately on the IBM Cloud network. To learn more about VRF technology, see Virtual routing and forwarding on IBM Cloud.

   Enabling VRF permanently alters networking for your account. Be sure that you understand the impact to your account and resources. After you enable VRF, it cannot be disabled.

2. Ensure that your IBM Cloud infrastructure account is enabled for service endpoints.

   After you enable VRF and service endpoints for your account, all existing and future Key Protect resources and instances become available from both the public and private endpoints.

Private endpoint settings, specifically the Internet Protocol (IP) address, may need to be manually updated during Disaster recovery and business continuity actions.

Step 1. Configure the IBM Cloud private network on your virtual server

Prepare your VSI or test machine by configuring your routing table for the IBM Cloud private network.

1. To route traffic to the IBM Cloud private network, run the following command on your VSI:

   route add -net 166.9.0.0/16 gw <gateway> dev <gateway_interface>
   

   Replace <gateway> (for example, 10.x.x.x) and <gateway_interface> (for example, eth10) with the appropriate values.

2. Optional: Verify that the route was added successfully by displaying your new routing table.

   route -n
   

Step 2. Target the Key Protect private endpoint

After you configure your VSI to accept IBM Cloud private network traffic, you can target the private endpoint for Key Protect by using the Key Protect API or Key Protect CLI plug-in.

1. In a terminal window, log in to IBM Cloud.

   ibmcloud login
   

   If the login fails, run the ibmcloud login --sso command to try again. The --sso parameter is required when you log in with a federated ID. If this option is used, go to the link listed in the CLI output to generate a one-time passcode.

2. Optional: Ensure that your account is enabled for VRF and service endpoints.

   ibmcloud account show
   

   The following CLI output shows the account details of a VRF and service endpoint-enabled account.

   Retrieving account John Doe's Account of john.doe@email.com...
   OK
   
   Account ID:                   d154dfbd0bc2edefthyufffc9b5ca318
   Currently Targeted Account:   true
   Linked Softlayer Account:     1008967
   VRF Enabled:                  true
   Service Endpoint Enabled:     true
   

   See Enabling VRF and service endpoints to learn how to set up your account for connecting to a private network.

3. Set an environment variable to target a Key Protect private endpoint.

   export KP_PRIVATE_ADDR=https://private.<region>.kms.cloud.ibm.com
   

   Replace <region> with the region abbreviation that represents the geographic area where your Key Protect instance resides. For the complete list of endpoints, see Regions and endpoints.

Step 3. Create a Key Protect resource on the private network

Test your private network connection by using the Key Protect CLI plug-in.

1. Create a root key by targeting the private endpoint.

   ibmcloud kp key create <key_name> -i <instance_ID>
   

   Replace <key_name> with a human-readable alias for easy identification of your key. Replace <instance_ID> with the IBM Cloud instance ID that identifies your Key Protect instance.

2. Optional: Verify that the key was created successfully by listing the keys that are available in your Key Protect instance.

   ibmcloud kp keys -i <instance_ID>
   

   Replace <instance_ID> with the IBM Cloud instance ID that identifies your Key Protect instance.

Next steps

You're now set to interact with Key Protect through a private endpoint.

• To find out more about managing keys with Key Protect, check out the Key Protect CLI reference doc.