Securing your connection
To ensure that you have enhanced control and security over your data when you use IBM® Log Analysis, you have the option that use private routes to IBM Cloud service endpoints. Private routes are not accessible or reachable over the internet. By using the IBM Cloud Private service endpoints feature, you can protect your data from threats from the public network and logically extend your private network.
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
Before you begin
Consider the following factors when you must decide which network to choose:
- Corporate requirements on how services and applications can access cloud-based services in your account.
- Security on production workloads.
- Industry compliance regulations.
For example, you might have the following requirements when you are working in the IBM Cloud:
- No access to Internet to connect to IBM Cloud services.
- Isolated connectivity for workloads in your account.
When you have these requirements, consider moving from the public network to the private network.
You can configure a logging agent to connect to an IBM Log Analysis instance through the public network or through the private network. By default, the agent connects through the public network.
The type of network defines the level of isolation and security that is configured to move workloads between cloud-based resources in your account. Consider connecting the logging agent over the private network.
Setting up private service endpoints for IBM Log Analysis
Private network endpoints support routing services over the IBM Cloud Private network instead of the public network.
- A private network endpoint provides a unique IP address that is accessible to you without a VPN connection.
- Private endpoints work between regions offering a global network. You can run your applications and services in Dallas, and connect to a logging instance in Sydney with a private endpoint.
Step 1. Enabling your account
To use private network endpoints, the following account features must be enabled for your account:
-
Virtual routing and forwarding (VRF)
-
Service endpoints
Enabling service endpoints means that all users in the account can connect to private network endpoints.
You must first enable virtual routing and forwarding in your account, and then you can enable the use of IBM Cloud private service endpoints.
- To enable VRF, you create a support case.
- To enable service endpoints, you use the IBM Cloud CLI. For more information about how to enable your account, see Enabling VRF and service endpoints.
Step 2. Setting a private endpoint
After your account is enabled for VRF and service endpoints, you can configure a logging agent to connect to an IBM Log Analysis instance through the private network.
A service instance can have a private network endpoint, a public network endpoint, or both.
- A public network endpoint is a service endpoint on the IBM Cloud public network.
- A private network endpoint is a service endpoint that is accessible only on the IBM Cloud Private network.
The IBM Log Analysis service offers private API endpoints.
Step 3. Configure your logging agent
You can configure the logging agent to use the private network by using a private endpoint as the ingestion URL.
What happens when you configure the logging agent to use a private endpoint?
- Private endpoints are not accessible from the public internet.
- All traffic is routed to the IBM Cloud Private network.
- Services like IBM Log Analysis are no longer served on an internet routable IP address.
Limitations that use private endpoints
The logging web UI is not supported on the private network.