Using virtual private endpoints for VPC to privately connect to IBM Log Analysis
IBM Cloud® Virtual Private Endpoints (VPE) for VPC enables you to connect to IBM Log Analysis from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC.
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per service, or service instance, basis (depending on the service operation model). The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communications between virtual server instances within your VPC and IBM Cloud® services on the private backbone. VPE for VPC gives you the experience of controlling all the private addressing within your cloud. For more information, see About virtual private endpoint gateways.
Before you begin
Before you target a virtual private endpoint for IBM Log Analysis, you must complete the following tasks.
- Ensure that a Virtual Private Cloud is created.
- Make a plan for your virtual private endpoints.
- Ensure that correct access controls are set for your virtual private endpoint.
- Understand the limitations of having a virtual private endpoint.
- Understand how to view details about a virtual private endpoint.
Virtual private endpoint settings, specifically the Internet Protocol (IP) address, might need to be manually updated during Disaster recovery and business continuity actions.
Virtual Private Service Endpoints
The following table lists the regions where the IBM Log Analysis service supports VPE. It also lists the IBM Log Analysis endpoints supported from each region. You can connect to the IBM Log Analysis service in another region by using the supported endpoints. For example, from the Sydney region, you can use the IBM Log Analysis service in the us-south region by using the us-south endpoint.
When connecting to a VPE via CLI or API, you will need to specify the CRN of the region that you will use to connect to the IBM Log Analysis service. Use the table below to locate the CRN of the target region.
Region | Endpoints Supported in Region | CRN
---|---|---
Dallas (us-south) | api.private.us-south.logging.cloud.ibm.com, logs.private.us-south.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:us-south:::endpoint:api.private.us-south.logging.cloud.ibm.com
Frankfurt (eu-de) | api.private.eu-de.logging.cloud.ibm.com, logs.private.eu-de.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:eu-de:::endpoint:api.private.eu-de.logging.cloud.ibm.com
London (eu-gb) | api.private.eu-gb.logging.cloud.ibm.com, logs.private.eu-gb.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:eu-gb:::endpoint:api.private.eu-gb.logging.cloud.ibm.com
Madrid (eu-es) | api.private.eu-es.logging.cloud.ibm.com, logs.private.eu-es.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:eu-es:::endpoint:api.private.eu-es.logging.cloud.ibm.com
Osaka (jp-osa) | api.private.jp-osa.logging.cloud.ibm.com, logs.private.jp-osa.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:jp-osa:::endpoint:api.private.jp-osa.logging.cloud.ibm.com
Sao Paulo (br-sao) | api.private.br-sao.logging.cloud.ibm.com, logs.private.br-sao.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:br-sao:::endpoint:api.private.br-sao.logging.cloud.ibm.com
Sydney (au-syd) | api.private.au-syd.logging.cloud.ibm.com, logs.private.au-syd.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:au-syd:::endpoint:api.private.au-syd.logging.cloud.ibm.com
Tokyo (jp-tok) | api.private.jp-tok.logging.cloud.ibm.com, logs.private.jp-tok.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:jp-tok:::endpoint:api.private.jp-tok.logging.cloud.ibm.com
Toronto (ca-tor) | api.private.ca-tor.logging.cloud.ibm.com, logs.private.ca-tor.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:ca-tor:::endpoint:api.private.ca-tor.logging.cloud.ibm.com
Washington (us-east) | api.private.us-east.logging.cloud.ibm.com, logs.private.us-east.logging.cloud.ibm.com | crn:v1:bluemix:public:logdna:us-east:::endpoint:api.private.us-east.logging.cloud.ibm.com
Using Virtual Private Endpoints
Before you begin
- You need an IBM Cloud account.
- You need an IBM Log Analysis instance. You can provision one from the IBM Cloud catalog. Give your instance a memorable name that appears in your account's Resource List.
Setting up your VPE
- Create an IBM Cloud® Virtual Private Cloud. Follow the Getting started instructions here.
- Make sure that your VPC has at least one VSI (virtual server instance), and that you can connect to the VSI. You can use the UI, CLI, and API to quickly provision IBM Cloud® Virtual Private Cloud from the Virtual server instances page in IBM Cloud console. For more information, see Creating virtual server instances.
- Make sure your IBM Log Analysis deployment's private endpoint is enabled.
- In the IBM Cloud console, click the menu icon and select Infrastructure > VPC Layout > Network > Virtual private endpoint gateways. Create a VPE for your IBM Log Analysis instances with the following instruction.
- After you create your VPE, it might take a few minutes for the new VPE and pDNS to complete the process and begin working for your VPC. Completion is confirmed when you see an IP address set in the details view of the VPE.
- To make sure pDNS is functioning for your VPE, ssh into your VSI and run nslookup <instance_hostname>. The following example shows the output from running nslookup on instance hostnames of api.private.us-east.logging.cloud.ibm.com and logs.private.us-east.logging.cloud.ibm.com:

      root@test-vpc-vsi:~# nslookup api.private.us-east.logging.cloud.ibm.com
      Server: 161.26.0.7
      Address: 161.26.0.7#53

      Non-authoritative answer:
      Name: api.private.us-east.logging.cloud.ibm.com
      Address: 10.241.65.4

      root@test-vpc-vsi:~# nslookup logs.private.us-east.logging.cloud.ibm.com
      Server: 161.26.0.7
      Address: 161.26.0.7#53

      Non-authoritative answer:
      Name: logs.private.us-east.logging.cloud.ibm.com
      Address: 10.241.65.4

  In these examples 10.241.65.4 is your VPE IP address.
- You can now use your instance in the VSI.
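
The pDNS check in the nslookup step can be automated so that a log endpoint answering with an address outside your VPC is caught before agents start shipping logs. The following is an added example, not part of the IBM documentation: it parses nslookup output and confirms that every answer for the hostname falls inside the subnet the VPE IP was reserved from. The subnet 10.241.65.0/24, the function names, and both sample outputs are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the shape of the nslookup output shown in the step above.
HOST = "api.private.us-east.logging.cloud.ibm.com"
SAMPLE_OK = """\
Server:         161.26.0.7
Address:        161.26.0.7#53

Non-authoritative answer:
Name:   api.private.us-east.logging.cloud.ibm.com
Address: 10.241.65.4
"""
# Constructed failure case: 203.0.113.0/24 is a documentation-only range.
SAMPLE_OUTSIDE = SAMPLE_OK.replace("10.241.65.4", "203.0.113.10")
VPC_SUBNET = "10.241.65.0/24"  # assumption: the subnet the VPE IP was reserved from


def parse_answers(nslookup_output):
    """Map each answered name to its addresses.

    The resolver's own "Address: x#53" line precedes any Name line, so it is skipped.
    """
    answers, current = {}, None
    for raw in nslookup_output.splitlines():
        line = raw.strip()
        name = re.match(r"Name:\s*(\S+)", line)
        addr = re.match(r"Address:\s*(\S+)", line)
        if name:
            current = name.group(1).rstrip(".").lower()
            answers.setdefault(current, [])
        elif addr and current:
            answers[current].append(addr.group(1))
    return answers


def check_vpe_resolution(nslookup_output, hostname, vpc_subnet):
    """Return (ok, reason): ok only if every answer for hostname is inside vpc_subnet."""
    net = ipaddress.ip_network(vpc_subnet)
    addrs = parse_answers(nslookup_output).get(hostname.lower(), [])
    if not addrs:
        return False, "no answer for " + hostname
    outside = []
    for a in addrs:
        try:
            if ipaddress.ip_address(a) not in net:
                outside.append(a)
        except ValueError:
            outside.append(a)  # an unparseable answer is treated as a failure
    if outside:
        return False, "outside " + vpc_subnet + ": " + ", ".join(outside)
    return True, "VPE address " + ", ".join(addrs)
```

On a VSI, pass the captured output of nslookup for each of the api.private and logs.private hostnames to check_vpe_resolution, with the CIDR of the subnet your VPE IP was reserved from.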
VPE Discoverability
Following the previous steps results in an IBM Log Analysis instance with private endpoints that is reachable with the Virtual Private Endpoints from your VPC network.
For more information, see Setting up private service endpoints for IBM Log Analysis.
More resources
- Planning for virtual private endpoint gateways
- Creating an endpoint gateway
- For further assistance, see the FAQs for virtual private endpoints here, and the Troubleshooting VPE gateways documentation that includes how to fix communications issues here.