Learning about IBM Cloud Metrics Routing architecture and workload isolation
Review the following sample architecture for IBM Cloud Metrics Routing, and learn more about different isolation levels so that you can choose the solution that best meets the requirements of the workloads that you want to run in the cloud.
IBM Cloud Metrics Routing architecture
IBM Cloud Metrics Routing is a multi-tenant, regional service that is available in IBM Cloud. With IBM Cloud Metrics Routing, you can manage collection and routing of metrics in your account.
The following figure shows the high-level architecture for IBM Cloud Metrics Routing:
IBM Cloud Metrics Routing is deployed and managed per region. See List of supported regions. In each region, the service runs in three physically separate data centers to ensure availability. All data and the configuration for each service deployment is retained within the region in which it is hosted.
You can use the IBM Cloud Metrics Routing CLI, the IBM Cloud Metrics Routing API, and IBM Cloud Metrics Routing Terraform to manage the service in your account.
You can configure the IBM Cloud Metrics Routing settings to define how to manage metrics globally in your account. For example, you can configure whether to use private endpoints only, the location of the metadata that the service requires to run, the default destinations that apply when you do not set a rule for a region where you operate, and more.
Before you can configure the resources that define how to manage metrics in the account, you must define a Primary metadata region. The Primary metadata region defines the location where metadata about your account and resources is stored. You can optionally configure a Backup metadata region. Metadata includes information about the routing rules, the account settings that define how to manage metrics in your account, and target details, including credentials that are needed to send the data to your destinations. The setting definition is a global resource that defines the account values that are used by the IBM Cloud Metrics Routing service to route metrics to your destinations.
After you configure the primary metadata region, you must create 1 or more targets, and 1 or more routes.
- A target defines a destination where you want to route metrics and store them for further analysis. A target resource definition is a regional resource. However, some of the target's details are required in the account's primary and backup metadata locations for operational purposes.
- A route defines the rules on how to route metrics across the account to your destinations (targets). A route resource definition is a global resource that defines rules whose scope might go beyond a region.
In your account, metrics are automatically collected from IBM Cloud services that run in the account, with the exception of some services that require additional configuration to enable metrics. For more information about services that generate metrics, see Cloud services.
After you configure IBM Cloud Metrics Routing in your account, metrics are routed to the target of your choice. You are responsible for managing the metrics in the target resources.
All data and the configuration that is required for the IBM Cloud Metrics Routing service deployment is retained within the region in which it is hosted.
The IBM Cloud Metrics Routing metadata in your account is hosted in the primary metadata location and the backup metadata location. You choose the primary and backup regions. You can choose any location as long as IBM Cloud Metrics Routing is available in that location.
The metrics that you route to 1 or more destinations stay in the same region where they are generated if your configuration sends them to destinations in the same region. However, you might have destinations that collect metrics from other regions, or destinations in a different IBM Cloud account. Metrics cross regions or even accounts in these scenarios. Your IBM Cloud Metrics Routing service configuration defines where metrics data is routed.
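The following added example (not IBM code and not the service's API schema) audits a routing configuration for the cross-region and cross-account flows described above, including the default targets that apply to regions without a rule. The route and target model, the account IDs, and the instance IDs are constructed for illustration; only the CRN field layout is standard.

```python
# Hypothetical, simplified model of an account's routing configuration;
# it is not the service's API schema. All sample values are constructed.

def crn_location_and_account(crn):
    """Return (location, account ID) from an IBM Cloud CRN."""
    parts = crn.split(":")
    if len(parts) < 8 or parts[0] != "crn":
        raise ValueError(f"not a CRN: {crn!r}")
    scope = parts[6]  # an account scope has the form "a/<account-id>"
    return parts[5], (scope[2:] if scope.startswith("a/") else None)

def _check(source, name, crn, account_id, via):
    location, owner = crn_location_and_account(crn)
    found = []
    if location != source:
        found.append((source, name, "cross-region", via))
    if owner != account_id:
        found.append((source, name, "cross-account", via))
    return found

def residency_findings(account_id, regions, routes, targets, default_targets=()):
    """routes: (route name, source regions, target names); targets: name -> CRN."""
    findings, covered = [], set()
    for route_name, sources, names in routes:
        covered.update(sources)
        for source in sources:
            for name in names:
                findings += _check(source, name, targets[name], account_id, route_name)
    # Regions that no route covers fall back to the account's default targets.
    for source in sorted(set(regions) - covered):
        if not default_targets:
            findings.append((source, None, "unrouted", "default"))
        for name in default_targets:
            findings += _check(source, name, targets[name], account_id, "default")
    return findings

ACCOUNT = "1111aaaa"
TARGETS = {
    "mon-dallas": "crn:v1:bluemix:public:sysdig-monitor:us-south:a/1111aaaa:inst-1::",
    "mon-central": "crn:v1:bluemix:public:sysdig-monitor:eu-de:a/2222bbbb:inst-2::",
}
ROUTES = [("local", ["us-south"], ["mon-dallas"]),
          ("eu", ["eu-de", "eu-gb"], ["mon-central"])]
FINDINGS = residency_findings(ACCOUNT, ["us-south", "eu-de", "eu-gb", "jp-tok"],
                              ROUTES, TARGETS, default_targets=["mon-dallas"])

if __name__ == "__main__":
    for finding in FINDINGS:
        print(finding)
```

Each finding is a tuple of source region, target name, finding type, and the route (or `default`) that causes it, so the output can be compared against the data-residency requirements for each workload.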
The flow of all customer data between IBM Cloud Metrics Routing and its dependencies uses private network connections. For more information about private connections, see Using service endpoints to privately connect to IBM Cloud Metrics Routing.
Connections
You can use private and public endpoints to configure IBM Cloud Metrics Routing resources in your account.
Private connections
You cannot disable private endpoints.
Public connections
You can choose to disable public endpoints for IBM Cloud Metrics Routing.
For more information, see Enforcing private endpoints to configure IBM Cloud Metrics Routing resources.
Dependencies to other IBM Cloud services
Review the IBM Cloud services that IBM Cloud Metrics Routing connects to over public or private connections.
Service name | Description |
---|---|
IBM Cloud Internet Services | IBM Cloud Internet Services is used as a provider for DNS and load-balancing capabilities. |
IBM Cloud Kubernetes Service | IBM Cloud Metrics Routing uses IBM Cloud Kubernetes Service to run its service. |
IBM Cloud Monitoring | IBM Cloud Metrics Routing integrates with Monitoring, by using a private connection, to send platform metrics. For more information, see Monitoring metrics for IBM Cloud Metrics Routing. |
IBM Cloud Platform | To authenticate requests to the service and authorize user actions, IBM Cloud Metrics Routing implements platform and service access roles in Cloud Identity and Access Management (IAM). For more information about required IAM permissions to work with the service, see Managing access for IBM Cloud Metrics Routing. Connections from IBM Cloud Metrics Routing to IAM do not use private connections. |
IBM Cloud Databases for PostgreSQL | IBM Cloud Metrics Routing uses IBM Cloud Databases for PostgreSQL for storing metadata. |
Key Protect | IBM® Key Protect for IBM Cloud® is used to store encrypted keys that are required to operate the service. This does not include Bring Your Own Key (BYOK). |
Workload isolation
Each regional deployment serves multiple tenants that are identified by the IBM Cloud account ID.
- There is 1 deployment per region that is responsible for running user workloads in the region.
- In a region, the deployment is highly available.
- The data that is collected is associated with the IBM Cloud account ID and not visible to the other users by virtue of this association.
- Data for all tenants is co-located in the same data stores and segmented by the tenant-specific IBM Cloud account ID to enforce access control policies.
- You can use Cloud Identity and Access Management (IAM) to control which users see, create, use, and manage resources.