Securing your connection

To ensure that you have enhanced control and security over your data when you use IBM Cloud Monitoring, you have the option of using private routes to IBM Cloud service endpoints. Private routes are not accessible or reachable over the internet. By using the IBM Cloud private service endpoints feature, you can protect your data from threats from the public network and logically extend your private network.

You can configure the Monitoring agent to only use private endpoints.
You can configure the Monitoring instance to only allow API calls through the private endpoints.

The Monitoring service can be configured to send and receive data on either public-only or private-only endpoints. The web UI is available only on the public endpoint.

Before you begin

Some factors that you must consider when you must decide which network to choose are:

Corporate requirements on how services and applications can access cloud-based services in your account
Security on production workloads
Industry compliance regulations

For example, you might have the following requirements when you are working in the IBM Cloud:

No access to Internet to connect to IBM Cloud services
Isolated connectivity for workloads in your account

When you have these requirements, you should move from the public network to the private network.

You can configure a Monitoring agent to connect to a Monitoring instance through the public network or through the private network. By default, the agent connects through the public network.

You can make API calls through the public network or through the private network. By default, you make them through the public network.

The type of network defines the level of isolation and security that is configured to move workloads between cloud-based resources in your account. Consider connecting the Monitoring agent over the private network.

Setting up private service endpoints

Private network endpoints support routing services over the IBM Cloud private network instead of the public network. A private network endpoint provides a unique IP address that is accessible to you without a VPN connection.

Step 1: Enabling your account

If you want to use connections over the public internet, you do not have to enable Service Endpoints on your IBM Cloud account.

To use private network endpoints, you must enable the Virtual routing and forwarding (VRF) account feature.

You must first enable virtual routing and forwarding in your account, and then you can enable the use of IBM Cloud private service endpoints.

To enable VRF, you create a support case.
To enable service endpoints, you use the IBM Cloud CLI. For more information about how to enable your account, see Enabling VRF and service endpoints.

Step 2: Enforcing API calls through private endpoints

After your account is enabled for VRF and service endpoints, you can configure a Monitoring instance to only allow API calls through the private endpoints.

After you provision an instance of the Monitoring service, you can use the following CLI command to update the instance configuration and enforce private endpoints for all API commands:

ibmcloud resource service-instance-update <my-service-instance> --service-endpoints 'private'

Or you can use the Resource Controller API, with a PATCH request to the /resource_instances/{id} endpoint.

After you enable private endpoints, the API calls that are made through a public endpoint are rejected.

Step 3: Configuring a Monitoring agent to connect through private endpoints

After your account is enabled for VRF and service endpoints, you can configure a Monitoring agent to connect to an IBM Cloud Monitoring instance through the private network.

You can configure the Monitoring agent to use the private network by using a private endpoint as the ingestion URL. To get information about private endpoints, see Private endpoints.

What happens when you configure the Monitoring agent to use a private endpoint?

Private endpoints are not accessible from the public internet.
All traffic is routed to the IBM Cloud private network.

Allowing network traffic

When you have an extra firewall set up, or you customize the firewall settings in your IBM Cloud infrastructure, you need to allow network traffic to the Monitoring service.

Ingestion through an endpoint

You can choose to send data to the Monitoring service through a public or private endpoint. Notice that you may need to define a firewall rule in your host.

To get information about private endpoints, see Private endpoints.
To get information about public endpoints, see Public endpoints.

Access to the web UI through a public endpoint

To access the IBM Cloud Monitoring web UI, you may need to define a firewall rule in your host. To get information about the web UI endpoints, see Web UI endpoints.

Alert Notifications via Webhooks

To receive alert notifications by using webhooks from the Monitoring service, you may need to define firewall rules for the subnets that are invoking your webhooks. To get information about the subnets, see Subnets for webhook notifications.