Virtual Private Cloud

Why can't my VSIs access VPE gateway?

Virtual Private Cloud 4.15 and later

Review the following scenarios for why your VSI can't access your VPE gateway.

  • You have a VSI that is able to communicate through your registry VPE gateway until a secure by default cluster is added to the VPC, then your VSI can no longer communicate through the gateway.
  • You already have a secure by default environment and when you create a new VSI, that VSI cannot communicate through the existing gateways.

If you provision a VSI in a VPC that contains secure by default clusters, several VPE gateways are created. In a secure by default environment these gateways are attached to a security group that, by default, allows inbound traffic only from Red Hat OpenShift on IBM Cloud clusters in the VPC. A stand-alone VSI therefore has no access through the gateways.

Choose from one of the following options to resolve the issue.

  • Attach your kube-CLUSTERID security group to your VSI.

    • Each cluster in your VPC has a security group attached to its worker nodes. The name of this security group is kube-CLUSTERID.
    • This security group is already configured to talk to your VPE gateway.
    • Attaching any kube-CLUSTERID security group to your VSI allows the VSI to communicate through the VPE gateway.
    • You can attach security groups to your VSIs from the VPC console.
  • Add an inbound security group rule from your VSI security group to your VPE gateway security group.

    1. Find the security group IDs for the current VSI and for the kube-vpegw-<vpcID> security group.
      ibmcloud is security-groups
      
    2. Add an inbound rule to kube-vpegw-<vpcID> that allows traffic from your VSI's security group. The protocol value all covers ICMP, TCP, and UDP.
      ibmcloud is sg-rulec <kube-vpegw-vpcID> inbound all --remote <your-VSI-SG-ID>
      
    3. Add an outbound rule to your VSI's security group that allows traffic to kube-vpegw-<vpcID>.
      ibmcloud is sg-rulec <your-VSI-SG> outbound all --remote <ID of kube-vpegw-vpcID>
      
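The following is an added example, not part of this documentation or the IBM Cloud CLI. It is a small Python helper that reads security-group data in a shape approximating the JSON output of ibmcloud is security-groups --output json, locates the kube-vpegw-<vpcID> group and the VSI's group in the same VPC, and emits only the rule-add commands that are still missing, so the steps above can be re-run without creating duplicate rules. The JSON shape, the IDs and the group names are assumed and constructed.

```python
import json

# Constructed sample approximating `ibmcloud is security-groups --output json`.
# Assumed shape: id, name, vpc.id and rules[] with direction, protocol and remote.
SAMPLE_SG_JSON = json.dumps([
    {"id": "r006-gw01", "name": "kube-vpegw-r006-vpc1", "vpc": {"id": "r006-vpc1"},
     "rules": [{"direction": "inbound", "protocol": "all", "remote": {"id": "r006-k8s1"}}]},
    {"id": "r006-k8s1", "name": "kube-cluster1", "vpc": {"id": "r006-vpc1"}, "rules": []},
    {"id": "r006-vsi1", "name": "my-vsi-sg", "vpc": {"id": "r006-vpc1"},
     "rules": [{"direction": "outbound", "protocol": "all",
                "remote": {"cidr_block": "0.0.0.0/0"}}]},
    {"id": "r006-vsi2", "name": "locked-vsi-sg", "vpc": {"id": "r006-vpc1"}, "rules": []},
])


def rule_covers(rule, direction, peer_sg_id):
    """True if an existing rule already allows all traffic in this direction to/from peer_sg_id."""
    if rule["direction"] != direction or rule["protocol"] != "all":
        return False
    remote = rule.get("remote", {})
    # A rule whose remote is the peer security group, or any IPv4 address, already covers the peer.
    return remote.get("id") == peer_sg_id or remote.get("cidr_block") == "0.0.0.0/0"


def plan_vpe_access(sg_json, vpc_id, vsi_sg_name):
    """Return the ibmcloud commands still needed so vsi_sg_name can reach the VPE gateway SG."""
    groups = [g for g in json.loads(sg_json) if g["vpc"]["id"] == vpc_id]
    by_name = {g["name"]: g for g in groups}
    gateway = by_name.get(f"kube-vpegw-{vpc_id}")
    vsi = by_name.get(vsi_sg_name)
    if gateway is None or vsi is None:
        raise LookupError(f"gateway or VSI security group not found in VPC {vpc_id}")
    commands = []
    # Step 2: the gateway SG must admit inbound traffic from the VSI SG.
    if not any(rule_covers(r, "inbound", vsi["id"]) for r in gateway["rules"]):
        commands.append(
            f"ibmcloud is sg-rulec {gateway['id']} inbound all --remote {vsi['id']}")
    # Step 3: the VSI SG must allow outbound traffic to the gateway SG (skipped when an
    # outbound-to-anywhere rule already exists, as on the VPC default security group).
    if not any(rule_covers(r, "outbound", gateway["id"]) for r in vsi["rules"]):
        commands.append(
            f"ibmcloud is sg-rulec {vsi['id']} outbound all --remote {gateway['id']}")
    return commands


if __name__ == "__main__":
    for cmd in plan_vpe_access(SAMPLE_SG_JSON, "r006-vpc1", "locked-vsi-sg"):
        print(cmd)
```

Run the printed commands only after checking that the gateway group found is the one in your VPC; a VSI security group that already permits all outbound traffic needs no step 3 rule.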

If the issue persists, contact support. Open a support case. In the case details, be sure to include any relevant log files, error messages, or command outputs.