Red Hat OpenShift with IBM Db2 as a Service


Architecture diagram

Figure 1. Architecture diagram for a Red Hat OpenShift application on IBM Cloud with IBM Db2 as a Service

Figure 1 presents an architectural blueprint for a containerized workload within a Red Hat OpenShift on IBM Cloud cluster. In this setup, application data is persisted in IBM Db2 as a Service. The data is structured in relational table format to support transactional integrity and efficient querying. This architecture demonstrates how cloud-native applications can use managed database services for scalability, resiliency, and simplified operations, without losing enterprise-grade data management capabilities.

In the IBM Cloud architecture, IBM Db2 as a Service can be securely integrated with an enterprise network by using a transit virtual private cloud (VPC) setup. This transit VPC acts as a central hub for network traffic, enabling secure and scalable connectivity between cloud resources and on-premises infrastructure. To enhance security and availability, deploy virtual FortiGate appliances in High Availability mode (active-passive) within the transit VPC. These firewalls provide robust traffic inspection, virtual private network (VPN) termination, and failover capabilities, which can ensure that enterprise workloads that use IBM Db2 SaaS remain protected and resilient across hybrid environments.

VPC environments

This architecture includes four distinct VPCs. A transit VPC is interconnected with a workload VPC, where the application workloads run on the Red Hat OpenShift cluster. A service hub VPC is provisioned to host the virtual private endpoint gateways, and a management VPC, reached through a transit gateway, runs a bastion server. Together, these VPCs enable scalable and segmented network routing.

Transit VPC

The transit VPC hosts a pair of Fortinet virtual appliances that are running FortiOS, which serve as centralized network security components for managing ingress and egress traffic within the IBM Cloud environment. The Fortinet appliances function as dual-purpose security gateways:

  • VPN termination points for secure connectivity between the on-premises infrastructure and IBM Cloud, primarily for administrative and management access.
  • Layer 7 firewalls for deep packet inspection and policy enforcement on traffic that is traversing public interfaces.

Additionally, an IBM Cloud Internet Services instance is deployed in front of the Fortinet appliances, acting as a global load balancer and providing enhanced availability, performance optimization, and DDoS protection.

Workload VPC

A workload VPC is designed to host a Red Hat OpenShift cluster deployed across two distinct availability zones within the same IBM Cloud region. This multi-zone configuration helps ensure high availability and fault tolerance by distributing worker nodes across separate VPC data centers.

The containerized application that is deployed within the cluster is designed to span both availability zones. Using Red Hat OpenShift's scheduling and orchestration capabilities, the application achieves zone-level redundancy and automatic failover, simplifying high availability implementation without requiring complex custom logic. This design pattern aligns with cloud-native best practices for resilient workload deployment and supports continuous service availability in the event of zone-level disruptions.
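As an added example (not from the IBM Cloud page), the following manifests show how the zone-level redundancy described above is requested from the OpenShift scheduler: a topology spread constraint keeps the replicas balanced across the two zones of the workload VPC, and a PodDisruptionBudget keeps one zone's worth of replicas available during voluntary disruptions. The names app-api and db2-credentials and the image path are assumptions.

```yaml
# Added example, not from the IBM Cloud page: a Deployment spread across the
# two availability zones of the workload VPC, plus a PodDisruptionBudget.
# Names (app-api, db2-credentials) and the image path are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-api
spec:
  replicas: 4                # two replicas per zone across two zones
  selector:
    matchLabels:
      app: app-api
  template:
    metadata:
      labels:
        app: app-api
    spec:
      topologySpreadConstraints:
        - maxSkew: 1           # zones may differ by at most one replica
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: app-api
      containers:
        - name: api
          image: image-registry.openshift-image-registry.svc:5000/app/app-api:1.0
          env:
            # Db2 SaaS connection details come from a Secret, not the image
            - name: DB2_HOST
              valueFrom:
                secretKeyRef:
                  name: db2-credentials
                  key: host
            - name: DB2_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db2-credentials
                  key: password
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: app-api-pdb
spec:
  minAvailable: 2            # voluntary evictions cannot drop below one zone's replicas
  selector:
    matchLabels:
      app: app-api
```

If a zone becomes unavailable, the remaining zone still holds two replicas and the scheduler recreates the missing pods there once the constraint can be satisfied again.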

Management VPC

A management VPC is provisioned with a bastion host that serves as a secure entry point for administrative access to the IBM Cloud environment. Access to this bastion is restricted to VPN-authenticated sessions that originate from the on-premises network, helping ensure that connectivity is limited exclusively to management operations. This setup enforces a controlled access model, isolating administrative traffic from production workloads and enhancing the overall security posture of the cloud infrastructure.

Service hub VPC

A service hub VPC is also provisioned to host the virtual private endpoint (VPE) gateways for each of the cloud services this architecture deploys.

VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per service instance basis. The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC.

Design concepts

Red Hat OpenShift with IBM Db2 as a Service provides data storage to address data needs, containers for compute requirements, and enterprise connectivity, segmentation, isolation, and load balancing for networking. For security, this architecture provides data security and identity and access security. For resiliency, it is highly available, and it includes service management capabilities like monitoring, logging, auditing, and alerting.

Architecture scope for a cloud native application that uses IBM Db2 as a Service

Requirements

The following table outlines the requirements that are addressed in this architecture.

Requirements

Application platform:
  • The underlying platform that hosts the application should be delivered as a fully managed service, helping ensure operational efficiency, automated maintenance, and minimal administrative overhead.
Storage:
  • Provision storage infrastructure that aligns with the performance and throughput requirements of the IBM Db2 SaaS database workload.
Networking:
  • Deploy workloads in an isolated environment and enforce information flow policies.
  • Provide secure, encrypted connectivity to the cloud's private network for management purposes.
  • Support failover of the application to an alternative site in the event of planned or unplanned outages.
  • Provide capabilities to continuously identify and prioritize software vulnerabilities, detect and respond to runtime threats, and enforce configuration, permission, and compliance policies.
Security:
  • Encrypt all application data in transit and at rest to protect it from unauthorized disclosure.
  • Encrypt all security data (operational and audit logs) to protect it from unauthorized disclosure.
Resiliency:
  • Support application availability targets and business continuity policies.
  • Ensure availability of the application in the event of planned and unplanned outages.
  • Provide highly available compute, storage, network, and other cloud services to handle application load and performance requirements.
Service management:
  • Monitor system and application health metrics and logs to detect issues that might impact the availability of the application.
  • Generate alerts about issues that might impact the availability of applications to trigger appropriate responses to minimize downtime.
  • Monitor audit logs to track changes and detect potential security problems.

What's included

This architecture includes the following services and capabilities:

  • An instance of IBM Db2 as a Service (in Enterprise Plan).
  • An instance of IBM Cloud Security and Compliance Center Workload Protection to provide comprehensive security and governance capabilities across the application lifecycle. This service enables vulnerability detection and prioritization, real-time threat monitoring and response, and centralized management of configurations, access controls, and compliance policies from source code through runtime environments.
  • IBM Cloud Logs, because IBM Db2 as a Service generates platform logs and activity tracking events that can be used to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. IBM Cloud Logs can be used to visualize and create alerts on platform logs and activity tracking events.
  • IBM Cloud Monitoring, because IBM Db2 as a Service generates metrics from queue managers (for example, commit count) that are displayed in your IBM Cloud Monitoring instances.
  • IBM Cloud Object Storage, to store the logs for auditing purposes.
  • IBM Key Protect, so you can Bring Your Own Key (BYOK) to encrypt the data at rest in the IBM Db2 SaaS instance and the data in the bucket in IBM Cloud Object Storage.

The following table outlines the products or services that are used in the architecture.

Components

Application:
  • Red Hat OpenShift on IBM Cloud: the Red Hat OpenShift cluster hosts the containerized application.
Storage:
  • IBM Cloud Object Storage: logs for short-term and long-term retention (application, operational, and audit logs).
Networking:
  • Virtual Private Endpoint Gateway: virtual private endpoint that allows connectivity from the workload VPC to the IBM Db2 SaaS instance.
  • Cloud native connectivity: secure connection to cloud services such as IBM Cloud Logs, IBM Cloud Monitoring, and other services.
  • Virtual firewall appliances: the Fortinet appliances are used as a layer 7 firewall for public access to the application and as a VPN gateway for access to the management VPC.
  • IBM Cloud Internet Services: used as a global load balancer and for DDoS protection.
Security:
  • IAM: access control is managed by the Identity and Access Management service.
  • VPCs, subnets, security groups, ACLs: core network protection for web, app, and database tiers.
  • IBM Key Protect: hardware security module (HSM) and key management service.
  • IBM Cloud Secrets Manager: certificate and secrets management.
  • IBM Cloud Security and Compliance Center Workload Protection: find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
Service management:
  • IBM Cloud Monitoring: platform monitoring.
  • IBM Cloud Logs: application, operational, and audit logs.
  • IBM Cloud Event Notifications: critical events in the IBM Cloud account.