Connecting IBM MQ as a Service to on premises IBM MQ
Architecture diagram
The architecture diagram illustrates a reference solution that uses IBM® MQ as a Service together with IBM Cloud VPC. The diagram shows a connection to the enterprise network through the virtual private network (VPN) gateway service, but that connection is not included in the deployable architecture.
A multizone region
Virtual private cloud (VPC) environment
Transit VPC: This VPC hosts the VPE for VPC that is placed in front of IBM® MQ as a Service. It might also host a VPN gateway (in two separate subnets) if the enterprise network is connected through a VPN IPsec tunnel.
It also hosts the Private Path service (with its related Private Path network load balancer and Application Load Balancer for VPC), which allows outbound connectivity to an on-premises queue manager. A second Virtual Private Endpoint Gateway fronts the IBM Cloud Secrets Manager instance that is deployed in IBM Cloud, because the on-premises application needs to consume the certificates or API keys that are hosted there.
The solution components include:
- An instance of IBM® MQ as a Service (Reserved Capacity plan). Queue managers are deployed into this instance.
- IBM Cloud Logs: IBM® MQ as a Service generates platform logs and activity tracking events that can be used to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. IBM Cloud Logs can be used to visualize platform logs and activity tracking events and to create alerts on them.
- IBM Cloud Monitoring: IBM® MQ as a Service generates metrics from queue managers (for example, commit count) that are displayed in your IBM Cloud Monitoring instance.
- IBM Cloud Object Storage: stores the logs and audit records.
- IBM Key Protect: used for Bring Your Own Key (BYOK) to encrypt data at rest in IBM Cloud Object Storage.
- IBM Cloud Secrets Manager: an optional component of the deployable architecture, used by the queue manager to host certificates and API keys that are consumed by the client applications.
Design concepts
Requirements
The following table outlines the requirements that are addressed in this architecture.
| Aspect | Requirements |
|---|---|
| Application platform | The solution must be fully managed from end to end. |
| Storage | Provide storage that meets the MQ performance requirements. |
| Networking | Deploy workloads in an isolated environment and enforce information-flow policies. Provide secure, encrypted connectivity to the cloud's private network for management purposes. Support failover of the application to an alternative site when planned or unplanned outages occur. |
| Security | Encrypt all application data in transit and at rest to protect it from unauthorized disclosure. Encrypt all security data (operational and audit logs) to protect from unauthorized disclosure. |
| Resiliency | Support application availability targets and business continuity policies. Help ensure availability of the application when planned and unplanned outages occur. Provide highly available compute, storage, network, and other cloud services to handle application load and performance requirements. |
| Service management | Monitor system and application health metrics and logs to detect issues that might impact the availability of the application. Generate alerts/notifications about issues that might impact the availability of applications to trigger appropriate responses to minimize downtime. Monitor audit logs to track changes and detect potential security problems. |
Components
The following table outlines the products or services that are used in the architecture for each aspect.
| Aspects | Architecture components | How the component is used |
|---|---|---|
| Storage | Cloud Object Storage | Logs for short- and long-term retention (application, operational, and audit logs) |
| Networking | Virtual Private Gateway & Virtual Private Endpoint (VPE) | Virtual Private Endpoint to allow connectivity from the on-premises network through Transit Gateway |
| | Private Path Service | To allow outbound connectivity to a queue manager on premises |
| | Application Load Balancer | To allow outbound connectivity to a queue manager on premises |
| | Cloud native connectivity | Secure connection to Cloud Services (IBM Cloud Logs, IBM Cloud Monitoring, Secrets Manager, KMS, and Cloud Object Storage) |
| Security | IAM | Access control is managed by the Identity and Access Management service |
| | Virtual Private Clouds (VPCs), Subnets, Security Groups, ACLs | Core network protection for web, app, and database tiers |
| | Key Protect or HPCS | Hardware security module (HSM) and Key Management Service |
| | Secrets Manager | Certificate and secrets management |
| Service management | IBM Cloud Monitoring | Platform monitoring |
| | IBM Cloud Logs | Application and operational logs, audit logs |
| | IBM Cloud Event Notifications | Critical events in the IBM Cloud account |