Overview
This pattern provides a solution design that securely connects Software-as-a-Service (SaaS) services that are hosted in IBM Cloud to a customer's on-premises resources. The solution is based on the IBM Cloud® Private Path service. The solution incorporates products that IBM Cloud customers are already familiar with, such as IBM Cloud® Virtual Private Cloud (VPC), Virtual Private Endpoint (VPE) gateways, the Private Path network load balancer, application load balancers, Direct Link, and DNS Services. It helps ensure that the point-to-point data path traverses securely over the IBM Cloud private network backbone. The objectives of this pattern are to:
- Illustrate network connectivity from SaaS services hosted in IBM Cloud to resources hosted in a customer on-premises location.
- Provide an IBM® solution design for the network elements required to initiate communication from SaaS services to resources outside of the IBM Cloud.
- Securely connect resources over private connectivity by using the Private Path service and Direct Link.
- Provide a scalable and resilient network approach by using cloud native services, which minimizes operational effort and allows for a granular, connection-based approval mechanism.
- Accelerate and simplify solution design by providing a standard IBM Cloud deployment architecture reference that follows the IBM® Architecture Design Framework.
- Ensure that requirements can be met from a performance, system availability, and security perspective.
Review the following pattern for a prescriptive, end-to-end, enterprise-class solution design with diagrams, component architecture decisions, and the rationale for the cloud component selection that meets enterprise requirements.
Background
By design, VPCs are isolated from each other on the private IBM Cloud network unless they are connected by Transit Gateway or public connectivity. The Private Path service can enable private communication between IBM Cloud VPCs where connectivity through a transit gateway is not feasible. For connectivity between a consumer and a third-party service hosted in different IBM Cloud accounts, avoid direct connections through a transit gateway when heightened security, scalability, and service-based authentication and connection management are required.
This pattern focuses on the use case where an IBM® SaaS service that is Private Path service-enabled needs to communicate privately with resources located in the customer's data center outside of IBM Cloud. It achieves this with a Private Path service connection from the IBM® SaaS service to a customer VPC, which passes traffic over a Direct Link private connection to the on-premises resources.
While you can apply this connectivity pattern to any VPC-based workload, the individual IBM Cloud service needs to support Private Path service. The scope of this pattern includes conceptual connectivity by using the Private Path service, but doesn't cover application-specific considerations that might apply.
To get familiar with Private Path concepts and check for supported IBM Cloud services, see About Private Path. For more information about use cases, see Private Path use cases.