IBM Cloud Docs
Connect cloud services to on-premises environments

Use this reference architecture for scenarios where you want Software-as-a-Service (SaaS) services that are hosted on IBM Cloud and are Private Path-enabled to communicate privately with resources located in the customer’s data center outside of IBM Cloud.

Architecture diagram

Solution architecture for connecting cloud services to on-premises environments by using the Private Path service.

  1. The IBM Cloud service initiates traffic by connecting to the Private Path service endpoint name that was specified during creation (for example, customer.internal). A private DNS entry for the SaaS service instance, configured during the setup process, resolves that name to the Virtual Private Endpoint (VPE).
  2. The VPE Gateway forwards the traffic to the Private Path network load balancer (Private Path NLB).
  3. The Private Path NLB has an application load balancer (ALB) configured as a member of its back-end pool (so that traffic can be forwarded to targets outside the customer VPC) and forwards the request to the ALB.
  4. The ALB has the on-premises targets configured in its back-end pool and forwards the traffic to those targets over the Direct Link connection.
  5. The on-premises application returns traffic to the ALB over the established connection.
  6. The ALB returns traffic directly to the VPE Gateway by direct server return (DSR).
  7. The VPE Gateway sends the traffic back to the IBM Cloud service.

High availability and resiliency for connecting cloud services to on-premises environments by using the Private Path service.

The architecture uses IBM Cloud services with regional availability to provide resiliency. The VPE Gateway, Private Path NLB, ALB, and Transit Gateway span the availability zones within the region. High availability is achieved through a multi-availability-zone deployment of the IBM Cloud service, complemented by redundant Direct Link connections for private on-premises access.

Design scope

Following the Architecture Design Framework, this pattern for connecting cloud services to on-premises environments by using Private Path covers design considerations and architecture decisions for the following aspects and domains:

  • Networking: Enterprise connectivity, cloud-native connectivity, load balancing, DNS
  • Security: Identity and Access
  • Resiliency: High availability
  • Service management: Monitoring, logging

Network and component architecture for connecting cloud services to on-premises environments by using the Private Path service.

The Architecture Framework provides a consistent approach to design cloud solutions by addressing requirements across a set of "aspects" and "domains", which are technology-agnostic architectural areas that need to be considered for any enterprise solution. For more information, see Introduction to the Architecture Design Framework.

Requirements

The following aspects represent a baseline set of requirements that are applicable to most clients and critical to successfully connecting cloud services to on-premises environments by using the Private Path service.

Requirements by aspect:

  • Network: Secure and private access from IBM® SaaS services to resources located in the customer's on-premises data center.
  • Security: Targeted and directional private connectivity between IBM Cloud services and client on-premises workloads, allowing only consumers to initiate connections to the provider's service endpoint.
  • Resiliency: Resilient to availability zone failure.
  • Service management: Provide health and system monitoring with the ability to monitor and correlate performance metrics and events, and provide alerting across applications and infrastructure.

Components

The following table outlines the products or services used in the architecture for each aspect.

Components by aspect (architecture component: how the component is used):

Networking
  • Direct Link: Private enterprise connectivity from customer data centers to IBM Cloud for access to applications, data, and services.
  • Virtual Private Gateway & Virtual Private Endpoint (VPE): Allows consumers to connect to a provider's service by using the service's cloud resource name (CRN).
  • Private Path service: Associates a provider's service with a Private Path NLB to manage incoming connectivity requests. Allows service providers to enable and manage private connectivity for the consumers of the hosted service.
  • Private Path network load balancer (Private Path NLB): Load balances traffic in a Private Path service, receiving requests only across the IBM Cloud network. The Private Path service requires a Private Path NLB to establish a secure connection with each consumer's VPE gateway.
  • Application Load Balancer (ALB): Member of the Private Path NLB back-end pool. Used to integrate the Private Path NLB with the on-premises customer applications.
  • IBM Cloud DNS Services: Associates human-friendly names with IP addresses (automatically provisioned during the creation of a Private Path service).

Security
  • Access Control: Access control is enforced through the Private Path service by using the account access policy.

Resiliency
  • Multi-zone Support: Support for zone failure.

Service management
  • IBM Cloud Monitoring: Operational monitoring.
  • IBM Cloud Logs: Operational logs.