VPN connections

IBM® Power® Virtual Server offers a robust Virtual Private Network (VPN) solution that is tailored with security and seamless connectivity for businesses with diverse networking requirements. The VPN for Power Virtual Server establishes a private and encrypted communication channel between on-premises environments and the virtual server instances that are deployed on IBM Cloud.

There is a new method for creating a VPN connection: Creating a Virtual Private Cloud VPN connection (recommended).

The following deprecated method is also currently supported: Creating a Power Virtual Server VPN connection (deprecated).

Creating a Virtual Private Cloud VPN connection

The Virtual Private Cloud (VPC) Virtual Private Network (VPN) service lets you use a dedicated VPN for a one-cloud experience, improved reliability, and high availability.

If you are using the Power Virtual Server VPN, you are encouraged to upgrade to IBM Cloud VPC VPN before March 2024; end of service is on 14 July 2025. After 18 January 2025, IBM won't provide standard support for the legacy Power Virtual Server VPNaaS. If you need any assistance with upgrading or migration, open a support ticket or engage with your Customer Support Manager (CSM).

When you complete the VPC VPN set-up, you can:

  • Ensure private, low-cost connectivity to IBM Cloud services.
  • Access your virtual server instances through the private IP address by using Secure Shell (SSH) and other on-premises applications running on your host.

IBM Cloud offers the following two VPN options:

  • VPN for VPC for site-to-site gateways, to safely and securely connect from on-premises to resources in VPC, Power, and Classic infrastructure.
  • Client VPN for VPC for client-to-site servers, allowing remote devices to connect securely to the VPC network.

To learn more about the VPN options, see the VPC documentation on VPNs for VPC overview.

This topic provides guidance on how to create or use the VPC VPN. The steps for creating a VPC VPN are as follows:

  1. Create a VPC resource.
  2. Create a Site-to-Site VPN gateway in VPC.
  3. Attach the VPN connection to the Power Virtual Server workspace by using one of the following methods:
    • In a PER workspace, through Transit Gateway (TGW).
    • In a non-PER workspace, through a Cloud connection.

It is recommended that you create a direct cloud connection between the VPC and the Power Virtual Server. Adding in the Transit Gateway is viable, but it incurs extra charges. The cloud connection set-up is not required in a PER-enabled workspace.

Architecture diagram

Configuring VPC VPN in a PER workspace

VPC VPN in PER architecture diagram
Figure 1. Configuring VPC VPN in a PER workspace

  1. Define the on-premises subnet in the address prefix for the VPC.
  2. Define a routing table with Transit Gateway and VPN gateway.

Configuring VPC VPN in a non-PER workspace

VPC VPN in non-PER architecture diagram
Figure 1. Configuring VPC VPN in a non-PER workspace

  1. Define the on-premises subnet in the address prefix for the VPC.
  2. Define a routing table with Direct Link and VPN gateway.
  3. Attach Direct Link to workspace subnet.
  4. You can choose to attach a Transit Gateway along with the Direct Link, but it incurs extra charges.

Procedure

  1. Create a VPC resource. Complete the steps that are documented in Using the IBM Cloud console to create VPC resources.

  2. Create a Site-to-Site VPN gateway in VPC. Complete the steps documented in About site-to-site VPN gateways.

    While creating a VPN connection, use a policy-based VPN.

  3. Attach the VPN connection to the Power Virtual Server workspace. Use one of the following procedures that suits your needs:

Considerations

  1. The VPN connections that are used in all the configurations are policy-based VPNs.
  2. Subnets that are created in Power Virtual Server need to be added to the Local CIDR list of IBM Cloud VPC and the Peer CIDR list of On-premises VPC.
  3. In the routing table of IBM Cloud VPC, you must enable VPN Gateway and traffic source for Direct Link and Transit Gateway (in the Edit Traffic window).
  4. Choose the Direct Link with Transit Gateway enabled or disabled configuration for different Power Virtual Server workspaces that are in the same region.
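
The CIDR requirements in the considerations and architecture steps above can be checked offline before the policy-based connection is configured. The following Python check is an added example, not IBM's code: the dictionary keys, function names and sample addresses are constructed for illustration, and the VPC Peer CIDR and overlap checks are general sanity checks that go beyond what this page lists.

```python
import ipaddress

def parse(cidrs):
    # strict=True rejects entries with host bits set, such as 10.20.0.5/16
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def covered(net, pool):
    # True when net is equal to, or contained in, an entry of the same IP version
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def check_vpn_cidrs(cfg):
    """Return a list of findings; an empty list means the lists are consistent."""
    pvs = parse(cfg["powervs_subnets"])
    onprem = parse(cfg["onprem_subnets"])
    vpc_local = parse(cfg["vpc_local_cidrs"])
    vpc_peer = parse(cfg["vpc_peer_cidrs"])
    onprem_peer = parse(cfg["onprem_peer_cidrs"])
    prefixes = parse(cfg["vpc_address_prefixes"])
    findings = []
    for n in pvs:  # consideration 2 on this page
        if not covered(n, vpc_local):
            findings.append(f"{n}: missing from VPC Local CIDR list")
        if not covered(n, onprem_peer):
            findings.append(f"{n}: missing from on-premises Peer CIDR list")
    for n in onprem:
        if not covered(n, prefixes):  # step 1 of both architecture variants
            findings.append(f"{n}: not defined as a VPC address prefix")
        if not covered(n, vpc_peer):  # added check, not listed on the page
            findings.append(f"{n}: missing from VPC Peer CIDR list")
    for a in vpc_local:  # added check: selectors must not collide
        for b in vpc_peer:
            if a.version == b.version and a.overlaps(b):
                findings.append(f"{a} overlaps {b}: local and peer ranges collide")
    return findings

# Constructed sample: the second Power Virtual Server subnet was never added
# to the Local CIDR list on the IBM Cloud VPC side.
SAMPLE = {
    "powervs_subnets": ["192.168.50.0/24", "192.168.60.0/24"],
    "onprem_subnets": ["10.20.0.0/16"],
    "vpc_local_cidrs": ["10.240.0.0/24", "192.168.50.0/24"],
    "vpc_peer_cidrs": ["10.20.0.0/16"],
    "onprem_peer_cidrs": ["10.240.0.0/24", "192.168.50.0/24", "192.168.60.0/24"],
    "vpc_address_prefixes": ["10.240.0.0/18", "10.20.0.0/16"],
}

if __name__ == "__main__":
    for finding in check_vpn_cidrs(SAMPLE):
        print(finding)
```

A subnet that is missing from either list is not matched by the policy-based tunnel, so the check is worth rerunning whenever a Power Virtual Server subnet is added.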

Additional information