VPN connections
IBM Power Virtual Server located in IBM data centers: Off-premises
IBM Power Virtual Server Private Cloud: On-premises
IBM® Power® Virtual Server offers a robust Virtual Private Network (VPN) solution that provides security and seamless connectivity for businesses with diverse networking requirements. The VPN for Power Virtual Server establishes a private and encrypted communication channel between the client-managed environment and the virtual server instances that are deployed on IBM Cloud.
For more information about creating a VPN connection, see Creating a Virtual Private Cloud VPN connection (recommended).
The following deprecated method is also currently supported: Creating a Power Virtual Server VPN connection (deprecated).
Creating a Virtual Private Cloud VPN connection
By using the Virtual Private Cloud (VPC) provided Virtual Private Network (VPN) service, you can use a dedicated VPN for a one-cloud experience and achieve improved reliability and high availability.
If you are using the Power Virtual Server VPN as a Service (VPNaaS), you are encouraged to upgrade to the IBM Cloud VPC VPN before March 2024. The end of service for Power Virtual Server VPNaaS is on 14 July 2025. IBM will not provide standard support for the Power Virtual Server VPNaaS after 18 January 2025. For assistance with upgrading or migrating to IBM Cloud VPC VPN, open a support ticket or engage with your Customer Support Manager (CSM).
When you complete the VPC VPN setup, you get the following benefits:
- Private and low-cost connectivity to IBM Cloud services.
- Access to your virtual server instances through the private IP address. You can use Secure Shell (SSH) and other client-managed applications that are running on your host for the access.
IBM Cloud offers the following two VPN options:
- VPN for VPC for site-to-site gateways to safely and securely connect from a client-managed environment to resources in VPC, Power, and classic infrastructure.
- Client VPN for VPC for client-to-site servers that allow remote devices to securely connect to the VPC network.
To learn more about these VPN options, see the VPC documentation on VPNs for VPC overview.
Complete the following steps for creating a VPC VPN connection:
- Create a VPC resource.
- Create a Site-to-Site VPN gateway in VPC.
- Attach the VPN connection to the Power Virtual Server workspace by using one of the following methods:
  - Use a Transit Gateway in a PER workspace.
  - Use a Cloud connection in a non-PER workspace.
It is recommended that you create a direct cloud connection between the VPC and the Power Virtual Server. Adding a Transit Gateway is feasible, but it incurs extra charges. The cloud connection setup is not required in a PER-enabled workspace.
Architecture diagram
Configuring VPC VPN in a PER workspace
- Define the client-managed subnet in the address prefix for the VPC.
- Define a routing table with Transit Gateway and VPN gateway.
Configuring VPC VPN in a non-PER workspace
- Define the client-managed subnet in the address prefix for the VPC.
- Define a routing table with Direct Link and VPN gateway.
- Attach Direct Link to workspace subnet.
- You can choose to attach a Transit Gateway along with the Direct Link, but it incurs extra charges.
Procedure
- Create a VPC resource. Complete the steps that are documented in Using the IBM Cloud console to create VPC resources.
- Create a Site-to-Site VPN gateway in VPC. Complete the steps that are documented in About site-to-site VPN gateways.
  To create a VPN connection, use a policy-based VPN.
- Attach the VPN connection to the Power Virtual Server workspace. Use one of the following procedures that suits your needs:
  - For a PER-enabled workspace, see: Attaching Transit Gateway to a PER workspace.
  - For a non-PER enabled workspace, see: Creating IBM Cloud connections.
Considerations for configuring VPC VPN in a non-PER workspace
Consider the following points for configuring VPC VPN in a non-PER workspace:
- Use a policy-based VPN in all the configurations of the VPN connection.
- Add the subnets that are created in the Power Virtual Server to the Local CIDR list of IBM Cloud VPC and Peer CIDR list of VPC in your client-managed environment.
- Enable VPN Gateway and traffic source for Direct Link and Transit Gateway (in the Edit Traffic window) in the routing table of IBM Cloud VPC.
- Choose the Direct Link that is enabled with the Transit Gateway or disable the configuration for different Power Virtual Server workspaces that are in the same region.
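The CIDR consideration above can be checked before traffic is sent over the tunnel. The following is an added example, not IBM code: it verifies that every Power Virtual Server subnet is covered by the local CIDR list on the IBM Cloud VPC side and by the peer CIDR list on the client-managed side. All subnet values and function names are constructed for illustration.

```python
import ipaddress

def uncovered(required, cidr_list):
    """Return the required subnets that cidr_list does not fully cover.

    Adjacent entries are merged first, so a /24 listed as two /25s counts
    as covered. ip_network() is strict: a CIDR with host bits set
    (for example 192.168.10.5/24) raises ValueError instead of being
    silently rounded down.
    """
    nets = [ipaddress.ip_network(c) for c in cidr_list]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        merged += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    missing = []
    for cidr in required:
        net = ipaddress.ip_network(cidr)
        if not any(m.version == net.version and net.subnet_of(m)
                   for m in merged):
            missing.append(cidr)
    return missing

def audit_policy_vpn(powervs_subnets, ibm_local_cidrs, client_peer_cidrs):
    """Check both ends of the policy-based VPN against the workspace subnets."""
    return {
        "missing_from_ibm_local": uncovered(powervs_subnets, ibm_local_cidrs),
        "missing_from_client_peer": uncovered(powervs_subnets, client_peer_cidrs),
    }

# Constructed sample values (assumptions, not taken from any real workspace).
POWERVS_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]
IBM_LOCAL_CIDRS = [
    "10.240.0.0/24",      # VPC subnet
    "192.168.10.0/25",    # first half of a workspace subnet
    "192.168.10.128/25",  # second half: together they cover the /24
    "192.168.20.0/25",    # only half of the second workspace subnet
]
CLIENT_PEER_CIDRS = ["10.240.0.0/24", "192.168.0.0/16"]

if __name__ == "__main__":
    for side, gaps in audit_policy_vpn(
            POWERVS_SUBNETS, IBM_LOCAL_CIDRS, CLIENT_PEER_CIDRS).items():
        print(side, "->", gaps if gaps else "ok")
```

A subnet reported as missing on either side is not matched by the policy-based VPN on that side, so instances in it are not reachable through the tunnel until the list is corrected.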