VPN connections


IBM Power Virtual Server in IBM data center

IBM Power Virtual Server Private Cloud in Client location


IBM® Power® Virtual Server offers a robust Virtual Private Network (VPN) solution that is designed to provide security and seamless connectivity for businesses with diverse networking requirements. The VPN for Power Virtual Server establishes a private and encrypted communication channel between the client-managed environment and the virtual server instances that are deployed on IBM Cloud.

For more information about creating a VPN connection, see Creating a Virtual Private Cloud VPN connection (recommended).

The following deprecated method is also currently supported: Creating a Power Virtual Server VPN connection (deprecated).

Creating a Virtual Private Cloud VPN connection

By using the Virtual Private Cloud (VPC) provided Virtual Private Network (VPN) service, you can use a dedicated VPN for a one-cloud experience and achieve improved reliability and high availability.

If you are using the Power Virtual Server VPN as a Service (VPNaaS), you are encouraged to upgrade to the IBM Cloud VPC VPN before March 2024. The end of service for Power Virtual Server VPNaaS is on 14 July 2025. IBM will not provide the standard support for the Power Virtual Server VPNaaS after 18 January 2025. For assistance to upgrade or migrate to IBM Cloud VPC VPN, open a support ticket or engage with your Customer Support Manager (CSM).

When you complete the VPC VPN setup, you get the following benefits:

  • Private and low-cost connectivity to IBM Cloud services.
  • Access to your virtual server instances through the private IP address. You can use Secure Shell (SSH) and other client-managed applications that are running on your host for the access.

IBM Cloud offers the following two VPN options:

  • VPN for VPC for site-to-site gateways to safely and securely connect from a client-managed environment to resources in VPC, Power, and classic infrastructure.
  • Client VPN for VPC for client-to-site servers that allow remote devices to securely connect to the VPC network.

To learn more about the VPN options, see the VPC documentation on VPNs for VPC overview.

Complete the following steps for creating a VPC VPN connection:

  1. Create a VPC resource.
  2. Create a Site-to-Site VPN gateway in VPC.
  3. Attach the VPN connection to the Power Virtual Server workspace by using one of the following methods:
    • Use a Transit Gateway in a PER workspace.
    • Use a Cloud connection in a non-PER workspace.

It is recommended that you create a direct cloud connection between the VPC and the Power Virtual Server. Adding a Transit Gateway is feasible, but it incurs extra charges. The cloud connection setup is not required in a PER-enabled workspace.

Architecture diagram

Configuring VPC VPN in a PER workspace

[Figure: VPC VPN in PER architecture diagram]

  1. Define the client-managed subnet in the address prefix for the VPC.
  2. Define a routing table with Transit Gateway and VPN gateway.

Configuring VPC VPN in a non-PER workspace

[Figure: VPC VPN in non-PER architecture diagram]

  1. Define the client-managed subnet in the address prefix for the VPC.
  2. Define a routing table with Direct Link and VPN gateway.
  3. Attach Direct Link to workspace subnet.
  4. You can choose to attach a Transit Gateway along with the Direct Link, but it incurs extra charges.

Procedure

  1. Create a VPC resource. Complete the steps that are documented in Using the IBM Cloud console to create VPC resources.

  2. Create a Site-to-Site VPN gateway in VPC. Complete the steps documented in About site-to-site VPN gateways.

    To create a VPN connection, use a policy-based VPN.

  3. Attach the VPN connection to the Power Virtual Server workspace. Use one of the following procedures that suits your needs:

Considerations for configuring VPC VPN in a non-PER workspace

Consider the following points for configuring VPC VPN in a non-PER workspace:

  • Use a policy-based VPN in all the configurations of the VPN connection.
  • Add the subnets that are created in the Power Virtual Server to the Local CIDR list of IBM Cloud VPC and Peer CIDR list of VPC in your client-managed environment.
  • Enable VPN Gateway and traffic source for Direct Link and Transit Gateway (in the Edit Traffic window) in the routing table of IBM Cloud VPC.
  • Choose the Direct Link that is enabled with the Transit Gateway or disable the configuration for different Power Virtual Server workspaces that are in the same region.

Changing from VPNaaS to VPC VPN service

To use VPC VPN service, you must switch from VPNaaS to VPC VPN service. The following example illustrates the steps to set up the VPC VPN connection and to validate the connectivity:

  1. Create a VPC connection in the same data center as the Power Virtual Server by using the same account. Complete the following configurations:

    1. Configure the default routing table by selecting the VPN server and VPN gateway values for the Accepts routes from option. This configuration allows the traffic between the virtual servers that are members of the VPC subnet and the devices on the remote side of the VPN connection.
    2. Create a second routing table to select VPN Server, VPN Gateway, and Transit Gateway. Under Transit Gateway, select the Advertise to option. For more information, see Getting started with Virtual Private Cloud (VPC).
  2. Establish a VPN connection between the VPC and the remote side of the existing VPNaaS. Use the following considerations:

    1. Use a policy-based VPN in all the configurations of the VPN connection.
    2. Subnets for the remote VPN, VPC, and workspace must be distinct. Subnets cannot be shared or overlapped.
    3. Add the workspace CIDRs to the list of local CIDRs in the VPN connection.
    4. Add the workspace CIDRs to the peer CIDRs list in the VPNaaS remote side.
    5. For more information about VPN options, see About site-to-site VPN gateways.
  3. Create a Transit Gateway by completing the following steps:

    1. Add VPC to Transit Gateway.
    2. Under the Routes tab, generate a routing table. You can see the list of VPC, CIDR, and the CIDR for the remote side of the VPN.

    For more information about Transit Gateways, see Getting started with IBM Cloud Transit Gateway.

    The transition to VPC VPN can begin when the following conditions are true:

    • The connectivity between a virtual server on the VPC and a system on the remote side of the VPN is working.

    • The CIDRs are advertised through to the Transit Gateway.

      The workspace and the remote side of the VPN are not connected until the entire transition to VPC VPN is completed.

  4. Delete the VPNaaS gateway. You must select the VPNaaS connections that are attached to the workspace.

  5. Migrate the workspace to PER. You must remove the active Cloud Connections attached to the workspace on other subnets. For more information, see Migrating to PER.

  6. Connect to the Transit Gateway after the workspace is PER-enabled.

  7. Generate the routing table. The CIDRs for the workspace are listed along with the existing CIDRs.
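
The CIDR rules in step 2 (distinct subnets, workspace CIDRs in the local CIDR list and in the remote side's peer CIDR list), which also appear in the non-PER considerations, can be checked before any gateway is changed. The following Python check is an added example, not IBM code: the plan keys (`remote`, `vpc`, `workspace`, `vpc_local_cidrs`, `remote_peer_cidrs`) and all addresses are constructed for illustration, and it assumes that "add to the list" means an exact-match entry.

```python
from ipaddress import ip_network
from itertools import combinations

ROLES = ("remote", "vpc", "workspace")


def check_vpn_cidr_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    # ip_network() is strict: a CIDR with host bits set raises ValueError.
    nets = {key: [ip_network(c) for c in cidrs] for key, cidrs in plan.items()}
    findings = []
    # Rule 1: remote VPN, VPC and workspace subnets must not be shared or overlap.
    owned = [(role, net) for role in ROLES for net in nets[role]]
    for (role_a, a), (role_b, b) in combinations(owned, 2):
        if role_a != role_b and a.overlaps(b):
            findings.append(f"overlap: {role_a} {a} / {role_b} {b}")
    # Rules 2 and 3: every workspace CIDR must be listed as a local CIDR on the
    # VPC VPN connection and as a peer CIDR on the remote side (exact entry,
    # an assumption of this example).
    for ws in nets["workspace"]:
        for field in ("vpc_local_cidrs", "remote_peer_cidrs"):
            if ws not in nets[field]:
                findings.append(f"missing: workspace {ws} not in {field}")
    return findings


# Constructed sample plans (hypothetical key names and addresses).
GOOD_PLAN = {
    "remote": ["192.168.10.0/24"],
    "vpc": ["10.240.0.0/24"],
    "workspace": ["172.16.50.0/24"],
    "vpc_local_cidrs": ["10.240.0.0/24", "172.16.50.0/24"],
    "remote_peer_cidrs": ["10.240.0.0/24", "172.16.50.0/24"],
}
BAD_PLAN = {
    "remote": ["192.168.10.0/24"],
    "vpc": ["10.240.0.0/24"],
    "workspace": ["172.16.50.0/24", "10.240.0.128/26"],  # second sits inside the VPC range
    "vpc_local_cidrs": ["10.240.0.0/24", "172.16.50.0/24"],
    "remote_peer_cidrs": ["10.240.0.0/24"],  # workspace CIDRs never added
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_vpn_cidr_plan(plan) or "OK")
```

Running the check against the planned values before step 4 matters because the workspace and the remote side stay disconnected until the whole transition is complete, so a CIDR mistake found afterwards extends that outage.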

Additional information