IBM Cloud Docs
Network architecture diagrams for non-PER

This topic describes typical network architectures that are used with Power® Virtual Server. It is not an exhaustive list of Power Virtual Server connection methods.

IBM Cloud Direct Link (2.0) Connect is available in all current locations. IBM clients can always contact Megaport connectivity services directly to procure their services.

Power Virtual Server networking environment

When you create a Power Virtual Server, you can configure a private network subnet. For more information, see Configuring a private network subnet.

Power Virtual Server network architectures consist of one or more of the following networks:

  • IBM Cloud infrastructure networks - While the following infrastructure network environments offer different features and are managed separately, they can be connected to each other to provide layer-3 IPv4 traffic flow:
    • Classic - Classic network resources include VLANs, subnets, and SSL Virtual Private Network (VPN) access. See Network security architecture for a description of the classic network components. Bring Your Own IP (BYOIP) is not supported.
    • Virtual Private Cloud (VPC) - VPC network resources include subnets, floating IP addresses, security groups, and VPN gateways. For more information, see About networking. For more information about a course on VPC networking, see Advanced networking for IBM Cloud VPC. BYOIP is supported.
    • Power Systems - Network resources include subnets. BYOIP is supported.
  • Overlay networks - These networks exist in the IBM Cloud VMware Shared and VMware Dedicated offerings. While technically hosted in the IBM Cloud classic infrastructure environment, these networks are implemented in VMware NSX and are under your direct control, including the IP addressing schema. BYOIP is supported. Because IBM Cloud does not manage that addressing, overlay networks cannot be routed by the IBM Cloud infrastructure networks; access is through tunnels.
  • External:
    • Internet - Access the internet through resources that are hosted in any of these three infrastructure environments.

    • Remote - Connect remote networks to your IBM Cloud networks. You can use the following services to connect to a remote network:

      • Internet VPN - Uses the public internet to connect remote networks and their IBM Cloud networks through a VPN. The VPN is terminated on gateway devices or a service within IBM Cloud.
      • Direct Link - Direct Link is a suite of offerings that enable the creation of direct, private connections between your remote network in the client-managed environment and IBM Cloud, without traversing the public internet. For more information, see Getting started with IBM Cloud Direct Link (2.0).

      You can connect Direct Links to either a local or remote IBM Cloud Transit Gateway, which allows the network in the client-managed environment to access all networks that are connected to the IBM Cloud Transit Gateway.

Non Power Edge Router use cases

These use cases describe the following deployment topologies:

  • Connecting Power Virtual Server to IBM Cloud classic infrastructure by using IBM Cloud Direct Link (2.0). Typical use cases for this topology are as follows:
    • Use IBM Cloud classic x86 resources to create tiered applications across different hardware platforms, that is, x86 application servers and Power database servers.
    • Build a backup and restore environment based on IBM Spectrum Protect Cloud Blueprints for both IBM Spectrum Protect and IBM Spectrum Protect Plus topologies. Also, see AIX Backups with Power Virtual Server.
  • Connecting Power Virtual Server to the IBM Cloud VPC infrastructure environment by using Direct Link (2.0) Connect. A typical use case for this topology is to use IBM Cloud VPC x86 resources to create tiered applications across different hardware platforms, that is, x86 application servers and Power database servers.
  • Connecting Power Virtual Server to the network in the client-managed environment by using Megaport or Direct Link (2.0) Connect. A typical use case for this topology is that you require access to your Power Virtual Server instances from your external networks, such as networks in your client-managed environment.
  • Connecting two Power Virtual Server environments by using Megaport or Direct Link (2.0) Connect. This topology connects two or more Power Virtual Server environments together. Connecting environments together enables use cases such as disaster recovery.
  • Connecting Power Virtual Server to a network in the client-managed environment through the IBM classic infrastructure by using private SSL connection and a jump server. This is a specific use case for connecting to the classic environment so that the SSL VPN connection can be used to access your Power Virtual Servers for operations and administration tasks.
  • Connecting Power Virtual Server to a network in the client-managed environment through the IBM Cloud classic infrastructure by using an internet IPsec VPN connection. This use case describes how to connect to the classic environment so that an IPsec VPN connection can be used to access your classic and Power Virtual Servers. Typically, this network architecture is used for small production environments or proof-of-concept, development, and test purposes.
  • Connecting Power Virtual Server to a network in the client-managed environment through an IBM Cloud classic infrastructure by using a private Direct Link. A Direct Link enables your remote networks to connect to IBM Cloud over a private connection that does not use public networks.

Multiple topologies, described in this document, can be layered to create a topology that suits your deployment needs.

Connecting to classic infrastructure by using Direct Link (2.0)

In this deployment topology, a Direct Link is used to connect your Power Virtual Server networks to IBM Cloud resources hosted in a classic infrastructure environment. You can either order Direct Link (2.0) Connect connections, or use IBM Cloud connections.

Connect to classic infrastructure with Direct Link Connect.

Complete the following steps to implement this scenario:

  1. Define the IP address schema of your Power Virtual Server subnets in your Power Virtual Server environment. Your Power Virtual Server instances are hosted on these subnets. Ensure that you do not overlap the subnets with your IBM Cloud classic private subnets, or the IP addressing schema that is used for the services network. For instructions, see Configuring and adding a private network subnet.

  2. Order Direct Link (2.0) Connect, or provision an IBM Cloud connection instance from the Power Virtual Server interface to connect the Power Virtual Server router to the IBM Cloud classic infrastructure. This connection is established and operated by the IBM Cloud team and you have no direct access or control.

    Consider the following information before you proceed:

    • Ensure that you select the virtual routing and forwarding (VRF) option when you provision a Direct Link. The VRF option allows multiple instances of a routing table to exist in a router and to work simultaneously. With VRF, each IBM Cloud account classic environment network is segmented within its own routing table. For more information, see Virtual routing and forwarding on IBM Cloud.
    • When this connection is established, the Border Gateway Protocol (BGP) is configured automatically by the IBM Cloud team in the following way:
      • The Power Virtual Server router advertises your Power Virtual Server subnets to the classic infrastructure environment.

      • The classic infrastructure advertises only your IBM Cloud classic private subnets to the Power Virtual Server router.

      • The classic infrastructure filters the following IP addresses from the BGP advertisements that are coming from the Power Virtual Server router because these IP addresses are used by the services networks: 10.0.0.0/14, 10.198.0.0/15, 10.200.0.0/14, 169.254.0.0/16, 224.0.0.0/4 and any IP ranges that are assigned to your IBM Cloud classic private subnets.

        You can use the 10.x.x.x range if there is no conflict with an IBM Cloud back-end 10.x.x.x service. You must contact IBM Support if you want to resolve an IP address conflict by using a Network Address Translation (NAT) device or IP aliasing. However, IBM does not recommend using the 10.x.x.x range when you create a network.

  3. Identify the IBM Cloud classic private subnets and the IP address schema that is assigned to you when you ordered bare metal or virtual server instances that are hosted on your IBM Cloud classic private subnets. Connect to the required resources and services.

    All routers in all classic infrastructure data centers and points of presence (POPs) across the global IBM Cloud backbone are connected to the Power Virtual Server router by using the Direct Link Connect VRF-enabled connection.

    A single IBM Cloud Direct Link connection is not redundant. However, diversity can be engineered by using multiple Direct Links and BGP. For more information, see Models for diversity and redundancy in Direct Link (2.0).

Connecting to VPC by using Direct Link Connect

In this deployment topology, a Direct Link (2.0) is used to connect your Power Virtual Server networks to resources that are hosted in the IBM Cloud VPC infrastructure.

Connect to VPC with Direct Link Connect.

Complete the following steps to implement this scenario:

  1. Define the IP address schema of your Power Virtual Server subnets in your Power Virtual Server environment. Your Power Virtual Server instances are hosted on these subnets. Ensure that you do not overlap these subnets with your IBM Cloud VPC subnets or with the IP address ranges that are used for the endpoint networks. For instructions, see Configuring and adding a private network subnet.

  2. Order Direct Link (2.0) Connect, or provision an IBM Cloud connection instance from the Power Virtual Server interface to connect the Power Virtual Server router to the IBM Cloud VPC infrastructure. This connection is established and operated by the IBM Cloud team and you have no direct access or control.

    When this connection is established, BGP is configured by the IBM Cloud team in the following way:

    • The Power Virtual Server router advertises your Power Virtual Server subnets to the router in the VPC infrastructure.
    • The router in the VPC infrastructure advertises only your IBM Cloud VPC subnets to the Power Virtual Server router.
    • The router in the VPC infrastructure filters the following networks from the BGP advertisements that come from the Power Virtual Server router because these IP addresses are used by the endpoint networks: 169.254.0.0/16, 224.0.0.0/4, 166.9.0.0/16, and any IP ranges that are assigned to your IBM Cloud VPC subnets.

  3. Identify the IBM Cloud VPC subnets and the IP address schema that is assigned to you when you ordered VPC services. The cross-connect routers (XCRs) connect to the endpoint networks by using the VPC implicit router, which provides routing functions to each VPC and allows each VPC to have its own copy of the IPv4 address space. The Multi-Protocol Label Switching (MPLS) VPN works with Direct Link and classic infrastructure environments. For more information, see Network isolation, data packet flow, and the role of an implicit router in a VPC. Some endpoint networks (service endpoints and infrastructure services) cannot be reached from your Power Virtual Server subnets. The types of endpoint networks are as follows:

    • Service endpoints - Allows connection to IBM Cloud services available through Domain Name System (DNS) names in the cloud.ibm.com domain and resolves to 166.9.x.x addresses.
    • Infrastructure services - Allows connection to IBM Cloud services from the adn.networklayer.com domain and resolves to 161.26.0.0/16 addresses. Services that you can reach include:
      • DNS resolvers - 161.26.0.10 and 161.26.0.11 (Windows VS is set up with 161.26.0.7; Linux with 161.26.0.7 and 161.26.0.8)
      • Ubuntu and Debian mirrors - mirrors.adn.networklayer.com or 161.26.0.6
      • Network Time Protocol (NTP) - time.adn.networklayer.com or 161.26.0.6. This is the same IP address as the Ubuntu and Debian mirrors.
      • IBM Cloud Object Storage
  4. Create Virtual Private Endpoints (VPEs) for services of interest such as DNS, NTP, and IBM Cloud Object Storage. For more information, see VPE supported services.

  5. If you want to access the endpoint network, use a VPC virtual server instance to proxy any required endpoint services that do not support VPEs.

Each IBM Cloud Direct Link connection is not redundant by itself; however, diversity can be engineered by using multiple Direct Links and BGP. For more information, see Models for diversity and redundancy in Direct Link (2.0).
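The subnet-planning and BGP-filter rules in the two Direct Link sections above (classic: 10.0.0.0/14, 10.198.0.0/15, 10.200.0.0/14, 169.254.0.0/16, 224.0.0.0/4; VPC: 169.254.0.0/16, 224.0.0.0/4, 166.9.0.0/16; plus your own existing subnets in either case) are easy to get wrong, and a Power Virtual Server subnet that lands inside a filtered range is created without any error and is simply never advertised. The following script, an added example that is not part of the IBM documentation, checks a proposed address plan against those rules for either target environment using only the Python standard library. The sample subnets are constructed, and the `classic`/`vpc` profile names are this example's own.

```python
"""Pre-flight check of a Power Virtual Server address plan before ordering
Direct Link (2.0) Connect to classic or to VPC.

Added example for this page, not IBM code. The filter lists are the ones the
page gives for each environment; the sample subnets below are constructed.
"""
from ipaddress import IPv4Network, ip_network

# Prefixes the IBM Cloud side removes from BGP advertisements that come from
# the Power Virtual Server router. A workspace subnet inside one of them is
# created without error but never becomes reachable from that environment.
FILTERED_BY_TARGET = {
    "classic": ["10.0.0.0/14", "10.198.0.0/15", "10.200.0.0/14",
                "169.254.0.0/16", "224.0.0.0/4"],
    "vpc": ["169.254.0.0/16", "224.0.0.0/4", "166.9.0.0/16"],
}

# The page says IBM does not recommend 10.x.x.x for new workspace networks.
NOT_RECOMMENDED = IPv4Network("10.0.0.0/8")


def _nets(cidrs):
    # strict=True rejects CIDRs with host bits set (10.1.0.5/24) rather than
    # silently rounding them to the network address.
    return [ip_network(c, strict=True) for c in cidrs]


def check_plan(target, powervs_subnets, cloud_subnets):
    """Return {subnet: [problem, ...]} for every Power Virtual Server subnet.

    target           "classic" or "vpc", the environment the Direct Link
                     terminates in; selects the BGP filter list.
    powervs_subnets  CIDRs you intend to create in the workspace.
    cloud_subnets    CIDRs already assigned to you in that environment
                     (the IBM side filters these from your advertisements too).
    An empty list means the subnet will be advertised and is collision-free.
    """
    if target not in FILTERED_BY_TARGET:
        raise ValueError(f"unknown target {target!r}")
    filters = _nets(FILTERED_BY_TARGET[target])
    cloud = _nets(cloud_subnets)
    pvs = _nets(powervs_subnets)
    report = {}
    for net in pvs:
        problems = []
        for f in filters:
            if net.overlaps(f):
                problems.append(f"filtered: overlaps {f} ({target}-side BGP filter)")
        for c in cloud:
            if net.overlaps(c):
                problems.append(f"overlap: collides with existing {target} subnet {c}")
        for other in pvs:
            if other is not net and net.overlaps(other):
                problems.append(f"overlap: collides with workspace subnet {other}")
        if net.subnet_of(NOT_RECOMMENDED):
            problems.append("warning: inside 10.0.0.0/8, which IBM does not recommend")
        report[str(net)] = problems
    return report


def plan_is_clean(report):
    """True when no subnet is filtered or overlapping (warnings are allowed)."""
    return not any(p.startswith(("filtered", "overlap"))
                   for problems in report.values() for p in problems)


# Constructed sample plan: one clean subnet, two that fall inside the
# classic-side filter, and one that collides with an existing classic subnet.
SAMPLE_POWERVS = ["192.168.50.0/24", "10.1.0.0/24", "10.201.5.0/24", "172.16.8.0/22"]
SAMPLE_CLASSIC = ["10.1.0.0/26", "172.16.8.64/26"]
SAMPLE_VPC = ["10.240.0.0/24"]

if __name__ == "__main__":
    for target, cloud in (("classic", SAMPLE_CLASSIC), ("vpc", SAMPLE_VPC)):
        print(f"== Direct Link to {target} ==")
        for subnet, problems in check_plan(target, SAMPLE_POWERVS, cloud).items():
            print(f"  {subnet}: {'OK' if not problems else ''}")
            for p in problems:
                print(f"    - {p}")
```

Run it before you open the Support case or provision the IBM Cloud connection. An empty list for a subnet means it is safe to create; `warning` entries are advisory; `filtered` and `overlap` entries mean the subnet will either never be reachable from the target environment or will collide with an existing route once BGP comes up. Note that the same 10.1.0.0/24 is rejected for a classic Direct Link but only warned about for VPC, which is exactly the difference between the two filter lists on this page.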

Connecting to a client-managed environment by using Megaport

In this deployment topology, Megaport or Direct Link Connect is used to provide connectivity from your (remote) network in the client-managed environment to your Power Virtual Server subnets.

Connect to client-managed environment with Megaport.

IBM Cloud Connect is a managed network service that uses Megaport services. This service is available only in the United States. You can also use Megaport to connect your network in the client-managed environment to Power Virtual Server directly.

Review the following characteristics about Megaport connectivity services:

  • Megaport operates a global network infrastructure that enables on-demand connectivity to hundreds of global services in Asia Pacific, North America, Europe, and the Middle East.

  • A port is the physical point of connection between your organization’s network and the Megaport network. While a single data center connection is possible, the best practice is to select two different port locations to provide redundancy.

  • Megaport has a number of cloud service providers including IBM Cloud.

  • Virtual Cross Connects (VXCs) provide connections between any of the locations and services on the Megaport network. Ordering a VXC (by using the Megaport portal or API) allows you to connect into the Power virtual server environment and optionally, the classic/VPC infrastructure environments or other clouds.

Megaport connectivity services are available in DAL12, DAL13, FRA05, LON06, MON01, SYD05, OSA21, WDC04, and WDC06 data centers.

Complete the following steps to implement this scenario:

  1. Define the IP address schema of your Power Virtual Server subnets in your Power Virtual Server environment. Your Power Virtual Server instances are hosted on these subnets. Ensure that you do not overlap these subnets with your IBM Cloud classic private subnets or the IP addressing schema that is used for the services network. For instructions, see Configuring and adding a private network subnet.

  2. Procure the Megaport VXC connections to connect your (remote) network in the client-managed environment to the Megaport network.

    • Open an IBM Support case against Power Virtual Server to receive a service ID or a virtual cross-connect (VXC) identifier from IBM.
    • Engage with Megaport to procure the connection (VXC) to the Power Virtual Server port at Megaport. Although a single data center connection between the network in the client-managed environment and the Megaport network is possible, the best practice is to select two different port locations to provide redundancy.
  3. Open an IBM Support case against the Power Virtual Server team to configure the Megaport network to the Power Virtual Server router by using VXCs. Include the following pieces of information in your case:

    Customer name and contact:
    Customer account ID:
    Service ID (VXC identifier):

    Customer network subnet:
    Customer router IP address:
    Power Virtual Server customer network IP address:
    Power Virtual Server network ASN: 64999 for WDC04 and 64997 for DAL13
    Customer network ASN:

    Customer subnets to be advertised:
    Power Virtual Server customer private network ID (1):
    Power Virtual Server customer private network ID (2):
    Power Virtual Server customer private network ID (3):


The Power Virtual Server router is the default gateway for your Power virtual server instances. This router is operated by the Power Virtual Server team and you have no direct access or control.

Connecting two Power virtual server environments

In this deployment topology, Megaport or Direct Link (2.0) Connect is used to provide connectivity between Power virtual server environments at two different data centers.

Connect Power Virtual Server environments with Megaport.

IBM Cloud Connect is a managed network service that uses Megaport services and is available only in the United States. You can also procure Megaport services directly to connect your Power Virtual Server environments.

Complete the following steps to implement this scenario:

  1. Define the IP address schema of your Power Virtual Server subnets in your Power Virtual Server environment. Your Power Virtual Server instances are hosted on these subnets. Ensure that you do not overlap these subnets with your IBM Cloud classic private subnets or the IP addressing schema that is used for the services network. For instructions, see Configuring and adding a private network subnet.

  2. Procure the Megaport VXC connections to connect your (remote) networks in the client-managed environment to the Megaport network.

    • Open an IBM Support case against Power Virtual Server to receive a service ID or a virtual cross-connect (VXC) identifier from IBM.
    • Engage with Megaport to procure the connection (VXC) to the Power Virtual Server port at Megaport. When you connect Power IaaS Location-1 to Power IaaS Location-2 by using Megaport, you might need a Megaport Cloud Router (MCR) unless network connectivity is through a customer router. Consult a Direct Link Connect or Megaport representative for specific network requirements.
  3. Open an IBM Support case against the Power Virtual Server team to perform the network configuration that connects the Megaport network to the Power Virtual Server router by using VXCs. Include the following pieces of information in your case:

    Customer name and contact:
    Customer account ID:
    Service ID (VXC identifier):

    Customer network subnet:
    Customer router IP address:
    Power Virtual Server customer network IP address:
    Power Virtual Server network ASN: 64999 for WDC04 and 64997 for DAL13
    Customer network ASN:

    Customer subnets to be advertised:
    Power Virtual Server customer private network ID (1):
    Power Virtual Server customer private network ID (2):
    Power Virtual Server customer private network ID (3):


The Power Virtual Server router is the default gateway for your Power virtual server instances. This router is operated by the IBM Cloud team and you have no direct access or control.

Connecting to a network in the client-managed environment by using a private SSL connection and a jump server

The IBM Cloud SSL VPN service is a feature of the IBM Cloud classic infrastructure, which enables you to manage your classic resources, remotely, over the IBM Cloud Private network. An SSL VPN connection from your location to the private network allows out-of-band management and server rescue through an encrypted VPN tunnel. For more information, see About VPN.

The IBM Cloud SSL VPN service can access only your classic private IP subnets. Therefore, you cannot use the SSL VPN feature to access your Power Virtual Server instances directly from your workstation. Instead, a jump server or bastion host is used to access your Power Virtual Server instances from your network in the client-managed environment.

Connect to client-managed environment with SSL VPN.

This deployment topology builds on the Connect-to-classic architecture.

Complete the following steps to implement the connectivity using jump server or bastion host:

  1. Ensure that you meet the following prerequisites:

  2. Deploy a jump server or bastion host with your preferred operating system. You can connect from your workstation or laptop at your location to the private IP address of your jump server or bastion host by using Remote Desktop Protocol (RDP) or Secure Shell Protocol (SSH).

  3. Establish a connection from the jump server or bastion host to your Power Virtual Server instances by using SSH.

This option is typically used to manage infrastructures and is not recommended for production workloads.

Connecting to a network in the client-managed environment by using an internet IPsec VPN connection

Individual Power Virtual Server instances can have internet access, but there is currently no site-to-site IPsec VPN service that connects your Power Virtual Server subnets to your remote networks.

Connect to client-managed environment with IPsec VPN.

This deployment topology uses the IBM Cloud classic infrastructure gateway appliance to provide an internet-connected IPsec VPN gateway to enable a site-to-site VPN connection to your Power Virtual Server resources.

  • The IBM Cloud gateway appliance allows you to selectively route private and public network traffic through a full-featured, enterprise-level firewall that runs VyOS, Junos OS, or any other operating system that you choose (Bring Your Own Appliance).

  • All appliance features are customer-managed.

  • By using the IBM Cloud UI, CLI, or API, you can select your VLANs, and hence, the associated subnets, that you want to associate with your gateway appliance. Associating a VLAN with a gateway appliance reroutes (or trunks) that VLAN and all of its subnets to your appliance, giving you control over filtering, forwarding, and protection.

  • A gateway appliance is attached to two nonremovable transit VLANs, one each for your public and private networks.

Complete the following steps to implement this scenario:

  1. Set up an IBM Cloud gateway appliance to establish an IPsec VPN connection from your remote location to the IBM Cloud classic infrastructure.

  2. Complete all steps in Connecting to classic infrastructure by using Direct Link (2.0). This includes configuring Power Virtual Server private subnets and provisioning a Direct Link (2.0) Connect or an IBM Cloud connection instance with the VRF option.

    The IBM Cloud classic infrastructure environment VRF contains the following routes:

    • Subnets that are assigned to you by IBM Cloud for use in your classic environment.
    • Your Power Virtual Server subnets advertised by the Power Virtual Server router.

    However, it does not contain routes to your remote networks. Static routes or a routing protocol, such as BGP, share routes between your remote network and the gateway appliance; the routes that the gateway appliance advertises to your remote network include your Power Virtual Server subnets.

  3. Configure a Generic Routing Encapsulation (GRE) tunnel between the gateway appliance and the Power Virtual Server router as this router doesn't have routes for your remote networks that are advertised to it through the IBM Cloud-side router. Within the GRE tunnel, static routes are configured between the Power Virtual Server router and the gateway appliance. For detailed steps, see Configuring Generic Routing Encapsulation (GRE) tunnel.
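Why step 3 is needed is easier to see with a small forwarding model. The following script, an added example that is not part of the IBM documentation, gives each hop named on this page (remote router, gateway appliance, classic VRF, Power Virtual Server router) a routing table with longest-prefix-match lookup and traces a packet in each direction with and without the GRE tunnel. All addresses, hop names and the two static routes are constructed assumptions; the tunnel is modeled as a direct adjacency between the gateway appliance and the Power Virtual Server router, even though in reality the encapsulated packets still ride the classic VRF and the Direct Link.

```python
"""Why the IPsec-over-classic topology needs the GRE tunnel: a minimal
longest-prefix-match model of the four routing hops the page describes.

Added example for this page, not IBM code. Hop names, prefixes and the
next-hop layout are constructed assumptions that follow the page's text.
"""
from ipaddress import ip_address, ip_network


class Hop:
    """One routing table. A route maps a prefix to the name of the next hop;
    the next hop "LOCAL" means the prefix is directly attached here."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add(self, prefix, via):
        self.routes.append((ip_network(prefix), via))
        return self

    def next_hop(self, dst):
        ip = ip_address(dst)
        matches = [(net, via) for net, via in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins


def trace(hops, start, dst, max_hops=8):
    """Follow next hops from `start` towards `dst`. Returns the hop names
    visited, ending in "DELIVERED" or a "DROP(...)" marker."""
    path, cur = [], start
    for _ in range(max_hops):
        path.append(cur)
        via = hops[cur].next_hop(dst)
        if via is None:
            path.append(f"DROP(no route at {cur})")
            return path
        if via == "LOCAL":
            path.append("DELIVERED")
            return path
        cur = via
    path.append("DROP(hop limit)")
    return path


REMOTE = "192.168.100.0/24"   # network in the client-managed environment (constructed)
CLASSIC = "10.1.0.0/26"       # classic private subnet whose VLAN is trunked to the appliance
POWERVS = "192.168.50.0/24"   # Power Virtual Server subnet


def build(with_gre):
    """Routing tables of the topology, with or without the GRE tunnel."""
    hops = {n: Hop(n) for n in ("remote-router", "gateway-appliance",
                                "classic-vrf", "powervs-router")}
    # Remote site: both IBM Cloud prefixes are sent into the IPsec tunnel.
    (hops["remote-router"].add(REMOTE, "LOCAL")
        .add(CLASSIC, "gateway-appliance").add(POWERVS, "gateway-appliance"))
    # Gateway appliance: IPsec peer for the remote site; everything else goes
    # to the classic VRF, which already carries the Power VS subnets that the
    # Power VS router advertises over BGP.
    hops["gateway-appliance"].add(REMOTE, "remote-router").add(CLASSIC, "classic-vrf")
    # Classic VRF: your classic subnets plus the Power VS subnets learned over
    # BGP. Per the page, it holds no route to the remote networks.
    hops["classic-vrf"].add(CLASSIC, "LOCAL").add(POWERVS, "powervs-router")
    # Power VS router: default gateway of the instances; learns the classic
    # subnets over BGP but, like the VRF, knows nothing about the remote site.
    hops["powervs-router"].add(POWERVS, "LOCAL").add(CLASSIC, "classic-vrf")
    if with_gre:
        # Step 3 of the page: static routes inside the GRE tunnel, one at
        # each tunnel endpoint, modeled here as a direct adjacency.
        hops["gateway-appliance"].add(POWERVS, "powervs-router")
        hops["powervs-router"].add(REMOTE, "gateway-appliance")
    else:
        hops["gateway-appliance"].add(POWERVS, "classic-vrf")
    return hops


if __name__ == "__main__":
    for gre in (False, True):
        hops = build(gre)
        print(f"GRE tunnel configured: {gre}")
        print("  remote -> Power VS :", " > ".join(trace(hops, "remote-router", "192.168.50.10")))
        print("  Power VS -> remote :", " > ".join(trace(hops, "powervs-router", "192.168.100.5")))
```

Without the tunnel the request from the remote site is delivered, but the reply is dropped on the Power Virtual Server router because nothing has told it where 192.168.100.0/24 lives. This asymmetric failure is what to look for when the IPsec session is up on the gateway appliance yet TCP connections to Power Virtual Server instances never complete.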

For a tutorial on site-to-site VPN connectivity, see IBM Power Virtual Server Virtual Private Network Connectivity.

Additionally, x86 servers can be deployed onto the subnets in the associated and nonassociated VLANs to build complex topologies, such as three-tier architectures.

Connecting two Power Virtual Server environments by using IBM Cloud Transit Gateway

In this deployment topology, a connection through IBM Cloud Transit Gateway is used to provide connectivity between Power virtual server environments at two different data centers. With IBM Cloud Transit Gateway, you can also interconnect your Power Virtual Servers to the IBM Cloud classic and VPC infrastructures, keeping traffic within the IBM Cloud network. Transit Gateway enables you to connect your otherwise disconnected private networks, such as classic, VPC, and Direct Link. In addition, you can establish connection between multiple Power Virtual Server workspaces across different data centers.

The following network architecture allows connectivity between multiple Power Virtual Server locations with high availability (HA) and disaster recovery (DR) solutions.

Transit Gateway deployment scenario.

Key features are as follows:

  • Access and connectivity between two different Power Virtual Server locations in the same region (for example DAL12 to DAL13) to support HA through replication.

  • Access and connectivity between two different Power Virtual Server locations in different regions (for example DAL12 to WDC06) to support DR through replication.

Complete the following steps to implement this scenario:

  1. Create an IBM Cloud Transit Gateway to enable the virtual connections.
  2. Create an IBM Cloud connection with Transit Gateway enabled.
  3. Connect your Power Virtual Servers that are located in data center 1 and data center 2 through the IBM Cloud network by using a Transit Gateway.

After the Transit Gateway connection is established, different IBM Cloud networks are connected to each other.