IBM Cloud Docs
Network overview

Network overview


IBM Power Virtual Server Private Cloud: On-premises


Establishing a connectivity between the pod in your data center and IBM® Power® Virtual Server IBM Cloud requires meticulous planning, site preparation, meeting the prerequisites, understanding the network architecture, and others.

Setting up of a network involves setting up the following two networks:

Control plane network

The IBM Power Virtual Server (On-premises) network architecture requires connectivity between IBM Cloud and the pod that is located in your IBM Power Virtual Server (On-premises) data center. This connectivity is the main communication channel between the Service Broker, IBM Cloud, and pod. This communication channel is known as a control plane network. Through this channel, the Service Broker can start the APIs on PowerVC for Power Virtual Server for the virtual machine lifecycle operations.

The control plane network is set up with redundancy, providing multiple network paths, to ensure that the pods are connected to the IBM Cloud regions reliably. The control plane network can be set up by using an IBM Cloud Direct Link 2.0 or Virtual private network (VPN). For IBM Cloud Direct Link 2.0 connection, IBM orders the device that uses an IPsec over VPN (last-mile connectivity) to connect to the IBM Power Virtual Server (On-premises) pod in the IBM Cloud region.

Before the pod installation, provide the required network-specific information so that either the IBM Cloud Direct Link 2.0 connection or VPN connection can be established.

Virtual Private Network

The Virtual Private Network(VPN) between the IBM Cloud and the pod can be established in the following ways:

  • Site-to-Site VPN connectivity A VPN gateway can be set up on the VPC that houses the service broker. This gateway provides an internet-facing IP address. You can establish a VPN client on your data center that can provide an internet-facing IP address. This connectivity forms an IPsec VPN tunnel between the two end points. Then, the VPN client on your data center can be extended to the IBM Power Virtual Server (On-premises) routers.
  • VPN connectivity by using IBM Cloud classic environment: A Juniper vSRX Virtual Firewall can be deployed in the classic environment on the IBM Cloud. This setup can be connected to the VPC that houses the service broker through a transit-gateway. Alternatively, a similar VPN hardware or software environment can be set up on your data center environment. This setup can be connected through an IPsec VPN tunnel and extended to the IBM Power Virtual Server (On-premises) routers. Your data center infrastructure must be connected to the routers on the pod. This connectivity is recommended to be as minimal as possible. You can set up one or more virtual routers in your environment and set up a Border Gateway Protocol (BGP) deployment by using the IBM Power Virtual Server (On-premises) routers.

Data plane network

The data plane network is enabled when the pods in your data center are connected to your IBM Power Virtual Server (On-premises) network infrastructure. You must be able to access the virtual servers (logical partitions) in the pod through your network instead of IBM Cloud.

The pod contains all the software components that are required to communicate to the IBM Cloud. The components include service software such as HMC and PowerVC, and storage and network devices such as Application Centric Infrastructure (ACI) and router.

When you create a network within a pod, ensure that the network does not overlap with other existing networks in the same workspace within the pod. If you create an overlapping network, an error message is displayed.

If you create an overlapping network through an API, an error message similar to the following example is displayed:

{
  "errors": "Subnet overlap between uni/tn-VPN502/BD-BD_VPN502_V504_PRIV_3302/subnet-[192.168.31.1/24] and uni/tn-VPN502/BD-BD_VPN502_V504_PRIV_3301/subnet-[192.168.31.1/24] in VRF uni/tn-VP
N502/ctx-VPN502_V504_VRF. It is not possible to have overlapping subnets across different Bridge Domains within the same VRF."
}

As part of the network planning, you can review the following use cases and identify the use cases that are applicable to you. You can communicate about such requirements before the installation so that you do not have to open separate support tickets to implement the use-cases and configurations.

  • Connectivity between the LPARs within a pod - You can create an internal private network and deploy LPARs on them with no external connectivity. These LPARS can be accessible with each other due to the automated Host Communication, which configures the ACI fabric inside the pod. For more information, see Connectivity between the LPARs within a pod.
  • Outbound-only external connectivity via DNAT - You can create external networks in the pod. Connectivity for these networks must be configured through a manual ticket process. After the connectivity configuration, LPARs can be deployed on them and they can access external networks. You can always deploy LPARs with both internal and external networks as separate network interfaces. For more information, see Outbound-only external connectivity via DNAT.
  • Bi-directional external connectivity via BGP - You can deploy an external network within the pod to establish the communicating between the endpoints that are in the IBM Power Virtual Server (On-premises) network environment by using BGP. For more information, see Bi-directional external connectivity via BGP.
  • Bi-directional external connectivity via Static Route - You can deploy an external network within the pod to establish the communicating between the endpoints that are in the IBM Power Virtual Server (On-premises) network environment by using static route similar to BGP. For more information, see Bi-directional external connectivity via static routes.
  • Bi-directional external connectivity - ACI L2Out - When you establish this type of external connectivity, it by-passes the router and directly connects to the ACI fabric. This type of connectivity is useful if the same IP address space is required on both internal and external networks. All other types of external networks involve two distinct subnets. For more information, see Bi-directional external connectivity via ACI L2Out.

Network architecture diagrams

Figure 1 shows the overall view of the network architecture.

Power Virtual Server network architecture
High-level network architecture in Power Virtual Server