About Private Path
Accounts with special approval can attach an ALB to a Private Path NLB pool, enabling access to on-prem resources while maintaining a private connection across IBM Cloud.
The Private Path solution solves security, privacy and complexity problems. Through Private Path, providers can deliver their services over the IBM Cloud private network backbone, ensuring secure and private interactions for consumers. Providers can offer their services to IBM Cloud customers over Private Path using the IBM Cloud infrastructure. Private Path components are used when connecting to IBM Cloud services, and can now be used for third-party applications and services.
The Private Path solution has the following advantages:
- Increased security and privacy: Private Path allows targeted and directional connectivity between VPCs and accounts, allowing only consumers to initiate connections to the provider's service endpoint.
- Granular control: Explicit authorization gives providers full control over who can access their services.
- Scaling out managed services: Point-to-point connectivity, with no other shared resource dependencies between consumer and producer VPC networks, simplifies deployment and enables providers to easily scale managed services.
- Decreased complexity: Simplify cloud network management and consume services directly in virtual networks without needing complex setups. Set up access policy enforcement and quickly expose and consume services across different networks and organizations.
- High performance and scalability: The Private Path network load balancer transparently scales out to provide extremely high throughput and low latency.
- High availability: The Private Path network load balancer is a regional load balancer and is resilient to a zone failing.
- Host managed services on IBM Cloud or on-premises: Quickly deploy managed services on IBM Cloud or on-premises and deliver policy-driven access to your consumers.
The Private Path solution incorporates various products that IBM Cloud customers are already familiar with, such as VPC and network load balancers. It also incorporates any configured Virtual Private Endpoint (VPE) gateways and DNS Services, ensuring that the entire point-to-point data path is private across IBM Cloud.
To use IBM Cloud Private Path, you must first have an IBM Cloud account. To learn more, see Setting up your IBM Cloud account.
Getting started with Private Path service
As a service provider, follow these steps to get started:
1. Make sure that you have a Virtual Private Cloud (VPC) and at least one subnet in the selected VPC.
2. Create a Private Path NLB.
   - You can create a Private Path NLB when you create your Private Path service, or you can use the Load balancer for VPC provisioning page to create one. To create a Private Path load balancer separate from the Private Path service, see Creating a Private Path network load balancer.
   - You must use the same account within the same VPC region for your Private Path NLB and Private Path service.
3. Create a Private Path service.
   - Set the default policy, which applies to connection requests from any account that has no specific policy assigned to it. The default policy can be Review, Permit, or Deny. Review lets you permit or deny each request manually, whereas Permit and Deny automatically accept or reject connection requests from accounts without a specific account policy.
   - Create account policies for specific account IDs now or later. These policies determine what action to take when the provider receives a request from a specific account, and take precedence over the default policy.
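The access decision described in the steps above (an account-specific policy wins; otherwise the default policy applies, and a Review default leaves the request waiting for the provider) can be modelled as a small evaluator. The following Python is an added illustration, not IBM Cloud's own code or API: the class, method and account ID values are constructed for the example, and it only models the decision logic, not the provisioning of any resource.

```python
"""Model of Private Path connection-request evaluation (added illustration, not IBM's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Policy(str, Enum):
    """Policy values named on the page: Permit, Deny, Review."""
    PERMIT = "permit"
    DENY = "deny"
    REVIEW = "review"


class Decision(str, Enum):
    """Outcome of a connection request from a consumer account."""
    PERMITTED = "permitted"
    DENIED = "denied"
    PENDING = "pending"  # waiting for the provider's manual review


@dataclass
class ConnectionRequest:
    request_id: str
    account_id: str
    decision: Decision = Decision.PENDING


@dataclass
class PrivatePathService:
    """Hypothetical provider-side model: a default policy plus per-account overrides."""
    default_policy: Policy
    account_policies: dict[str, Policy] = field(default_factory=dict)
    requests: dict[str, ConnectionRequest] = field(default_factory=dict)

    def set_account_policy(self, account_id: str, policy: Policy) -> None:
        """Account policies may be added at any time; they affect later requests."""
        self.account_policies[account_id] = Policy(policy)

    def effective_policy(self, account_id: str) -> Policy:
        """An explicit account policy takes precedence over the default policy."""
        return self.account_policies.get(account_id, self.default_policy)

    def request_connection(self, request_id: str, account_id: str) -> Decision:
        """Evaluate a new connection request from a consumer account."""
        req = ConnectionRequest(request_id, account_id)
        req.decision = _apply(self.effective_policy(account_id))
        self.requests[request_id] = req
        return req.decision

    def review(self, request_id: str, permit: bool) -> Decision:
        """Provider decides a request that the Review policy left pending."""
        req = self.requests[request_id]
        if req.decision is not Decision.PENDING:
            raise ValueError(f"request {request_id} is already {req.decision.value}")
        req.decision = Decision.PERMITTED if permit else Decision.DENIED
        return req.decision


def _apply(policy: Policy) -> Decision:
    """Map a policy to the automatic decision it produces."""
    return {
        Policy.PERMIT: Decision.PERMITTED,
        Policy.DENY: Decision.DENIED,
        Policy.REVIEW: Decision.PENDING,
    }[policy]


def demo() -> list[tuple[str, str]]:
    """Walk through the precedence rules with constructed account IDs."""
    svc = PrivatePathService(default_policy=Policy.REVIEW)
    trace = []
    # Unknown account under a Review default: request waits for the provider.
    trace.append(("r1", svc.request_connection("r1", "acct-consumer-a").value))
    trace.append(("r1-reviewed", svc.review("r1", permit=True).value))
    # Provider later adds an explicit Deny for that account; it now wins.
    svc.set_account_policy("acct-consumer-a", Policy.DENY)
    trace.append(("r2", svc.request_connection("r2", "acct-consumer-a").value))
    # Accounts without a policy still fall back to the default.
    trace.append(("r3", svc.request_connection("r3", "acct-consumer-b").value))
    return trace


if __name__ == "__main__":
    for step, outcome in demo():
        print(f"{step}: {outcome}")
```

The `review` method refuses to act on a request that was already decided, which is the check a provider-side tool should make before letting an operator change an outcome. A Deny default with a short list of Permit account policies is the most restrictive configuration the page describes; a Review default trades automation for a human decision on every unknown account.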
Private Path service use cases
The following use cases show you the various ways that you can use Private Path services.
In all Private Path use cases, you can use ALB policy capabilities to direct Private Path service traffic.
Use case 1: Connecting a service to a single consumer
As a provider, you want to connect your service to a consumer without traffic traversing the internet and without giving access to your entire VPC. Your consumer can be a customer, another division in your company, or something else.
This figure illustrates how to establish a Private Path service. Establishing a Private Path service enables you to expose a service to a customer privately.
First, a consumer's application connects to a VPE gateway in the consumer's VPC. Then, the VPE gateway connects to the Private Path NLB in the provider's VPC. In turn, the Private Path NLB connects to the provider's service. The provider's service then responds to the consumer's request through Direct Server Return (DSR). This Private Path service activity is completely contained in a single region (US South) in an IBM Cloud private network.
Use case 2: Connecting a service to multiple consumers
This figure illustrates how to establish a Private Path service with connections to multiple consumers' VPE gateways.
First, each consumer's application connects to a VPE gateway in that consumer's VPC. Then, the VPE gateway connects to the Private Path NLB in the provider's VPC. In turn, the Private Path NLB connects to the provider's service. The provider's service then responds to the consumer's request through DSR. This Private Path service activity is completely contained in a single region (US South) in an IBM Cloud private network.
Use case 3: Connecting a service to a customer within your VPC
This diagram illustrates how to establish a Private Path service with connections to the VPE gateway of a consumer within your VPC.
Use a Private Path service within a single VPC if you need to enhance the performance and scalability of a Private Path network load balancer.
First, a consumer's application connects to the consumer's VPE gateway within the provider's VPC. Then, the VPE gateway connects to the Private Path NLB in the provider's VPC. In turn, the Private Path NLB connects to the provider's service. The provider's service then responds to the consumer's request through DSR. This Private Path service activity is completely contained in a single region (US South) in an IBM Cloud private network.
Use case 4: Enabling an IBM Cloud service to connect to a provider's VPC
Private Path allows connection between an IBM Cloud service like IBM Cloud Code Engine and your VPC without compromising security or putting your VPC at risk. Code Engine is a multi-tenant compute service that runs source-code or containerized workloads. Its dynamic scaling capabilities allow your apps to automatically scale up and down, even to zero, based on incoming requests. With its pay-per-use model, Code Engine only charges for the compute capacity you actually use. For more information, see IBM Cloud Code Engine.
This diagram illustrates how to establish a Private Path service with connections to the VPE gateway of a Code Engine application and your VPC. First, the Code Engine application connects to the VPE gateway within the Code Engine's VPC. Then, the VPE gateway connects to the Private Path NLB in the provider's VPC. In turn, the Private Path NLB connects to the provider's application. The provider's application then responds to the request. This Private Path service activity is completely contained in a single region (us-south) in an IBM Cloud private network.
Use case 5: Using an ALB with a Private Path NLB to host services outside a VPC
Select availability only
The following diagram illustrates the process of setting up a Private Path service to connect a consumer's service to a provider's endpoint, which can be hosted on-premises or in other private locations that are accessible from the provider's VPC:
1. The consumer's application or service connects to a virtual private endpoint (VPE) gateway within the consumer's VPC. The consumer's VPC can be an IBM service with Private Path support, like MQ as a Service or Code Engine, allowing connections such as linking an on-cloud MQ Queue Manager to an on-premises Queue Manager or connecting a Code Engine project to an on-premises resource.
2. The VPE gateway then links to the Private Path network load balancer (NLB) located in the provider's VPC.
3. To enable the Private Path NLB to reach its on-premises endpoint, the provider adds their application load balancer (ALB) as a member of the Private Path NLB.
4. The provider configures the on-premises endpoint as an ALB pool member.
5. Finally, the provider connects the on-premises endpoint to their ALB using IBM Cloud Direct Link.
The provider can further harness ALB policy capabilities to direct traffic to the relevant ALB pool and member. For more information, see Policy-based load balancing.
It is recommended that you enable zonal affinity in the Private Path service so that traffic from the client to the VPE gateway is directed to a Private Path NLB and ALB within the same zone (if available), which avoids cross-zone traffic.
Next steps
The following links provide additional information about the Private Path solution: