Using virtual private endpoints for VPC to privately connect to Qiskit Runtime
IBM Cloud® Virtual Private Endpoints (VPE) for VPC lets you connect to Qiskit Runtime from your VPC network by using IP address that you specify, allocated from a subnet within your VPC.
VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per-service basis. The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communications from virtual server instances within your VPC and IBM Cloud® service on the private backbone. VPE for VPC lets you control all private addressing within your cloud. For more information, see About virtual private endpoint gateways.
Within Qiskit Runtime, all customer data is transmitted over the private network regardless of whether it is accessed through a public endpoint or VPE. If you ware using the Bring Your Own Bucket feature (ibmcloud_cos remote storage
type), Qiskit Runtime uses the IBM Cloud® Object Storage private endpoints. Customers for whom data locality is a priority should ensure that they access the Cloud
Object Storage buckets through the private endpoints. See Object Storage documentation for further details.
Connecting to Qiskit Runtime through the public endpoints transmits all request and response data over the public internet. To connect to Qiskit Runtime by using a VPE, you must use the Qiskit Runtime API or SDK. The IBM Cloud® console Qiskit Runtime page can only be accessed through the public network.
Before you begin
Before you target a VPE for Qiskit Runtime complete the following steps:
- Create a Virtual Private Cloud.
- Plan for the network topology to connect to VPEs.
- Set access controls for your VPE.
- Understand the limitations of having a VPE.
- Understand how to view VPE details.
Set up a VPE for Qiskit Runtime
There are several ways to create a VPE gateway. If you use the CLI or API, you must specify the Cloud Resource Name (CRN) of the region in which you want connect to Qiskit Runtime. Review the following table for the available regions and CRNs.
| Region | Plans | Fully Qualified Domain Name (FDQN) | Cloud Resource Name (CRN) |
|---|---|---|---|
eu-de |
Standard |
private.eu-de.quantum-computing.cloud.ibm.com |
crn:v1:bluemix:public:quantum-computing:eu-de:::endpoint:qiskit-runtime.private.eu-de.quantum-computing.cloud.ibm.com |
Channel Partner |
qiskitruntime.private.eu-de.quantum-computing.cloud.ibm.com, scheduler.private.eu-de.quantum-computing.cloud.ibm.com |
crn:v1:bluemix:public:quantum-computing:eu-de:::endpoint:qiskit-runtime.private.eu-de.quantum-computing.cloud.ibm.com |
Configuring an endpoint gateway
To configure a VPE gateway, follow these steps:
- List the available services, including IBM Cloud infrastructure services available (by default) for all VPC users.
- Create an endpoint gateway for Qiskit Runtime that you want to be privately available to the VPC.
- Bind a reserved IP address to the endpoint gateway.
- View the created VPE gateways associated with Qiskit Runtime.
Now your virtual server instances in the VPC can access your Qiskit Runtime instance privately.
Use your VPE for Qiskit Runtime
After you create an endpoint gateway for Qiskit Runtime, follow these steps:
Use the VPE with qiskit-ibm-runtime (Python SDK)
VPE support requires qiskit-ibm-runtime 0.24.0 or later.
When instantiating QiskitRuntimeService, specify private_endpoint=True.
service = QiskitRuntimeService(token="APIKEY", instance="SERVICE_CRN", channel="ibm_cloud", private_endpoint=True)
Use the VPE with the Qiskit Runtime API
After creating an endpoint gateway for Qiskit Runtime, use the service endpoint's FQDN for the target region.
curl -X POST https://private.$REGION.quantum-computing.cloud.ibm.com/jobs -H "Authorization: Bearer $BEARER_TOKEN" -H "Service-CRN: $SERVICE_INSTANCE_CRN" -d '{
"backend": "backend",
"program_id": "sampler"
}'