Creating and managing link endpoints

Create your Satellite endpoints to manage the network between your IBM Cloud Satellite location and services, servers, or apps that run outside of the location.

Creating `cloud` endpoints to connect to resources outside of the location

Create an endpoint of type cloud so that sources in your Satellite location can connect to a service, server, or app that runs outside of the location.

Before you begin, ensure that you have the following items.

Source client: A Satellite cluster or a host that you attached to your location. For more information about how to create a Satellite cluster, see Creating Satellite clusters. To use a host, attach a host to your location but do not assign the host to the Satellite control plane or a Satellite cluster. Assigning the host starts a bootstrapping process that removes SSH access to your host.
Destination resource: A service, server, or app that runs outside of the location but that is accessible from within IBM Cloud. For example, you can use the private service endpoint for an IBM Cloud service, because that private service endpoint is routable from within the IBM Cloud network. If you want to connect to a service that runs outside of IBM Cloud, this service must be accessible from within the IBM Cloud network.
Permissions: The Administrator IBM Cloud IAM platform role for the Link resource in IBM Cloud Satellite. For more information, see Checking user permissions.

Creating cloud endpoints by using the console

Use the console to create a cloud endpoint so that sources in your Satellite location can connect to a service, server, or app that runs outside of the location.

From the Satellite Locations dashboard, click the name of your location.
From the Overview tab, verify that your location has a normal status.
From the Link endpoints tab, click Create an endpoint.
Select Cloud to create an endpoint for a service, server, or app that runs outside of the location.
Enter an endpoint name, the destination resource's fully qualified domain name (FQDN) or IP address, and the port that your destination resource listens on for incoming requests. The IP address or FQDN must resolve to a public IP address or to a private IP address that is accessible within IBM Cloud, such as a private service endpoint.
Select the protocol that a source must use to connect to the destination FQDN or IP address. This protocol must match the port for your destination resource. For more information, see Endpoint protocols.
- If you selected the TLS or HTTPS protocols and want to require server-side authentication of the destination's certificate, select the Verify destination certificate checkbox.
- If you selected the TLS or HTTPS protocols but the destination resource is still in development, you can click Upload certificate to add your self-signed certificate file. This ssl.crt file must contain the public, base-64 encoded certificate for your resource's host name and must not contain the private ssl.key certificate key. To create a self-signed certificate for testing purposes by using OpenSSL, see this self-signed SSL certificate tutorial.
- If you selected the TLS or HTTPS protocols and want to allow a separate hostname to be provided to the TLS handshake of the resource connection, enter the server name indicator (SNI).
Configure optional connection settings, such as setting an inactivity timeout. Choose a value between 1 and 600 seconds. The default value is 60 seconds.
Click Create. Wait a few minutes for the Satellite Link connector component to assign a port to your endpoint.
In the table row for your endpoint, copy the host name for your Satellite Link connector and the port for your endpoint in the Address field.
Use the address to connect to your destination from a source in your location.

Creating cloud endpoints with the CLI

Use the CLI to create an endpoint so that sources in your Satellite location can connect to a service, server, or app that runs outside of the location.

Get the ID of your Satellite location and verify that your location has a normal status.

ibmcloud sat location ls

Example output

Name               ID                     Status   Ready   Created       Hosts (used/total)   Managed From
port-antwerp       brlono42051up3k4htu0   normal   yes     2 weeks ago   6 / 7                London

Create a cloud endpoint.

ibmcloud sat endpoint create --location <location_ID> --name <endpoint_name> --dest-type cloud --dest-hostname <FQDN_or_IP> --dest-port <port> [--dest-protocol <destination_protocol>] --source-protocol <source_protocol>  [--sni <sni>]

Understanding the API request
Component	Description
`--location <location_ID>`	Enter the ID of your Satellite location that you retrieved earlier.
`--name <endpoint_name>`	Enter a name for your Satellite endpoint.
`--dest-type cloud`	Enter `cloud` to indicate that the destination resource runs outside of the location.
`--dest-hostname <FQDN_or_IP>`	Enter the fully qualified domain name (FQDN) or the externally accessible IP address of the destination that you want to connect to. For cloud endpoints, this value must resolve to a public IP address or to a private IP address that is accessible within IBM Cloud such as a private cloud service endpoint.
`--dest-port <port>`	Enter the port that destination resource listens on for incoming requests. Make sure that the port matches the destination protocol.
`--dest-protocol <destination-protocol>`	Optional: Enter the protocol of the destination resource. If you do not specify this option, the destination protocol is inherited from the source protocol. Supported protocols include `tcp` and `tls`. For more information, see Endpoint protocols.
`--source-protocol <source-protocol>`	Enter the protocol that the source must use to connect to the destination resource. Supported protocols include `tcp`, `tls`, `http`, `https`, and `http-tunnel`. For more information, see Endpoint protocols.
`--sni <sni>`	Optional. If you specify a `tls` or `https` source protocol and want a separate hostname to be added to the TLS handshake, include the server name indicator.

Wait a few minutes for the Satellite Link connector component to assign a port to your endpoint.

Verify that your endpoint is created. In the output, copy the host name for your Satellite Link connector and the port for your endpoint in the Address field.

ibmcloud sat endpoint ls --location <location_ID>

Example output

ID                           Name                                         Destination Type   Address                                                                                                    Status
c0mnbnkw0jl8si22djkg_cEomQ   openshift-api-c0mpnn4w0bv28oq2dks0           location           TCP  c-02.us-east.link.satellite.cloud.ibm.com:32823                                                       enabled
c0mnbnkw0jl8si22djkg_6UTZd   satellite-healthcheck-c0mnbnkw0jl8si22djkg   location           HTTP c-02.us-east.link.satellite.cloud.ibm.com:32822                                                       enabled
c0mnbnkw0jl8si22djkg_GzstO   test-endpoint                                cloud              TLS  nae4dce0eb35957baff66-edfc0a8ba65085c5081eced6816c5b9c-c000.us-east.satellite.appdomain.cloud:30819   enabled

Use the address to connect to your destination from a source in your location.

Testing connections through cloud endpoints

Use the Satellite Link connector host name and port that are assigned to your endpoint to connect to your destination resource from a source in your location. The source can be a Satellite cluster that you previously created or a host that you assigned to your location.

Example for testing the connection from an unassigned host

Log in to your host. Enter the password to access your host when prompted.
```
ssh root@<ip_address>
```
Use the Satellite Link connector host name and port to test the connection to your destination resource.
```
curl http://<linkconnector_hostname>:<port>
```

Example for testing the connection from a Satellite cluster

Target your cluster. If you are not connected to your location host network, include the --endpoint link option.
```
ibmcloud oc cluster config --cluster <cluster_name> --admin [--endpoint link]
```

Deploy a sample app to your cluster. To test the connection from your location to your endpoint, you must be connected to the network that your Satellite cluster is connected to. You can connect to the network by deploying an app, logging in to the app, and then running a curl request against your endpoint. The following example deploys nginx into your cluster.

Create a configuration file for your deployment.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginxinc/nginx-unprivileged
        ports:
        - containerPort: 80

Deploy the app in your cluster.
```
oc apply -f deployment.yaml
```

Verify that the nginx app is successfully deployed in your cluster.

oc get pods

Example output

NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-85ff79dd56-6lrpg   1/1     Running   0          11s

Log in to your pod.
```
oc exec <pod_name> -it bash
```
Use the Satellite Link connector host name and port to test the connection to your destination resource.
```
curl http://<linkconnector_hostname>:<port>
```

Creating `location` endpoints to connect to resources in a location

Create an endpoint of type location so that sources that are connected to the IBM Cloud private network can connect to a service, server, or app in your Satellite location.

Before you begin, ensure that you have the following items.

Source client: A service, server, or app that that can access the IBM Cloud private network. Destination resource; A service, server, or app that runs in a Satellite cluster or a host that you attached to your location. For more information about how to create a Satellite cluster, see Creating Satellite clusters. To use a host, attach a host to your location but do not assign the host to the Satellite control plane or a Satellite cluster. Assigning the host starts a bootstrapping process that removes SSH access to your host.
Permissions: The Administrator IBM Cloud IAM platform role for the Link resource in IBM Cloud Satellite. For more information, see Checking user permissions.

Creating location endpoints by using the console

Use the console to create an endpoint so that sources that are connected to the IBM Cloud private network can connect to a service, server, or app in your Satellite location.

From the Satellite Locations dashboard, click the name of your location.
From the Overview tab, verify that your location has a normal status.
From the Link endpoints tab, click Create an endpoint.
Select Satellite location to create an endpoint for a service, server, or app in your Satellite location.
Enter an endpoint name, the destination resource's fully qualified domain name (FQDN) or IP address, and the port that your destination resource listens on for incoming requests. The FQDN or IP address must resolve from and be reachable from the control plane hosts for Satellite locations or where the agent runs for Satellite Connector.
Select the protocol that a source must use to connect to the destination FQDN or IP address. This protocol must match the port for your destination resource. For more information, see Endpoint protocols.
- If you selected the TLS or HTTPS protocols and want to require server-side authentication of the destination's certificate, select the Verify destination certificate checkbox.
- If you selected the TLS or HTTPS protocols but the destination resource is still in development, you can click Upload certificate to add your self-signed certificate file. This ssl.crt file must contain the public, base-64 encoded certificate for your resource's host name and must not contain the private ssl.key certificate key. To create a self-signed certificate for testing purposes by using OpenSSL, see this self-signed SSL certificate tutorial.
- If you selected the TLS or HTTPS protocols and want to allow a separate hostname to be provided to the TLS handshake of the resource connection, enter the server name indicator (SNI).
Configure optional connection settings, such as setting an inactivity timeout. Choose a value between 1 and 600 seconds. The default value is 60 seconds.
Click Create. Wait a few minutes for the Satellite Link connector component to assign a port to your endpoint.
In the table row for your endpoint, copy the host name for your Satellite Link tunnel server and the port for your endpoint in the Address field.
From your source client in the IBM Cloud private network, test the connection to your Satellite endpoint by using the address. For example, depending on your source client, you might send a curl request to the endpoint:
```
curl http://<linkserver_hostname>:<port>
```

Creating location endpoints by using the CLI

Use the CLI to create an endpoint so that sources that are connected to the IBM Cloud private network can connect to a service, server, or app in your Satellite location.

Get the ID of your Satellite location and verify that your location has a normal status.

ibmcloud sat location ls

Example output

Name               ID                     Status   Ready   Created       Hosts (used/total)   Managed From
port-antwerp       brlono42051up3k4htu0   normal   yes     2 weeks ago   6 / 7                London

Create a location endpoint.

ibmcloud sat endpoint create --location <location_ID> --name <endpoint_name> --dest-type location --dest-hostname <FQDN_or_IP> --dest-port <port> [--dest-protocol <destination_protocol>] --source-protocol <source_protocol>

Understanding the API request
Component	Description
`--location <location_ID>`	Enter the ID of your Satellite location that you retrieved earlier.
`--name <endpoint_name>`	Enter a name for your Satellite endpoint.
`--dest-type cloud`	Enter `cloud` to indicate that the destination resource runs outside of the location.
`--dest-hostname <FQDN_or_IP>`	Enter the fully qualified domain name (FQDN) or the externally accessible IP address of the destination that you want to connect to. For location endpoints, this value must resolve from and be reachable from the control plane hosts for Satellite locations or where the agent runs for Satellite Connector.
`--dest-port <port>`	Enter the port that destination resource listens on for incoming requests. Make sure that the port matches the destination protocol.
`--dest-protocol <destination-protocol>`	Optional: Enter the protocol of the destination resource. If you do not specify this option, the destination protocol is inherited from the source protocol. Supported protocols include `tcp` and `tls`. For more information, see Endpoint protocols.
`--source-protocol <source-protocol>`	Enter the protocol that the source must use to connect to the destination resource. Supported protocols include `tcp`, `tls`, `http`, `https`, and `http-tunnel`. For more information, see Endpoint protocols.
`--sni <sni>`	Optional. If you specify a `tls` or `https` source protocol and want a separate hostname to be added to the TLS handshake, include the server name indicator.

Wait a few minutes for the Satellite Link connector component to assign a port to your endpoint.

Verify that your endpoint is created. In the output, copy the host name for your Satellite Link tunnel server and the port for your endpoint in the Address field.

ibmcloud sat endpoint ls --location <location_ID>

Example output

ID                           Name                                         Destination Type   Address
c0mnbnkw0jl8si22djkg_cEomQ   openshift-api-c0mpnn4w0bv28oq2dks0           location           TCP  c-02.us-east.link.satellite.cloud.ibm.com:32823
c0mnbnkw0jl8si22djkg_6UTZd   satellite-healthcheck-c0mnbnkw0jl8si22djkg   location           HTTP c-02.us-east.link.satellite.cloud.ibm.com:32822

From your source client in the IBM Cloud private network, test the connection to your Satellite endpoint by using the address. For example, depending on your source client, you might send a curl request to the endpoint.
```
curl http://<linkserver_hostname>:<port>
```

Setting up access control lists to limit access to endpoints

Control which clients can access destination resources by creating an access control list for an endpoint.

If no sources are configured, any client can use an endpoint to connect to the destination resource. For example, for a location endpoint, any client that is connected to the IBM Cloud private network can use the endpoint to connect to the destination resource that runs in your Satellite location. You can restrict access to your destination resource by adding only the IP addresses or subnet CIDRs of specific clients to the endpoint's source list.

Currently, you can create source lists only for endpoints of type location. You cannot create source lists for endpoints of type cloud.

Creating access control lists by using the console

Complete the following steps to create an access control list for an endpoint from the console.

From the Satellite Locations dashboard, click the name of your location.
Select the Access control list tab, then click Create rule.
On the ACL rule page, complete the following steps.
1. Enter a Rule name.
2. Enter the IP addresses of the clients that are allowed to connect to the endpoint. This value can be a single IP address, a CIDR block, or a comma-separated list. The value must be fully contained in the following CIDRs: 10.0.0.0/8, 161.26.0.0/16, 166.8.0.0/14, 172.16.0.0/12.
3. Select the endpoint (or multiple endpoints) this rule should control access to in your location. Network traffic to the destination through the endpoint is permitted only from clients that use an IP address in the range that you specified in the rule. Network traffic from other clients that is sent to the destination resource through the endpoint is blocked.
Click Create
To modify an existing ACL rule, select Edit in the overflow menu at the right end of the rule, update the field values, and press Save when done.

Creating access control lists by using the CLI

Complete the following steps to create an access control list for an endpoint from the CLI.

Run the following command to create an ACL rule for one or more subnets and optionally bound to one or more endpoints.
```
ibmcloud sat acl create --location LOCATION --name NAME --subnet SUBNET [--subnet SUBNET ...] [--endpoint ENDPOINT ...]
```
--location LOCATION

Enter the name or ID of your Satellite location.

--name NAME

Enter a name for the ACL.

--subnet SUBNET

Enter an IP or CIDR block allowed by this ACL. Value must be fully contained in the following CIDRs: 10.0.0.0/8, 161.26.0.0/16, 166.8.0.0/14, 172.16.0.0/12. You can repeat this parameter to provide multiple values.

--endpoint ENDPOINT

Optionally enter the name or ID of an endpoint to enable for this ACL. You can repeat this parameter to provide multiple values.

Verify that the ACL was created.

ibmcloud sat acl ls --location LOCATION

You can also add or remove endpoints or subnets for an existing ACL.

 ibmcloud sat acl endpoint add --location LOCATION --acl-id ID --endpoint ENDPOINT [--endpoint ENDPOINT ...]
 ibmcloud sat acl endpoint rm --location LOCATION --acl-id ID --endpoint ENDPOINT [--endpoint ENDPOINT ...]
 ibmcloud sat acl subnet add --location LOCATION --acl-id ID --subnet SUBNET [--subnet SUBNET ...]
 ibmcloud sat acl subnet rm --location LOCATION --acl-id ID --subnet SUBNET [--subnet SUBNET ...]

Enabling and disabling endpoints

After you set up an endpoint, you can control the flow of network traffic through the endpoint at any time by enabling or disabling the endpoint.

From the Locations dashboard, select the location where you created the Satellite endpoint.
Select the Link endpoints tab and find the endpoint that you want to enable or disable.
Use the toggle to enable or disable the endpoint. After you disable an endpoint, network traffic between your location and the destination server, service, or app is blocked for all sources.

Creating and managing link endpoints

Creating cloud endpoints to connect to resources outside of the location

Creating cloud endpoints by using the console

Creating cloud endpoints with the CLI

Testing connections through cloud endpoints

Example for testing the connection from an unassigned host

Example for testing the connection from a Satellite cluster

Creating location endpoints to connect to resources in a location

Creating location endpoints by using the console

Creating location endpoints by using the CLI

Setting up access control lists to limit access to endpoints

Creating access control lists by using the console

Creating access control lists by using the CLI

Enabling and disabling endpoints

Creating `cloud` endpoints to connect to resources outside of the location

Creating `location` endpoints to connect to resources in a location