Connecting to IBM Cloud via the private network by using Satellite Connector and Direct Link 2.0
In the following steps, you set up a Virtual Private Endpoint (VPE) gateway in your Virtual Private Cloud (VPC) to use with Direct Link for communication between your on-premises apps and IBM Cloud.
After setting up the VPE, you can communicate with IBM Cloud through the VPE by using Satellite Connector.
Prerequisites
Before you begin, make sure you have the following resources and permissions.
- A VPC.
- IBM Cloud Direct Link.
- The IBM Cloud CLI and plug-ins installed.
- Administrator IBM Cloud IAM platform access role for IBM Cloud Satellite.
- Administrator IBM Cloud IAM platform access role for Direct Link.
- Administrator IBM Cloud IAM platform access role for VPC.
- Administrator IBM Cloud IAM platform access role for IBM Cloud Container Registry.
- Manager IBM Cloud IAM service access role for IBM Cloud Satellite.
- Viewer IBM Cloud IAM platform access role for the resource group that you plan to use with Satellite.
Create a subnet for your VPE gateway
Create the subnet in the VPC where you want to create a VPE gateway.
- Get your VPC ID.
  ibmcloud is vpcs
- Create a subnet. For more information and command options, see Working with subnets for VPC.
  ibmcloud is subnet-create NAME VPC ((--zone ZONE_NAME --ipv4-address-count ADDR_COUNT) | --ipv4-cidr-block CIDR_BLOCK)
  Example command to create a subnet in VPC r001-a1aa1a11-5eaf-4df4-9de8-ba49a46008bc:
  ibmcloud is subnet-create test-subnet r001-a1aa1a11-5eaf-4df4-9de8-ba49a46008bc --zone us-south-1 --ipv4-address-count 4
Create a VPE gateway
- List all VPE endpoints and make a note of the Satellite Link VPE endpoint.
  ibmcloud is endpoint-gateway-targets | grep satellite
  Example output
  CRN                           crn:v1:public:satellite-link:us-south:::endpoint:d-01-ws.private.us-south.link.satellite.cloud.ibm.com
  Parent                        us-south
  Name                          satellite_link-vpe
  Resource type                 provider_cloud_service
  Endpoint type                 cse
  Full qualified domain names   d-01-ws.private.us-south.link.satellite.cloud.ibm.com
  Service location              us-south
- Create a VPE Gateway for Satellite Link. Give your gateway a name, provide the VPC ID, and specify the Link VPE that you found in the previous step.
  ibmcloud is endpoint-gateway-create --name NAME --vpc-id VPC-ID --target crn:v1:bluemix:public:satellite-link:us-south:::endpoint:d-01-ws.private.us-south.link.satellite.cloud.ibm.com
  Example
  ibmcloud is endpoint-gateway-create --name test-vpe --vpc-id r001-a1aa1a11-5eaf-4df4-9de8-ba49a46008bc --target crn:v1:public:satellite-link:us-south:::endpoint:d-01-ws.private.us-south.link.satellite.cloud.ibm.com
  Example output
  ID                  r001-11aa111b-48e5-4676-a0df-4755de9577f6
  Name                test-vpe
  CRN                 crn:v1:bluemix:public:is:us-south:a/9f19417983334c98bfea53579abf81e9::endpoint-gateway:r001-11aa111b-48e5-4676-a0df-4755de9577f6
  Target              crn:v1:public:satellite-link:us-south:::endpoint:d-01-ws.private.us-south.link.satellite.cloud.ibm.com
  Target Type         provider_cloud_service
  VPC                 ID                                          Name
                      r001-a1aa1a11-5eaf-4df4-9de8-ba49a46008bc   my-vpc
  Private IPs         -
  Service Endpoints   d-01-ws.private.us-south.link.satellite.cloud.ibm.com
  Lifecycle State     pending
  Health State        ok
  Security groups     ID                                          Name
                      r006-7749cde3-02c5-457b-a085-a111f1fcb3b5   overarch-plated-earwig-culture-retake-linguini
  Created             2023-09-28T16:40:33-04:00
  Resource Group      ID                                 Name
                      6b5746f5bed01111a754ef34b9bf1111   Default
Create a DNS instance and a custom resolver
IBM DNS Services provides private DNS to Virtual Private Cloud (VPC) users. Private DNS zones are resolvable only on IBM Cloud, and only from explicitly permitted networks in an account.
To extend the DNS resolution to resolvers that reside on-premises, add a custom resolver in the VPC where the VPE gateway is created. Then, add a rule to forward the requests for the VPE gateway to IBM internal DNS addresses.
The default forwarding rule is automatically created to forward all DNS queries to DNS Services servers 161.26.0.7 and 161.26.0.8. You don't need to add any forwarding rule in this custom resolver.
- Create a DNS instance.
  ibmcloud dns instance-create NAME standard-dns
  Example
  ibmcloud dns instance-create test-dns standard-dns
  Example output
  Name                test-dns
  ID                  416ef1d0-fee1-4bec-bcf2-d8542192f96c
  Service Name        dns-svcs
  Service ID          b4ed8a30-936f-11e9-b289-1d079699cbe5
  Plan ID             2c8fa097-d7c2-4df2-b53e-2efb7874cdf7
  Resource Group ID   6b5746f5bed01111a754ef34b9bf1111
  Location            global
  State               active
- Create a custom DNS resolver.
  ibmcloud dns custom-resolver-create --name NAME --instance INSTANCE --location crn:v1:bluemix:public:is:us-south-1:a/9f19417983334c98bfea53579abf81e9::subnet:0717-331985b6-462c-4611-8d43-74e74c1aa69e --location crn:v1:bluemix:public:is:us-south-3:a/9f19417983334c98bfea53579abf81e9::subnet:0737-845992fa-694e-4ded-9106-abf320969fc5
  Example command
  ibmcloud dns custom-resolver-create --name test-resolver --instance test-dns --location crn:v1:bluemix:public:is:us-south-1:a/9f19417983334c98bfea53579abf81e9::subnet:0717-331985b6-462c-4611-8d43-74e74c1aa69e --location crn:v1:bluemix:public:is:us-south-3:a/9f19417983334c98bfea53579abf81e9::subnet:0737-845992fa-694e-4ded-9106-abf320969fc5
  Example output
  Creating Custom Resolver for service instance 'test-dns' ...
  OK
  ID            63c5668c-22f2-4399-afce-8d3b3923e8f6
  Name          test-resolver
  Description
  Enabled       false
  Health        CRITICAL
  Locations
                ID              eccfd292-b97c-4599-905c-055c75284e1f
                Subnet CRN      crn:v1:bluemix:public:is:us-south-1:a/9f19417983334c98bfea53579abf81e9::subnet:0717-331985b6-462c-4611-8d43-74e74c1aa69e
                Enabled         true
                Healthy         false
                DNS Server IP

                ID              0060d71c-4054-45dd-9780-8dca2a82b760
                Subnet CRN      crn:v1:bluemix:public:is:us-south-3:a/9f19417983334c98bfea53579abf81e9::subnet:0737-845992fa-694e-4ded-9106-abf320969fc5
                Enabled         true
                Healthy         false
                DNS Server IP
  Created On    2023-08-28T21:07:26.000Z
  Modified On   2023-08-28T21:07:26.000Z
Optional: Create a DNS forwarding rule
For on-premises DNS, add a DNS rule that forwards the VPE gateway name requests to the custom DNS resolver that you created in the previous step.
Example command.
ibmcloud dns custom-resolver-forwarding-rule-create RESOLVER_ID --type zone --match HOSTNAME --dns-svcs IPs [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]
Example rule that forwards the requests for d-01-ws.private.us-south.link.satellite.cloud.ibm.com to the IP address 10.240.1.6, which is the address of the custom resolver created in the previous step.
ibmcloud dns custom-resolver-forwarding-rule-create 63c5668c-22f2-4399-afce-8d3b3923e8f6 --type zone --match d-01-ws.private.us-south.link.satellite.cloud.ibm.com --dns-svcs 10.240.1.6
Test connectivity
You can test connectivity to the VPE gateway in one or more of the following ways.
- Running an nslookup command from the VPE gateway VPC should resolve to the internal IP address, for example 10.240.1.4.
  nslookup d-01-ws-vpe.private.us-south.link.satellite.cloud.ibm.com
- Running a curl command from the VPE gateway.
  curl d-01-ws-vpe.private.us-south.link.satellite.cloud.ibm.com
- Running nslookup from the on-prem VPC should also resolve to the internal IP address, for example 10.240.1.4.
  nslookup d-01-ws-vpe.private.us-south.link.satellite.cloud.ibm.com
- Running a curl command from your on-prem VPC should succeed.
  curl d-01-ws-vpe.private.us-south.link.satellite.cloud.ibm.com
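The nslookup checks above can be scripted so that a result that is not an internal address fails loudly. This is an added example, not part of the IBM documentation: the function names and sample outputs are constructed, and it assumes Linux-style nslookup output and that "internal" means RFC 1918 address space.

```shell
#!/bin/sh
# Added example, not IBM's code: verify that nslookup answers for the VPE
# gateway name are internal. Assumption: "internal" means RFC 1918 space.

# is_rfc1918 IP: succeed only for a valid IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  if [ $# -ne 4 ]; then return 1; fi
  for octet in "$@"; do
    if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then return 1; fi
  done
  if [ "$1" -eq 10 ]; then return 0; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
  return 1
}

# answer_addrs: print the answer addresses from Linux-style nslookup output on
# stdin; the resolver's own "Address:" header line (before "Name:") is skipped.
answer_addrs() {
  awk '/^Name:/ { seen = 1; next } seen && /^Address:/ { print $2 }'
}

# check_vpe_resolution: stdin is nslookup output. Returns 0 if every answer is
# internal, 1 if any answer is not, 2 if there is no answer.
check_vpe_resolution() {
  addrs=$(answer_addrs)
  if [ -z "$addrs" ]; then echo "no answer"; return 2; fi
  bad=0
  for ip in $addrs; do
    if is_rfc1918 "$ip"; then echo "internal: $ip"; else echo "NOT internal: $ip"; bad=1; fi
  done
  return "$bad"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OK='Server:  10.240.1.6
Address: 10.240.1.6#53

Name:    d-01-ws-vpe.private.us-south.link.satellite.cloud.ibm.com
Address: 10.240.1.4'
SAMPLE_BAD='Server:  192.0.2.53
Address: 192.0.2.53#53

Name:    d-01-ws-vpe.private.us-south.link.satellite.cloud.ibm.com
Address: 203.0.113.10'
# Live use: nslookup HOSTNAME | check_vpe_resolution
printf '%s\n' "$SAMPLE_OK" | check_vpe_resolution
```

Run it once from the VPE gateway VPC and once from on-premises, matching the two nslookup checks in the list. If your VPC subnets use a range outside RFC 1918, adjust is_rfc1918 accordingly.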
Set up Satellite Connector
Now you are ready to set up Satellite Connector and a Connector Agent.
When setting up your Connector Agent, use your VPE Gateway address, for example d-01-ws-vpe.private.us-south.link.satellite.cloud.ibm.com, as the SATELLITE_CONNECTOR_DIRECT_LINK_INGRESS parameter.
For more information, see the following links: