Satellite Connector end-to-end example
After the tunnel has been established, you can run an application container on your machine and access its endpoints from IBM Cloud.
To configure Satellite Connectors, you must have Administrator access to the Satellite service in IAM access policies.
In this example, use a simple Nginx container.
Creating a Docker container
- Create the following directories.
~/agent/nginx/etc/nginx ~/agent/nginx/www/data
- Create a file called
index.html
in~/agent/nginx/www/data
with the following value.Hello from ngnix running at my location.
- Create a file called
nginx.conf
in~/agent/nginx/etc/nginx
with the following value.events { worker_connections 1024; } http { server { listen 80; root /www/data; location / { } } }
- Run the Nginx container.
You now have a running Nginx container.docker run -d -p 80:80 -v ~/agent/nginx/etc/nginx:/etc/nginx:ro -v ~/agent/nginx/www/data:/www/data:ro nginx
Creating your Link endpoint
-
Create a Location link endpoint in your Satellite Connector on IBM Cloud.
- From the Satellite console, select your connector.
- From the User Endpoints tab, click Create endpoint.
- In the Endpoint name field, enter
MyNginx
. - In the Destination FQDN or IP field, enter the IP address of the Nginx container, for example,
172.17.0.3
. To find the Nginx IP address, rundocker inspect <nginx container id> | grep IPAddress
. - In the Destination port field, enter
80
. - Click Next.
- In the Source protocol field, select
TCP
. - Leave the rest of fields blank.
- Click Next.
- Optionally, select an ACL rule or create a new ACL rule to control which clients can access location endpoint resources. If no ACL rule is selected, any client that is connected to the IBM Cloud private network can use the endpoint to connect to the destination resource that runs in your location.
- Click Next.
- Leave the connection settings at their default values.
- Click Create endpoint.
-
In the Endpoint details, you can see an Endpoint Address that refers to a CSE endpoint that is accessible from within the IBM Cloud network. If you run a VSI instance or use the VPC VPN, you can curl your Nginx endpoint. For example:
curl http://c-02.private.us-east.link.satellite.cloud.ibm.com:<port> Hello from ngnix running at my location.
Adding TLS support
This section modifies the previous example to add support for TLS to Nginx.
-
Create the following directories.
~/agent/nginx/etc/nginx/ssl/certs ~/agent/nginx/etc/nginx/ssl/private
-
Create a self-signed certificate. When you are prompted for your DN, enter a value for the first field and leave the rest at the default values.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ~/agent/nginx/etc/nginx/ssl/private/nginx-selfsigned.key -out ~/agent/nginx/etc/nginx/ssl/certs/nginx-selfsigned.crt
-
Edit the
nginx.conf
file at~/agent/nginx/etc/nginx
to add the SSL settings. The file looks similar to the following example.events { worker_connections 1024; } http { server { listen 80; listen 443 ssl; ssl_certificate /etc/nginx/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/nginx/ssl/private/nginx-selfsigned.key; root /www/data; location / { } } }
-
Restart the Nginx container and include the
expose
option. If there is an instance currently running, stop it first and then restart.docker stop <nginx container id> docker run -d --expose=443 -v ~/agent/nginx/etc/nginx:/etc/nginx:ro -v ~/agent/nginx/www/data:/www/data:ro nginx
-
Create another Location type link endpoint as you did in the previous section that uses the following settings.
- Use a different name such as
MyNginx-ssl
. - For destination port specify
443
. - Keep the Source protocol as
TCP
as SSL termination is done at the nginx server.
- Use a different name such as
-
Now if you select this endpoint, you see an Endpoint Address that refers to a CSE endpoint that is accessible from within the IBM Cloud network. So if you run a VSI instance or use the VPC VPN, you can curl your Nginx endpoint. As the target endpoint is using SSL, make sure to specify
https
in the curl command. Also, because a self-signed certificate is used, specify the-k
option. For example:curl -k https://c-02.private.us-east.link.satellite.cloud.ibm.com:<port> Hello from ngnix running at my location.
The Nginx container IP address might change when the Nginx container is restarted. If that happens, you must update the Link endpoint destination address.