Setting up Satellite as a Secure Gateway for on-prem solutions
Deploy IBM Cloud Satellite as a secure solution for connecting resources in a protected on-premises environment to cloud resources.
You can also use Satellite Connector as a lightweight alternative to the solution discussed here. For more information, see Satellite Connector overview.
Satellite as a Layer 4 connection solution
While you can set up many possible solutions to enable secure connections between your on-premises network and IBM Cloud, you can use Satellite to control client communications among your hybrid cloud deployments.
For example, you might use a minimal Satellite location deployment as an alternative to the Secure Gateway solution. Satellite provides the same application-level transport through common ports as Secure Gateway, with greater client visibility and audit control. The Satellite Link functionality improves upon the Secure Gateway client experience with a highly available and secure-by-default communication between the cloud and on-premises networks, third-party clouds, or network edge.
- On-premises setup with a Satellite location
- A minimal Satellite deployment uses three RHEL 8 hosts to run the Satellite location control plane. These hosts can be in your on-premises network or in other clouds. You can then attach more hosts to the location and deploy IBM Cloud managed services on them. For example, you can deploy a Red Hat OpenShift cluster to on-premises hosts that are attached to your Satellite location, and then deploy to that cluster any apps that need secure access to IBM Cloud.
- Secure transport to IBM Cloud
- Next, your on-premises client that runs on the location hosts can use Satellite Link as a Layer 4 transport between the location and services that run in IBM Cloud, or your own applications that run in IBM Cloud. With Satellite Link you create location endpoints, which allow resources in IBM Cloud to securely access a resource in your on-premises Satellite location, and cloud endpoints, which allow resources in your on-premises Satellite location to access a resource that runs anywhere outside the location. Access to a resource through an endpoint must be granted explicitly in the Link endpoint's access control list; nothing is reachable through an endpoint by default.
When you evaluate whether the minimal Satellite location deployment is the best solution for your environment, keep the following considerations in mind.
- Location endpoints, or endpoints that expose resources that run in your Satellite location, are accessible only from within the IBM Cloud private network or from resources that are connected to the IBM Cloud private network.
- Although you can create endpoints for publicly accessible resources, the endpoints that are created are not publicly accessible, and can only be resolved by the Satellite Link components in IBM Cloud (the Link tunnel server) or in your location (the Link tunnel client).
- For more information about Satellite Link, including an architectural overview and FAQs, review Understanding Link endpoints and Satellite.
Setting up a secure connection to IBM Cloud with Satellite
The following example setup walks you through creating a minimal Satellite location setup with on-premises hosts, and securely connecting resources that you deploy in this Satellite location to IBM Cloud.
Step 1: Deploy Satellite to your on-premises environment
As the system administrator, you set up a Satellite location in your on-premises environment to run any applications that require access to IBM Cloud.
- Create a Satellite location in your on-premises infrastructure.
- Create a managed Red Hat OpenShift on IBM Cloud cluster in the Satellite location.
- Access the Red Hat OpenShift web console.
- Deploy the apps that require communication to apps, servers, or services that run outside of the Satellite location, such as in IBM Cloud.
Step 2: Set up secure communication channels by using Satellite Link
Next, you create Satellite Link endpoints to allow apps that run in your Satellite location to access resources in IBM Cloud, or vice versa.
- Create a cloud endpoint to connect your Satellite location client app to a resource that runs in IBM Cloud, or a location endpoint to connect a resource that runs in IBM Cloud to your Satellite location app.
- For a location endpoint, set up a source list to limit and control access from IBM Cloud to the app in your Satellite location.
- Audit events for endpoint actions.
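The endpoint and source-list workflow described for Satellite Link above and in Step 2, as an added shell example that is not part of the IBM documentation or the Satellite product code. It wraps the `ibmcloud sat endpoint` commands, validates ports and CIDRs before anything is sent to the CLI, and fails closed on a malformed source list. The location name, hostnames, ports, CIDRs and the `ENDPOINT_ID`/`SOURCE_ID` placeholders are assumptions; the flag names are those of `ibmcloud sat endpoint create`, `ibmcloud sat endpoint source create` and `ibmcloud sat endpoint source enable` as documented at the time of writing, so confirm them with `--help` in your CLI version. With `DRY_RUN=1` (the default) the script prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not IBM's own code): drive the Satellite Link endpoint and
# source-list setup from Step 2 through the ibmcloud CLI.
# Assumptions: ibmcloud CLI with the Satellite plugin, already logged in and
# targeted; flag names as documented for `ibmcloud sat endpoint ...` at time of
# writing (verify with --help); all names, hosts, ports and CIDRs are placeholders.
# DRY_RUN=1 (default) prints each command instead of executing it.

LOCATION="${LOCATION:-my-onprem-location}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# TCP port: digits only, 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# IPv4 CIDR a.b.c.d/n: four octets 0..255, prefix length 0..32
valid_cidr() {
  ip=${1%/*}; bits=${1#*/}
  [ "$ip" != "$1" ] || return 1                 # no "/" present
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs  # split octets (local to this function)
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Location endpoint: exposes an app running inside the location to clients on
# the IBM Cloud private network (reachable only there, never publicly).
create_location_endpoint() {
  name=$1; dest_host=$2; dest_port=$3; proto=${4:-TCP}
  valid_port "$dest_port" || { echo "invalid port: $dest_port" >&2; return 1; }
  run ibmcloud sat endpoint create --location "$LOCATION" --name "$name" \
    --dest-type location --dest-hostname "$dest_host" --dest-port "$dest_port" \
    --source-protocol "$proto"
}

# Cloud endpoint: lets apps inside the location reach a service outside it.
create_cloud_endpoint() {
  name=$1; dest_host=$2; dest_port=$3; proto=${4:-TLS}
  valid_port "$dest_port" || { echo "invalid port: $dest_port" >&2; return 1; }
  run ibmcloud sat endpoint create --location "$LOCATION" --name "$name" \
    --dest-type cloud --dest-hostname "$dest_host" --dest-port "$dest_port" \
    --source-protocol "$proto"
}

# Source list (type "user" = CIDRs of your own IBM Cloud resources): once
# enabled on a location endpoint, only these addresses may connect to it.
# Reject the whole list if any CIDR is malformed rather than create a partial ACL.
create_source() {
  name=$1; shift
  [ $# -ge 1 ] || { echo "no addresses given" >&2; return 1; }
  for c in "$@"; do
    valid_cidr "$c" || { echo "invalid CIDR: $c" >&2; return 1; }
  done
  addrs=$(printf '%s,' "$@"); addrs=${addrs%,}
  run ibmcloud sat endpoint source create --location "$LOCATION" --name "$name" \
    --type user --addresses "$addrs"
}

# Attach a source list to an endpoint; IDs come from
# `ibmcloud sat endpoint ls` and `ibmcloud sat endpoint source ls`.
enable_source() {
  endpoint_id=$1; source_id=$2
  run ibmcloud sat endpoint source enable --location "$LOCATION" \
    --endpoint "$endpoint_id" --source "$source_id"
}

# Walkthrough (placeholders): an on-prem inventory API exposed to the cloud,
# a cloud endpoint for a database in IBM Cloud, and a source list for one subnet.
if [ "${1:-}" = "demo" ]; then
  create_location_endpoint inventory-api inventory.internal.example 8443 TLS
  create_cloud_endpoint cloud-db db.private.example 5432 TCP
  create_source cloud-vpc-subnet 10.240.0.0/24 10.240.1.0/24
  enable_source ENDPOINT_ID SOURCE_ID
fi
```

Run it as `sh link-setup.sh demo` to review the generated commands, then rerun with `DRY_RUN=0` to execute them. Create the source list before exposing anything sensitive through a location endpoint, and verify the result with `ibmcloud sat endpoint ls --location "$LOCATION"` and the endpoint audit events.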
Now, you have a managed Satellite location that runs in your on-premises environment and a secure communication channel to resources in IBM Cloud.