Setting up Satellite as a Secure Gateway for on-prem solutions

Satellite as a Layer 4 connection solution

While you can set up many possible solutions to enable secure connections between your on-premises network and IBM Cloud, you can use Satellite to control client communications among your hybrid cloud deployments.

For example, you might use a minimal Satellite location deployment as an alternative to the Secure Gateway solution. Satellite provides the same application-level transport through common ports as Secure Gateway, with greater client visibility and audit control. The Satellite Link functionality improves upon the Secure Gateway client experience with a highly available and secure-by-default communication between the cloud and on-premises networks, third-party clouds, or network edge.

On-premises setup with a Satellite location

A minimum deployment of Satellite includes using three RHEL 8 hosts to set up a Satellite location control plane. These hosts might be in your on-premises network or in other clouds. Then, you can attach more hosts to your location and deploy IBM Cloud managed services to run on these hosts. For example, you can deploy a Red Hat OpenShift cluster to your on-premises hosts that are attached to your Satellite location. Then, you can deploy any apps that need secure access to IBM Cloud to your Red Hat OpenShift cluster.

Secure transport to IBM Cloud

Next, your on-premises client that runs on the location hosts can use Satellite Link as Layer 4 application transport between the location and other services that run in IBM Cloud or your own applications that run within IBM Cloud. You can use Satellite Link to create location endpoints, which allow resources in IBM Cloud to securely access a resource in your on-premises Satellite location, and cloud endpoints, which allow resources in your on-premises Satellite location to access a resource that runs anywhere outside of the Satellite location. To allow access to a resource, authorization must granted in the Link endpoint's access control list.

When you evaluate whether the minimal Satellite location deployment is the best solution for your environment, keep the following considerations in mind.

• Location endpoints, or endpoints that expose resources that run in your Satellite location, are accessible only from within the IBM Cloud private network or from resources that are connected to the IBM Cloud private network.
• Although you can create endpoints for publicly accessible resources, the endpoints that are created are not publicly accessible, and can only be resolved by the Satellite Link components in IBM Cloud (the Link tunnel server) or in your location (the Link tunnel client).
• For more information about Satellite Link, including an architectural overview and FAQs, review Understanding Link endpoints and Satellite.

Setting up a secure connection to IBM Cloud with Satellite

The following example setup walks you through creating a minimal Satellite location setup with on-premises hosts, and securely connecting resources that you deploy in this Satellite location to IBM Cloud.