Using private endpoints

Create and manage IBM Cloud Schematics workspaces on the private network by targeting the Schematics private service endpoint.

To get started, enable virtual routing and forwarding (VRF) and service endpoints for your IBM Cloud® account. After both are enabled, you can reach IBM Cloud Schematics through a private IP address that is routable only on the IBM Cloud private network, so requests never cross the public internet. To learn more about private connections on IBM Cloud, see Service endpoints for private connections.

To connect to IBM Cloud Schematics over the private network, use the Schematics API or the IBM Cloud CLI plug-in. The IBM Cloud console does not support private endpoints.

Private service endpoints in Schematics

Private service endpoints are available for Schematics. To use one from the IBM Cloud Schematics CLI, specify private-us-south.schematics.cloud.ibm.com as the Schematics API endpoint. For more information, see Using private Schematics endpoints.

To reach the private endpoint, first log in to IBM Cloud through its private API endpoint with ibmcloud login -a private.cloud.ibm.com. Schematics CLI commands that you run in that session then use the private Schematics endpoint automatically.

Enable VRF and service endpoints for your account

Enable your IBM Cloud account to work with private service endpoints.

  1. Enable your IBM Cloud account for virtual routing and forwarding (VRF).

    When you enable VRF, a separate routing table is created for your account, and connections to and from your account's resources are routed separately on the IBM Cloud network. To learn more about VRF technology, see Virtual routing and forwarding on IBM Cloud.

    Enabling VRF permanently alters networking for your account. Be sure that you understand the impact to your account and resources. After you enable VRF, you cannot disable VRF again.

  2. Enable your IBM Cloud account for service endpoints.

    After you enable VRF and service endpoints for your account, all existing and future Schematics workspaces become available from both the public and private service endpoints.

  3. Verify that your account is enabled for VRF and service endpoints.

    1. Log in to IBM Cloud.

      ibmcloud login
      

      If the login fails, run the ibmcloud login --sso command to try again. The --sso parameter is required when you log in with a federated ID. If this option is used, go to the link listed in the command-line output to generate a one-time passcode.

    2. Show the details of your account.

      ibmcloud account show
      

      Example output:

      Retrieving account User's Account of user@email.com...
      OK
      
      Account ID:                   a111aaaa1aa1aaaaaaaaaaaa1a1aa111   
      Currently Targeted Account:   true   
      Linked Softlayer Account:     000000
      VRF Enabled:                  true  
      Service Endpoint Enabled:     true
      
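
The following script, added here as an example and not part of the IBM documentation, turns step 3 into a scripted preflight gate: it parses the output of ibmcloud account show and fails, naming the missing prerequisite, unless both VRF Enabled and Service Endpoint Enabled are true. The sample output embedded in the script is constructed to match the format shown above, and the --live flag is a convention of this script only.

```shell
#!/usr/bin/env bash
# Preflight gate for Schematics private endpoints: parse the output of
# `ibmcloud account show` and fail unless both VRF and service endpoints are
# enabled. Example code added to this page; not IBM's own tooling.
set -eu

# Print the trimmed value of one "Key:   value" line from `ibmcloud account show`
# output, or an empty string if the key is absent.
account_field() {
  local output=$1 key=$2
  printf '%s\n' "$output" | awk -F: -v k="$key" '
    $1 == k { sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Return 0 when the account is ready for private endpoints; otherwise report
# each missing prerequisite on stderr and return 1.
account_private_ready() {
  local output=$1 ok=0 vrf sep
  vrf=$(account_field "$output" "VRF Enabled")
  sep=$(account_field "$output" "Service Endpoint Enabled")
  if [ "$vrf" != "true" ]; then
    echo "VRF is not enabled (VRF Enabled: ${vrf:-missing})" >&2
    ok=1
  fi
  if [ "$sep" != "true" ]; then
    echo "service endpoints are not enabled (Service Endpoint Enabled: ${sep:-missing})" >&2
    ok=1
  fi
  return "$ok"
}

# Constructed sample in the format that `ibmcloud account show` prints
# (not real account data).
SAMPLE_READY='Retrieving account Example Account of user@example.com...
OK

Account ID:                   a111aaaa1aa1aaaaaaaaaaaa1a1aa111
Currently Targeted Account:   true
Linked Softlayer Account:     000000
VRF Enabled:                  true
Service Endpoint Enabled:     true'

# Same sample with VRF switched off, to show the failure path.
SAMPLE_NOT_READY=$(printf '%s\n' "$SAMPLE_READY" \
  | sed 's/^VRF Enabled: *true/VRF Enabled:                  false/')

# Usage: ./check-account.sh --live   (queries the real CLI; needs a logged-in session)
if [ "${1:-}" = "--live" ]; then
  account_private_ready "$(ibmcloud account show)"
fi
```

Run it with --live from a CI job before any Schematics step that depends on the private endpoint; a non-zero exit stops the pipeline with the missing flag named on stderr.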

Connect to the Schematics private service endpoint

Prepare the virtual server instance (VSI) or test machine that you connect from so that its routing table sends traffic over the IBM Cloud private network.

  1. To connect to the private service endpoint, first create a virtual server instance (VSI) that is attached to the IBM Cloud private network. Either a classic VSI or a VPC VSI works.

  2. After you are connected to the VSI, target the private service endpoint in your requests to the Schematics API server. The following request returns the Terraform and Helm versions that the Schematics engine supports.

    curl -X GET https://private-us-south.schematics.cloud.ibm.com/v1/version
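
The following script, added here as an example and not IBM's own tooling, adds the check a practitioner wants before trusting the private endpoint: it resolves private-us-south.schematics.cloud.ibm.com from the VSI and refuses to send the request above unless every address it resolves to is on the IBM Cloud private network. The ranges 10.0.0.0/8 (classic private network) and 166.8.0.0/14 (IBM Cloud service endpoints), and the IAM_TOKEN variable, are assumptions of this script; confirm the ranges against the IBM Cloud service endpoint documentation.

```shell
#!/usr/bin/env bash
# Verify that the Schematics private endpoint resolves to the IBM Cloud private
# network before sending a request to it. Example code added to this page; not
# IBM's own tooling. The address ranges are assumptions: 10.0.0.0/8 for the
# classic private network and 166.8.0.0/14 for IBM Cloud service endpoints.
set -eu

PRIVATE_RANGES="10.0.0.0/8 166.8.0.0/14"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IPv4 address $1 lies inside CIDR block $2, else 1.
in_cidr() {
  local ip=$1 cidr=$2
  local net=${cidr%/*} bits=${cidr#*/}
  local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Return 0 if the address falls in one of the expected private ranges.
is_ibm_private_ip() {
  local ip=$1 range
  for range in $PRIVATE_RANGES; do
    in_cidr "$ip" "$range" && return 0
  done
  return 1
}

# Resolve a hostname to its IPv4 addresses, one per line (glibc getent).
resolve_ipv4() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Refuse to proceed unless every address the endpoint resolves to is private.
# A public address here means VRF/service endpoints or the VSI routing table
# are not set up and the request would leave the private network.
check_private_endpoint() {
  local host=$1 ip found=0
  for ip in $(resolve_ipv4 "$host"); do
    found=1
    if is_ibm_private_ip "$ip"; then
      echo "$host -> $ip (private)"
    else
      echo "$host -> $ip is NOT on the private network; check VRF, service endpoints and routing" >&2
      return 1
    fi
  done
  [ "$found" -eq 1 ] || { echo "could not resolve $host" >&2; return 1; }
}

# Send the version request shown above, only after the resolution check passes.
# IAM_TOKEN (assumed name) can hold a token from `ibmcloud iam oauth-tokens`.
schematics_version() {
  local host=${1:-private-us-south.schematics.cloud.ibm.com}
  check_private_endpoint "$host"
  if [ -n "${IAM_TOKEN:-}" ]; then
    curl -sS -X GET "https://$host/v1/version" -H "Authorization: Bearer $IAM_TOKEN"
  else
    curl -sS -X GET "https://$host/v1/version"
  fi
}

# Usage: ./private-check.sh --live [HOST]   (run on the VSI)
if [ "${1:-}" = "--live" ]; then
  schematics_version "${2:-private-us-south.schematics.cloud.ibm.com}"
fi
```

The resolution check is the part worth keeping in automation: a private-looking hostname that resolves to a public address is the usual symptom of a VSI whose routing was never pointed at the private network.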
    

Virtual Private Endpoints Gateways for Schematics

A service instance can have a private network endpoint, a public network endpoint, or both. After your account is enabled for VPC, you can connect to the Schematics service on the private network through a Virtual Private Endpoint Gateway.

- **Public:** A service endpoint on the IBM Cloud public network.
- **Private:** A service endpoint that is accessible only on the IBM Cloud private network with no access from the public internet.
- **Both public and private:** Service endpoints that allow access over both networks.

Virtual Private Endpoint Gateways are supported only for VPC Generation 2.

Before you begin

To access the Schematics service through Virtual Private Endpoint Gateways, ensure that you meet the following criteria:

Adding Virtual Private Endpoint Gateways for Schematics

You can now connect securely through a Virtual Private Endpoint Gateway to Schematics functions such as workspace, action, job, plan, apply, and destroy for a new instance. For more information, see Overview of private service endpoints in Schematics.

You cannot create multiple Virtual Private Endpoint Gateways for the same Schematics instance.

To add a private network endpoint for Schematics:

  1. Create a Schematics workspace. For more information, see creating a workspace.
  2. Optionally, deploy resources from the Schematics workspace. For more information, see deploying your resource.
  3. Create a Virtual Private Endpoint Gateway and assign the listed Schematics service endpoint to it. For more information, see creating an endpoint gateway.
  4. View the Virtual Private Endpoint Gateway that is now associated with the Schematics service. For more information, see Viewing details of an endpoint gateway.
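
The following script, added here as an example and not IBM's own tooling, performs steps 3 and 4 from the CLI: it creates the endpoint gateway with ibmcloud is endpoint-gateway-create, targets the Schematics private endpoint, and polls ibmcloud is endpoint-gateway until lifecycle_state is stable before showing the gateway. The Schematics target CRN format, the reserved-IP JSON shape, and the flag names are assumptions to verify against ibmcloud is endpoint-gateway-create --help and the VPE endpoint list; the JSON sample in the script is constructed.

```shell
#!/usr/bin/env bash
# Create a Virtual Private Endpoint Gateway for Schematics and wait until it is
# stable. Example code added to this page; not IBM's own tooling.
# Assumptions (verify before use): the target CRN format below, the
# --new-reserved-ip JSON shape, and the flag names of
# `ibmcloud is endpoint-gateway-create` and `ibmcloud is endpoint-gateway`.
set -eu

# Service-endpoint CRN that the gateway targets for one region (assumed format).
schematics_vpe_target() {
  local region=$1
  printf 'crn:v1:bluemix:public:schematics:%s:::endpoint:private-%s.schematics.cloud.ibm.com\n' \
    "$region" "$region"
}

# Pull lifecycle_state out of the JSON printed by
# `ibmcloud is endpoint-gateway NAME --output json`, without depending on jq.
vpe_lifecycle_state() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"lifecycle_state"[[:space:]]*:[[:space:]]*"\([a-z_]*\)".*/\1/p' \
    | head -n 1
}

# Create the gateway in VPC $1 with a new reserved IP on subnet $2, targeting
# the Schematics endpoint for region $3, then poll until it is stable
# (at most ~5 minutes). Step 4 is the final `ibmcloud is endpoint-gateway` call.
create_schematics_vpe() {
  local vpc=$1 subnet=$2 region=$3 name=${4:-schematics-vpe}
  local state="" tries=0
  ibmcloud is endpoint-gateway-create \
    --vpc "$vpc" \
    --name "$name" \
    --target "$(schematics_vpe_target "$region")" \
    --target-resource-type provider_cloud_service \
    --new-reserved-ip "{\"subnet\":{\"id\":\"$subnet\"}}" \
    --output json >/dev/null
  while [ "$state" != "stable" ] && [ "$tries" -lt 30 ]; do
    sleep 10
    state=$(vpe_lifecycle_state "$(ibmcloud is endpoint-gateway "$name" --output json)")
    tries=$((tries + 1))
  done
  if [ "$state" != "stable" ]; then
    echo "endpoint gateway $name is in state '${state:-unknown}' after $tries checks" >&2
    return 1
  fi
  ibmcloud is endpoint-gateway "$name"
}

# Constructed sample of the JSON shape the polling loop inspects (not real output).
SAMPLE_VPE_JSON='{
  "id": "r006-example",
  "name": "schematics-vpe",
  "lifecycle_state": "stable",
  "target": { "resource_type": "provider_cloud_service" }
}'

# Usage: ./vpe.sh --live VPC_ID SUBNET_ID REGION [NAME]
if [ "${1:-}" = "--live" ]; then
  shift
  create_schematics_vpe "$@"
fi
```

Because only one gateway per Schematics instance is allowed, run the creation once per VPC and keep the gateway name fixed so that reruns fail loudly instead of trying to create a duplicate.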