IBM Cloud Docs
Bring Your Own IP Address

Bring Your Own IP Address

This tutorial describes the use of Classic Infrastructure. Most workloads can be implemented using IBM Cloud® Virtual Private Cloud resources. Use IBM Cloud VPC to create your own private cloud-like computing environment on shared public cloud infrastructure. A VPC gives an enterprise the ability to define and control a virtual network that is logically isolated from all other public cloud tenants, creating a private, secure place on the public cloud. Specifically, you can bring your own subnet IP address range to IBM Cloud VPC.

This tutorial may incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.

This tutorial presents a brief overview of BYOIP implementation patterns that can be used with IBM Cloud and a decision tree for identifying the appropriate pattern when realizing the secure enclosure as described in the Isolate workloads with a secure private network tutorial. Setup may require additional input from your onsite network team, IBM Cloud technical support or IBM Services.

Bring Your own IP (BYOIP) is a frequent requirement where its desired to connect existing client networks to infrastructure provisioned on the IBM Cloud. The intent is typically to minimize change to the clients network routing configuration and operations with the adoption of a single IP address space based on the clients existing IP addressing scheme.

Objectives

  • Understand BYOIP implementation patterns.
  • Select implementation pattern for IBM Cloud.

IBM Cloud IP addressing

The IBM Cloud utilizes a number of private address ranges, most specifically 10.0.0.0/8, and in some cases these ranges may conflict with existing client networks. Where address conflicts exist, there are a number of patterns that support BYOIP to allow interoperability with the IBM Cloud network.

  • Network Address Translation
  • GRE (Generic Routing Encapsulation) tunneling
  • GRE tunneling with IP alias
  • Virtual Overlay Network

The choice of pattern is determined by the applications intended to be hosted on the IBM Cloud. There are two key aspects, application sensitivity to the pattern implementation and the extent of overlap of address ranges between the client network and IBM Cloud. Additional considerations will also apply if there is an intent to use a dedicated private network connection to IBM Cloud. The documentation for IBM Cloud® Direct Link is recommended reading for all users considering BYOIP. For IBM Cloud® Direct Link users, the associated guidance should be followed in deference to the information presented here.

Implementation patterns overview

  1. NAT: NAT address translation at the on-premises client router. Perform on-premises NAT to translate the client addressing scheme to the IP addresses assigned by IBM Cloud to provisioned IaaS services.

  2. GRE Tunneling: The addressing scheme is unified by routing IP traffic over a GRE tunnel between IBM Cloud and the on-premises network, typically via VPN. This is the scenario illustrated in the VPN into a secure private network tutorial.

    There are two sub-patterns depending on the potential for address space overlap.

    • No Address Overlapping: When there’s no address overlap of address ranges and risk of conflict between the networks.
    • Partial Address Overlapping: When the client and IBM Cloud IP address spaces use the same address range and there is potential for overlap and conflict. In this case client subnet addresses are chosen which don’t overlap in IBM Cloud private network.

  3. GRE Tunneling + IP alias: The addressing scheme is unified by routing IP traffic over a GRE tunnel between the on-premises network and alias IP addresses assigned to servers on the IBM Cloud. This is a special case of the scenario illustrated in the VPN into a secure private network tutorial. An additional interface and IP alias for a compatible IP subnet is created on the virtual and bare-metal servers provisioned on the IBM Cloud, supported by appropriate routing configuration on the VRA.

  4. Virtual Overlay Network: IBM Cloud Virtual Private Cloud (VPC) supports BYOIP for fully virtual environments on the IBM Cloud. It could be considered as an alternative to the secure private network enclosure described in the Isolating workloads with a secure private network tutorial.

Alternatively consider a solution such as VMware NSX that implements a virtual overlay network in a layer over the IBM Cloud network. All BYOIP addresses in the virtual overlay are independent of IBM Cloud network address ranges. See Getting started with VMware and IBM Cloud.

Pattern decision tree

The decision tree here can be used to determine the appropriate implement pattern.

Pattern decision tree
Pattern decision tree

The following notes provide further guidance:

Is NAT problematic for your applications?

There are following two distinctive cases where NAT could be problematic. In these cases, NAT should not be used.

  • Some applications such as Microsoft AD domain communication, and P2P applications could have technical problems with NAT.
  • Where unknown servers need to communicate with the IBM Cloud or hundreds of bidirectional connections between IBM Cloud and on-premises servers are required. In this case all the mapping cannot be configured on the client router/NAT table because of an inability to identify the mapping beforehand.

No address overlapping

Is 10.0.0.0/8 used in the on-premises network? When no address overlaps exist between the on-premises and the IBM Cloud private network, GRE tunneling as described in this tutorial can be used between on-premises and IBM Cloud to avoid the need for NAT translation. This requires a review of network address usage with onsite network team.

Partial address overlapping

If any of the 10.0.0.0/8 range is in use on the on-premises network, are there non-overlapping subnets available on the IBM Cloud network? Review existing network address usage with on-site network team and contact IBM Cloud technical sales to identify available non-overlapping networks.

Is IP aliasing problematic?

If no overlap-safe addresses exist, IP aliasing can be implemented on virtual and bare-metal servers deployed in the secure private network enclosure. IP aliasing assigns multiple subnet addresses on one or more network interfaces on each server.

IP aliasing is a commonly used technique, though it is recommended to review server and application configurations to determine if they work well under multi-home and IP alias configurations.

Additional routing configuration on the VRA will be required to create dynamic routes (for example BGP) or static routes for the BYOIP subnets.