IBM Cloud Docs
Use a VPC/VPN gateway for secure and private on-premises access to cloud resources

Use a VPC/VPN gateway for secure and private on-premises access to cloud resources

This tutorial will incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.

IBM offers a number of ways to securely extend an on-premises computer network with resources in the IBM Cloud. This allows you to benefit from the elasticity of provisioning cloud resources when you need them and removing them when no longer required. Moreover, you can easily and securely connect your on-premises capabilities to the IBM Cloud services.

This tutorial provides the automation to create resources that demonstrate Virtual Private Network (VPN) connectivity between on-premises servers and cloud resources like IBM Cloud® Virtual Private Cloud Virtual Service Instances (VSIs) and IBM Cloud data services. DNS resolution to cloud resources is also configured. The popular strongSwan VPN Gateway is used to represent the on-premises VPN gateway.

Objectives

  • Access a virtual private cloud (VPC) environment from an on-premises data center
  • Securely reach cloud services using private endpoint gateways
  • Use DNS on-premises to access cloud resources over VPN

The following diagram shows the resources created by this tutorial

Architecture
Figure 1. Architecture diagram of the tutorial

A terraform configuration will create the following resources:

  1. The infrastructure (VPC, Subnets, Security Groups with rules, Network ACL and VSIs).
  2. The Object Storage and Databases for PostgreSQL private endpoint gateways to data services.
  3. The strongSwan open source IPsec gateway software is used on-premises to establish the VPN connection with the cloud environment.
  4. A VPC/VPN Gateway is provisioned to allow private connectivity between on-premises resources and cloud resources.
  5. The on-premises DNS resolver is connected to the cloud DNS Resolver Location to allow TLS access to cloud resources including access to virtual private endpoint gateways through a VPN.

Before you begin

This tutorial requires:

  • IBM Cloud CLI,
    • IBM Cloud Schematics plugin (schematics),
  • jq to query JSON files,
  • git to optionally clone source code repository,
  • Terraform CLI to optionally run Terraform on your desktop instead of the Schematics service.

You will find instructions to download and install these tools for your operating environment in the Getting started with tutorials guide.

The on-premises data center in this tutorial will be simulated using a VSI within a VPC.

The preferred mechanism to connect VPCs is Transit Gateway. Simulation of an on-premises environment with VPC, VSI and VPN is used only for illustration.

In addition:

Use Schematics to create the resources

  1. Log in to IBM Cloud.
  2. Navigate to Create Schematics Workspaces Under the Specify Template section, verify:
    1. Repository URL is https://github.com/IBM-Cloud/vpc-tutorials/tree/master/vpc-site2site-vpn
    2. Terraform version is terraform_v1.2
  3. Under Workspace details,
    1. Provide a workspace name : vpnsts.
    2. Choose a Resource Group and a Location.
    3. Click on Next.
  4. Verify the details and then click on Create.
  5. Under the Variables section, provide the required values (resource_group_name, ssh_key_name) by clicking the overflow menu and selecting Edit for each row. The value for the variable maintenance must be set to true.
  6. Scroll to the top of the page and click Apply plan. Check the logs to see the status of the services created.

Explore the resources that were created by clicking below and selecting the instance with matching prefix. Locate all of the resources in the diagram above.

Verify connectivity

The Schematics workspace output contains variables that can be used to verify the VPN connectivity.

  1. Get the list of workspaces, note the ID column, set the shell variable:

    ibmcloud schematics workspace list
    
  2. Set the WORKSPACE_ID variable:

    WORKSPACE_ID=YOUR_WORKSPACE_ID
    
  3. Get the environment variables for the cloud resources:

    ibmcloud schematics output --id $WORKSPACE_ID --output json | jq -r '.[0].output_values[].environment_variables.value'
    
  4. The output will look something like the following. Copy/paste these results into your shell in order to set them in the environment:

    IP_FIP_ONPREM=169.48.x.x
    IP_PRIVATE_ONPREM=10.0.0.4
    IP_PRIVATE_CLOUD=10.1.1.4
    IP_FIP_BASTION=52.118.x.x
    IP_PRIVATE_BASTION=10.1.0.4
    IP_DNS_SERVER_0=10.1.0.5
    IP_DNS_SERVER_1=10.1.1.6
    IP_ENDPOINT_GATEWAY_POSTGRESQL=10.1.1.9
    IP_ENDPOINT_GATEWAY_COS=10.1.1.5
    HOSTNAME_POSTGRESQL=a43ddb63-dcb1-430a-a2e4-5d87a0dd12a6.6131b73286f34215871dfad7254b4f7d.private.databases.appdomain.cloud
    HOSTNAME_COS=s3.direct.us-south.cloud-object-storage.appdomain.cloud
    PORT_POSTGRESQL=32525
    
  5. You can now SSH into each of the instances following different paths including jumping through the VPN. The diagram shows the communication paths exercised by the steps.

    If the SSH key is not the default for SSH, you can set the option -I PATH_TO_PRIVATE_KEY_FILE or see the SSH reference manual for more help.

Verify connectivity
Verify connectivity

  1. Test access to on-premises VSI:
    ssh root@$IP_FIP_ONPREM
    
  2. Test access to cloud bastion:
    ssh root@$IP_FIP_BASTION
    
  3. Test access to cloud VSI through bastion:
    ssh -J root@$IP_FIP_BASTION root@$IP_PRIVATE_CLOUD
    
  4. Test access to cloud VSI through on-premises, through the VPN tunnel, through bastion:
    ssh -J root@$IP_FIP_ONPREM,root@$IP_FIP_BASTION root@$IP_PRIVATE_CLOUD
    
  5. Test access to on-premises VSI through bastion, through cloud VSI, through VPN tunnel:
    ssh -J root@$IP_FIP_BASTION,root@$IP_PRIVATE_CLOUD root@$IP_PRIVATE_ONPREM
    

Verify DNS resolution

The on-premises DNS resolution has been configured to use the IBM Cloud VPC DNS resolver location. This allows the cloud services to be accessed by name and resolved to the IP addresses of the private endpoint gateways.

Test DNS resolution to Postgresql and Object storage through the Virtual Endpoint Gateway. The two paths being verified are shown in the diagram below:

Verify DNS resolution
Verify DNS resolution

  1. Access the on-premises VSI.

    ssh root@$IP_FIP_ONPREM
    
  2. Copy and paste three(3) of the variables captured earlier: HOSTNAME_POSTGRESQL, HOSTNAME_COS, PORT_POSTGRESQL.

  3. Run a dig command to confirm resolution to the database instance through the Virtual Endpoint Gateway..

    dig $HOSTNAME_POSTGRESQL
    
  4. Verify connectivity to the database by issuing a telnet command. It should display "connected".

    telnet $HOSTNAME_POSTGRESQL $PORT_POSTGRESQL
    
  5. Once connected to the database, issue a Ctrl+C to disconnect.

  6. Run a dig command to confirm resolution to the cloud object storage instance through the Virtual Endpoint Gateway.

    dig $HOSTNAME_COS
    
  7. Verify connectivity to the cloud object storage instance by issuing a telnet command. It should display "connected".

    telnet $HOSTNAME_COS 443
    
  8. Once connected to the cloud object storage instance, issue a Ctrl+C to disconnect.

If there a problems see the troubleshoot section in the GitHub repository.

Optionally expand the tutorial

Want to add to or extend this tutorial? Here are some ideas:

  • In the GitHub repository there is an application that can be deployed that uses the database and cloud object storage. Instructions on how to deploy are in the README.
  • If you deployed the application add a DNS zone for the application.
  • Run the application on multiple Virtual Servers for VPC and add a load balancer to distribute inbound microservice traffic.

Remove resources

  1. Navigate to Schematics Workspaces, click on your workspace
  2. Click Actions... > Destroy resources
  3. Click Actions... > Delete workspace