About IBM Cloud Transit Gateway
As the number of your Virtual Private Clouds (VPCs) grows, you need a way to manage the interconnection between these resources across multiple regions. IBM Cloud® Transit Gateway is designed specifically for this purpose.
With IBM Cloud Transit Gateway, you can create single or multiple transit gateways to connect VPCs together. You can also connect your IBM Cloud classic infrastructure to a transit gateway to provide seamless communication with classic infrastructure resources. Any new network that you connect to a transit gateway is then automatically made available to every other network connected to it so that you can scale your network as it grows.
Transit gateways provide flexibility by allowing you to add networks to local gateways. Networks can be attached to multiple local gateways and a single global gateway, enabling you to keep local traffic on a local gateway.
Overview of features
IBM Cloud Transit Gateway offers the following features:
Routing
IBM Cloud Transit Gateway supports local and global routing between VPCs and the IBM Cloud classic infrastructure. All routing options remain within the private IBM Cloud infrastructure without operating on the public internet, and are optimized for performance. IBM Cloud Transit Gateway allows customers greater flexibility, redundancy, and speed in scaling their workloads, and in connecting isolated networks that run on IBM Cloud.
For more information, see IBM Cloud Transit Gateway route reports.
Privacy
- Connections to and from an IBM Cloud Transit Gateway on the IBM private network are not exposed to the public internet, which reduces public egress and VPN costs and reduces security threats.
- IBM Cloud Transit Gateway is a fully redundant, fault-tolerant service with no single point of failure within these IBM Cloud Multi-Zone Regions (MZR).
- IBM Cloud Transit Gateway integrates with Identity and Access Management (IAM), letting you manage access to your transit gateway. Using IAM, you can create and manage IBM Cloud users and groups, as well as user permissions to allow or deny their access.
Easily connect across boundaries
IBM Cloud Transit Gateway interconnects your IBM Cloud VPCs with compute and classic resources across the globe. You can also interconnect VPCs and classic resources across IBM Cloud accounts.
IBM Cloud Transit Gateway also supports the use of Generic Routing Encapsulation (GRE) tunnels to connect endpoints. The GRE tunnel connection allows a transit gateway to connect to overlay networks hosted on classic infrastructure resources in unique use cases.
Direct Link connectivity
IBM Cloud Transit Gateway supports Direct Link connections. Connecting Direct Link to your IBM Cloud Transit Gateway grants your on-premises network access to all networks connected on the transit gateway. Similarly, all other connections on the transit gateway have access to your on-premises network. As with other network connections to the IBM Cloud Transit Gateway, special consideration must be taken to avoid IP overlap issues. For more information, see Dealing with overlapping VPC prefixes and classic infrastructure subnets.
Power Virtual Server connectivity
IBM Cloud Transit Gateway supports Power Virtual Server connections. Connecting a Power Virtual Server instance to your IBM Cloud Transit Gateway network grants access to all networks connected on the transit gateway. Similarly, all other connections on the transit gateway will have access to your network. As with other network connections to the IBM Cloud Transit Gateway, special consideration must be taken to avoid IP overlap issues. For more information, see Dealing with overlapping VPC prefixes and classic infrastructure subnets.
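Because every connection on a transit gateway becomes reachable from every other one, the IP overlap caveat in the Direct Link and Power Virtual Server sections is worth checking before a network is attached. The following is an added example, not IBM code: it compares the prefixes of each planned connection pairwise and reports which ones share address space. The connection names and prefixes are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: connection name -> prefixes it would bring to the
# transit gateway. All names and prefixes are sample values.
CONNECTIONS = {
    "vpc-a": ["10.240.0.0/18", "10.240.64.0/18"],
    "vpc-b": ["10.241.0.0/18"],
    "classic": ["10.240.32.0/24", "10.72.0.0/16"],
    "direct-link-onprem": ["192.168.0.0/16", "10.241.0.0/16"],
    "power-vs": ["192.168.50.0/24"],
}


def _relation(a, b):
    """Describe how prefix a relates to an overlapping prefix b."""
    if a == b:
        return "equals"
    return "contains" if b.subnet_of(a) else "within"


def find_overlaps(connections):
    """Return sorted (conn_a, prefix_a, relation, conn_b, prefix_b) tuples for
    every pair of prefixes on different connections that share addresses.

    Raises ValueError for a malformed prefix or one with host bits set, so a
    typo in the inventory is not silently treated as a different network.
    """
    parsed = [
        (name, ipaddress.ip_network(prefix, strict=True))
        for name, prefixes in connections.items()
        for prefix in prefixes
    ]
    hits = []
    for (name_a, a), (name_b, b) in combinations(parsed, 2):
        # Prefixes on the same connection, or of different IP versions,
        # are not a cross-network conflict.
        if name_a == name_b or a.version != b.version:
            continue
        if a.overlaps(b):
            hits.append((name_a, str(a), _relation(a, b), name_b, str(b)))
    return sorted(hits)


if __name__ == "__main__":
    for conn_a, pfx_a, rel, conn_b, pfx_b in find_overlaps(CONNECTIONS):
        print(f"{conn_a} {pfx_a} {rel} {conn_b} {pfx_b}")
```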
Interconnectivity patterns
IBM Cloud Transit Gateway enables you to connect IBM Cloud VPCs and classic infrastructure to transit gateways, allowing you to build global networks of multiple VPCs and classic infrastructure resources across IBM Cloud regions to keep up with your business needs. IBM Cloud Transit Gateway works across IBM Cloud VPCs as well as IBM classic networks.
IBM Cloud Transit Gateway can connect to classic networks located in any MZR, regardless of the location of the transit gateway or the routing type specified.
Here are some ways that you can implement the IBM Cloud Transit Gateway service.
Use case 1: Interconnect two or more VPCs in the same MZR
Connect two VPCs in the same region with a local transit gateway.
Use case 2: Interconnect two or more VPCs across multiple MZRs
Connect VPCs in multiple regions by using a global transit gateway.
Use case 3: Interconnect one or more VPCs in the same MZR and an IBM classic network
Connect VPCs in the same region with IBM Cloud classic through a local transit gateway.
Use case 4: Interconnect VPCs and an IBM classic network to access all your resources across all MZRs
Connect VPCs from multiple regions with IBM Cloud classic through a global transit gateway.
Use case 5: Interconnect VPCs across accounts
Connect VPCs in the same region owned by different IBM Cloud accounts through a local transit gateway.
Use case 6: Connect networks (VPC and classic) to multiple local gateways
Keep in mind:
- Your local traffic is kept on a local transit gateway, which reduces latency.
- Highly Available (HA) capabilities are provided, as data in VPCs C and D might be replicated in VPCs in E and F.
- Classic infrastructure transit gateway connections are required to be in the same account as the transit gateway owner.
Use case 7: Interconnect networks (VPC and classic) across accounts
Connect cross-account IBM Cloud classic accounts to one or more transit gateways. To do so, the IBM Cloud account that owns the transit gateway requests permission from the IBM Cloud classic account to connect it to the transit gateway. The IBM Cloud classic account must approve the request before the connection is made. You can repeat this process for multiple IBM Cloud classic account connections as shown.
Use case 8: Connect networks by using a High Availability GRE tunnel
Connect IBM Cloud classic infrastructure by using a GRE tunnel to a local transit gateway.
This diagram shows a highly available GRE tunnel configuration. When you set up a GRE tunnel configuration, an availability zone must be specified. To make this use case highly available, you must set up two GRE tunnels with the same endpoints, but by using different availability zones.
Transit gateway GRE connections require the gateway owner to specifically configure HA for their needs. A GRE connection is a point-to-point connection, has no built-in redundancy, and is a single point of failure. When you configure a GRE connection on a transit gateway, you must specify the availability zone. For a robust HA solution, configure multiple GRE connections by using different availability zones.
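The HA requirement above can be audited from a connection inventory. The following is an added example, not IBM code: it groups GRE connections by endpoint pair and flags any pair that does not span at least two availability zones, including the case where two tunnels exist but share a zone. The record layout, field names, and values are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed GRE connection records. Field names are assumed for this
# example and are not taken from the page.
GRE_CONNECTIONS = [
    {"name": "gre-app-1", "local_gateway_ip": "10.10.1.4",
     "remote_gateway_ip": "10.20.1.4", "zone": "us-south-1"},
    {"name": "gre-app-2", "local_gateway_ip": "10.10.1.4",
     "remote_gateway_ip": "10.20.1.4", "zone": "us-south-2"},
    # Two tunnels, but both in the same zone: still a single point of failure.
    {"name": "gre-db-1", "local_gateway_ip": "10.10.2.4",
     "remote_gateway_ip": "10.20.2.4", "zone": "us-south-1"},
    {"name": "gre-db-2", "local_gateway_ip": "10.10.2.4",
     "remote_gateway_ip": "10.20.2.4", "zone": "us-south-1"},
    # One tunnel only.
    {"name": "gre-edge-1", "local_gateway_ip": "10.10.3.4",
     "remote_gateway_ip": "10.20.3.4", "zone": "us-south-3"},
]


def gre_single_points_of_failure(connections):
    """Return {(local_ip, remote_ip): {"tunnels": [...], "zones": [...]}}
    for every endpoint pair served from fewer than two distinct zones."""
    tunnels = defaultdict(list)
    zones = defaultdict(set)
    for conn in connections:
        key = (conn["local_gateway_ip"], conn["remote_gateway_ip"])
        tunnels[key].append(conn["name"])
        zones[key].add(conn["zone"])
    return {
        key: {"tunnels": sorted(tunnels[key]), "zones": sorted(zones[key])}
        for key in tunnels
        if len(zones[key]) < 2
    }


if __name__ == "__main__":
    for endpoints, info in gre_single_points_of_failure(GRE_CONNECTIONS).items():
        print(endpoints, info)
```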
Use case 9: Connect an on-premises network by using Direct Link
Connect IBM Cloud Direct Link to allow on-premises connectivity to IBM Cloud networks through a transit gateway. This allows the on-premises network to access all networks that are connected to the transit gateway. In the following example, the Direct Link gateway connects to a global transit gateway, along with 4 VPCs and IBM Cloud Classic Infrastructure. The inverse is also true, in that all other networks that are connected to the transit gateway are now connected to the on-premises network.
Direct Link can be connected to either local or remote transit gateways.
Power Virtual Server use cases using Transit Gateway
For use cases involving Power Virtual Server workspaces, see Power Edge Router use cases.