Network Design for VPC virtual servers

Default private networking with subnets

VPCs span a region and contain subnets that span individual zones within that region. These subnets use ranges of private IP addresses, with the option to bring your own public IP range. Subnets within a VPC are private by default and can communicate with each other without configuring additional routes. As a result, all resources within a VPC can communicate with one another by default subject to security groups and access control lists. Virtual server instances are attached to one or more subnets.

See the architecture diagram in About networking for VPC for a visual representation of VPC networking concepts. For additional information and design considerations, see Setting IP ranges.

Load-balancers

IBM Cloud provides two families of load balancers for VPC: Application Load Balancer (ALB) and Network Load Balancer (NLB), each designed for different use cases and operating at different layers of the OSI model.

Application Load Balancer (ALB) Application Load Balancer provides layer 7 and layer 4 load balancing on IBM Cloud, but ALBs are primarily intended for layer 7, web-based workloads. ALBs support public and private configurations with Secure Sockets Layer (SSL) offloading capabilities. Key features:

• Layer 7 (application) and Layer 4 (transport) load balancing
• SSL/TLS termination and offloading
• Content-based routing and URL-based routing
• HTTP/HTTPS protocol support
• Cookie-based session affinity
• Configured in active-active mode with high availability achieved using Domain Name Service (DNS), where the VIP of each compute resource is registered to the assigned DNS
• Support for virtual server instances, bare metal server instances, and Power System Virtual Server instances connected over Direct Link as back-end pool members
• Multi-zone deployment capability
• Integration with instance groups for auto-scaling

Choose Application Load Balancer when:

• SSL/TLS termination is required
• HTTP/HTTPS workloads need content-based routing
• Layer 7 features such as URL routing or header-based routing are needed
• Multi-zone high availability with DNS-based failover is acceptable

Network Load Balancer (NLB) Network Load Balancer provides only layer 4 load balancing on IBM Cloud and does not support SSL offloading NLB uses Direct Server Return (DSR), where information processed by backend targets is sent directly back to the client, minimizing latency and optimizing throughput performance. Key features:

• Layer 4 (transport) load balancing
• TCP and UDP protocol support
• Single, highly available virtual IP (VIP) that can be used directly, instead of through an assigned fully qualified domain name (FQDN)
• Direct Server Return (DSR) for high-performance data transfer
• Lower latency compared to ALB
• Higher throughput for large data transfers
• Supports public, private, Private Path, and private-type with routing mode enabled configurations

Choose Network Load Balancer when:

• Maximum throughput and lowest latency are critical
• Non-HTTP protocols (TCP/UDP) are required
• Direct Server Return benefits the architecture

Virtual Private Endpoints

IBM Cloud Virtual Private Endpoint (VPE) for VPC enables you to access supported IBM Cloud services remotely by using the IP addresses of your choice, which are allocated from a subnet within your VPC.

VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per-service or service-instance basis. The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Key characteristics:

• Endpoint gateways enable communications from virtual server instances within your VPC and IBM Cloud service on the private backbone
• Private IP addresses allocated from customer-defined VPC subnets
• No public internet connectivity required
• Horizontal scaling and high availability across availability zones
• Integration with VPC security groups and network ACLs
• DNS resolution support for service endpoints

External connectivity

External connectivity can be achieved with public gateways, floating IPs, and VPN gateways.

Public gateways span an entire subnet and enable all compute instances attached to that subnet to initiate outbound connections to the internet.

Floating IPs are associated with a single compute instance and support both initiating connections to and receiving connections from the internet.

VPN for VPC provides secure site-to-site connectivity from a VPC to another private network. See About site-to-site VPN gateways for additional details.

Client VPN for VPC offers client-to-site servers, which allow remote clients on the internet to connect securely to VPN servers and access VPC resources. See VPNs for VPC overview for more information.

Security

Network security in VPC is controlled through security groups and access control lists (ACLs).

Access control lists (ACLs) manage traffic at the subnet level using stateless rules. ACLs can control external connectivity established via a public gateway on a subnet.

Security groups manage traffic at the instance level using stateful rules. Security groups control external connectivity established via floating IPs attached to virtual server instances.

See Security in your VPC for additional details.

Interconnectivity

IBM Cloud Direct Link and VPN for VPC enable secure connectivity between a VPC and on-premises networks. Direct Link provides dedicated, low-latency private connections, while VPN offers encrypted connectivity over the internet.

IBM Cloud Transit Gateway interconnects VPCs with each other, PowerVS Workspaces and with IBM Cloud Classic infrastructure, providing a hub for routing traffic across multiple cloud environments. Transit Gateway simplifies network topology management in hybrid and multicloud architectures.

For guidance on selecting the appropriate connectivity option, see Interconnecting your VPC using IBM Cloud offerings and Getting started with IBM Cloud Transit Gateway.