IBM Cloud VPE overview
With IBM Cloud® Virtual Private Endpoint (VPE) for VPC, you can connect to supported IBM Cloud services from your VPC network. You can use IP addresses that you choose, which are allocated from a subnet within your VPC.
VPE is an evolution of private connectivity to IBM Cloud services. VPEs are virtual IP interfaces that are bound to an endpoint gateway, which is created per service or per service instance (depending on the service's operating model). The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communication between virtual server instances within your VPC and the IBM Cloud service over the private backbone. With VPE for VPC, you control the private addresses within your cloud.
For more information about supported IBM Cloud services, see VPE supported services.
For more information about IBM Cloud VPEs, see Virtual Private Endpoint Gateways in VPC.
Considerations with VMware Cloud Foundation solution in VPC
VPEs are located in your network address space within the VPC where your VMware® workloads are hosted. When you access IBM Cloud services from VMware workloads, you can use VPE for VPC as the endpoint for the service. Your VMware workloads can be attached either to the VPC subnet or to NSX™ overlay segments. VPE uses the IBM Cloud private backbone network to reach the specific service, so the data remains within the private IBM Cloud backbone.
The following diagram presents an overview when you are using VPEs with VMware workloads on VPC subnets.
The following diagram presents an overview when you are using VPEs with VMware NSX.
VPE is integrated with IBM Cloud DNS Services. If your VMware workloads use IBM Cloud DNS Services, they can resolve your VPE FQDNs to the private IP addresses of the VPE instances that are provisioned under IBM Cloud DNS Services. The IBM Cloud network can use resource records that are configured through IBM Cloud DNS Services by querying the DNS Services resolvers.
Therefore, the first architectural decision you must make is how your VMware workloads resolve DNS queries. IBM Cloud DNS Services provides custom resolvers as a service, which lets you customize the hostname resolution rules for different hostnames. If your VMware workloads are attached to a VPC subnet, you can use the DNS server IP addresses that are defined in VPC IaaS endpoints.
The custom resolver feature offers fine-grained control of name resolution and of forwarding DNS queries to and from on-premises DNS resolvers. You can create a custom resolver that runs inside your VPC address space, in a subnet that you define. You can then use this custom resolver for your VMware workloads on NSX overlays. For more information, see Working with custom resolvers.
VPE for VPC IP addresses use a multizone-region, logical endpoint gateway to connect to a service endpoint on the IBM Cloud private backbone. The endpoint gateway is designed to support the best practice of binding a single IP address from each zone of the VPC.
You can create an endpoint gateway with zero IP addresses and bind IP addresses as each zone is brought online. When you create an endpoint gateway, a DNS zone and its records are created. The VPE service automatically updates your virtual server instances to use the private DNS as the default DNS resolver. For more information about creating VPEs, see Creating an endpoint gateway.
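As an added illustration (not IBM's code) of the DNS integration and the one-IP-per-zone best practice described above: a workload-side check that the addresses a VPE FQDN resolves to fall inside the VPC subnets, one per zone, and that none resolve outside the VPC. The zone names and subnet CIDRs are constructed sample values; replace them with your own.

```python
import ipaddress
import socket

# Constructed sample values: one VPC subnet per zone of a multizone region.
# Replace with the CIDRs of the subnets your endpoint gateway binds IPs from.
ZONE_SUBNETS = {
    "us-south-1": "10.240.0.0/24",
    "us-south-2": "10.240.64.0/24",
    "us-south-3": "10.240.128.0/24",
}

def classify_addresses(addresses, zone_subnets=ZONE_SUBNETS):
    """Map each resolved address to the zone whose VPC subnet contains it.

    zones   - zone -> addresses bound there (best practice: exactly one)
    missing - zones with no bound IP yet (gateway not bound in that zone)
    outside - addresses in no VPC subnet: the name is not resolving to the
              VPE, so that traffic would not stay on the private backbone
    """
    nets = {zone: ipaddress.ip_network(cidr) for zone, cidr in zone_subnets.items()}
    zones = {zone: [] for zone in nets}
    outside = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        zone = next((z for z, net in nets.items() if ip in net), None)
        if zone is None:
            outside.append(addr)
        else:
            zones[zone].append(addr)
    missing = [zone for zone, ips in zones.items() if not ips]
    return {"zones": zones, "missing": missing, "outside": outside}

def resolve_fqdn(fqdn):
    """Resolve an FQDN with the host's configured resolver (DNS Services or a
    custom resolver on the workload) and return its unique IPv4 addresses."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def check_vpe(fqdn, zone_subnets=ZONE_SUBNETS):
    """Live check: resolve the VPE FQDN, then verify private-only, all-zone binding."""
    result = classify_addresses(resolve_fqdn(fqdn), zone_subnets)
    result["private_only"] = not result["outside"]
    result["all_zones_bound"] = not result["missing"]
    return result

if __name__ == "__main__":
    # Offline demonstration with constructed answers: zone 3 not yet bound,
    # plus one address (TEST-NET-3) that lies outside every VPC subnet.
    print(classify_addresses(["10.240.0.10", "10.240.64.10", "203.0.113.5"]))
```

On a workload, call `check_vpe` with your endpoint gateway's FQDN; a non-empty `outside` list means the resolver in use is not returning the VPE addresses.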
As more IBM Cloud services are enabled for VPE for VPC, each service instance requires you to configure its own endpoint gateway, but the same topologies and best practices apply. For more information about provisioning and best practice guidelines, see the documentation that is provided by the individual service.