About public address ranges
Public Address Ranges for VPC is only available for evaluation and testing purposes for users with special access.
A public address range is a contiguous set of public IPs that you can reserve and bind to a VPC in an availability zone.
The IPs in the range can be routed to a Virtual Network Function (VNF) appliance in the VPC by configuring public ingress routing to route the destination IP range to a VNF appliance next-hop. Response traffic from the VNF appliance retains the source IP as it egresses, ensuring traffic isn't dropped.
For more information about configuring ingress routing, see About routing tables and routes.
Key capabilities and benefits
The following key benefits highlight how the Public Address Ranges for VPC service supports scalable, secure, and highly available networks.
- Contiguous IP Range
- A public address range provides a continuous set of IBM-provided public IPs for scalable and manageable routing and security policies.
- Resource Management
- Public address ranges can simplify access control and security while enabling a single public ingress route to inspect traffic from multiple endpoints and secure enterprise applications on the VPC.
- Scalability
- When you need more public IPs, you can reserve a larger prefix without needing to manually manage individual addresses.
- High Availability
- In regions with availability zones, you can create zone-redundant public IP ranges to distribute IP addresses for high availability. These public address ranges are regional and can be moved between VPCs in the same or different availability zones.
Planning considerations
Review the following considerations before creating a public address range:
-
Make sure that you have the appropriate IAM permissions.
-
Review public address range limitations.
-
You can bind multiple public address ranges to a VPC.
-
You can't divide public address ranges into subranges and bind it to multiple VPCs or zones.
-
You can't change the size of the address range after it is reserved. Make sure to reserve a public address range size large enough to meet your needs.
IPs in different public address ranges aren't guaranteed to be contiguous.
-
You can limit a public address range to specific resources within the VPC by configuring network ACLs, security groups, or a combination of both.
-
You can reserve a public address range with the following prefix sizes. For more information, review public address range quotas and service limits.
/28= 16 addresses/29= 8 addresses/30= 4 addresses/31= 2 addresses/32= 1 address
-
If there is an overlap between a public address range and the private address prefix in a VPC, the private address prefix takes precedence.
Getting started with public address ranges
To get started with using public address ranges, follow these steps:
-
Ensure that you have created a VPC and all the needed resources (if not already present).
-
Bind, unbind,and move public address ranges after creating a public address range.
-
Configure an ingress routing table for your VPC by adding routes that direct traffic to the next-hop IP of the target appliance, using the public IP address range as the destination. These routes direct public internet traffic to a next-hop within the VPC, such as a Network Functions Virtualization (NFV) instance, router, firewall, or load balancer.
The next-hop IP must be an IP address that is bound to a network interface on a subnet in the route's zone for ingress routing.
IAM roles and actions
IBM Cloud Identity and Access Management (IAM) controls access to public address ranges for users in your account. Every user that accesses this service in your account must be assigned an access policy with an IAM role. Review the following available platform and service roles and the actions mapped to each to help you assign access.
If you're using the CLI or API to assign access, use is.public-address-range for the service name.
| Role | Description |
|---|---|
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |
| Action | Description | Roles |
|---|---|---|
is.public-address-range.public-address-range.read |
Read a public address range | Administrator, Editor, Operator, Viewer |
is.public-address-range.public-address-range.list |
List a public address range | Administrator, Editor, Operator, Viewer |
is.public-address-range.public-address-range.create |
Create a public address range | Administrator, Editor |
is.public-address-range.public-address-range.update |
Modify a public address range | Administrator, Editor |
is.public-address-range.public-address-range.operate
and |
Bind, unbind, or move a public address range | Administrator, Editor |
is.public-address-range.public-address-range.delete |
Delete a public address range | Administrator, Editor |
Common use cases
Public address ranges help customers simplify the integration of network and security appliances into their network topology to run their workloads on a VPC. This provides more control over routing, security, and traffic management, enabling solutions that enhance network performance and security.
Secure your workloads in VPC
To manage access to sensitive data effectively, firewalls automatically detect and handle threats using policy-based routing for enhanced security. Define routing rules for public endpoints to redirect ingress traffic to third-party appliances before it reaches the final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require in their VPC.
Deploy highly-available and resilient workloads in VPC
In the event of a zonal failure, customers can reroute internet traffic for monitoring and inspection to a VNF appliance deployed in another zone, providing highly available workloads in their VPC.