About public address ranges
You can now create and use public address ranges in the Frankfurt and Madrid regions, if your account has been approved for access. To request access to Public Address Ranges for VPC, contact your IBM representative.
A public address range is a contiguous set of public IPs that you can reserve and bind to a VPC in an availability zone.
You can route the IPs in the range to a target resource in the VPC, such as a virtual server instance, VNF appliance, or other compute resource. For example, you can configure public ingress routing to send the destination IP range to a VNF appliance next-hop. Response traffic from the target retains the original source IP as it exits the VPC, ensuring that return traffic isn't dropped.
For more information about configuring ingress routing, see About routing tables and routes.
Key capabilities and benefits
The following key benefits highlight how the Public Address Ranges for VPC service supports scalable, secure, and highly available networks.
- Contiguous IP Range
- A public address range provides a continuous set of IBM-provided public IPs for scalable and manageable routing and security policies.
- Resource Management
- Public address ranges can simplify access control and security while enabling a single public ingress route to inspect traffic from multiple endpoints and secure enterprise applications on the VPC.
- Scalability
- When you need more public IPs, you can reserve a larger prefix without needing to manually manage individual addresses.
- High Availability
- In regions with availability zones, you can create zone-redundant public IP ranges to distribute IP addresses for high availability. These public address ranges are regional and can be moved between VPCs in the same or different availability zones.
Planning considerations
Review the following considerations before creating a public address range:
-
Make sure that you have the appropriate IAM permissions.
-
Review public address range known issues.
-
You can bind multiple public address ranges to a VPC.
-
You can't divide public address ranges into subranges and bind it to multiple VPCs or zones.
-
You can't change the size of the address range after it is reserved. Make sure to reserve a public address range size large enough to meet your needs.
IPs in different public address ranges aren't guaranteed to be contiguous.
-
You can limit the use of a public address range to specific resources within the VPC by configuring network ACLs, security groups, or a combination of both.
-
You can reserve a public address range with the following prefix sizes. For more information, review public address range quotas and service limits.
/28= 16 addresses/29= 8 addresses/30= 4 addresses/31= 2 addresses/32= 1 address
-
If there is an overlap between a public address range and the private address prefix in a VPC, the private address prefix takes precedence.
-
When a public address range is bound to a zone in a VPC, traffic originating from any virtual server or bare metal server in that zone in the VPC, and using a source IP from the public address range, can communicate with the public and private destinations. To limit this, you can:
- Configure security groups to limit which resources can send or receive traffic with IP addresses from the public address range.
- Configure network ACLs to allow or deny traffic at the subnet level.
- Configure VPC egress routes to explicitly direct outbound traffic and avoid unintended paths.
When setting up these network traffic controls, keep in mind that some users might lack the necessary IAM permissions to secure resources properly.
When a VPC is created, the default security group and network ACL allow inbound and outbound traffic for the supported protocols. To ensure secure and intentional use of these public address range IPs, it is highly recommended to review and customize your security group rules, network ACLs, and egress routes to ensure an adequate security posture. This practice helps prevent unintended access to traffic patterns, particularly when multiple users have permission to deploy virtual server instances and compute resources in your account.
Getting started with public address ranges
To get started with using public address ranges, follow these steps:
-
Ensure that you have created a VPC and all the needed resources (if not already present).
-
Bind, unbind,and move public address ranges after creating a public address range.
-
Configure an ingress routing table for your VPC by adding routes that direct traffic to the next-hop IP of the target appliance, using the public IP address range as the destination. These routes direct public internet traffic to a next-hop within the VPC, such as a Network Functions Virtualization (NFV) instance, router, firewall, or load balancer.
The next-hop IP must be an IP address that is bound to a network interface on a subnet in the route's zone for ingress routing.
IAM roles and actions
IBM Cloud® Identity and Access Management (IAM) controls access to public address ranges for users in your account. Every user that accesses this service in your account must be assigned an access policy with an IAM role. Review the following available platform and service roles and the actions mapped to each to help you assign access.
If you're using the CLI or API to assign access, use is.public-address-range for the service name.
| Role | Description |
|---|---|
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |
| Action | Description | Roles |
|---|---|---|
is.public-address-range.public-address-range.read |
Read a public address range | Administrator, Editor, Operator, Viewer |
is.public-address-range.public-address-range.list |
List a public address range | Administrator, Editor, Operator, Viewer |
is.public-address-range.public-address-range.create |
Create a public address range | Administrator, Editor |
is.public-address-range.public-address-range.update |
Modify a public address range | Administrator, Editor |
is.public-address-range.public-address-range.operate |
Bind, unbind, or move a public address range | Administrator, Editor |
is.public-address-range.public-address-range.delete |
Delete a public address range | Administrator, Editor |
Common use cases
Public address ranges help customers simplify the integration of network and security appliances into their network topology to run their workloads on a VPC. This provides more control over routing, security, and traffic management, enabling solutions that enhance network performance and security.
Securing your workloads in VPC
To manage access to sensitive data effectively, firewalls automatically detect and handle threats using policy-based routing for enhanced security. You can define public address ranges to expose specific services or applications, enabling controlled ingress into the VPC. Define routing rules for public endpoints to redirect ingress traffic to third-party appliances before it reaches the final destination. This approach simplifies the deployment of production-grade applications with the networking and security services required in a VPC.
The following diagram illustrates how to secure your workloads in a VPC using public address ranges. First, traffic from the internet enters the VPC through a public address range. It is then routed through a routing table, redirected through a firewall or third-party appliance, and finally forwarded to the protected applications.
Deploying highly-available and resilient workloads in VPC
To ensure workload resilience, you can use public address ranges to maintain consistent access to services during zonal failures. In the event of a zonal failure, internet traffic is rerouted to a virtual network function (VNF) appliance deployed in another zone for monitoring and inspection, maintaining high availability within the VPC.
The following diagram illustrates how to configure routes and firewalls using public address ranges to enable cross-zone failover and support highly available, resilient workloads in your VPC. Set up two routes, Route 1 for the internet traffic reaching the Active Firewall in Zone 1 (us-south-1), and Route 2 for the Passive Firewall in Zone 2 (us-south-2). The routes are created with Public Address Range as the Destination and the next-hop as the Firewall in each zone. The Public Address Range is attached to the zone with Active Firewall, us-south-1. The internet traffic incoming through Public Address Ranges is routed to the Active Firewall per Route 1 in us-south-1 for traffic inspection and filtering. When the Active Firewall is down, the zone of Public Address Range is updated to us-south-2, and the traffic incoming through Public Address Range is now routed through Route 2 to the Passive Firewall, making the Firewall highly-available for internet traffic inspection and securing workloads in VPC, even during zonal failures.
