Private network connectivity within IBM Cloud

For technical, cost, regulatory and/or compliance reasons, you might require all connectivity to, within, and between your VPC infrastructures to be isolated from all public backbone and the internet.

The traffic between our data centers stays within our backbone and in our ASN. Traffic between our data centers does not traverse other networks (ASNs). This includes both public (front-end, internet-facing) and private (back-end) network traffic. IBM® has a global backbone network that circles the globe.

Example use cases of private connectivity include:

  1. Instance to instance within an Availability Zone (AZ)
  2. Instance to instance between AZs within a single region
  3. Instance to instance between regions
  4. Connection from a remote network (on-premises) to IBM Cloud®

IBM Cloud supports these topologies with:

  • A private backbone for all connectivity between resources deployed in your VPC virtual networks within an AZ and between AZs (this backbone is separate from the public backbone used for connectivity with public addressing). IP addresses on the private backbone are not internet routable; they are not announced toward the public backbone or the internet. The private backbone is owned, managed, and operated exclusively by IBM Cloud.
  • IBM Cloud Transit Gateway, which meets use cases 1 through 3 by using this private backbone exclusively for connectivity between your virtual networks within a single region, across multiple regions, and to your IBM Cloud classic workloads.
  • IBM Cloud Direct Link, which meets use case 4 by providing the ability to attach your remote networks (on-premises) to your virtual networks within IBM Cloud VPC or IBM Cloud classic via this same private backbone.

By default, a VPC is private, and remains private until it is configured to enable public connectivity. For instance, a VPC might be connected to a public gateway or associated with floating IPs.

Architecture

Single-region, multi-zone VPC virtual network

[Figure: Architecture of a single-region, multi-zone VPC virtual network]

Multi-region, multi-zone VPC virtual networks

[Figure: Architecture of multi-region, multi-zone VPC virtual networks]

Connecting to Hyper Protect Crypto Services (HPCS) from VPC by using a Private Network

The HPCS instance can be configured by using API requests from both public and private endpoints. You can route traffic from your virtual server instance to the HPCS instance over the private network by configuring a static route on the instance for the HPCS private endpoint range. You can use the route add -net 166.9.0.0/16 gw <gateway> dev <gateway_interface> command to configure the route, where <gateway> is the private subnet gateway and <gateway_interface> is the instance's private interface. For more information about configuring the private network of IBM Cloud on your virtual server, see Using service endpoints to privately connect to Hyper Protect Crypto Services.
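The following POSIX shell helpers are an added example and are not part of the IBM Cloud documentation or of any IBM tooling. They build the static route command from the page for the 166.9.0.0/16 range, check offline whether a given endpoint address falls inside that range, and, on a real instance, ask the kernel which interface it would actually use for an HPCS address so you can confirm the traffic leaves over the private interface rather than the default (public) path. The gateway address 10.240.0.1 and interface name eth0 used in the comments and usage note are assumptions; substitute the values of your own VSI.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud page. Assumed values: private subnet
# gateway 10.240.0.1 and private interface eth0 (replace with your VSI's own).
HPCS_PRIVATE_NET="166.9.0.0/16"   # HPCS private service-endpoint range (from the page)

# ip_to_int DOTTED_QUAD: print the address as an unsigned 32-bit integer.
# Runs in a subshell so changing IFS does not leak into the caller.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP CIDR: exit 0 if IP lies inside CIDR (e.g. 166.9.0.0/16), else 1.
# Pure arithmetic, no network access, so it can be used in pre-flight checks.
in_cidr() (
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# hpcs_route_cmd GATEWAY DEV: print the static route command shown on the page
# (net-tools form). The iproute2 equivalent would be:
#   ip route add 166.9.0.0/16 via GATEWAY dev DEV
hpcs_route_cmd() {
    printf 'route add -net %s gw %s dev %s\n' "$HPCS_PRIVATE_NET" "$1" "$2"
}

# hpcs_route_check DEST_IP DEV: ask the kernel which interface it would use
# for DEST_IP. Exit 0 if it is DEV (private path), 1 if another interface or
# no route is chosen, 2 if the ip tool is not available on this host.
hpcs_route_check() {
    command -v ip >/dev/null 2>&1 || return 2
    ip route get "$1" 2>/dev/null | grep -q " dev $2 "
}

# hpcs_endpoint_precheck DEST_IP: refuse addresses outside the HPCS private
# range before any route is touched, to avoid routing unrelated traffic.
hpcs_endpoint_precheck() {
    in_cidr "$1" "$HPCS_PRIVATE_NET"
}
```

Usage on an instance: `hpcs_endpoint_precheck 166.9.24.19 && sudo $(hpcs_route_cmd 10.240.0.1 eth0)` adds the route (the address 166.9.24.19 is a constructed sample inside the range, not a real endpoint); afterwards `hpcs_route_check 166.9.24.19 eth0 || echo "HPCS traffic is NOT using the private interface"` verifies the kernel's routing decision. Re-run the check after any change to public gateways or floating IPs, since those add routes that can change which interface the default path uses.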