Setting up access to classic infrastructure

You can set up access from a VPC to your IBM Cloud® classic infrastructure, including IBM Cloud Direct Link connectivity. Only one VPC per region can communicate with classic resources.

The recommended method to interconnect classic network to VPC is by using IBM Cloud Transit Gateway. This allows you to connect VPCs to various resources locally and across regions.

Alternatively, when you set up a VPC for classic access, every virtual server instance or bare metal server without a public interface in your classic account can send and receive packets to and from the classic-access VPC. Firewalls, gateways, network ACLs, or security groups can filter some or all of this traffic. As a best practice, allow only the traffic that is required for your applications to function properly.

For virtual server instances and bare metal instances on the classic infrastructure that use a public interface, you must add a route that points back to your classic-enabled VPC. This route must include the subnets of your classic-enabled VPC as a destination. The route must also point to a gateway address for traffic that leaves the private interface of the host as the next hop.

Prerequisites

Your classic account must be enabled for Virtual Router Forwarding (VRF). If your account is not VRF-enabled, open a ticket to request "VRF Migration" for your account. See Converting to VRF to learn more about the conversion process.

All subnets in a classic access VPC are shared into the classic infrastructure VRF, which uses IP addresses in the 10.0.0.0/8 space. To avoid IP address conflicts, don't use IP addresses in the 10.0.0.0/14, 10.200.0.0/14, 10.198.0.0/15, and 10.254.0.0/16 blocks in your classic access VPC. Also, don't use addresses from your classic infrastructure subnets. To view the list of your classic infrastructure subnets, see View all Subnets.

Creating a classic access VPC

You can create a classic access VPC by using the IBM Cloud console, CLI, or API.

A VPC must be set up for classic access when it is created: you cannot update a VPC to add or remove classic access.

Using the IBM Cloud console to create a classic access VPC

On the New virtual private cloud page, select Enable access to classic resource under Classic access.

Using the CLI to create a classic access VPC

Use the flag --classic-access when you create the VPC, for example:

ibmcloud is vpc-create my-access-vpc --classic-access

Using the API to create a classic access VPC

Pass in the classic_access parameter when you create the VPC, for example:

curl -X POST "$rias_endpoint/v1/vpcs?version=$api_version&generation=2" \
  -H "Authorization: $iam_token" \
  -d '{
        "name": "my-access-vpc",
        "classic_access": true
      }'

Classic access VPC default address prefixes

Classic Virtual Servers aren't available in the Madrid MZR.

When a classic access VPC is created, the default address prefixes are assigned based on the zone as follows:

Table 1. Classic access VPC address prefixes by zone
Zone	Address Prefix
`us-south-1`	`172.16.0.0/18`
`us-south-2`	`172.16.64.0/18`
`us-south-3`	`172.16.128.0/18`
`us-east-1`	`172.17.0.0/18`
`us-east-2`	`172.17.64.0/18`
`us-east-3`	`172.17.128.0/18`
`eu-gb-1`	`172.18.0.0/18`
`eu-gb-2`	`172.18.64.0/18`
`eu-gb-3`	`172.18.128.0/18`
`eu-de-1`	`172.19.0.0/18`
`eu-de-2`	`172.19.64.0/18`
`eu-de-3`	`172.19.128.0/18`
`eu-es-1`	`172.27.0.0/18`
`eu-es-2`	`172.27.64.0/18`
`eu-es-3`	`172.27.128.0/18`
`jp-tok-1`	`172.20.0.0/18`
`jp-tok-2`	`172.20.64.0/18`
`jp-tok-3`	`172.20.128.0/18`
`au-syd-1`	`172.21.0.0/18`
`au-syd-2`	`172.21.64.0/18`
`au-syd-3`	`172.21.128.0/18`
`jp-osa-1`	`172.24.0.0/18`
`jp-osa-2`	`172.24.64.0/18`
`jp-osa-3`	`172.24.128.0/18`
`ca-tor-1`	`10.249.0.0/18`
`ca-tor-2`	`10.249.64.0/18`
`ca-tor-3`	`10.249.128.0/18`
`br-sao-1`	`172.26.0.0/18`
`br-sao-2`	`172.26.64.0/18`
`br-sao-3`	`172.26.128.0/18`

For x86-64 dedicated host profiles, the Madrid region only supports dedicated host profiles with instance storage. For more information, see Dedicated host profiles.

To prevent address prefixes from being created, you can add the "address_prefix_management": "manual" parameter when you create the VPC by using the API:

curl -H "Authorization:$iam_token" "$iaas_endpoint/v1/vpcs?generation=2&version=$api_version" -X POST -d '{ "name": "my-access-vpc", "address_prefix_management": "manual", "classic_access": true}'

Converting your account to VRF

The VRF conversion process involves a network disruption while the VLANs and their subnets are detached from the ACL backbone and then attached to the Customer VRF. This process results in a few moments of packet loss for traffic that is entering or exiting the VLANs. Packets within the VLAN continue to flow. In the cases where a network gateway, such as a FortiGate Security Appliance or Virtual Router Appliance is involved, no disruption occurs among the VLANs attached to that gateway. The servers see no network outage themselves, and most workloads automatically recover when the traffic flow resumes. The total duration of the disruption depends on the extent of the tenant’s topology, that is, the number of subnets, VLANs, and pods that your tenancy includes.

During migration, the VLANs are disconnected from the backbone and reconnected to the Customer VRF. The duration of disruption varies, depending on the quantity of VLANs, PODs, and data centers involved. Traffic among VLANs is disrupted, yet the servers stay connected to the network. The application might or might not be affected, depending on its sensitivity to packet loss.

How to initiate VRF conversion

To request conversion of your account to VRF, follow these steps:

Open a support case through the IBM Cloud console.
Select All products, then start typing Virtual Private Cloud and select it.
Click Next in the lower right of the page to show the form.
- For the Subject, enter "Network Engineering: Convert account to VRF for VPC Classic Access".
- For the Description, enter the following text:
  
  "I am requesting that account your account number is moved to its own VRF. I understand the risks and approve the change. Please reply with the scheduled window(s) of time where this change will be made so we can prepare for the migration."

Migration is completed by the IBM Cloud Network Engineering team. No other information is required from you, except an agreed-to schedule. Typically, packet loss might last 15 - 30 minutes, depending on the complexity of your account. It might be longer if your account has legacy Direct Link connections.

Limitations

Only private networks (also known as backend networks) in classic infrastructure can be connected to your VPC.
Only subnets allocated to your classic infrastructure with IBM Cloud provisioning systems can be connected to your VPC.
Only one VPC per region can be enabled for classic access.
All classic access VPCs must have globally unique address prefixes that do not overlap.
If your classic infrastructure includes an imported default route from Direct Link, the imported default route is used by your Classic Access VPC. In this scenario, the public gateway and floating IPs in your Classic Access VPC do not provide internet access. When the default route is no longer imported via Direct Link, then public gateways and floating IPs once again provide internet access.