IBM Cloud Docs
Planning for virtual private endpoint gateways

Before you create a virtual private endpoint gateway, review the following considerations.

VPE creation and configuration limits

  • You can create only one VPE per service within a single VPC.
  • You can bind only one IP address per VPC zone to a VPE gateway.
  • A reserved IP address that is bound to a VPE gateway can receive traffic from other zones within the same VPC, as long as your Network ACL (NACL) rules allow it.

Security groups

  • You can attach up to five security groups when you create a VPE. If you do not specify a security group during VPE creation, the default security group for your VPC is used.

    If you do not select at least one security group, review and update the rules of your default security group before you create the VPE, so that traffic to the newly created VPE is not disrupted by rules that were written for other resources.

  • You can create a security group before or during provisioning (in the console).

    • The security group must be created in the same VPC as your VPE.
    • Configure inbound rules that define what type of traffic is allowed to the VPE. For each rule, complete the following information:
      • Specify a CIDR block or IP address from which inbound traffic is permitted. Alternatively, you can specify a security group in the same VPC to allow traffic from all sources that are attached to the selected security group.
      • Select the protocols and ports that the rule applies to.

Accessing IBM Cloud services

  • You can access IBM Cloud® services by using either a VPE or the service endpoint directly. However, if you want your VPC to enforce that traffic to a service always goes through the VPE, it is recommended to block direct access to the service endpoint IP addresses by using NACLs. For more information, see Configuring ACLs and security groups for use with endpoint gateways.

    IBM Cloud services do not support accessing a service endpoint and a VPE simultaneously from the same virtual server instance.
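The following Terraform configuration is an added example that is not part of the IBM Cloud documentation; it ties together the security group guidance above (a security group created in the same VPC, with an inbound rule scoped to a source security group and a single port) and the NACL guidance in this section (a subnet ACL that denies direct egress to the service endpoint addresses so that only the VPE path remains). It uses the IBM Cloud Terraform provider (IBM-Cloud/ibm). The VPC name, subnet CIDR, zone, target CRN and the service-endpoint CIDR are placeholders that you must replace with your own values.

```hcl
# Added example, not from the IBM Cloud docs. All names, the zone, the CIDRs
# and the target CRN are placeholders (assumptions); replace them before use.
terraform {
  required_providers {
    ibm = { source = "IBM-Cloud/ibm" }
  }
}

# Assumed existing VPC, looked up by name (placeholder).
data "ibm_is_vpc" "app" {
  name = "app-vpc"
}

variable "app_subnet_cidr" {
  type    = string
  default = "10.240.0.0/24" # placeholder
}

# Direct service endpoint addresses to block. Placeholder (TEST-NET-1);
# take the real addresses from the documentation of the service you use.
variable "service_endpoint_cidr" {
  type    = string
  default = "192.0.2.0/24"
}

# 1. Security group for the VPE, created in the same VPC as the VPE.
#    Without one, the VPC default security group is used.
resource "ibm_is_security_group" "app_clients" {
  name = "app-clients" # attached to the workloads that may use the VPE
  vpc  = data.ibm_is_vpc.app.id
}

resource "ibm_is_security_group" "vpe_sg" {
  name = "vpe-cos-sg"
  vpc  = data.ibm_is_vpc.app.id
}

# Single inbound rule: only members of app-clients, only TCP 443.
# "remote" is a security group ID here, so the rule follows group
# membership instead of a fixed CIDR.
resource "ibm_is_security_group_rule" "vpe_inbound_https" {
  group     = ibm_is_security_group.vpe_sg.id
  direction = "inbound"
  remote    = ibm_is_security_group.app_clients.id
  tcp {
    port_min = 443
    port_max = 443
  }
}

# 2. Subnet NACL: deny direct egress to the service endpoint addresses,
#    then allow everything else. Rules are evaluated in order, so the deny
#    must precede the allow-all. NACLs are stateless, so return traffic
#    needs an inbound allow as well.
resource "ibm_is_network_acl" "app_zone1" {
  name = "app-zone1-acl"
  vpc  = data.ibm_is_vpc.app.id

  rules {
    name        = "deny-direct-service-endpoint"
    action      = "deny"
    direction   = "outbound"
    source      = var.app_subnet_cidr
    destination = var.service_endpoint_cidr
  }
  rules {
    name        = "allow-outbound"
    action      = "allow"
    direction   = "outbound"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
  }
  rules {
    name        = "allow-inbound"
    action      = "allow"
    direction   = "inbound"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
  }
}

resource "ibm_is_subnet" "app_zone1" {
  name            = "app-subnet-zone1"
  vpc             = data.ibm_is_vpc.app.id
  zone            = "us-south-1" # placeholder
  ipv4_cidr_block = var.app_subnet_cidr
  network_acl     = ibm_is_network_acl.app_zone1.id
}

# 3. The endpoint gateway: one per service per VPC, one reserved IP per zone,
#    bound to the restrictive security group rather than the VPC default.
resource "ibm_is_virtual_endpoint_gateway" "cos" {
  name = "vpe-cos"
  vpc  = data.ibm_is_vpc.app.id
  target {
    # Placeholder CRN of the service endpoint to attach to.
    crn           = "crn:v1:bluemix:public:cloud-object-storage:global:::endpoint:s3.direct.us-south.cloud-object-storage.appdomain.cloud"
    resource_type = "provider_cloud_service"
  }
  ips {
    subnet = ibm_is_subnet.app_zone1.id
    name   = "vpe-cos-ip-zone1"
  }
  security_groups = [ibm_is_security_group.vpe_sg.id]
}
```

With this in place, a virtual server instance in the subnet can reach the service only by way of the VPE's reserved IP, and only if the instance is a member of the app-clients security group. A second zone needs its own subnet and its own ips block on the same gateway, because only one IP address can be bound per zone.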

Unsupported features

  • The following items are not supported:

    • Services that are deployed in zones and regions that are not part of IBM Cloud Multi-Zone Regions (MZRs)
    • IBM Cloud Flow Logs for VPC
    • Egress custom routes
    • UDP traffic to a VPE is not supported over IBM Cloud Direct Link or IBM Cloud Transit Gateway (for example, from a virtual server instance or bare metal server outside the VPE’s VPC). This includes UDP-based services such as Network Time Protocol (NTP).

Architectural restrictions

  • Virtual private endpoints support only IPv4 addressing.
  • Each endpoint gateway is bound to a single VPC.
  • The way an endpoint gateway maps to a service depends on the specific IBM Cloud service that you are enabling. For best practices, refer to the documentation for the specific IBM Cloud service.