0 / 0
Network security
Last updated: Nov 27, 2024
Network security

Cloud Pak for Data as a Service provides network security mechanisms to protect infrastructure, data, and applications from potential threats and unauthorized access. Network security mechanisms provide secure connections to data sources and control traffic across both the public internet and internal networks.

Table 1. Network security mechanisms for Cloud Pak for Data as a Service
Mechanism Purpose Responsibility Configured on
Private network service endpoints Access services through secure private network endpoints Customer IBM Cloud
Access to private data sources Connect to data sources that are protected by a firewall Customer Cloud Pak for Data as a Service
Integrations Secure connections to Third-party clouds through a firewall Customer and Third-party clouds Cloud Pak for Data as a Service
Connections Secure connections to data sources Customer Cloud Pak for Data as a Service
Connections to data behind a firewall The Satellite Connector and Satellite location provide secure connections to data sources in a hybrid environment Customer IBM Cloud and Cloud Pak for Data as a Service
VPNs Share data securely across public networks Customer IBM Cloud
Allow specific IP addresses Protect from access by unknown IP addresses Customer IBM Cloud
Allow third party URLs Allow third party URLs on an internal network Customer Customer firewall
Multi-tenancy Provide isolation in a SaaS environment IBM and Third-party clouds IBM Cloud, Cloud providers

Private network service endpoints

Use private network service endpoints to securely connect to endpoints over IBM private cloud, rather than connecting to resources over the public network. With Private network service endpoints, services are no longer served on an internet routable IP address and thus are more secure. Service endpoints require virtual routing and forwarding (VRF) to be enabled on your account. VRF is automatically enabled for Virtual Private Clouds (VPCs).

For more information about service endpoints, see:

Access to private data sources

Private data sources are on-premises data sources that are protected by a firewall. Cloud Pak for Data as a Service requires access through the firewall to reach the data sources. To provide secure access, you create inbound firewall rules to allow access for the IP address ranges for Cloud Pak for Data as a Service. The inbound rules are created in the configuration tool for your firewall.

See Configuring firewall access

Integrations

You can configure integrations with third-party cloud platforms to allow Cloud Pak for Data as a Service users to access data sources hosted on those clouds. The following security mechanisms apply to integrations with third-party clouds:

  1. An authorized account on the third-party cloud, with appropriate permissions to view account credentials
  2. Permissions to allow secure connections through the firewall of the cloud provider (for specific IP ranges)

For example, you have a data source on AWS that you are running notebooks on. You need to integrate with AWS and then generate a connection to the database. The integration and connection are secure. After you configure firewall access, you can grant appropriate permissions to users and provide them with credentials to access data.

See Integrations with other cloud platforms

Connections

Connections require valid credentials to access data. The account owner or administrator configures the type of credentials that are required, either shared or personal, at the account level. Shared credentials make the data source and its credentials accessible to all collaborators in the project. Personal credentials require each collaborator to provide their own credentials to use the data source.

Connections require valid credentials to access data. The account owner or administrator configures the type of credentials that are required at the account level. The connection creator enters a valid credential. The options are:

  • Either shared or personal allows users to specify personal or shared credentials when creating a new connection by selecting a radio button and entering the correct credential.
  • Personal credentials require each collaborator to provide their own credentials to use the data source.
  • Shared credentials make the data source and its credentials accessible to all collaborators in the project. Users enter a common credential which was created by the creator of the connection.

For more information about connections, see:

Connections to data behind a firewall

Secure connections provide secure communication among resources in a hybrid cloud deployment, some of which might reside behind a firewall. You have the following options for secure connections between your environment and the cloud:

Satellite location

A Satellite location provides the same secure communications to IBM Cloud as a Satellite Connector but adds high availability access by default plus the ability to communicate from IBM Cloud to your on-prem location. A Satellite location requires at least three x86 hosts in your infrastructure for the HA control plane. A Satellite location is a superset of the capabilities of the Satellite Connector. If you need only client data communication, set up a Satellite Connector.

See Connecting to data behind a firewall for instructions on configuring a Satellite location.

VPNs

Virtual Private Networks (VPNs) create virtual point-to-point connections by using tunneling protocols, and encryption and dedicated connections. They provide a secure method for sharing data across public networks.

Following are the VPN technologies on IBM Cloud:

  • IPSec VPN: The VPN facilitates connectivity from your secure network to IBM IaaS platform’s private network. Any user on the account can be given VPN access.

  • VPN for VPC: With Virtual Private Cloud (VPC), you can provision generation 2 virtual server instances for VPC with high network performance.

  • The Secure Gateway deprecation announcement provides information and scenarios for using VPNs as an alternative. See IBM Cloud docs: Migration options.

Allow specific IP addresses

Use this mechanism to control access to the IBM cloud console and to Cloud Pak for Data as a Service. Access is allowed from the specified IP addresses only; access from all other IP addresses is denied. You can specify the allowed IP addresses for an individual user or for an account.

When allowing specific IP addresses for watsonx.ai Studio, you must include the CIDR ranges for the watsonx.ai Studio nodes in each region (as well as the individual client system IPs that are allowed). You can include the CIDR ranges in Cloud Pak for Data as a Service by following these steps:

  1. From the main menu, choose Administration > Cloud integrations.
  2. Click Firewall configuration to display the IP addresses for the current region. Use CIDR notation.
  3. Copy each CIDR range into the IP address restrictions for either a user or an account. Be sure to enter the allowed individual client IP addresses as well. Enter the IP addresses as a comma-separated list. Then, click Apply.
  4. Repeat for each region to allow access for watsonx.ai Studio.

For step-by-step instructions for both user and account restrictions, see IBM Cloud docs: Allowing specific IP addresses

Allow third party URLs on an internal network

If you are running Cloud Pak for Data as a Service behind a firewall, you must allowlist third party URLs to provide outbound browser access. The URLs include resources from IBM Cloud and other domains. Cloud Pak for Data as a Service requires access to these domains for outbound browser traffic through the firewall.

This list provides access only for core Cloud Pak for Data as a Service functions. Specific services might require additional URLs. The list does not cover URLs required by the IBM Cloud console and its outbound requests.

Table 2. Third party URLs allowlist for Cloud Pak for Data as a Service
Domain Description
*.bluemix.net IBM legacy Cloud domain - still used in some flows
*.appdomain.cloud IBM Cloud app domain
cloud.ibm.com IBM Cloud global domain
*.cloud.ibm.com Various IBM Cloud subdomains
dataplatform.cloud.ibm.com Cloud Pak for Data as a Service Dallas region
*.dataplatform.cloud.ibm.com CCloud Pak for Data as a Service subdomains
eum.instana.io Instana client side instrumentation
eum-orange-saas.instana.io Instana client side instrumentation
cdnjs.cloudflare.com Cloudflare CDN for some static resources
nebula-cdn.kampyle.com Medallia NPS
resources.digital-cloud-ibm.medallia.eu Medallia NPS
udc-neb.kampyle.com Medallia NPS
ubt.digital-cloud-ibm.medallia.eu Medallia NPS
cdn.segment.com Segment JS
api.segment.io Segment API
cdn.walkme.com WalkMe static resources
papi.walkme.com WalkMe API
ec.walkme.com WalkMe API
playerserver.walkme.com WalkMe player server
s3.walkmeusercontent.com WalkMe static resources

Multi-tenancy

Cloud Pak for Data as a Service is hosted as a secure and compliant multi-tenant solution on IBM Cloud. See Multi-Tenant

Parent topic: Security

Generative AI search and answer
These answers are generated by a large language model in watsonx.ai based on content from the product documentation. Learn more