IBM watsonx provides network security mechanisms to protect infrastructure, data, and applications from potential threats and unauthorized access. Network security mechanisms provide secure connections to data sources and control traffic across both the public internet and internal networks.
| Mechanism | Purpose | Responsibility | Configured on |
|---|---|---|---|
| Private network service endpoints | Access services through secure private network endpoints | Customer | IBM Cloud |
| Access to private data sources | Connect to data sources that are protected by a firewall | Customer | IBM watsonx |
| Integrations | Secure connections to Third-party clouds through a firewall | Customer and Third-party clouds | IBM watsonx |
| Connections | Secure connections to data sources | Customer | IBM watsonx |
| Secure connections | Secure Gateways and Satellite Links provide secure connections to applications and data sources | Customer | IBM Cloud and IBM watsonx |
| VPNs | Share data securely across public networks | Customer | IBM Cloud |
| Allow specific IP addresses | Protect from access by unknown IP addresses | Customer | IBM Cloud |
| Allow third party URLs | Allow third party URLs on an internal network | Customer | Customer firewall |
| Multi-tenancy | Provide isolation in a SaaS environment | IBM and Third-party clouds | IBM Cloud, Cloud providers |
Private network service endpoints
Use private network service endpoints to securely connect to endpoints over IBM private cloud, rather than connecting to resources over the public network. With Private network service endpoints, services are no longer served on an internet routable IP address and thus are more secure. Service endpoints require virtual routing and forwarding (VRF) to be enabled on your account. VRF is automatically enabled for Virtual Private Clouds (VPCs).
For more information about service endpoints, see:
- Securing connections to services with private service endpoints
- Blog: Introducing Private Service Endpoints in IBM Cloud Databases
- IBM Cloud docs: Secure access to services using service endpoints
- IBM Cloud docs: Enabling VRF and service endpoints
- IBM Cloud docs: Public and private network endpoints
Access to private data sources
Private data sources are on-premises data sources that are protected by a firewall. IBM watsonx requires access through the firewall to reach the data sources. To provide secure access, you create inbound firewall rules to allow access for the IP address ranges for IBM watsonx. The inbound rules are created in the configuration tool for your firewall.
Integrations
You can configure integrations with third-party cloud platforms to allow IBM watsonx users to access data sources hosted on those clouds. The following security mechanisms apply to integrations with third-party clouds:
- An authorized account on the third-party cloud, with appropriate permissions to view account credentials
- Permissions to allow secure connections through the firewall of the cloud provider (for specific IP ranges)
For example, you have a data source on AWS that you are running notebooks on. You need to integrate with AWS and then generate a connection to the database. The integration and connection are secure. After you configure firewall access, you can grant appropriate permissions to users and provide them with credentials to access data.
Connections
Connections require valid credentials to access data. The account owner or administrator configures the type of credentials that are required, either shared or personal, at the account level. Shared credentials make the data source and its credentials accessible to all collaborators in the project. Personal credentials require each collaborator to provide their own credentials to use the data source.
Connections require valid credentials to access data. The account owner or administrator configures the type of credentials that are required at the account level. The connection creator enters a valid credential. The options are:
- Either shared or personal allows users to specify personal or shared credentials when creating a new connection by selecting a radio button and entering the correct credential.
- Personal credentials require each collaborator to provide their own credentials to use the data source.
- Shared credentials make the data source and its credentials accessible to all collaborators in the project. Users enter a common credential which was created by the creator of the connection.
For more information about connections, see:
Secure connections
Secure connections provide secure communication among resources in a hybrid cloud deployment, some of which might reside behind a firewall. You have the following options for secure connections between your environment and the cloud:
Satellite Link to a Cloud Satellite Location
A Satellite Link provides highly available and secure-by-default communication to Satellite host locations such as an on-premises data center or another cloud provider. You configure the Satellite locations from your IBM cloud account. To connect to the Satellite location in IBM watsonx, you set up a Satellite Link between your infrastructure and IBM Cloud.
A Satellite Link is a two-way tunnel that you control that securely connects your Satellite location to the IBM Cloud region from which your location is managed. All incoming and outgoing communication is encrypted. Network traffic on this connection can be monitored and audited.
- To create a Satellite Link, see Securing connections
- For an introduction to configuring Satellite locations for your IBM Cloud account, see IBM Cloud docs: Getting started with IBM Cloud Satellite
Secure Gateway
A Secure Gateway provides a secure, persistent connection between your environment and the cloud. With Secure Gateway, you can safely connect all of your applications and resources regardless of their location.
For more information, see:
- Secure Gateway on IBM watsonx
- IBM Cloud docs: Getting started with Secure Gateway
- For the Secure Gateway deprecation announcement and suggested alternatives, see IBM Cloud Secure Gateway Deprecation
VPNs
Virtual Private Networks (VPNs) create virtual point-to-point connections by using tunneling protocols, and encryption and dedicated connections. They provide a secure method for sharing data across public networks.
Following are the VPN-related technologies on IBM Cloud that provide VPN connection capability:
-
IPSec VPN: The VPN facilitates connectivity from your secure network to IBM IaaS platform’s private network. Any user on the account can be given VPN access.
-
VPN for VPC: With Virtual Private Cloud (VPC), you can provision generation 2 virtual server instances for VPC with high network performance.
The blog that describes the deprecation of the Secure Gateway also provides information and scenarios for using VPNs as an alternative. See IBM Cloud Secure Gateway Deprecation
Allow specific IP addresses
Use this mechanism to control access to the IBM cloud console and to IBM watsonx. Access is allowed from the specified IP addresses only; access from all other IP addresses is denied. You can specify the allowed IP addresses for an individual user or for an account.
When allowing specific IP addresses for Watson Studio, you must include the CIDR ranges for the Watson Studio nodes in each region (as well as the individual client system IPs that are allowed). You can include the CIDR ranges in IBM watsonx by following these steps:
- From the main menu, choose Administration > Cloud integrations.
- Click Firewall configuration to display the IP addresses for the current region. Use CIDR notation.
- Copy each CIDR range into the IP address restrictions for either a user or an account. Be sure to enter the allowed individual client IP addresses as well. Enter the IP addresses as a comma-separated list. Then, click Apply.
- Repeat for each region to allow access for Watson Studio.
For step-by-step instructions for both user and account restrictions, see IBM Cloud docs: Allowing specific IP addresses
Allow third party URLs on an internal network
If you are running IBM watsonx behind a firewall, you must allowlist third party URLs to provide outbound browser access. The URLs include resources from IBM Cloud and other domains. IBM watsonx requires access to these domains for outbound browser traffic through the firewall.
This list provides access only for core IBM watsonx functions. Specific services might require additional URLs. The list does not cover URLs required by the IBM Cloud console and its outbound requests.
| Domain | Description |
|---|---|
| *.bluemix.net | IBM legacy Cloud domain - still used in some flows |
| *.appdomain.cloud | IBM Cloud app domain |
| cloud.ibm.com | IBM Cloud global domain |
| *.cloud.ibm.com | Various IBM Cloud subdomains |
| dataplatform.cloud.ibm.com | IBM watsonx Dallas region |
| *.dataplatform.cloud.ibm.com | CIBM watsonx subdomains |
| eum.instana.io | Instana client side instrumentation |
| eum-orange-saas.instana.io | Instana client side instrumentation |
| cdnjs.cloudflare.com | Cloudflare CDN for some static resources |
| nebula-cdn.kampyle.com | Medallia NPS |
| resources.digital-cloud-ibm.medallia.eu | Medallia NPS |
| udc-neb.kampyle.com | Medallia NPS |
| ubt.digital-cloud-ibm.medallia.eu | Medallia NPS |
| cdn.segment.com | Segment JS |
| api.segment.io | Segment API |
| cdn.walkme.com | WalkMe static resources |
| papi.walkme.com | WalkMe API |
| ec.walkme.com | WalkMe API |
| playerserver.walkme.com | WalkMe player server |
| s3.walkmeusercontent.com | WalkMe static resources |
Multi-tenancy
IBM watsonx is hosted as a secure and compliant multi-tenant solution on IBM Cloud. See Multi-Tenant
Parent topic: Security