0 / 0
Securing connections

Securing connections

To connect to a database that is not externalized to the internet (for example, behind a firewall), you must select a Satellite Link or a Secure Gateway.

Set up a Satellite Link

Use the Satellite Link feature of IBM Cloud Satellite to securely connect to a Satellite location that you configure for your IBM Cloud account. The connection uses the Satellite location to form the Satellite Link to the data source.

Requirements and restrictions

Required permissions
You must be the Admin in the IBM Cloud account to do the tasks in IBM Cloud.
Required host systems
You need at least three computers or virtual machines in your own infrastructure to act as Satellite hosts. Confirm the host system requirements. (The IBM Cloud docs instructions for additional features such as Red Hat OpenShift clusters and Kubernetes are not required.)
Note: Not all connections support Satellite Link. If the connection supports Satellite Link, the Satellite Link tile will be available in the Private Connectivity section of the Create connection form. Alternatively, you can filter all the connections that support Satellite in the New connection page.

Task 1: Create a Satellite location

The Satellite location is your own infrastructure behind a firewall. To use Satellite Link to connect to data sources in Cloud Pak for Data as a Service, you need three computers or virtual machines. To create the Satellite location:

  1. Access the Create a Satellite location setup page in IBM Cloud from one of these places:
  • Log in to IBM Cloud, and select Create a Satellite location.

  • In Cloud Pak for Data as a Service:

    1. Go to the project page. Click Assets > New asset > Data access tools > Connection.
    2. Select the connector.
    3. In the Create connection page, scroll down to the Private connectivity section, and click Satellite Link > New Satellite location, and then log in to IBM Cloud.

    These instructions follow the On-premises & edge template. Depending on your infrastructure, you can select a different template. Refer to the template's linked instructions and the information at Understanding Satellite location and hosts in the IBM Cloud docs.

  1. Click Edit to modify the Satellite location information:

    • Name: You can use this field to differentiate between different networks such as my US East network or my Japan network.

    • The Tags and Description fields are optional.

    • Managed from: Select the IBM Cloud region that is closest to where your host machines physically reside.

    • Resource group: is set to default by default.

    • Zones: IBM automatically spreads the control plane instances across three zones within the same IBM Cloud multizone metro. For example, if you manage your location from the wdc metro in the US East region, your Satellite location control plane instances are spread across the us-east-1, us-east-2, and us-east-3 zones. This zonal spread ensures that your control plane is available, even if one zone becomes unavailable.

    • Red Hat CoreOS: Do not select this option. Leave it cleared or as No.

    • Object storage: Click Edit to enter the exact name of an existing IBM Cloud Object Storage bucket that you want to use to back up Satellite location control plane data. Otherwise, a new bucket is automatically created in an Object Storage instance in your account.

  2. Review your order details, and then click Create location.

    A location control plane is deployed to one of the zones that are located in the IBM Cloud region that you selected. The control plane is ready for you to attach hosts to it.

Task 2: Attach the hosts to the Satellite location

Attach three hosts that conform to the host requirements to the Satellite location.

Task 3: Assign the hosts to the control plane

To assign the hosts:

  1. From the Satellite Locations dashboard, click the name of your location.

  2. For each host, click the overflow menu (Overflow menu) and then select Assign. Assign one host to each zone.

Task 4: Create the connection secured with Satellite Link

Users in projects in Cloud Pak for Data as a Service can now create connections that are secured by Satellite Link. To create a secure connection:

  1. Go to the project page. Click Assets > New asset > Data access tools > Connection.

  2. Select the connector.

  3. In the Create connection form, complete the connection details. The hostname or IP address and the port of the data source must be available from each host that is attached to the Satellite location.

  4. Click Reload, and then select the Satellite location that you created.

Satellite Link forms the bridge between Cloud Pak for Data as a Service and the data source.

In the Satellite Locations dashboard, for each connection that you create by using a Satellite Link, a link endpoint is created with Destination type Location, and Created by Connectivity in the Satellite location.

Maintaining the Satellite Link

  • The host attach script expires one year from the creation date. To make sure that the hosts don't have authentication issues, download a new copy of the host attach script at least once per year.
  • Save the attach script in case you attach more hosts to the location in the future. If you generate a new host attach script, it detaches all the existing hosts.
  • Hosts can be reclaimed by detaching them from the Satellite location and reloading the operating system in the infrastructure provider.

Configure a Secure Gateway

The IBM Cloud Secure Gateway service provides a remote client to create a secure connection to a database that is not externalized to the internet. You can provision a Secure Gateway service in one service region and use it in service instances that you provisioned in other regions. After you create an instance of the Secure Gateway service, you add a Secure Gateway.

Note: Not all connections support Secure Gateway. If the connection supports Secure Gateway, the Secure Gateway tile will be available in the Private Connectivity section of the Create connection form. Alternatively, you can filter all the connections that support Secure Gateway in the**New connection page.

To configure a secure gateway:

  1. Configure a secure gateway from the Create connection screen:
    1. Select Secure Gateway.
    2. Click New Secure Gateway and then Create Secure Gateway. Otherwise, from the main menu, choose Services > Services catalog and then select Secure Gateway.
  2. Select a service plan and click Create.
  3. On the Services instances page, find the Secure Gateway service and click its name.
  4. Follow the instructions to add a gateway Adding a gateway. To maintain security for the connection, make sure that you configure the Secure Gateway to require a security token. Make sure you copy your Gateway ID and security token.
  5. From within your new gateway, on the Clients tab, click the Connect Client button to open the Connect Client pane.
  6. Select the client download for your operating system.
  7. Follow the instructions to install and configure the client.
  8. Depending on the resource authentication protocol that you specify, you might need to upload a certificate. A destination is created when the connection is first established.
  9. Go back to the Create connection page. In the Private connectivity section, click Reload, and then select the secure gateway that you created.

Learn more

Parent topic: Adding data to a project