0 / 0
Connecting to data behind a firewall

Connecting to data behind a firewall

To connect to a database that is not accessible via the internet (for example, behind a firewall), you must set up a secure communication path between your on-premises data source and IBM Cloud. Use a Satellite Connector, a Satellite location, or a Secure Gateway instance for the secure communication path.

  • Set up a Satellite Connector: Satellite Connector is the replacement for Secure Gateway. Satellite Connector uses a lightweight Docker-based communication that creates secure and auditable communications from your on-prem, cloud, or Edge environment back to IBM Cloud. Your infrastructure needs only a container host, such as Docker. For more information, see Satellite Connector overview.

  • Set up a Satellite location: A Satellite location provides the same secure communications to IBM Cloud as a Satellite Connector but adds high availability access by default plus the ability to communicate from IBM Cloud to your on-prem location. It supports managed cloud services on on-premises, such as Managed OpenShift and Managed Databases, supported remotely by IBM Cloud PaaS SRE resources. A Satellite location requires at least three x86 hosts in your infrastructure for the HA control plane. A Satellite location is a superset of the capabilities of the Satellite Connector. If you need only client data communication, set up a Satellite Connector.

  • Configure a Secure Gateway: Secure Gateway is IBM Cloud's former solution for communication between on-prem or third-party cloud environments. Secure Gateway is now deprecated by IBM Cloud. For a new connection, set up a Satellite Connector instead.

Set up a Satellite Connector

To set up a Satellite Connector, you create the Connector in your IBM Cloud account. Next, you configure agents to run in your local Docker host platform on-premises. Finally, you create the endpoints for your data source that Cloud Pak for Data as a Service uses to access the data source from IBM Cloud.

Requirements for a Satellite Connector

Required permissions
You must have Administrator access to the Satellite service in IAM access policies to do the steps in IBM Cloud.
Required host systems
Minimum one x86 Docker host in your own infrastructure to run the Connector container. See Minimum requirements.

Setting up a Satellite Connector

Note: Not all connections support Satellite. If the connection supports Satellite, the IBM Cloud Satellite tile will be available in the Private Connectivity section of the Create connection form. Alternatively, you can filter all the connections that support Satellite in the New connection page.

These steps automatically add the Satellite Connector user endpoints that correspond to the connection that you create in Cloud Pak for Data as a Service.

  1. Access the Create connector page in IBM Cloud from one of these places:

    • Log in to the Connectors page in IBM Cloud.
    • In Cloud Pak for Data as a Service:
      1. Go to the project page. Click the Assets tab.
      2. Click New asset > Connection.
      3. Select the Cloud Pak for Data as a Service connector.
      4. In the Create connection page, scroll down to the Private connectivity section, and click the IBM Cloud Satellite tile.
      5. Click Configure Satellite and then log in to IBM Cloud.
      6. Click Create connector.
  2. Follow the steps for Creating a Connector.

  3. Set up the Connector agent containers in your local Docker host environment. For high availability, use three agents per connector that are deployed on separate Docker hosts. It is best to use a separate infrastructure and network connectivity for each agent. Follow the steps for Running a Connector agent.
    The agents will appear in the Active Agents list for the connector.

  4. In Cloud Pak for Data as a Service, go back to the Create connection page. In the Private connectivity section, click Reload, and then select the Satellite Connector that you created.

  5. Click Test Connection to verify that you can connect from Cloud Pak for Data as a Service to the data source using the Satellite Connector.

  6. Save the connection. A Satellite Connector endpoint corresponding to the connection is automatically created.

In the Satellite Connectors dashboard in IBM Cloud, for each connection that you create, a user endpoint is added in the Satellite Connector. The name of the user endpoint that is automatically added will look like ep-<XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>. To see which endpoint corresponds to the connection that you created in Cloud Pak for Data as a Service, check the Destination FQDN or IP and Destination port values in the endpoint details.

Set up a Satellite location

Use the Satellite location feature of IBM Cloud Satellite to securely connect to a Satellite location that you configure for your IBM Cloud account.

Requirements for a Satellite location

Required permissions
You must be the Admin in the IBM Cloud account to do the tasks in IBM Cloud.
Required host systems
You need at least three computers or virtual machines in your own infrastructure to act as Satellite hosts. Confirm the host system requirements. (The IBM Cloud docs instructions for additional features such as Red Hat OpenShift clusters and Kubernetes are not required for a connection in Cloud Pak for Data as a Service.)
Note: Not all connections support Satellite. If the connection supports Satellite, the IBM Cloud Satellite tile will be available in the Private Connectivity section of the Create connection form. Alternatively, you can filter all the connections that support Satellite in the New connection page.

Setting up a Satellite location

Configure the Satellite location in IBM Cloud.

Task 1: Create a Satellite location

A Satellite location is a representation of an environment in your infrastructure provider, such as an on-prem data center or cloud. To connect to data sources in Cloud Pak for Data as a Service, you need three computers or virtual machines. To create the Satellite location:

  1. Access the Create a Satellite location setup page in IBM Cloud from one of these places:

    • Log in to IBM Cloud, and select Create location.
    • In Cloud Pak for Data as a Service:
      1. Go to the project page. Click the Assets tab.
      2. Click New asset > Connection.
      3. Select the connector.
      4. In the Create connection page, scroll down to the Private connectivity section, and click the IBM Cloud Satellite tile.
      5. Click Configure Satellite and then log in to IBM Cloud.
      6. Click Create location.

        These instructions follow the On-premises & edge template. Depending on your infrastructure, you can select a different template. Refer to the template instructions and the information at Understanding Satellite location and hosts in the IBM Cloud docs.
  2. Click Edit to modify the Satellite location information:

    • Name: You can use this field to differentiate between different networks such as my US East network or my Japan network.

    • The Tags and Description fields are optional.

    • Managed from: Select the IBM Cloud region that is closest to where your host machines physically reside.

    • Resource group: is set to default by default.

    • Zones: IBM automatically spreads the control plane instances across three zones within the same IBM Cloud multizone metro. For example, if you manage your location from the wdc metro in the US East region, your Satellite location control plane instances are spread across the us-east-1, us-east-2, and us-east-3 zones. This zonal spread ensures that your control plane is available, even if one zone becomes unavailable.

    • Red Hat CoreOS: Do not select this option. Leave it cleared or as No.

    • Object storage: Click Edit to enter the exact name of an existing IBM Cloud Object Storage bucket that you want to use to back up Satellite location control plane data. Otherwise, a new bucket is automatically created in an Object Storage instance in your account.

  3. Review your order details, and then click Create location.

    A location control plane is deployed to one of the zones that are located in the IBM Cloud region that you selected. The control plane is ready for you to attach hosts to it.

Task 2: Attach the hosts to the Satellite location

Attach three hosts that conform to the host requirements to the Satellite location.

Important considerations for Satellite location hosts

  • Satellite hosts are dedicated servers and cannot be shared with other applications. You cannot log in to a host with SSH. The root password will be changed.
  • You need only three hosts for Cloud Pak for Data as a Service connections.
  • Worker nodes are not required. Only control plane hosts are needed for Cloud Pak for Data as a Service connections.
  • The Red Hat OpenShift Container Platform (OCP) is not needed for Cloud Pak for Data as a Service connections.
  • Container Linux CoreOS Linux is not needed for Cloud Pak for Data as a Service connections.
  • Hosts connect to IBM Cloud with the TLS 1.3 protocol.

To attach the hosts to the Satellite location:

  1. From the Satellite Locations dashboard, click the name of your location.

  2. Click Attach Hosts to generate and download a script.

  3. Run the script on all the hosts to be attached to the Satellite location.

  4. Save the attach script in case you attach more hosts to the location in the future. The token in the attach script is an API key, which must be treated and protected as sensitive information. See Maintaining the Satellite location.

Task 3: Assign the hosts to the control plane

To assign the hosts:

  1. From the Satellite Locations dashboard, click the name of your location.

  2. For each host, click the overflow menu (Overflow menu) and then select Assign. Assign one host to each zone.

Task 4: Create the connection secured with a Satellite location

To create the secure connection:

  1. In Cloud Pak for Data as a Service, go to the project page. Click the Assets tab.

  2. Click New asset > Connection.

  3. Select the connector.

  4. In the Create connection form, complete the connection details. The hostname or IP address and the port of the data source must be available from each host that is attached to the Satellite location.

  5. Click Reload, and then select the Satellite location that you created.

In the Satellite Locations dashboard in IBM Cloud, for each connection that you create, a link endpoint is created with Destination type Location, and Created by Connectivity in the Satellite location. The name of the user endpoint that is automatically added will look like ep-<XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>. To see which endpoint corresponds to the connection that you created in Cloud Pak for Data as a Service, check the Destination FQDN or IP and Destination port values in the endpoint details.

Maintaining the Satellite location

  • The host attach script expires one year from the creation date. To make sure that the hosts don't have authentication problems, download a new copy of the host attach script at least once per year.
  • Save the attach script in case you attach more hosts to the location in the future. If you generate a new host attach script, it detaches all the existing hosts.
  • Hosts can be reclaimed by detaching them from the Satellite location and reloading the operating system in the infrastructure provider.

Configure a Secure Gateway

The IBM Cloud Secure Gateway service provides a remote client to create a secure connection to a database that is not externalized to the internet. You can provision a Secure Gateway service in one service region and use it in service instances that you provisioned in other regions. After you create an instance of the Secure Gateway service, you add a Secure Gateway.

Important: Secure Gateway is deprecated by IBM Cloud. For information see Secure Gateway deprecation overview and timeline.
Note: Not all connections support Secure Gateway. If the connection supports Secure Gateway, the IBM Cloud Secure Gateway tile will be available in the Private Connectivity section of the Create connection form. Alternatively, you can filter all the connections that support Secure Gateway in the New connection page.

To configure a secure gateway:

  1. Configure a secure gateway from the Create connection screen:
    1. Click the IBM Cloud Secure Gateway tile.
    2. Click Create a new instance of Secure Gateway.

      Alternatively, from the main menu in Cloud Pak for Data as a Service, choose Services > Services catalog and then select Secure Gateway.
  2. Select a region and a pricing plan.
  3. Under Configure your resource, enter a service name and optional tags.
  4. Click Create.
  5. On the Services instances page, find the Secure Gateway service and click its name.
  6. Follow the instructions to add a gateway Adding a gateway. To maintain security for the connection, make sure that you configure the Secure Gateway to require a security token. Make sure you copy your Gateway ID and security token.
  7. From within your new gateway, on the Clients tab, click Connect Client to open the Connect Client pane.
  8. Select the client download for your operating system.
  9. Follow the instructions for installing the Client.
  10. Depending on the resource authentication protocol that you specify, you might need to upload a certificate. A destination is created when the connection is first established.
  11. In Cloud Pak for Data as a Service, go to the project page. Click the Assets tab. In the Private connectivity section, click Reload, and then select the secure gateway that you created.

Learn more

Parent topic: Adding data to a project

Generative AI search and answer
These answers are generated by a large language model in watsonx.ai based on content from the product documentation. Learn more