To connect to a database that is not externalized to the internet (for example, behind a firewall), you must select a Satellite Link or a Secure Gateway.
Set up a Satellite Link
Use the Satellite Link feature of IBM Cloud Satellite to securely connect to a Satellite location that you configure for your IBM Cloud account. The connection uses the Satellite location to form the Satellite Link to the data source.
Requirements and restrictions
- Required permissions
- You must be the Admin in the IBM Cloud account to do the tasks in IBM Cloud.
- Required host systems
- You need at least three computers or virtual machines in your own infrastructure to act as Satellite hosts. Confirm the host system requirements. (The IBM Cloud docs instructions for additional features such as Red Hat OpenShift clusters and Kubernetes are not required.)
Setting up a Satellite Link
To set up a Satellite Link, you first configure the Satellite location in IBM Cloud. Then users can create connections in Cloud Pak for Data as a Service that are secured by Satellite Link.
Task 1: Create a Satellite location
The Satellite location is your own infrastructure behind a firewall. To use Satellite Link to connect to data sources in Cloud Pak for Data as a Service, you need three computers or virtual machines. To create the Satellite location:
- Access the Create a Satellite location setup page in IBM Cloud from one of these places:
  - Log in to IBM Cloud, and select Create a Satellite location.
  - In Cloud Pak for Data as a Service:
    - Go to the project page. Click Assets > New asset > Data access tools > Connection.
    - Select the connector.
    - In the Create connection page, scroll down to the Private connectivity section, and click Satellite Link > New Satellite location, and then log in to IBM Cloud.
These instructions follow the On-premises & edge template. Depending on your infrastructure, you can select a different template. Refer to the template's linked instructions and the information at Understanding Satellite location and hosts in the IBM Cloud docs.
Click Edit to modify the Satellite location information:
Name: You can use this field to differentiate between different networks such as my US East network or my
The Tags and Description fields are optional.
Managed from: Select the IBM Cloud region that is closest to where your host machines physically reside.
Resource group: is set to
Zones: IBM automatically spreads the control plane instances across three zones within the same IBM Cloud multizone metro. For example, if you manage your location from the wdc metro in the US East region, your Satellite location control plane instances are spread across the us-east-1, us-east-2, and us-east-3 zones. This zonal spread ensures that your control plane is available, even if one zone becomes unavailable.
Red Hat CoreOS: Do not select this option. Leave it cleared or as No.
Object storage: Click Edit to enter the exact name of an existing IBM Cloud Object Storage bucket that you want to use to back up Satellite location control plane data. Otherwise, a new bucket is automatically created in an Object Storage instance in your account.
Review your order details, and then click Create location.
A location control plane is deployed to one of the zones that are located in the IBM Cloud region that you selected. The control plane is ready for you to attach hosts to it.
Task 2: Attach the hosts to the Satellite location
Attach three hosts that conform to the host requirements to the Satellite location.
Important considerations for Satellite Link hosts
- Satellite hosts are dedicated servers and cannot be shared with other applications. You cannot log in to a host via SSH. The root password will be changed.
- You need only three hosts.
- Worker nodes are not required. Only control plane hosts are needed.
- The Red Hat OpenShift Container Platform (OCP) is not needed.
- Container Linux CoreOS Linux is not needed.
- Hosts connect to IBM Cloud with the TLS protocol.
To attach the hosts to the Satellite location:
From the Satellite Locations dashboard, click the name of your location.
Click Attach Hosts to generate and download a script.
Run the script on all the hosts to be placed in the Satellite location.
Save the attach script in case you attach more hosts to the location in the future. The token in the attach script is an API key, which must be treated and protected as sensitive information. See Maintaining the Satellite Link.
Task 3: Assign the hosts to the control plane
To assign the hosts:
From the Satellite Locations dashboard, click the name of your location.
For each host, click the overflow menu and then select Assign. Assign one host to each zone.
Task 4: Create the connection secured with Satellite Link
Users in projects in Cloud Pak for Data as a Service can now create connections that are secured by Satellite Link. To create a secure connection:
Go to the project page. Click Assets > New asset > Data access tools > Connection.
Select the connector.
In the Create connection form, complete the connection details. The hostname or IP address and the port of the data source must be available from each host that is attached to the Satellite location.
Click Reload, and then select the Satellite location that you created.
Satellite Link forms the bridge between Cloud Pak for Data as a Service and the data source.
In the Satellite Locations dashboard, for each connection that you create by using a Satellite Link, a link endpoint is created with Destination type Location, and Created by Connectivity in the Satellite location.
Maintaining the Satellite Link
- The host attach script expires one year from the creation date. To make sure that the hosts don't have authentication issues, download a new copy of the host attach script at least once per year.
- Save the attach script in case you attach more hosts to the location in the future. If you generate a new host attach script, it detaches all the existing hosts.
- Hosts can be reclaimed by detaching them from the Satellite location and reloading the operating system in the infrastructure provider.
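The following added example (not part of the IBM documentation or IBM tooling) audits a saved copy of the host attach script for the two points above: the file holds an API key, so only its owner should be able to read it, and it expires one year after creation. The function names, the 30-day warning window, the 365-day reading of "one year", and the use of file modification time as the creation date are assumptions.

```python
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone

# The page states that the attach script expires one year from its creation date.
SCRIPT_LIFETIME = timedelta(days=365)  # assumption: "one year" taken as 365 days
WARN_WINDOW = timedelta(days=30)       # assumption: local policy, not an IBM value


def audit_attach_script(path, now=None):
    """Return a list of findings for a saved Satellite host attach script."""
    now = now or datetime.now(timezone.utc)
    st = os.stat(path)
    findings = []

    # The script embeds an API key, so only the owner should have access.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("permissions: mode %o allows group/other access; use 0600"
                        % stat.S_IMODE(st.st_mode))

    # Assumption: file mtime approximates the date the script was generated.
    created = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    expires = created + SCRIPT_LIFETIME
    if now >= expires:
        findings.append("expired: script token expired on %s" % expires.date())
    elif expires - now <= WARN_WINDOW:
        findings.append("expiring: %d days left" % (expires - now).days)
    return findings


def make_sample(mode, age_days):
    """Create a constructed stand-in file; it contains no real token."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    os.write(fd, b"#!/bin/sh\n# constructed sample, placeholder token\n")
    os.close(fd)
    os.chmod(path, mode)
    ts = (datetime.now(timezone.utc) - timedelta(days=age_days)).timestamp()
    os.utime(path, (ts, ts))
    return path


if __name__ == "__main__":
    for mode, age in [(0o600, 10), (0o644, 350), (0o600, 400)]:
        p = make_sample(mode, age)
        print(oct(mode), age, audit_attach_script(p))
        os.remove(p)
```

If the copy was moved or edited after download, record the generation date separately, because the modification time no longer reflects it.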
Configure a Secure Gateway
The IBM Cloud Secure Gateway service provides a remote client to create a secure connection to a database that is not externalized to the internet. You can provision a Secure Gateway service in one service region and use it in service instances that you provisioned in other regions. After you create an instance of the Secure Gateway service, you add a Secure Gateway.
To configure a secure gateway:
- Configure a secure gateway from the Create connection screen:
- Select Secure Gateway.
- Click New Secure Gateway and then Create Secure Gateway. Otherwise, from the main menu, choose Services > Services catalog and then select Secure Gateway.
- Select a service plan and click Create.
- On the Services instances page, find the Secure Gateway service and click its name.
- Follow the instructions in Adding a gateway to add a gateway. To maintain security for the connection, make sure that you configure the Secure Gateway to require a security token. Make sure you copy your Gateway ID and security token.
- From within your new gateway, on the Clients tab, click the Connect Client button to open the Connect Client pane.
- Select the client download for your operating system.
- Follow the instructions to install and configure the client.
- Depending on the resource authentication protocol that you specify, you might need to upload a certificate. A destination is created when the connection is first established.
- Go back to the Create connection page. In the Private connectivity section, click Reload, and then select the secure gateway that you created.