0 / 0
Securing connections
Securing connections

Securing connections

To connect to a database that is not externalized to the internet (for example, behind a firewall), you must select a Satellite Link or a Secure Gateway.

Set up a Satellite Link

With a Satellite Link in Cloud Pak for Data as a Service, you can securely connect to Satellite locations you configure in a distributed cloud environment for your IBM Cloud account. First, you create a Satellite location for your account in IBM Cloud. As part of the setup, you attach and assign three or more hosts to the Satellite location, and then assign the hosts to run IBM Cloud services. A host represents a compute machine in your own infrastructure, such as an on-premises data center or another cloud provider.

Satellite hosts are dedicated servers. They are not generally accessible and cannot be shared with other applications. Hosts can be reclaimed by detaching them from the Satellite location and reloading the host machine in the infrastructure provider.

You do not need IBM Cloud service endpoints for accessing IBM Cloud on a Satellite location. Instead, you configure a Satellite Link endpoint to access your infrastructure environment. Other users with access to your IBM Cloud account can use the Satellite location. Access to IBM Cloud Satellite service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). For information, see Managing access.

To set up a Satellite Link:

  1. Open the Create a Satellite location Setup page in IBM Cloud from one of these places:

    • Log in to IBM Cloud, and select Create a Satellite location.
    • In Cloud Pak for Data as a Service, from the Create connection page for the data source, go to the Private connectivity section, and click Satellite Link.
  2. Select Amazon Web Services, Azure, or Manual setup.

  3. Follow the guided setup pages in IBM Cloud to create a Satellite location. For an introduction, see IBM Cloud docs: Getting started with IBM Cloud Satellite. It can take up to two hours to complete the Satellite location setup.

    Note: Satellite Link for Cloud Pak for Data as a Service does not require worker nodes. Only control plane hosts are needed for a Satellite Link.

  4. Attach control plane hosts to the Satellite location. You must download and run a script on each host that you attach to the Satellite location. Hosts connect to IBM Cloud with the TLS protocol.

    Information on planning your Satellite environment and host requirements:

  5. Go back to Cloud Pak for Data as a Service. In the Create connection form complete the connection details. The host or IP address and the port of the data source must be available from each host that is attached to the Satellite location.

  6. Click Reload, and then select the Satellite location that you created.

For each connection that you create by using a Satellite Link, a link endpoint is created with Destination type Location, and Created by Connectivity in the Satellite location.

Configure a Secure Gateway

The IBM Cloud Secure Gateway service provides a remote client to create a secure connection to a database that is not externalized to the internet. You can provision a Secure Gateway service in one service region and use it in Watson Studio instances that you provisioned in other regions. After you create an instance of the Secure Gateway service, you add a Secure Gateway.

To configure a secure gateway:

  1. Configure a secure gateway from the Create connection screen:
    1. Select Secure Gateway.
    2. Click New Secure Gateway and then Create Secure Gateway.
      Otherwise, from the main menu, choose Services > Services catalog and then select Secure Gateway.
  2. Select a service plan and click Create.
  3. On the Services instances page, find the Secure Gateway service and click its name.
  4. Follow the instructions to add a gateway Adding a gateway. Make sure you copy your Gateway ID and security token.
  5. From within your new gateway, on the Clients tab, click the Connect Client button to open the Connect Client pane.
  6. Select the client download for your operating system.
  7. Follow the instructions to install and configure the client.
  8. Depending on the resource authentication protocol that you specify, you might need to upload a certificate. A destination is created when the connection is first established.
  9. Go back to the Create connection page. In the Private connectivity section, click Reload, and then select the secure gateway that you created.

Learn more

Parent topic: Adding data to a project