August 31, 2023
To ensure data privacy and reliable access, it’s crucial to establish secure connections between networks and resources. However, with the countless connections we create, it becomes a hassle to maintain them.
Luckily, you can now optimize your VPN connections with IBM’s VPN offerings: Client-to-Site VPN and Site-to-Site VPN. While you can learn more about these offerings here, feel free to follow the instructions provided in this blog post to connect to your IBM Cloud and on-premises environments using a single Client-to-Site VPN connection.
The use case is visually depicted in Figure 1 below. End users connect to the VSIs in their IBM Cloud VPC and to the Instances and DBs in their on-premises environment using a single Client-to-Site VPN connection:
This optimized architecture requires that a Client-to-Site VPN server and a Site-to-Site VPN gateway first be deployed in your IBM Cloud account.
Prerequisites
- An IBM Cloud account with a VPC and at least one VSI deployed in the VPC to validate the VPN connection.
- Necessary IAM permissions, Security Groups and ACLs in place to create VPN gateway(s) and other required resources.
- Peer device information from the on-premises location along with pertinent Subnet CIDR information.
- OpenVPN client installed on your local laptop, which will be used to validate the VPN connectivity.
Summary of the steps to set up the two VPNs in tandem
First, we’ll create a Site-to-Site VPN and then a Client-to-Site VPN. Once deployed, we’ll create routes and set up authentication and service-to-service authorization to connect the VPNs together. Finally, we’ll install OpenVPN on the laptop and validate connectivity to both IBM Cloud and the on-premises environment. We’ll go into each of these steps in more detail below.
Create the Site-to-Site VPN gateway
Before you begin this step, make sure you have the Peer Gateway and Preshared Key from your on-premises environment at hand along with any IKE and IPsec policies that you intend to use.
Log in to the IBM Cloud Catalog, search for “VPN” and select VPN for VPC. Choose Site-to-site gateways and select the location where you would like to deploy the gateway (along with all the required input parameters). You must choose the Route-based option for the VPN tunnel.
Click on the Create VPN gateway button on the right-hand side of the page. This creates the VPN connection to connect your IBM Cloud with your on-premises data center. Once the gateway is successfully created, it should show as active on the IBM Cloud portal. At this time, the connection is ready for the routes to be set up to route traffic from IBM Cloud to your on-premises environment.
For step-by-step guidance on creating a Site-to-Site VPN gateway, click here.
Create the Site-to-Site VPN routes
Now that the VPN connection is in place, we’ll create VPN routes to define egress routes from IBM Cloud VPC to your on-premises router. Navigate to the VPC Routing Tables to create a new Routing Table or use an existing one to create your VPN route. Input all the required fields. For example:
- Destination subnet: CIDR from on-premises
- Action: Deliver
- Next hop type: VPN connection
- VPN gateway: The VPN gateway that was just created
- VPN connection: Connection name that was provided while creating the VPN gateway
Detailed instructions on creating and managing routes can be found here.
Important: Once the routes are created, do not forget to attach the source subnet(s) in the VPC to the routing table.
You should now have a VPN connection with routing established between your IBM Cloud VPC and your on-premises environment. This flow is indicated in red in Figure 1 above.
Configure authorization and authentication
Before we create a Client-to-Site VPN connection, we must generate client and server certificates and store them in IBM Cloud Secrets Manager. Follow the steps here to generate certificates and import them into the Secrets Manager.
To enable the VPN to access the certificates from the Secrets Manager, a service-to-service authorization for the VPN Server and IBM Cloud Secrets Manager needs to be established as described here.
Create the Client-to-Site VPN server
Log in to the IBM Cloud Catalog, search for VPN and select VPN for VPC. Choose Client-to-site servers and select the location where you would like to deploy the server (along with all the required input parameters). For this article, we have chosen a standalone configuration. Choose a desired CIDR range for the Client IPv4 address pool so that IPs can be assigned to client connections from this range. Input all the mandatory fields in the Subnets section.
Next, configure the Server and Client Authentications. Select Server and Client Certificates that were added to Secrets Manager from the previous steps in this article. For added security, you can optionally choose User ID and passcode. Finally, you must ensure that the Security Group rules are configured appropriately to allow VPN traffic into the subnet.
While the rest of the input parameters are optional in this form, choose the Full tunnel option to allow all traffic to flow through the VPN interface and into the VPN tunnel. Click on the Create VPN server button on the right-hand side of the page.
Create the Client-to-Site VPN routes
Once the connection shows active on the Portal, you must create two routes—one to allow end-user access to resources within the VPC and one to allow end-user access to the remote/on-premises network. Click here to learn how to create routes. This flow is indicated using solid green and red dashed lines in the VPC in the above diagram.
Configure the client profiles
Lastly, download the client profile from your VPN server. On your VPN server in the IBM Cloud portal, navigate to the Clients tab and click on the Download client profile button. Append the Client certificate and Private Key to the Client Profile .ovpn file.
Detailed instructions to set up the client VPN environment to connect to a VPN server can be found here.
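The "append the client certificate and private key to the .ovpn file" step above, as an added shell example that is not code from the IBM post: it appends the two files as inline `<cert>` and `<key>` blocks (the form the OpenVPN client reads), refuses to append them twice, and checks that the finished profile carries every directive the client needs. The profile, certificate and key contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM post: assemble an OpenVPN client profile by
# appending the client certificate and private key as inline <cert>/<key>
# blocks, then sanity-check it before handing it to the OpenVPN client.

# append_client_creds PROFILE CERT_FILE KEY_FILE
# Appends inline <cert> and <key> blocks to PROFILE; refuses to add a second
# copy if the profile already carries them.
append_client_creds() {
    profile="$1"; cert="$2"; key="$3"
    if grep -q '^<cert>' "$profile" || grep -q '^<key>' "$profile"; then
        echo "$profile already contains inline cert/key, not appending" >&2
        return 1
    fi
    {
        printf '<cert>\n'; cat "$cert"; printf '</cert>\n'
        printf '<key>\n';  cat "$key";  printf '</key>\n'
    } >> "$profile"
    chmod 600 "$profile"   # the profile now holds a private key
}

# check_profile PROFILE: succeeds only if every directive the client needs
# (client mode, remote server, CA, client cert, client key) is present.
check_profile() {
    for needle in '^client' '^remote ' '^<ca>' '^<cert>' '^<key>'; do
        grep -q "$needle" "$1" || { echo "missing directive: $needle" >&2; return 1; }
    done
}

# make_sample_dir: writes a constructed profile, cert and key into a temp
# directory and prints its path. The PEM bodies are placeholders, not real keys.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.invalid 443' \
        '<ca>' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' \
        '-----END CERTIFICATE-----' '</ca>' > "$d/client.ovpn"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT-CERT' \
        '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-CLIENT-KEY' \
        '-----END PRIVATE KEY-----' > "$d/client.key"
    echo "$d"
}

# Usage: sh assemble_profile.sh client.ovpn client.crt client.key
if [ $# -eq 3 ]; then
    append_client_creds "$1" "$2" "$3" && check_profile "$1"
fi
```

The resulting file contains the private key, so keep it at mode 600 and delete it once the OpenVPN client has imported it.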
Configure the OpenVPN client and validate connectivity
You will need a VPN client to access your IBM Cloud and on-premises environment. Depending on your local operating system, you can download and install an appropriate VPN client from here. Once installed, launch the OpenVPN client and connect to the OpenVPN profile that was configured in the previous steps to connect to the VPC.
This VPN connection allows users to connect to their VPC in IBM Cloud as well as their on-premises environment using IBM Cloud VPN offerings. You can validate successful client connections by navigating to the Clients tab on the VPN server in your IBM Cloud portal.
Learn more
Learn more about IBM Cloud VPC
- Source: https://www.ibm.com/blog/accessing-your-on-premises-network-and-ibm-cloud-vpc-using-a-single-vpn-connection/