Enable public and/or private service endpoints for IBM Cloud Databases




You may have noticed a small change in your IBM Cloud Databases UI—we recently released an update to all IBM Cloud Databases which allows you to enable public and/or private service endpoints for your database deployments. In this post, we’ll walk you through the setup.

IBM Cloud Databases recently released an update which integrates with IBM Cloud Service Endpoints.

The benefits of using private Service Endpoints include the following:

  1. They allow you to connect to other IBM Cloud Service Endpoint enabled products over the IBM Cloud network without requiring a routable IP address. This comes with increased security since traffic between your databases stays within the IBM Cloud network. Also, it allows you to create an internal interface for your IBM Cloud services that are accessible using internal network interfaces without requiring internet access to connect to IBM services.
  2. Inbound and outbound traffic on the private network is unlimited and not charged—previously, you’d be billed for egress bandwidth when talking to an IBM Cloud service.

This means that you now have the ability to have both private and public endpoints for your databases deployed on IBM Cloud. Service Endpoints are currently only available in IBM Cloud Multi-Zone Regions, so if your deployments are in Oslo 01, for example, you aren’t able to use private endpoints since it’s a Single-Zone Region. Deployments in all other regions are able to use Service Endpoints.

Public and private Service Endpoints are available to all customers using IBM Cloud Databases. Public Service Endpoints are what you’re given by default to connect to your databases. This allows you to connect securely to your databases over the public network via the internet. Private Service Endpoints, on the other hand, are different since they route your traffic to hardware dedicated to IBM Cloud Databases over the IBM Cloud private network. These Service Endpoints are not accessible from the public internet and an internet connection is not required to connect to your deployment.

Creating Service Endpoints for Cloud Databases

You can enable Service Endpoints on new and old Cloud Databases deployments from the IBM Cloud console and the Cloud Databases API. The Service Endpoints that are available when provisioning a Cloud Database are public (default), private, or public and private (except for Databases for MongoDB, which allows only either public or private Service Endpoints to be enabled). On Databases for MongoDB, once you’ve enabled either a public or private Service Endpoint after provisioning the database, you can’t change the Service Endpoint.

You can choose whether to add Service Endpoints from the IBM Cloud UI or using the IBM Cloud CLI. We’ll show you how to add them using both ways.

Databases Service Endpoints from the IBM Cloud UI

From the IBM Cloud UI, when selecting a Cloud Database for the first time, you’ll be directed to the database’s provisioning page. Here, you can now select the Service Endpoints that are supported for your deployment. The default Service Endpoint is through the public network, but for most deployments, you can select public, private, or both public and private Service Endpoints.

In this example, I’ve chosen to enable both public and private endpoints.

Once you’ve selected the Service Endpoint you’d like to use, as well as any other configuration that’s available for the database you’ve selected, click Create and your database will provision. After it’s been provisioned, click on the database from your IBM Cloud resources panel and you’ll see both the public and private endpoints visible in the Connections pane in your Cloud Database management console.

Select either the public or private endpoints from the Connections pane to get your database connection strings and credentials.

For deployments that have already been provisioned, you already have a public Service Endpoint created. However, if you’d like to add on a private Service Endpoint, you can do that from your Cloud Databases management console by selecting the Settings tab. From there, scroll down to the Service Endpoints panel, where you can toggle Private endpoints.

After that, click on Update Endpoints and a window will pop up to confirm that you’d like to add the Service Endpoint. Once it’s been added, you’ll also see two connections in your Connections panel: one for public endpoints and another for private endpoints like above.

Databases Service Endpoints from the IBM Cloud CLI

Creating a Cloud Databases deployment from the IBM Cloud CLI with Service Endpoints is also easy to do.

Once you’re logged into your IBM Cloud account and have requested that Service Endpoints are enabled, you can provision a Cloud Database that has public, private, or public and private endpoints. In the example below, I’ve given you the command to create an example Databases for PostgreSQL deployment called example-databases-for-postgresql with a private endpoint using the --service-endpoints option with private.

ibmcloud resource service-instance-create example-databases-for-postgresql \
  databases-for-postgresql standard us-south --service-endpoints private

If you wanted only a private Service Endpoint for your database, you’d use private. If you wanted only a public Service Endpoint, you’d use public or not designate an endpoint at all, and it would be public by default.

To update an existing Cloud Databases deployment using the IBM Cloud CLI, you’d use the following command:

ibmcloud resource service-instance-update example-databases-for-postgresql --service-endpoints public-and-private

Here, we’re using the service-instance-update command and our deployment name example-databases-for-postgresql in order to give both public and private Service Endpoints to the database.

Viewing Cloud Databases Service Endpoints with the IBM Cloud API

Using the Cloud Databases API, you can view the Service Endpoints connection strings and credentials of your Cloud Databases. The documentation provides an example of the required parameters you’ll need to create the endpoint. Essentially, this is the endpoint that you will need to use:

/deployments/{id}/users/{userid}/connections/{endpoint_type}

So, running something like the following in your terminal would give you the private Service Endpoint for your given deployment:

curl -sS -XPOST \
  "https://api.us-south.databases.cloud.ibm.com/v4/ibm/deployments/<deployment CRN>/users/admin/connections/private" \
  -H "Authorization: Bearer <IBM API TOKEN>"
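
The {id} segment in the path above is the deployment CRN, which contains ':' and '/' characters, so it has to be percent-encoded to remain a single path segment. The following is an added example, not part of the original post: a shell helper that encodes the CRN, accepts only public or private as endpoint_type, and builds the request URL. The sample CRN is constructed, and the function names and the IBMCLOUD_IAM_TOKEN variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the connections URL
# /deployments/{id}/users/{userid}/connections/{endpoint_type} safely.

# Constructed sample CRN (not a real deployment).
SAMPLE_CRN='crn:v1:bluemix:public:databases-for-postgresql:us-south:a/0123456789abcdef0123456789abcdef:00000000-0000-0000-0000-000000000000::'

# Percent-encode every byte except RFC 3986 unreserved characters.
# Runs in a subshell so the LC_ALL change does not leak to the caller.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character itself
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

# connections_url REGION CRN USERID ENDPOINT_TYPE  (hypothetical helper)
connections_url() {
  case $4 in
    public|private) ;;
    *) echo "endpoint_type must be 'public' or 'private', got '$4'" >&2
       return 2 ;;
  esac
  printf 'https://api.%s.databases.cloud.ibm.com/v4/ibm/deployments/%s/users/%s/connections/%s\n' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$4"
}

# Same request as the curl command above. The token is read from the
# environment (IBMCLOUD_IAM_TOKEN is an assumed variable name) so it is
# not typed into the command line or saved in shell history.
fetch_connection() {
  url=$(connections_url "$@") || return
  curl -sS -XPOST "$url" \
    -H "Authorization: Bearer ${IBMCLOUD_IAM_TOKEN:?export IBMCLOUD_IAM_TOKEN first}"
}

# Print the URL for the constructed sample; no network call is made here.
connections_url us-south "$SAMPLE_CRN" admin private
```

Calling fetch_connection with the same four arguments sends the request; an unencoded CRN would otherwise split the path at the '/' inside the account segment.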