Using Virtual Private Endpoints with Code Engine

All IBM Cloud® Code Engine projects offer integration with IBM Cloud® Virtual Private Endpoints (VPE) for Virtual Private Cloud (VPC). This support gives you the ability to connect from your VPC network to Code Engine applications or functions by using the IP addresses of your choosing, which are allocated from a subnet within your VPC.

With Code Engine, you can use the following types of VPEs:

Private endpoints provide a connection to your project resources, applications, or functions on the IBM Cloud Private network. When you connect through a virtual private endpoint, all traffic is routed to hardware that is dedicated to Code Engine applications and remains on the IBM Cloud Private network. There are no additional charges for traffic to and from this endpoint, on the condition that the traffic remains in IBM Cloud.

A Code Engine project is automatically configured with both a public and a virtual private endpoint.

You can control the visibility of Code Engine applications and functions and specify whether to expose them to public or private endpoints. An application or function that is configured for the private network can be accessed through the VPE or by other Code Engine applications or functions. Traffic to applications or functions that are accessed through the VPE does not leave the IBM Cloud network.

Using your VPE to manage project resources securely

Before you begin, you must have an IBM Cloud account.

  1. Create an IBM Cloud® Virtual Private Cloud. Follow the Getting started instructions.

  2. Make sure that your VPC has at least one VSI (virtual server instance) and can connect to the VSI. You can use the VPC console, CLI, and API to provision a VSI from the IBM Cloud® Virtual Private Cloud page in the IBM Cloud console.

    1. Create an SSH key to access the VSI.
    2. Create a virtual server instance by using the console.
    3. Reserve a floating IP address so your instance is reachable from the internet.
    4. Connect to your VSI.
  3. In the IBM Cloud console, click the Menu icon and select VPC Infrastructure -> Network -> Virtual private endpoint gateways. Create a VPE for the regional Code Engine endpoint api.<region>.codeengine.cloud.ibm.com by completing this instruction.

  4. After you create your VPE, it might take a few minutes for the new VPE and private DNS (pDNS) to complete the process and begin working for your VPC. Completion is confirmed when you see an IP address set in the details view of the VPE.

  5. SSH into your VSI and use root@. For example, ssh root@<VSI_floating_IP_address>.

  6. To access Code Engine resources from within the VSI, set up your Code Engine CLI environment. Make sure your IBM Cloud CLI is connected to private.cloud.ibm.com.

  7. Specify a Code Engine project to use the private endpoint. To create a project, use the ibmcloud ce project create command with the --endpoint=private option.

    ibmcloud ce project create --name myproject --endpoint=private
    

    Wait until the project is in active status. With the CLI, you can confirm the project status by using the ibmcloud ce project get command.

    If you want an existing Code Engine project to use the private endpoint, use the ibmcloud ce project select command with the --endpoint=private option.

    ibmcloud ce project select --name myproject --endpoint=private
    

    For the project create and project select commands, if the --endpoint option is not explicitly specified, the behavior is determined by the system. If the IBM Cloud CLI is connected to private.cloud.ibm.com, the Code Engine project behaves as if --endpoint is private. If the IBM Cloud CLI is connected to cloud.ibm.com, the Code Engine project behaves as if --endpoint is public.

  8. If you did not create a new project and you selected an existing project, and you want your app or function to be visible only to the private endpoint, confirm the existing project supports applications with private visibility. Use the ibmcloud ce project get command to verify the output for Application Private Visibility Supported is set to true. If the value is false, contact IBM support to enable this capability within your existing project.

    ibmcloud ce project get -n myproject
    

    Example output

    Getting project 'myproject'...
    OK
    
    Name:                                      myproject  
    ID:                                        abcdabcd-abcd-abcd-abcd-f1de4aab5d5d
    Status:                                    active  
    Enabled:                                   true  
    Application Private Visibility Supported:  false  
    Selected:                                  true  
    Region:                                    us-south 
    Resource Group:                            default
    Service Binding Service ID:                ServiceId-1234abcd-abcd-abcd-1111-1a2b3c4d5e6f
    Age:                                       52d
    Created:                                   Tue, 28 Sep 2021 05:12:16 -0500  
    Updated:                                   Tue, 28 Sep 2021 05:12:19 -0500  
    
    Quotas:    
    Category                                  Used  Limit  
    App revisions                             1     60  
    Apps                                      1     20  
    Build runs                                1     100  
    Builds                                    2     100  
    Configmaps                                2     100  
    CPU                                       0     64  
    Ephemeral storage                         0     256G  
    Instances (active)                        0     250  
    Instances (total)                         0     2500  
    Job runs                                  0     100  
    Jobs                                      0     100  
    Memory                                    0     256G  
    Secrets                                   6     100  
    Subscriptions (cron)                      0     100  
    Subscriptions (IBM Cloud Object Storage)  0     100  
    Subscriptions (Kafka)                     0     100
    
  9. Create an application that is only visible to the private endpoint. Use the ibmcloud ce application create command with the --visibility=private option. Alternatively, you can use the console to create an app or update an existing app and set the visibility of your app.

    ibmcloud ce application create -n myapp --visibility=private
    

You have now configured and set up your virtual private endpoint to manage project resources. If you want to control which app to expose to the private endpoint, you can set up a VPE to access your application.
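
The check from step 8 can be scripted so that a deployment stops when the project is not active or does not support private visibility. The following is an added example, not part of the original IBM documentation; the function names `ce_field` and `ce_project_private_ready` are hypothetical, and the sample text is constructed from the example output shown above.

```shell
#!/bin/sh
# Added example (not IBM tooling): gate on `ibmcloud ce project get` output.

# Print the value of one "Key:   value" field from the text on stdin.
# Leading indentation is ignored; a missing field prints nothing.
ce_field() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
        }
        index(line, key ":") == 1 {
            val = substr(line, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
            exit
        }'
}

# Return 0 only if the project is active AND supports private visibility.
# A field that is absent from the output counts as "not ready".
ce_project_private_ready() {
    out=$1
    status=$(printf '%s\n' "$out" | ce_field "Status")
    supported=$(printf '%s\n' "$out" | ce_field "Application Private Visibility Supported")
    [ "$status" = "active" ] && [ "$supported" = "true" ]
}

# Constructed sample, trimmed from the example output on this page.
SAMPLE_UNSUPPORTED='Name:                                      myproject
Status:                                    active
Application Private Visibility Supported:  false
Region:                                    us-south'

# On the VSI, pass the real output instead:
#   ce_project_private_ready "$(ibmcloud ce project get -n myproject)"
if ce_project_private_ready "$SAMPLE_UNSUPPORTED"; then
    echo "project ready for --visibility=private"
else
    echo "project not ready: wait for active status or contact IBM support"
fi
```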

Using your VPE to access an app securely

Before you begin, you must have an IBM Cloud account.

You can only use your VPE to access your app with a private endpoint if your selected project supports application private visibility. To confirm if the project supports application private visibility, use the ibmcloud ce project get command to verify the output for Application Private Visibility Supported is set to true.

  1. Create an IBM Cloud® Virtual Private Cloud. Follow the Getting started instructions.

  2. Make sure that your VPC has at least one VSI (virtual server instance) and can connect to the VSI. You can use the console, CLI, and API to quickly provision Virtual server instances from the IBM Cloud® Virtual Private Cloud page in the IBM Cloud console.

    1. Create an SSH key to access the VSI.
    2. Create a virtual server instance by using the UI.
    3. Reserve a floating IP address so your instance is reachable from the internet.
    4. Connect to your VSI.
  3. From your Code Engine project, confirm that your application is configured with a visibility=private setting. See Deploying your app with a private endpoint.

  4. In the IBM Cloud console, click the Menu icon and select VPC Infrastructure -> Network -> Virtual private endpoint gateways. Create a VPE for the regional Code Engine endpoint for the specific project that you are using for private application visibility by completing this instruction. This project is listed in the table with its endpoint in the format, *.<uuid>.private.<region>.codeengine.appdomain.cloud.

  5. After you create your VPE, it might take a few minutes for the new VPE and private DNS (pDNS) to complete the process and begin working for your VPC. Completion is confirmed when you see an IP address set in the details view of the VPE.

  6. Retrieve the URL of the Code Engine application that is exposed to the private network. The URL is in the following format: <app>.<uuid>.private.<region>.codeengine.appdomain.cloud. From the Code Engine console, go to the Domain mappings tab for your application to view the visibility of an app and its available URLs. From the Code Engine CLI, you can use the ibmcloud ce application get command with the --output url option. Because the visibility of the myapp application is set to visibility=private, specifying --output url with this command outputs the URL to the private network.

    ibmcloud ce application get -n myapp --output url
    

    Example output

    http://myapp.4svg40kna19.private.us-south.codeengine.appdomain.cloud
    
  7. You can now use your instance in the VSI. Call the application. The myapp application is a simple Hello World application. When you curl the myapp app, Hello World is returned.

    curl http://myapp.4svg40kna19.private.us-south.codeengine.appdomain.cloud
    

Using your VPE to access a function securely

Before you begin, you must have an IBM Cloud account.

You can only use your VPE to access your function with a private endpoint if your selected project supports function private visibility. To confirm if the project supports function private visibility, use the ibmcloud ce project get command to verify the output for Application Private Visibility Supported is set to true.

  1. Create an IBM Cloud® Virtual Private Cloud. Follow the Getting started instructions.

  2. Make sure that your VPC has at least one VSI (virtual server instance) and can connect to the VSI. You can use the console, CLI, and API to quickly provision Virtual server instances from the IBM Cloud® Virtual Private Cloud page in the IBM Cloud console.

    1. Create an SSH key to access the VSI.
    2. Create a virtual server instance by using the UI.
    3. Reserve a floating IP address so your instance is reachable from the internet.
    4. Connect to your VSI.
  3. From your Code Engine project, confirm that your application is configured with a visibility=private setting. See Deploying your app with a private endpoint.

  4. In the IBM Cloud console, click the Menu icon and select VPC Infrastructure -> Network -> Virtual private endpoint gateways. Create a VPE for the regional Code Engine endpoint for the specific project that you are using for private application visibility by completing this instruction. This project is listed in the table with its endpoint in the format, *.<uuid>.private.<region>.codeengine.appdomain.cloud.

  5. After you create your VPE, it might take a few minutes for the new VPE and private DNS (pDNS) to complete the process and begin working for your VPC. Completion is confirmed when you see an IP address set in the details view of the VPE.

  6. Retrieve the URL of the Code Engine function that is exposed to the private network. The URL is in the following format: <function>.<uuid>.private.<region>.codeengine.appdomain.cloud. From the Code Engine console, go to the Domain mappings tab for your function to view the visibility of your function and its available URLs. From the Code Engine CLI, you can use the ibmcloud ce function get command. Because the visibility of the myfunction is set to visibility=private, this command displays the URL to the private network.

    ibmcloud ce function get -n myfunction
    

    Example output

    http://myfunction.1abc23def19.private.us-south.codeengine.appdomain.cloud
    

You can now use your instance in the VSI.
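
Before relying on the private path for an app or a function, you can confirm on the VSI that the URL has the private format described in both procedures above and that its name resolves to an address inside the VPC. The following is an added example, not part of the original IBM documentation; the function names are hypothetical, the IP addresses are constructed, and it assumes that the subnet holding the VPE's reserved IP uses RFC 1918 address space.

```shell
#!/bin/sh
# Added example: verify a Code Engine URL is a private-visibility URL and
# that the address it resolved to is private, not a public address.

# Strip scheme, path and port from a URL, leaving the hostname.
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s\n' "$h"
}

# 0 if host matches <name>.<uuid>.private.<region>.codeengine.appdomain.cloud
is_private_ce_host() {
    printf '%s\n' "$1" | grep -Eq \
      '^[a-z0-9-]+\.[a-z0-9]+\.private\.[a-z0-9-]+\.codeengine\.appdomain\.cloud$'
}

# 0 if the IPv4 address is in 10/8, 172.16/12 or 192.168/16.
# Assumption: the VPC subnet used by the VPE is RFC 1918 space.
is_rfc1918() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.*) o=${1#172.}; o=${o%%.*}
               [ "$o" -ge 16 ] 2>/dev/null && [ "$o" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# Combine both checks. $2 is the address the name resolved to on the VSI,
# for example: getent hosts "$(url_host "$url")" | awk '{print $1; exit}'
# Returns 1 for a non-private URL, 2 for a public address, 0 otherwise.
check_private_endpoint() {
    host=$(url_host "$1")
    is_private_ce_host "$host" || { echo "not a private URL: $host"; return 1; }
    is_rfc1918 "$2" || { echo "$host resolves to public address $2"; return 2; }
    echo "ok: $host -> $2"
}

# Constructed inputs: the URL is this page's example; both IPs are made up.
APP_URL="http://myapp.4svg40kna19.private.us-south.codeengine.appdomain.cloud"
check_private_endpoint "$APP_URL" 10.240.0.7
check_private_endpoint "$APP_URL" 203.0.113.9 || true
```

A public address in the second position usually means that the VPE or its private DNS entry is not yet active for the VPC, which matches the wait described in step 5.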