IBM Cloud Docs
Enforcing private endpoints to configure IBM Cloud Metrics Routing resources

Enforcing private endpoints to configure IBM Cloud Metrics Routing resources

Use this tutorial to learn how to enforce the use of private endpoints to configure IBM Cloud Metrics Routing resources in your account.

You can configure your account to manage private and public endpoints by using the IBM Cloud Metrics Routing CLI, the IBM Cloud Metrics Routing REST API, and Terraform scripts.

Table 1. Configuration steps
Step Description Link
1 Check that your account is VRF enabled. link
2 Disable public endpoints. link
3 Check you have access to private endpoints. link

Prerequisites

  • You need a user ID that is a member, or an owner of, an IBM Cloud account. To get an IBM Cloud user ID, go to: Create an account.

  • If you prefer to work with the command line, you must install the IBM Cloud CLI. For more information, see Installing the IBM Cloud CLI. In addition, you must install the IBM Cloud Metrics Routing CLI plugin. For more information, see IBM Cloud Metrics Routing CLI.

  • Your user ID needs administrator platform permissions to manage the IBM Cloud Metrics Routing service. Contact the account owner. The account owner can grant another user access to the account for the purposes of managing user access, and managing account resources. Learn more.

Check your account is VRF enabled

By default, public endpoints are enabled in your account. To allow the usage of private endpoints in your account, you must enable the account for virtual routing and forwarding (VRF).

  • When using the classic infrastructure, you connect to resources in your account over the IBM Cloud public network by default. You can enable virtual routing and forwarding (VRF) to move IP routing for your account and all of its resources into a separate routing table. If VRF is enabled, you can then enable IBM Cloud service endpoints to connect directly to resources without using the public network. Enabling VRF and service endpoints.

  • Virtual Private Clouds (VPCs) are automatically enabled for virtual routing and forwarding (VRF). To enable service endpoints for your VPC, continue to Enabling service endpoints.

For example, to check if the account is VRF enabled, run the following command:

ibmcloud account show

To enable private endpoints, run the following command:

ibmcloud account update --service-endpoint-enable true

Disable public endpoints in the account

To disable public endpoints, run the following command:

ibmcloud metrics-router setting update --private-api-endpoint-only TRUE

Check you have access to private endpoints

After you disable public endpoints, you must configure IBM Cloud Metrics Routing within the private network.

For example, to configure IBM Cloud Metrics Routing in your account, you can provision a VPC VSI. Then, from a terminal, you can run cURL commands to create a target and a route.

For example, complete the following steps to provision a VPC VSI so that you can run cURL commands to create a target and a route in your account:

Deploying a VSI has additional costs.

  1. Generate an ssh key.

  2. Create a VSI in your account.

  3. Connect to the VSI from a terminal in your local environment.

  4. After you ssh into the VSI, install the IBM Cloud CLI. Run the following command:

    curl -fsSL https://clis.cloud.ibm.com/install/linux | sh

You can run the following command to check that you can access the private endpoints:

ping private.{region}.metrics-router.cloud.ibm.com

For example, you can run the following command to check access to the Dallas region:

ping private.us-south.metrics-router.cloud.ibm.com