Securing your connection
With IBM Cloud Satellite, you bring IBM Cloud to your own infrastructure environment by creating a Satellite location. This setup means that you do not need IBM Cloud service endpoints to access IBM Cloud. Instead, IBM Cloud needs a Satellite Link endpoint to access your infrastructure environment. You can access services in your Satellite location by creating Satellite Link endpoints, using the cluster URL, or creating a route or similar service for workloads in a cluster.
Access to resources that run in your Satellite location
You can access the resources that run in your Satellite location in several ways, depending on what users need to access: service-instance clusters in your Satellite location, a resource in your Satellite location from the IBM private network, or an application workload in a cluster in your Satellite location.
Service-instance clusters
A cluster service URL is automatically created for any Satellite-enabled IBM Cloud service that you run in your location, such as a Red Hat OpenShift on IBM Cloud cluster. These URLs allow you to access your IBM Cloud service that runs in your location over the public network or from within your hosts' private network, depending on whether your location hosts have public and private or private only connectivity.
For example, when you create an IBM Cloud Satellite cluster, the cluster is accessible through a URL that consists of one of the subdomains for your location and a port, such as https://pacfd8bdae2d04696301d-6b64a6ccc9c596bf59a86625d8fa2202-ce00.us-east.satellite.appdomain.cloud:32200.
When you access your cluster, such as by using the ibmcloud oc cluster config --cluster <cluster_name_or_ID> --admin command or by getting a login token from the Red Hat OpenShift web console, this URL is automatically used for your connection to the cluster master. Note that if you use hosts that have private network connectivity only for your location, you must be connected to your hosts' private network, such as through VPN access, to connect to your cluster and access the Red Hat OpenShift web console.
For more information about connecting to services that run in your Satellite location by using the cluster service URL, see the documentation for that service, such as the Red Hat OpenShift on IBM Cloud documentation.
IBM private network access with Satellite Link
If you have a resource on the IBM private network that requires access to your Satellite location, you can create a location endpoint in Satellite Link.
Application workloads that run in clusters
To make your apps available, see the options for Exposing apps in Satellite clusters.
IBM Cloud access to your Satellite location
Default Satellite Link endpoints are created for your location's control plane cluster and for any other Satellite-enabled services that you run in your location. These default Satellite Link endpoints are accessible only from within the IBM Cloud private network.
The following table describes the Link endpoints that are automatically created in your Satellite location.
Name | Description | Type | Instances |
---|---|---|---|
satellite-healthcheck-<location_ID> | Allows the Satellite management plane to check the health of your location's control plane cluster. | Location | One per location |
satellite-containersApi | Allows your Satellite location to communicate with the IBM Cloud containers API. | Cloud | One per location |
satellite-cosCrossRegion-<location_ID> | Allows the control plane data of your Satellite location to be backed up to your IBM Cloud® Object Storage instance. Management plane data is backed up by IBM and stored in an IBM-owned Object Storage instance. Satellite cluster master data is backed up to the Object Storage instance that you own. | Cloud | One per location |
satellite-cosRegional-<location_ID> | Allows the control plane data of your Satellite location to be backed up to your IBM Cloud® Object Storage instance. Management plane data is backed up by IBM and stored in an IBM-owned Object Storage instance. Satellite cluster master data is backed up to the Object Storage instance that you own. | Cloud | One per location |
satellite-cosResConf-<location_ID> | Allows the control plane data of your Satellite location to be backed up to your IBM Cloud® Object Storage instance. Management plane data is backed up by IBM and stored in an IBM-owned Object Storage instance. Satellite cluster master data is backed up to the Object Storage instance that you own. | Cloud | One per location |
satellite-iam-<location_ID> | Allows requests to your Satellite location in IBM Cloud to be authenticated and user actions to be authorized by Identity and Access Management (IAM). | Cloud | One per Satellite location |
satellite-kpRegional-<location_ID> | Allows apps and services in the location to communicate with the IBM Key Protect service API. | Cloud | One per location |
satellite-logdna-<location_ID> | Allows logs for your Satellite location to be sent to your IBM® Log Analysis instance. | Cloud | One per location |
satellite-logdnaapi-<location_ID> | Allows your Satellite location to communicate with the IBM® Log Analysis API. | Cloud | One per Satellite location |
satellite-sysdig-<location_ID> | Allows metrics for your Satellite location to be sent to your IBM Cloud® Monitoring instance. | Cloud | One per location |
satellite-sysdigapi-<location_ID> | Allows your Satellite location to communicate with the IBM Cloud Monitoring API. | Cloud | One per Satellite location |
openshift-api-<cluster_ID> | Allows the Red Hat OpenShift on IBM Cloud API to communicate with the master for the service cluster. By default, your Red Hat OpenShift on IBM Cloud API Satellite Link endpoints are protected to accept traffic from only the IBM Cloud control plane. To access them, you must create a source list for your endpoint to be accessible from other sources. | Location | One per Satellite-enabled IBM Cloud service in your location |
These endpoints are used to manage and update your location and are enabled by default. If you disable any of these endpoints, your client services that are running on your Satellite location can be negatively impacted. To avoid issues, do not disable these endpoints.
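The following added example (not IBM's code) audits an endpoint inventory against the default names in the table, reporting defaults that are missing or disabled and openshift-api endpoints whose source list has widened access beyond the IBM Cloud control plane. The record fields (name, enabled, sources), the location and cluster IDs, and the sample inventory are assumptions constructed for illustration, not the output format of any IBM Cloud tool.

```python
# Default Link endpoint names from the table; {loc} stands for <location_ID>.
DEFAULT_TEMPLATES = [
    "satellite-healthcheck-{loc}", "satellite-containersApi",
    "satellite-cosCrossRegion-{loc}", "satellite-cosRegional-{loc}",
    "satellite-cosResConf-{loc}", "satellite-iam-{loc}",
    "satellite-kpRegional-{loc}", "satellite-logdna-{loc}",
    "satellite-logdnaapi-{loc}", "satellite-sysdig-{loc}",
    "satellite-sysdigapi-{loc}",
]

def expected_defaults(location_id, cluster_ids):
    """Names of the default endpoints for one location and its service clusters."""
    names = {t.format(loc=location_id) for t in DEFAULT_TEMPLATES}
    names |= {f"openshift-api-{cid}" for cid in cluster_ids}
    return names

def audit_endpoints(inventory, location_id, cluster_ids):
    """Compare an inventory (list of dicts, assumed schema) with the defaults."""
    expected = expected_defaults(location_id, cluster_ids)
    by_name = {e["name"]: e for e in inventory}
    present = expected & set(by_name)
    return {
        # Defaults that should exist but are absent from the inventory.
        "missing": sorted(expected - set(by_name)),
        # Defaults that exist but are switched off.
        "disabled": sorted(n for n in present if not by_name[n].get("enabled")),
        # openshift-api endpoints opened to extra sources: review each entry.
        "widened": sorted(n for n in present
                          if n.startswith("openshift-api-") and by_name[n].get("sources")),
        # Everything else was created by a user, not by Satellite.
        "user_defined": sorted(set(by_name) - expected),
    }

def sample_inventory():
    """Constructed sample: one default missing, one disabled, one widened."""
    loc, cid = "loc-example-001", "cluster-example-a"  # placeholder IDs
    inv = [{"name": n, "enabled": True, "sources": []}
           for n in expected_defaults(loc, [cid])
           if n != f"satellite-logdna-{loc}"]
    for e in inv:
        if e["name"] == f"satellite-iam-{loc}":
            e["enabled"] = False
        if e["name"] == f"openshift-api-{cid}":
            e["sources"] = ["192.0.2.0/24"]  # documentation address range
    inv.append({"name": "my-db-endpoint", "enabled": True, "sources": []})
    return inv, loc, [cid]

if __name__ == "__main__":
    inv, loc, cids = sample_inventory()
    for finding, names in audit_endpoints(inv, loc, cids).items():
        print(f"{finding}: {names}")
```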
For more information about Satellite Link endpoints and what kinds of access IBM Cloud has to your Satellite location, see Connecting Satellite locations with external services using Link endpoints.