Site-to-Site IPsec

A Site-to-Site IPsec VPN can be configured between the IBM Cloud environment and a customer site or third-party location. This type of VPN establishes a persistent tunnel between the two sites. Site-to-site VPNs are not configured by default. The setup and configuration of a site-to-site VPN can be complex and will require both IBM and the customer's network SMEs to work together. Initial VPN settings and shared parameters must first be agreed upon by both parties. Source and destination IPs must then be determined, along with the type and direction of traffic. The tunnel must be stood up, along with routing, IP address NAT, and applicable firewall rules on both sides. VPNs can take 2-4 weeks to design, set up, test and validate (from start to finish). Allow sufficient time for the VPN build when planning integrations or services that will depend on it for connectivity. SaaS customers must specifically request a VPN by submitting a case to the IBM Support Community.

Note:
Only one case is needed for VPN setup; it can cover configuration for multiple environments (DEV, TEST, PROD, etc.).

Note:
Bear in mind that a VPN may not be needed to establish certain types of connectivity. Some integration types can run over HTTPS and/or SFTP and may not require a VPN.

An example Site-to-Site IPsec VPN diagram is shown below.

In the above example, the firewall or router on each side needs to be configured so that the two can communicate with each other and allow specific traffic through. In this example, the traffic allowed through the VPN would be JDBC over a specific port. This would give the customer direct, read-only access to IBM SaaS databases.

Limitations

Configuration of one (1) site-to-site VPN (to a single customer endpoint or location) is included with the IBM Cloud subscription. This can be configured to support multiple integrations and environments (for example, it could support both SAP and PeopleSoft integrations to IBM SaaS DEV, TEST and PROD environments). Configuration of an additional VPN (i.e. an additional third-party endpoint or location) is available at added cost. An example of a two (2) VPN scenario is shown below. Contact your IBM Salesperson for details.

 
