IBM Cloud Virtual Private Cloud
Deep Dive Session
31/07/19
Nagesh Ramamoorthy
• IBM Cloud Overview
• IAM
• Account Management
• VPC Components & Demo
• Virtual Servers for VPC
• Limitations in Discussion
IBM Cloud Value Proposition
True hybrid cloud offering
Perhaps the only enterprise-class provider that offers both a managed single-tenant, dedicated model (called Classic
Infrastructure) and a multi-tenant (public cloud) model, with tight connectivity between them
Open Cloud by Design
One of the most open-source-friendly enterprise-class cloud platforms:
• Kubernetes containers
• Cloud Foundry PaaS environment (founding member and platinum sponsor)
• IBM Cloud Functions based on OpenWhisk
Classic and VPC Infrastructures – Today Comparison
Compute services
  Classic: Full catalog of services (e.g. Bare Metal, Virtual Server Instances, VMware, SAP)
  VPC: Virtual Server Instances only
Virtual server families
  Classic: Public, dedicated, transient, reserved
  VPC: Public only
VSI profiles
  Classic: All profiles, including the GPU profiles
  VPC: Balanced, compute, memory profiles with higher RAM and vCPU option
Supported images
  Classic: Full set of pre-stock images, plus custom images
  VPC: Limited set of pre-stock images
IP addresses
  Classic: IPv6 supported
  VPC: IPv4 only supported
Network functions and services
  Classic: Primarily physical and virtual appliances from multiple vendors, with some as-a-service
  VPC: Cloud-native, as-a-service network functions for key functions such as VPNs, firewalls, and load balancing
Platform integration
  VPC: IAM and resource group integration for a unified experience
Hybrid connectivity
  Classic: IPsec VPN; Direct Link
  VPC: VPNaaS; Direct Link with support for "bringing your own IPs" (BYOIP)
Security offerings
  Classic: Vyatta, Fortigate, Juniper vSRX appliances; Security Groups for virtual server instances
  VPC: Network Access Control Lists (ACLs) for subnets; Security Groups for virtual server instances
Location construct
  Classic: Data centers and PODs
  VPC: Multi-Zone Regions (MZRs) and Availability Zones (AZs)
Service differentiators
  Classic: SoftLayer API (SLAPI) with users & permissions managed separately from the IBM Cloud platform
  VPC: New developer-friendly, REST-based API with users & permissions fully integrated into the IBM Cloud platform
Regions and Zones
• 6 Regions (US Dallas, Washington DC, UK, Germany, Japan and Australia)
• 18 Availability Zones
Resources and Resource Groups
A resource group is a way for you to organize your account resources in customizable groupings so that you
can quickly assign users access to more than one resource at a time
Any account resource that is managed by using IBM Cloud™ Identity and Access Management (IAM)
access control belongs to a resource group
The IBM Cloud Resource Controller manages resources and resource groups
We can't change a resource's resource group membership after creation
Not all services support the use of resource groups and IAM yet; the transition is in progress
Cloud Foundry services have no connection to resource groups and use Cloud Foundry roles for access
management. Such services are called Cloud Foundry services
IBM Cloud provides visibility across the globe in one view
Tags and Resource Identifiers
Tags
A tag is a key:value pair assigned to a cloud resource to achieve the following:
• Filter resources
• Search resources
• Identify the owning team
• Cost allocation
Resource Identifiers
Cloud Resource Names (CRNs) uniquely identify IBM Cloud resources.
A CRN is used to specify a resource in a way that is unambiguous and guaranteed to be globally unique, such as in
IBM Cloud Identity and Access Management (IAM) policies
CRN Format:
crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource
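As an added illustration (not from the deck), a small Python parser for the CRN layout shown above, useful when auditing which resource an IAM policy target actually names. The account and instance identifiers in the sample CRNs are constructed placeholders, and treating the final segment as the only one that may contain a colon is an assumption.

```python
"""Parse and validate IBM Cloud Resource Names (CRNs).

A CRN has ten colon-separated segments:
crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource
The sample values at the bottom are constructed; they are not real account or instance IDs.
"""
from dataclasses import asdict, dataclass
from typing import Dict, List

CRN_SEGMENTS = ("scheme", "version", "cname", "ctype", "service_name", "location",
                "scope", "service_instance", "resource_type", "resource")


@dataclass(frozen=True)
class CRN:
    scheme: str
    version: str
    cname: str
    ctype: str
    service_name: str
    location: str
    scope: str
    service_instance: str
    resource_type: str
    resource: str

    def as_dict(self) -> Dict[str, str]:
        return asdict(self)

    def __str__(self) -> str:
        # Field order matches CRN_SEGMENTS, so joining reproduces the original string.
        return ":".join(asdict(self).values())


def parse_crn(text: str) -> CRN:
    """Split a CRN string into its ten segments, rejecting malformed input.

    The split is capped at nine so that a resource name containing ':' stays intact
    in the final segment (an assumption about how such names are written).
    """
    parts = text.strip().split(":", 9)
    if len(parts) != len(CRN_SEGMENTS):
        raise ValueError(f"CRN needs {len(CRN_SEGMENTS)} segments, got {len(parts)}: {text!r}")
    if parts[0] != "crn":
        raise ValueError(f"CRN must begin with 'crn', got {parts[0]!r}")
    if not parts[4]:
        raise ValueError("service-name segment must not be empty")
    return CRN(*parts)


def crn_diff(a: CRN, b: CRN) -> List[str]:
    """Names of the segments in which two CRNs differ (handy when comparing policy targets)."""
    da, db = a.as_dict(), b.as_dict()
    return [name for name in CRN_SEGMENTS if da[name] != db[name]]


def same_service_instance(a: CRN, b: CRN) -> bool:
    """True when both CRNs belong to the same service instance, whatever resource inside it they name."""
    keys = ("cname", "ctype", "service_name", "location", "scope", "service_instance")
    return all(getattr(a, k) == getattr(b, k) for k in keys)


# Constructed sample CRNs: a bucket inside an Object Storage instance, and the instance itself.
BUCKET_CRN = ("crn:v1:bluemix:public:cloud-object-storage:global:a/0123456789abcdef0123456789abcdef:"
              "11111111-2222-3333-4444-555555555555:bucket:audit-logs")
INSTANCE_CRN = ("crn:v1:bluemix:public:cloud-object-storage:global:a/0123456789abcdef0123456789abcdef:"
                "11111111-2222-3333-4444-555555555555::")

if __name__ == "__main__":
    bucket = parse_crn(BUCKET_CRN)
    instance = parse_crn(INSTANCE_CRN)
    print(bucket.as_dict())
    print("same instance:", same_service_instance(bucket, instance))
    print("differs in:", crn_diff(bucket, instance))
```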
Infrastructure as Code (IaC)
The popular open source Terraform provisioning engine is IBM Cloud's infrastructure as code (IaC) tool of choice.
Provision IBM Cloud resources by using the IBM Cloud Provider for Terraform
Monitoring, Logging and Activity Tracker
• Monitoring through the "Sysdig" partner solution
• Logging and activity tracking through the "LogDNA" partner solution
• Both of these solutions require setting up dedicated VSI instances
Support Tiers
Basic Support
  Description: Basic business protection that is included with your IBM Cloud Pay-As-You-Go or Subscription account
  Availability: Access to the IBM Cloud technical support team through cases. Phone and chat available only for PayGo and Subscription accounts
  Initial response time objectives: Not applicable
  Additional support: Not applicable
Advanced Support
  Description: Prioritized case handling and support experience that is aligned with your business needs
  Availability: 24 x 7 access to the IBM Cloud technical support team through cases, phone, and chat
  Initial response time objectives: Severity 1: less than 1 hour; Severity 2: less than 2 hours; Severity 3: less than 4 hours; Severity 4: less than 8 hours
  Additional support: Not applicable
Premium Support
  Description: Client engagement that is aligned with your business outcomes to accelerate time-to-value
  Availability: 24 x 7 access to the IBM Cloud technical support team through cases, phone, and chat
  Initial response time objectives: Severity 1: less than 15 minutes; Severity 2: less than 1 hour; Severity 3: less than 2 hours; Severity 4: less than 4 hours
  Additional support: Technical Account Manager assigned; quarterly business reviews; access to experts
Architecture Center
We should explore reference architectures before defining our architecture
IBM Confidential | © 2018 IBM Corporation 13
Identity and Access Management (IAM)
IBM Cloud Identity and Access Management (IAM) enables you to securely authenticate users for platform
services and to control access to resources consistently across IBM Cloud
A set of IBM Cloud services are enabled to use Cloud IAM for access control and are organized into
resource groups
Users can be invited to the account and given access to resources.
The services that support IAM roles for access and are created under a resource group are called IAM-enabled
services
Currently all services are being migrated to resource groups and IAM support
IAM Constructs
Identities
Users are identified by their IBMid or SoftLayer account ID and consume IBM Cloud resources through the web
console, the command line or API access
Access groups: a group of users and service IDs can be created so that the same access can be assigned to all
entities within the group with one or more policies.
Service IDs are the Cloud IAM feature that is used to provide a separate identity for services and applications.
You can create a service ID to be used by an application that needs access to your IBM Cloud services so that
individual user credentials do not have to be used.
Access Management
Access policies are how users, service IDs, and access groups in the account are given permission to access
account resources. Policies include a subject, target, and role. The subject is the user, service ID, or access
group that you are providing access to. The target of the policy is the resource to which you want to provide
access.
Cloud IAM access roles allow a user to complete specific tasks on the resource that is defined in the policy.
There are two types of access roles: platform management and service access
Platform management roles define allowable actions for managing resources at the platform level such as user
access and creation of service instances. Platform roles also apply to actions that can be taken within the
context of account management services such as inviting and removing users, managing access groups,
managing service IDs, and private catalog offerings.
Service access roles define allowable actions within the context of using the service such as calling service
APIs.
Platform Management Roles
The following table provides examples for some of the platform management actions that users can take within the context of
catalog resources and resource groups.
Viewer role
  One or all IAM-enabled services: View instances, aliases, bindings, and credentials
  Selected service in a resource group: View only specified instances in the resource group
  Selected resource group: View resource group
Operator role
  One or all IAM-enabled services: View instances and manage aliases, bindings, and credentials
  Selected service in a resource group: Not applicable
  Selected resource group: Not applicable
Editor role
  One or all IAM-enabled services: Create, delete, edit, and view instances. Manage aliases, bindings, and credentials
  Selected service in a resource group: Create, delete, edit, suspend, resume, view, and bind only specified instances in the resource group
  Selected resource group: View and edit name of resource group
Administrator role
  One or all IAM-enabled services: All management actions for services
  Selected service in a resource group: All management actions for the specified instances in the resource group
  Selected resource group: View, edit, and manage access for the resource group
Service Access Roles
The following table provides example actions that can be taken depending on the assigned role, using the Object
Storage service as the example.
Reader
  Actions: Perform read-only actions within a service, such as viewing service-specific resources
  Example actions for Object Storage: List and download objects
Writer
  Actions: Permissions beyond the reader role, including creating and editing service-specific resources
  Example actions for Object Storage: Create and destroy buckets and objects
Manager
  Actions: Permissions beyond the writer role to complete privileged actions as defined by the service, plus create and edit service-specific resources
  Example actions for Object Storage: Manage all aspects of data storage, create and destroy buckets and objects
Big Picture
IBM Account Types
Lite Account
  Pros:
  • Zero charge guaranteed
  • Account never expires, no credit card required
  • Access to Lite service plans
  • Best for learning or building proofs of concept
  Cons:
  • No access to the full catalog
  • No access to all free plans
  • Access only to the "default" resource group
  • Not fit for production use
  • No access to Advanced and Premium support
Pay-As-You-Go
  Pros:
  • Access to the full catalog
  • Access to all the free plans
  • Best for both production and learning or building proofs of concept
  • Can create multiple resource groups
  • Access to Advanced and Premium support plans
  Cons:
  • No discounts on the bill
Subscription
  Pros:
  • Access to the full catalog
  • Access to all the free plans
  • Best for both production and learning or building proofs of concept
  • Can create multiple resource groups
  • Access to Advanced and Premium support plans
  • Discounts based on committed usage
IBM Cloud Enterprises
IBM Cloud Enterprises provide a way to centrally manage billing and track usage across multiple
accounts
Enterprises require subscription billing
A single invoice covers all usage within the enterprise
From the enterprise account, you can view resource usage from all accounts in the enterprise. Starting at the
enterprise level, you see estimated usage costs that are broken down by account and account group
Building Blocks of Cloud Enterprises
Enterprise Account:
• An enterprise account serves as the parent account to all other accounts in the enterprise
• An enterprise can contain up to 10 tiers of accounts and account groups. In its most basic form, an enterprise has two tiers: the enterprise
account, and a single child account.
Account Group:
• Account groups are used to organize related accounts. Account groups can't contain resources themselves
• You can add and remove account groups and move accounts between account groups.
Accounts:
• Accounts are just like stand-alone IBM Cloud accounts in that they contain resources and resource groups, Cloud Foundry
orgs and spaces, and independent access permissions
• The users and their assigned access in the enterprise account are entirely separate from those in the child accounts,
and no access is automatically inherited between the two types of accounts.
Big Picture
An enterprise can contain up to 10 tiers of accounts and account groups
IBM Cloud VPC Infrastructure
IBM Cloud Virtual Private Cloud is the next-generation IBM Cloud platform. VPC gives you the security of
a private cloud, with the agility and ease of a public cloud.
VPC Infrastructure is available in 5 regions (Dallas, London, Frankfurt, Tokyo, Sydney)
Only public virtual servers are available in the VPC Infrastructure
A VPC is divided into subnets, each using a range of private IP addresses.
A VPC is scoped to a region
By default, all resources (such as VSIs) within the same VPC can communicate with each other, regardless
of their subnet
Subnets are contained within a single zone, and they cannot span multiple zones
Address Prefixes
The VPC itself doesn't require a CIDR block to be assigned, but every zone in a region requires an address prefix to be
defined
Each subnet must be contained within a zone address prefix
Each IBM Cloud VPC can have up to five address prefixes for each zone
IBM Cloud VPC defines a default address prefix for each zone
You can't delete the default prefix of a zone
You can't use the entire zone prefix for a subnet
Internet Connectivity
Three ways VPC resources get outbound internet access:
• Use a public gateway (PGW) to enable communication to the internet for all virtual server
instances on the attached subnet.
• Use a Floating IP (FIP) to enable communication to and from a single virtual server instance (VSI) to
the internet.
  • The backend system performs 1-to-1 NAT between the Floating IP and the private IP of the VSI's vNIC
  • No free Floating IPs; each is charged at $1 per month, even if used for only a few days
• Use a VPN gateway.
A PGW uses many-to-1 NAT, which means that thousands of instances with private addresses use one
public IP address to talk to the public internet.
A PGW does not enable the internet to initiate a connection with those instances
VPNaaS
VPN is the default solution to connect two VPCs, provided there is no overlap of IP addresses
IBM Cloud VPN for VPC only supports policy-based routing
Load Balancer for VPC
Load Balancer for VPC operates at the regional level
The backend instances for the load balancer have to be within the VPC; IP-based backend VSIs are not supported,
since the IP addresses might change
Load Balancer for VPC supports private, public and Layer-7 load balancing, with SSL offloading
at the load balancer for HTTPS connections
Classic Access
We can enable a VPC for connectivity with the classic infrastructure, including Direct Link connectivity, during VPC creation;
such a VPC is then called a "Classic Access VPC"
There can be only one Classic Access VPC per region per account
These special "Classic Access VPCs" use the same routing capability (implicit router) as your IBM Cloud™ classic
infrastructure
When you've set up a VPC for classic access, every compute host (VSI or Bare Metal) without a public interface in your classic
account can send and receive packets to and from the Classic Access VPC
The classic account must be converted to VRF before enabling classic access to the VPC
The classic account can be converted to VRF by opening a support case with the IBM Cloud network engineering team
Classic Access (contd.)
All subnets in a VPC with classic access are shared into the Classic Infrastructure VRF, which uses IP addresses in the
10.0.0.0/8 space
To avoid IP address conflicts, do not use IP addresses in the 10.0.0.0/8 space when creating subnets in a Classic Access
VPC.
Create a Classic Access VPC from the Create VPC page by clicking the checkbox titled "Enable access to classic
resource", under the Classic access label
There are no data transfer charges between VPC and classic infrastructure
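An added Python check (not part of the deck) that validates a planned subnet layout against the rules from the Address Prefixes slide and the 10.0.0.0/8 rule for Classic Access VPCs above. Zone names and CIDRs in the sample are constructed, and the overlap check between subnets of one zone is a general sanity check rather than a rule stated on the slides.

```python
"""Validate a planned IBM Cloud VPC subnet layout against the address-prefix rules.

Rules taken from the deck: every zone needs an address prefix and may have at most five;
each subnet must sit inside one of its zone's prefixes; a subnet may not use the whole zone
prefix; VPC is IPv4 only; and in a Classic Access VPC no subnet may fall in 10.0.0.0/8,
because that space is shared into the classic VRF.
The check that subnets of one zone do not overlap each other is a general sanity check,
not a rule stated on the slides. All zone names and CIDRs below are constructed samples.
"""
import ipaddress
from typing import Dict, List, Mapping, Sequence

MAX_PREFIXES_PER_ZONE = 5
CLASSIC_VRF_SPACE = ipaddress.ip_network("10.0.0.0/8")


def validate_vpc_layout(
    zone_prefixes: Mapping[str, Sequence[str]],
    subnets: Sequence[Mapping[str, str]],
    classic_access: bool = False,
) -> List[str]:
    """Return human-readable problems with the layout; an empty list means it passes.

    zone_prefixes maps a zone name to its address prefixes (CIDR strings).
    subnets is a list of {"name": ..., "zone": ..., "cidr": ...} mappings.
    """
    problems: List[str] = []
    prefixes: Dict[str, List[ipaddress.IPv4Network]] = {}

    for zone, cidrs in zone_prefixes.items():
        nets: List[ipaddress.IPv4Network] = []
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
            if net.version != 4:
                problems.append(f"{zone}: prefix {cidr} is not IPv4; VPC supports IPv4 only")
                continue
            nets.append(net)
        if not nets:
            problems.append(f"{zone}: no address prefix defined")
        elif len(nets) > MAX_PREFIXES_PER_ZONE:
            problems.append(f"{zone}: {len(nets)} prefixes exceed the limit of {MAX_PREFIXES_PER_ZONE}")
        prefixes[zone] = nets

    placed: Dict[str, List[ipaddress.IPv4Network]] = {}
    for subnet in subnets:
        name, zone = subnet["name"], subnet["zone"]
        net = ipaddress.ip_network(subnet["cidr"], strict=True)
        if net.version != 4:
            problems.append(f"{name}: {net} is not IPv4; VPC supports IPv4 only")
            continue
        if zone not in prefixes:
            problems.append(f"{name}: zone {zone} is not defined in the VPC")
            continue
        containing = [p for p in prefixes[zone] if net.subnet_of(p)]
        if not containing:
            problems.append(f"{name}: {net} lies outside every address prefix of {zone}")
        elif net in containing:
            problems.append(f"{name}: {net} uses the entire zone prefix; choose a smaller subnet")
        if classic_access and net.overlaps(CLASSIC_VRF_SPACE):
            problems.append(f"{name}: {net} overlaps 10.0.0.0/8 and would conflict with the classic VRF")
        for other in placed.get(zone, []):
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps subnet {other} in the same zone")
        placed.setdefault(zone, []).append(net)
    return problems


# Constructed sample layout exercising each rule.
SAMPLE_PREFIXES = {
    "zone-1": ["192.168.0.0/18"],
    "zone-2": ["192.168.64.0/18", "10.10.0.0/16"],
}
SAMPLE_SUBNETS = [
    {"name": "web", "zone": "zone-1", "cidr": "192.168.1.0/24"},    # valid
    {"name": "whole", "zone": "zone-1", "cidr": "192.168.0.0/18"},  # entire prefix, and overlaps web
    {"name": "stray", "zone": "zone-1", "cidr": "172.16.0.0/24"},   # outside every prefix
    {"name": "db", "zone": "zone-2", "cidr": "10.10.1.0/24"},       # fine unless classic access
    {"name": "db2", "zone": "zone-2", "cidr": "10.10.1.128/25"},    # overlaps db
]

if __name__ == "__main__":
    for classic in (False, True):
        print(f"classic_access={classic}:")
        for problem in validate_vpc_layout(SAMPLE_PREFIXES, SAMPLE_SUBNETS, classic):
            print("  -", problem)
```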
Service Endpoints
With IBM Cloud™ service endpoints, you can connect to IBM Cloud services over the IBM Cloud private network
Enabling Service Endpoints
Enabling service endpoints takes two steps:
1) Convert the classic account to VRF by opening a support case with the IBM Cloud network
team
2) Enable the service endpoints through the command line
Security in VPC infrastructure
Control level
  Security Groups: VSI instance
  ACL: Subnet
State
  Security Groups: Stateful - once an inbound connection is permitted, it is allowed to reply
  ACL: Stateless - both inbound and outbound connections must be explicitly allowed
Supported rules
  Security Groups: Uses allow rules only
  ACL: Uses allow and deny rules
How rules are applied
  Security Groups: All rules are considered
  ACL: Rules are processed in sequence
Relationship to the associated resource
  Security Groups: An instance can be associated with multiple security groups
  ACL: Multiple subnets can be associated with the same ACL
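An added Python model (not IBM's code) of the two filters compared above. It shows why a stateless ACL needs an explicit outbound rule before reply traffic gets through, and why rule order matters for an ACL but not for a security group. The addresses and rules are constructed, and treating an ACL with no matching rule as an implicit deny is an assumption not stated on the slide.

```python
"""Model the two VPC traffic filters: a security group (instance level, stateful, allow rules
only, every rule considered) and a network ACL (subnet level, stateless, allow and deny rules,
processed in sequence, first match wins).
Assumption not stated on the slide: an ACL denies a packet that matches none of its rules.
Addresses and rules used below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound", seen from the instance / subnet
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int

    def reply(self) -> "Packet":
        """The packet the peer sends back: direction and endpoints swapped."""
        return Packet("outbound" if self.direction == "inbound" else "inbound",
                      self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str             # "tcp", "udp", "icmp" or "all"
    remote: str            # CIDR of the far end of the connection
    port_min: int = 1      # destination-port range; ignored for icmp
    port_max: int = 65535
    action: str = "allow"  # ACLs may also use "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        remote_ip = pkt.src if pkt.direction == "inbound" else pkt.dst
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.remote, strict=False):
            return False
        if pkt.proto in ("tcp", "udp") and not (self.port_min <= pkt.dport <= self.port_max):
            return False
        return True


FlowKey = Tuple[str, str, str, int, int]


def _flow_key(pkt: Packet) -> FlowKey:
    return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)


class SecurityGroup:
    """Instance-level filter: allow rules only, any matching rule permits, stateful."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        if any(r.action != "allow" for r in self.rules):
            raise ValueError("security groups use allow rules only")
        self._flows: Set[FlowKey] = set()  # connections already permitted

    def permits(self, pkt: Packet) -> bool:
        if _flow_key(pkt.reply()) in self._flows:
            return True  # stateful: a reply to a permitted connection needs no rule of its own
        if any(r.matches(pkt) for r in self.rules):  # all rules considered; order is irrelevant
            self._flows.add(_flow_key(pkt))
            return True
        return False


class NetworkACL:
    """Subnet-level filter: allow/deny rules evaluated in order, stateless."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)  # list order is the rule priority

    def permits(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"  # first match decides
        return False  # assumption: implicit deny when nothing matches


if __name__ == "__main__":
    https_in = Rule("inbound", "tcp", "0.0.0.0/0", 443, 443)
    syn = Packet("inbound", "tcp", "203.0.113.5", "192.168.1.10", 51000, 443)
    sg, acl = SecurityGroup([https_in]), NetworkACL([https_in])
    print("security group: request", sg.permits(syn), "reply", sg.permits(syn.reply()))
    print("network ACL:    request", acl.permits(syn), "reply", acl.permits(syn.reply()))
```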
Big Picture
Demo
Virtual Server Instances (VSI)
VSIs come in 3 family options: Balanced, CPU and Memory, with predefined configurations called
"Profiles"
AWS On-Demand Instances vs IBM Cloud Public Virtual Server
AWS Spot Instances vs IBM Cloud Transient Virtual Server
AWS Dedicated Instances vs IBM Cloud Dedicated Virtual Server
AWS Reserved Instances vs IBM Cloud Reserved Virtual Server
IBM Cloud VPC Infrastructure supports only public virtual servers today
Virtual Server Instances (contd.)
We need to generate SSH keys before creating a VSI
Each network interface of a VSI can be part of a different subnet within an AZ
You cannot designate the specific IP address of the VSI. You can only specify the IP range for the subnet. Once you
attach a VSI to a subnet, the system assigns a private IP from that subnet
No auto scaling groups!
Images for VSIs
Only the stock images below are supported:
CentOS 7.x
Debian 8.x, 9.x
Red Hat Enterprise Linux 7.x
Ubuntu 16.04, 18.04
Windows 2012, 2012 R2, 2016
Images are cloud-init enabled, so we can pass user data
Instances require an image that supports Hardware Virtual Machine (HVM) boot mode
Storage for VSIs
When you create an instance, a 100 GB boot volume is automatically created and attached to the instance, with a maximum of 3000
IOPS
We can't customize the size of the boot volume
Secondary block storage data volumes can be attached to any available instance within your region, with a maximum size of 2 TB
Storage volumes are always encrypted, using IBM-managed encryption keys
While creating secondary block storage volumes, we can choose among three predefined IOPS profiles:
1. 3 IOPS per GB (general workload)
2. 5 IOPS per GB (CPU intense)
3. 10 IOPS per GB (memory intense)
Other than the predefined IOPS profiles, we can also choose custom IOPS from 100 to 20000 IOPS, depending on the volume size
Limitations
• No VPC peering
• No robust monitoring, activity history and logging solution for VPC Infrastructure
• No custom image creation
• No resizing of VSIs
• No block storage snapshot backups
• VPC is not supported in the Washington, DC region
• We can't create custom roles or custom IAM policies
• IPv6 support is not available
• We can't BYOIP on floating IPs
• There is no page refresh in the web console
• We can update the VPC routing table only through the VPC routes API
• VPC flow logs are not available
• No autoscaling
These limitations don't cover PaaS services and are specific to VPC-related services only
Limitations (contd.)
• Only limited stock images
• Block storage can be up to 2 TB only
• Password authentication is not supported, and we can't generate keys in the console
• We can't customize the size of the boot volume
• No mention of local storage for VMs
• No DHCP options
• Limited VSI profiles and VSI types
• No placement groups
• No visibility of HDD/SSD disk type options
• No support for IP-based load balancing or multi-regional load balancing
• No native cloud orchestration and configuration management tool
• Direct Link can be leveraged only through Classic Infrastructure
• No integration of IAM with Active Directory services
• IBM Cloud Enterprise is limited to cost and billing management
Conclusion
IBM Cloud VPC Infrastructure is still in the making, with a lot of potential for innovation and for catching up with
other market leaders
Thank You
 
IBM Cloud PowerVS - AIX and IBM i on Cloud
IBM Cloud PowerVS - AIX and IBM i on CloudIBM Cloud PowerVS - AIX and IBM i on Cloud
IBM Cloud PowerVS - AIX and IBM i on Cloud
 
NextGen IBM Cloud Monitoring and Logging
NextGen IBM Cloud Monitoring and LoggingNextGen IBM Cloud Monitoring and Logging
NextGen IBM Cloud Monitoring and Logging
 
IBM Cloud Direct Link 2.0
IBM Cloud Direct Link 2.0IBM Cloud Direct Link 2.0
IBM Cloud Direct Link 2.0
 
CIS bench marks for public clouds
CIS bench marks for public cloudsCIS bench marks for public clouds
CIS bench marks for public clouds
 
AWS Security Hub Deep Dive
AWS Security Hub Deep DiveAWS Security Hub Deep Dive
AWS Security Hub Deep Dive
 
AWS solution Architect Associate study material
AWS solution Architect Associate study materialAWS solution Architect Associate study material
AWS solution Architect Associate study material
 
AWS database services
AWS database servicesAWS database services
AWS database services
 
AWS deployment and management Services
AWS deployment and management ServicesAWS deployment and management Services
AWS deployment and management Services
 
AWS network services
AWS network servicesAWS network services
AWS network services
 
AWS Storage services
AWS Storage servicesAWS Storage services
AWS Storage services
 
AWS compute Services
AWS compute ServicesAWS compute Services
AWS compute Services
 
AWS core services
AWS core servicesAWS core services
AWS core services
 
AWS Introduction and History
AWS Introduction and HistoryAWS Introduction and History
AWS Introduction and History
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

IBM Cloud VPC Deep Dive

1. IBM Cloud Virtual Private Cloud Deep Dive Session
31/07/19, Nagesh Ramamoorthy

2. Agenda
• IBM Cloud Overview
• IAM
• Account Management
• VPC Components & Demo
• Virtual Servers for VPC
• Limitations in Discussion

3. IBM Cloud Value Proposition
True hybrid cloud offering: perhaps the only enterprise-class provider that offers both a managed single-tenant, dedicated model (called classic infrastructure) and a multi-tenant (public cloud) model, with tight connectivity between them.
Open cloud by design: one of the most open-source-friendly enterprise-class cloud platforms:
• Kubernetes containers
• Cloud Foundry PaaS environment (founding member and platinum sponsor)
• IBM Cloud Functions, based on OpenWhisk

4. Classic and VPC Infrastructures – Today Comparison
| Area | Classic Infrastructure | VPC Infrastructure |
|---|---|---|
| Compute services | Full catalog of services (e.g. Bare Metal, Virtual Server Instances, VMware, SAP) | Virtual Server Instances only |
| Virtual server families | Public, dedicated, transient, reserved | Public only |
| VSI profiles | All profiles, including the GPU profiles | Balanced, compute and memory profiles, with higher RAM and vCPU options |
| Supported images | Full set of pre-stock images, plus custom images | Limited set of pre-stock images |
| IP addresses | IPv6 supported | IPv4 only |
| Network functions and services | Primarily physical and virtual appliances from multiple vendors, with some as-a-service | Cloud-native, as-a-service network functions for key functions such as VPNs, firewalls and load balancing |
| Platform integration | | IAM and resource group integration for a unified experience |
| Hybrid connectivity | IPsec VPN; Direct Link | VPNaaS; Direct Link with support for "bringing your own IPs" (BYOIP) |
| Security offerings | Vyatta, Fortigate, Juniper vSRX appliances; security groups for virtual server instances | Network Access Control Lists (ACLs) for subnets; security groups for virtual server instances |
| Location construct | Data centers and PODs | Multi-Zone Regions (MZRs) and Availability Zones (AZs) |
| Service differentiators | SoftLayer API (SLAPI), with users and permissions managed separately from the IBM Cloud platform | New developer-friendly, REST-based API, with users and permissions fully integrated into the IBM Cloud platform |
5. Regions and Zones
• 6 regions (US Dallas, Washington DC, UK, Germany, Japan and Australia)
• 18 availability zones

6. Resources and Resource Groups
• A resource group is a way to organize your account resources into customizable groupings so that you can quickly assign users access to more than one resource at a time.
• Any account resource that is managed by using IBM Cloud Identity and Access Management (IAM) access control belongs to a resource group.
• The IBM Cloud Resource Controller manages resources and resource groups.
• A resource's resource group membership can't be changed after creation.
• Not all services support resource groups and IAM yet; the transition is in progress.
• Cloud Foundry services have no connection to resource groups and use Cloud Foundry roles for access management.
• IBM Cloud provides visibility across the globe under one view.

7. Tags and Resource Identifiers
Tags: a tag is a key:value pair assigned to a cloud resource in order to:
• Filter resources
• Search resources
• Identify the owning team
• Allocate cost
Resource identifiers: Cloud Resource Names (CRNs) uniquely identify IBM Cloud resources. A CRN specifies a resource in a way that is unambiguous and guaranteed to be globally unique, for example in IBM Cloud Identity and Access Management (IAM) policies.
CRN format: crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource

8. Infrastructure as Code (IaC)
The popular open-source Terraform provisioning engine is IBM Cloud's infrastructure as code (IaC) tool of choice. Provision IBM Cloud resources by using the IBM Cloud Provider for Terraform.

9. Monitoring, Logging and Activity Tracker
• Monitoring through the "Sysdig" partner solution
• Logging and activity tracking through the "LogDNA" partner solution
• Both solutions require setting up dedicated VSI instances

10. Support Tiers
| | Basic Support | Advanced Support | Premium Support |
|---|---|---|---|
| Description | Basic business protection that is included with your IBM Cloud Pay-As-You-Go or Subscription account | Prioritized case handling and a support experience that is aligned with your business needs | Client engagement that is aligned with your business outcomes to accelerate time-to-value |
| Availability | Access to the IBM Cloud technical support team through cases; phone and chat available only for Pay-As-You-Go and Subscription accounts | 24x7 access to the IBM Cloud technical support team through cases, phone and chat | 24x7 access to the IBM Cloud technical support team through cases, phone and chat |
| Initial response time objectives | Not applicable | Severity 1: less than 1 hour; Severity 2: less than 2 hours; Severity 3: less than 4 hours; Severity 4: less than 8 hours | Severity 1: less than 15 minutes; Severity 2: less than 1 hour; Severity 3: less than 2 hours; Severity 4: less than 4 hours |
| Additional support | Not applicable | Not applicable | Technical Account Manager assigned; quarterly business reviews; access to experts |

11. Architecture Center
We should explore the reference architectures before defining our own architecture.
12. Agenda: IBM Cloud Overview • IAM • Account Management • VPC Components & Demo • Virtual Servers for VPC • Limitations in Discussion

13. Identity and Access Management (IAM)
IBM Confidential | © 2018 IBM Corporation
• IBM Cloud Identity and Access Management (IAM) enables you to securely authenticate users for platform services and to control access to resources consistently across IBM Cloud.
• A set of IBM Cloud services are enabled to use Cloud IAM for access control and are organized into resource groups.
• Users can be invited to the account and given access to resources.
• Services that support IAM roles for access and are created under a resource group are called IAM-enabled services.
• All services are currently being migrated to resource groups and IAM support.

14. IAM Constructs
Identities
• Users are identified by their IBMid or SoftLayer account ID and consume IBM Cloud resources through the web console, the command line or the API.
• Service IDs are the Cloud IAM feature used to provide a separate identity for services and applications. You can create a service ID for an application that needs access to your IBM Cloud services so that individual user credentials do not have to be used.
• Access groups: a group of users and service IDs can be created so that the same access can be assigned to all entities in the group with one or more policies.
Access management
• Access policies are how users, service IDs and access groups in the account are given permission to access account resources. A policy consists of a subject, a target and a role: the subject is the user, service ID or access group being given access, and the target is the resource to which access is given.
• Cloud IAM access roles allow a user to complete specific tasks on the resource defined in the policy. There are two types of access roles: platform management and service access.
• Platform management roles define the allowable actions for managing resources at the platform level, such as user access and creation of service instances. Platform roles also apply to actions within the context of account management services, such as inviting and removing users, managing access groups, managing service IDs and managing private catalog offerings.
• Service access roles define the allowable actions within the context of using the service, such as calling service APIs.

15. Platform Management Roles
The following table gives examples of platform management actions that users can take within the context of catalog resources and resource groups.
| Platform access role | One or all IAM-enabled services | Selected service in a resource group | Selected resource group |
|---|---|---|---|
| Viewer | View instances, aliases, bindings and credentials | View only the specified instances in the resource group | View the resource group |
| Operator | View instances and manage aliases, bindings and credentials | Not applicable | Not applicable |
| Editor | Create, delete, edit and view instances; manage aliases, bindings and credentials | Create, delete, edit, suspend, resume, view and bind only the specified instances in the resource group | View and edit the name of the resource group |
| Administrator | All management actions for services | All management actions for the specified instances in the resource group | View, edit and manage access for the resource group |

16. Service Access Roles
The following table gives example actions that can be taken depending on the assigned role, using the Object Storage service as the example.
| Service access role | Actions | Example actions for Object Storage |
|---|---|---|
| Reader | Perform read-only actions within a service, such as viewing service-specific resources | List and download objects |
| Writer | Permissions beyond the Reader role, including creating and editing service-specific resources | Create and destroy buckets and objects |
| Manager | Permissions beyond the Writer role to complete privileged actions as defined by the service, plus create and edit service-specific resources | Manage all aspects of data storage; create and destroy buckets and objects |
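The policy model of slides 14 to 16 (subject, target, role; access groups that carry a policy for all their members; platform roles versus service access roles) and the CRN layout of slide 7 can be exercised with a small evaluator. The block below is an added example, not IBM Cloud's own code or the deck author's: the CRN field order and the role names come from the slides, while the action names, the role-to-action sets, the sample CRN values and the sample policies are constructed for illustration, and the model grants only (it has no deny policy, which is an assumption of the example).

```python
"""Toy evaluator for the IAM model on slides 7 and 13-16: CRN-identified
targets, subjects that are users, service IDs or access groups, and
platform-management vs. service-access roles.

Added example, not IBM Cloud's own code. Action names, role-to-action
mappings and the sample CRNs are constructed for illustration; only the
CRN field layout and the role names come from the slides."""
from dataclasses import dataclass
from typing import Dict, List, Set

CRN_FIELDS = ("prefix", "version", "cname", "ctype", "service_name", "location",
              "scope", "service_instance", "resource_type", "resource")


def parse_crn(crn: str) -> Dict[str, str]:
    """Split a CRN into its ten colon-separated fields (slide 7). Empty fields
    are legal; a wrong field count or a missing 'crn' prefix is rejected so a
    malformed target can never silently match a policy."""
    parts = crn.split(":")
    if len(parts) != len(CRN_FIELDS) or parts[0] != "crn":
        raise ValueError(f"malformed CRN: {crn!r}")
    return dict(zip(CRN_FIELDS, parts))


# Platform management roles (slide 15) and service access roles (slide 16),
# each expanded to a set of constructed action names. Service roles are
# cumulative (Writer includes Reader, Manager includes Writer).
PLATFORM_ROLES: Dict[str, Set[str]] = {
    "Viewer": {"instance.view"},
    "Operator": {"instance.view", "binding.manage"},
    "Editor": {"instance.view", "binding.manage", "instance.create",
               "instance.edit", "instance.delete"},
    "Administrator": {"instance.view", "binding.manage", "instance.create",
                      "instance.edit", "instance.delete", "access.manage"},
}
SERVICE_ROLES: Dict[str, Set[str]] = {
    "Reader": {"object.list", "object.get"},
    "Writer": {"object.list", "object.get", "object.put",
               "bucket.create", "bucket.delete"},
    "Manager": {"object.list", "object.get", "object.put",
                "bucket.create", "bucket.delete", "storage.manage"},
}
ROLE_ACTIONS = {**PLATFORM_ROLES, **SERVICE_ROLES}


@dataclass
class Policy:
    """subject + target + role, as on slide 14. target lists the CRN fields
    that must match; any field left out matches every value."""
    subject: str
    target: Dict[str, str]
    role: str


def effective_subjects(principal: str, access_groups: Dict[str, Set[str]]) -> Set[str]:
    """A principal acts as itself plus every access group it belongs to."""
    return {principal} | {g for g, members in access_groups.items() if principal in members}


def is_allowed(principal: str, action: str, resource_crn: str,
               policies: List[Policy], access_groups: Dict[str, Set[str]]) -> bool:
    """Grant if any policy whose subject covers the principal targets this
    resource with a role that includes the action. Policies here only grant;
    this toy model has no deny policy (an assumption, not a slide fact)."""
    fields = parse_crn(resource_crn)
    subjects = effective_subjects(principal, access_groups)
    for policy in policies:
        if policy.subject not in subjects:
            continue
        if any(fields.get(k) != v for k, v in policy.target.items()):
            continue
        if action in ROLE_ACTIONS[policy.role]:
            return True
    return False


# Constructed sample account: one access group, three policies.
ACCESS_GROUPS = {"storage-admins": {"alice"}}
POLICIES = [
    # Everyone in the group manages every Object Storage instance in the account.
    Policy("storage-admins", {"service_name": "cloud-object-storage"}, "Manager"),
    # A service ID used by an application may only read one bucket.
    Policy("svc-app", {"service_name": "cloud-object-storage", "resource": "app-bucket"}, "Reader"),
    # bob may view Object Storage instances at the platform level but not their data.
    Policy("bob", {"service_name": "cloud-object-storage"}, "Viewer"),
]
# Constructed CRN values (placeholders for account and instance); layout per slide 7.
APP_BUCKET = "crn:v1:bluemix:public:cloud-object-storage:global:a/acct-placeholder:inst-placeholder:bucket:app-bucket"
LOG_BUCKET = "crn:v1:bluemix:public:cloud-object-storage:global:a/acct-placeholder:inst-placeholder:bucket:log-bucket"


def check(principal: str, action: str, crn: str) -> bool:
    """Evaluate a request against the sample policies above."""
    return is_allowed(principal, action, crn, POLICIES, ACCESS_GROUPS)


if __name__ == "__main__":
    for who, act, crn in [("alice", "bucket.delete", LOG_BUCKET),
                          ("svc-app", "object.get", APP_BUCKET),
                          ("svc-app", "object.get", LOG_BUCKET),
                          ("svc-app", "object.put", APP_BUCKET),
                          ("bob", "instance.view", APP_BUCKET),
                          ("bob", "object.get", APP_BUCKET)]:
        print(f"{who:9} {act:14} {crn.rsplit(':', 1)[-1]:11} -> {check(who, act, crn)}")
```

The point the sample policies make is the one the two tables make: a platform role (bob's Viewer) says nothing about the data inside the service, a service access role (the application's Reader) can be narrowed to a single resource by adding CRN fields to the target, and membership of an access group is what gives alice her Manager rights, so reviewing who is in the group is reviewing who can delete buckets.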
17. Big Picture (diagram slide)

18. Agenda: IBM Cloud Overview • IAM • Account Management • VPC Components & Demo • Virtual Servers for VPC • Limitations in Discussion

19. IBM Account Types
© 2019 IBM Corporation
Lite account
• Pros: zero charge guaranteed; the account never expires and no credit card is required; access to Lite service plans; best for learning or building proofs of concept
• Cons: no access to the full catalog; no access to all free plans; access only to the "default" resource group; not fit for production use; no access to Advanced and Premium support
Pay-As-You-Go
• Pros: access to the full catalog; access to all the free plans; best for both production and learning or building proofs of concept; can create multiple resource groups; access to Advanced and Premium support plans
• Cons: no discounts on the bill
Subscription
• Pros: access to the full catalog; access to all the free plans; best for both production and learning or building proofs of concept; can create multiple resource groups; access to Advanced and Premium support plans; discounts based on committed usage

20. IBM Cloud Enterprises
• An IBM Cloud enterprise provides a way to centrally manage billing and track usage across multiple accounts.
• Enterprises require subscription billing: a single invoice covers all usage within the enterprise.
• From the enterprise account, you can view resource usage from all accounts in the enterprise. Starting at the enterprise level, you see estimated usage costs broken down by account and account group.

21. Building Blocks of Cloud Enterprises
Enterprise account
• An enterprise account serves as the parent account to all other accounts in the enterprise.
• An enterprise can contain up to 10 tiers of accounts and account groups. In its most basic form, an enterprise has two tiers: the enterprise account and a single child account.
Account groups
• Account groups are used to organize related accounts. Account groups can't contain resources themselves.
• You can add and remove account groups and move accounts between account groups.
Accounts
• Accounts are just like stand-alone IBM Cloud accounts: they contain resources and resource groups, Cloud Foundry orgs and spaces, and independent access permissions.
• The users and their assigned access in the enterprise account are entirely separate from those in the child accounts, and no access is automatically inherited between the two types of accounts.

22. Big Picture (diagram slide): an enterprise can contain up to 10 tiers of accounts and account groups.

23. Agenda: IBM Cloud Overview • IAM • Account Management • VPC Components & Demo • Virtual Servers for VPC • Limitations in Discussion
24. IBM Cloud VPC Infrastructure
• IBM Cloud Virtual Private Cloud is the next-generation IBM Cloud platform. A VPC gives you the security of a private cloud with the agility and ease of a public cloud.
• VPC infrastructure is available in 5 regions (Dallas, London, Frankfurt, Tokyo, Sydney).
• Only public virtual servers are available for the VPC infrastructure.
• A VPC is divided into subnets, using a range of private IP addresses.
• A VPC has regional scope.
• By default, all resources (such as VSIs) within the same VPC can communicate with each other, regardless of their subnet.
• Subnets are contained within a single zone and cannot span multiple zones.

25. Address Prefixes
• The VPC itself doesn't require a CIDR block to be assigned, but every zone in a region requires a prefix to be defined.
• Each subnet must be contained within a zone address prefix.
• Each IBM Cloud VPC can have up to five address prefixes per zone.
• IBM Cloud VPC defines a default address prefix for each zone.
• You can't delete a zone's default prefix.
• You can't use the entire zone prefix for a subnet.

26. Internet Connectivity
Three ways for VPC resources to get outbound internet access:
• Use a public gateway (PGW) to enable communication to the internet for all virtual server instances on the attached subnet.
  • A PGW uses many-to-1 NAT: thousands of instances with private addresses share one public IP address to talk to the public internet.
  • A PGW does not enable the internet to initiate a connection with those instances.
• Use a floating IP (FIP) to enable communication between a single virtual server instance (VSI) and the internet, in both directions.
  • The backend system performs 1-to-1 NAT between the floating IP and the private IP of the VSI's vNIC.
  • There are no free floating IPs; each is charged at $1 per month, even if used for only a few days.
• Use a VPN gateway.
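The difference that matters for exposure on slide 26 is the NAT direction: a public gateway only ever translates replies back to an instance, while a floating IP translates in both directions. The following model is an added example, not IBM Cloud code or the deck author's; the addresses are constructed from the documentation ranges (RFC 5737 public, RFC 1918 private) and the port-allocation scheme is an assumption made only to keep the model small.

```python
"""Model of the two NAT behaviours on slide 26: a public gateway (many-to-1
source NAT shared by a subnet) and a floating IP (1-to-1 NAT for one vNIC).

Added example, not IBM Cloud code; the addresses are constructed from the
documentation ranges (RFC 5737 public, RFC 1918 private)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Flow = Tuple[str, int, str, int]  # (private ip, private port, remote ip, remote port)


class PublicGateway:
    """Many-to-1 NAT: every instance on the subnet shares one public address.
    Outbound flows are recorded; an inbound packet is translated back only if
    it is the reply to a recorded flow, so the internet cannot open a
    connection to an instance through the gateway."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._next_port = first_port          # sequential allocation: an assumption
        self._by_flow: Dict[Flow, int] = {}
        self._by_port: Dict[int, Flow] = {}

    def outbound(self, pkt: Packet) -> Packet:
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._by_flow.get(flow)
        if port is None:  # new flow: allocate the next free public port
            port = self._next_port
            self._next_port += 1
            self._by_flow[flow] = port
            self._by_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the de-translated packet, or None when it must be dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self._by_port.get(pkt.dst_port)
        # No recorded flow, or a different remote endpoint than the instance
        # talked to: this is an unsolicited connection attempt, drop it.
        if flow is None or (pkt.src_ip, pkt.src_port) != (flow[2], flow[3]):
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])


class FloatingIP:
    """1-to-1 NAT between one public address and one instance's private vNIC
    address, in both directions; inbound connections reach the instance (and
    are then subject to its security groups, slide 34)."""

    def __init__(self, public_ip: str, private_ip: str) -> None:
        self.public_ip = public_ip
        self.private_ip = private_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip != self.private_ip:
            return None
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.public_ip:
            return None
        return Packet(pkt.src_ip, pkt.src_port, self.private_ip, pkt.dst_port)


if __name__ == "__main__":
    pgw = PublicGateway("203.0.113.10")
    out = pgw.outbound(Packet("172.16.0.4", 40000, "198.51.100.7", 443))
    print("PGW outbound   :", out)
    print("PGW reply      :", pgw.inbound(Packet("198.51.100.7", 443, "203.0.113.10", out.src_port)))
    print("PGW unsolicited:", pgw.inbound(Packet("198.51.100.9", 5555, "203.0.113.10", 22)))
    fip = FloatingIP("203.0.113.20", "172.16.0.5")
    print("FIP inbound    :", fip.inbound(Packet("198.51.100.9", 5555, "203.0.113.20", 22)))
```

Attaching a floating IP therefore changes an instance's exposure in a way a public gateway never does: the instance becomes reachable from the internet, and the only thing standing in front of it is its security group, so a FIP assignment is worth treating as a change that needs review.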
27. Internet Connectivity (diagram slide)

28. VPNaaS
• VPN is the default solution for connecting two VPCs, provided their IP address ranges do not overlap.
• IBM Cloud VPN for VPC only supports policy-based routing.

29. Load Balancer for VPC
• Load Balancer for VPC operates at the regional level.
• The backend instances for the load balancer have to be within the VPC; IP-based backends are not supported, because VSI IP addresses might change.
• Load Balancer for VPC supports private, public and layer-7 load balancing, with SSL offloading at the load balancer for HTTPS connections.

30. Classic Access
• A VPC can be enabled for connectivity with the classic infrastructure, including Direct Link connectivity, during VPC creation; it is then called a "Classic Access VPC".
• There can be only one Classic Access VPC per region per account.
• These special Classic Access VPCs use the same routing capability (implicit router) as your IBM Cloud classic infrastructure.
• When a VPC is set up for classic access, every compute host (VSI or bare metal) without a public interface in your classic account can send and receive packets to and from the Classic Access VPC.
• The classic account must be converted to VRF before classic access can be enabled for the VPC.
• The classic account can be converted to VRF by opening a support case with the IBM Cloud network engineering team.

31. Classic Access (contd.)
• All subnets in a VPC with classic access are shared into the classic infrastructure VRF, which uses IP addresses in the 10.0.0.0/8 space.
• To avoid IP address conflicts, do not use addresses from 10.0.0.0/8 when creating subnets in a Classic Access VPC.
• Create a Classic Access VPC from the Create VPC page by ticking the checkbox "Enable access to classic resource" under the "Classic access" label.
• There are no data transfer charges between VPC and classic infrastructure.
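The addressing rules of slides 24, 25 and 31 (subnets are zone-scoped and must sit inside a zone address prefix, at most five prefixes per zone, a subnet may not consume a whole prefix, and a Classic Access VPC must stay out of 10.0.0.0/8) are the kind of thing worth checking before anything is provisioned, since a subnet cannot be moved afterwards. The validator below is an added example, not IBM Cloud code or the deck author's: the zone names and CIDRs are constructed, and the check that two subnets do not overlap is a general networking sanity check rather than a rule stated on the slides.

```python
"""Checks a planned VPC address layout against the rules on slides 24, 25 and
31: subnets are zone-scoped and must sit inside a zone address prefix, at most
five prefixes per zone, a subnet may not consume a whole prefix, and a Classic
Access VPC must stay out of 10.0.0.0/8.

Added example, not IBM Cloud code. Zone names and CIDRs are constructed; the
subnet-overlap check is a general networking sanity check, not a slide rule."""
import ipaddress
from typing import Dict, List, Tuple

MAX_PREFIXES_PER_ZONE = 5                               # slide 25
CLASSIC_VRF_SPACE = ipaddress.ip_network("10.0.0.0/8")  # slide 31


def validate_plan(prefixes: Dict[str, List[str]], subnets: List[dict],
                  classic_access: bool = False) -> List[str]:
    """prefixes maps zone -> list of address-prefix CIDRs; each subnet is a dict
    with 'name', 'zone' and 'cidr'. Returns a list of problems (empty = valid)."""
    problems: List[str] = []
    zone_nets: Dict[str, List[ipaddress.IPv4Network]] = {}
    for zone, cidrs in prefixes.items():
        if len(cidrs) > MAX_PREFIXES_PER_ZONE:
            problems.append(f"{zone}: {len(cidrs)} address prefixes, maximum is {MAX_PREFIXES_PER_ZONE}")
        zone_nets[zone] = [ipaddress.ip_network(c) for c in cidrs]

    placed: List[Tuple[str, ipaddress.IPv4Network]] = []
    for s in subnets:
        net = ipaddress.ip_network(s["cidr"])
        zone = s["zone"]
        if zone not in zone_nets:
            problems.append(f"{s['name']}: zone {zone} has no address prefix")
            continue
        # A subnet lives in exactly one zone and must fit a prefix of that zone.
        parents = [p for p in zone_nets[zone] if net.subnet_of(p)]
        if not parents:
            problems.append(f"{s['name']}: {net} is not inside any {zone} address prefix")
        elif net == parents[0]:
            problems.append(f"{s['name']}: {net} uses the entire zone prefix")
        # Classic VRF shares 10.0.0.0/8 into a Classic Access VPC (slide 31).
        if classic_access and net.overlaps(CLASSIC_VRF_SPACE):
            problems.append(f"{s['name']}: {net} collides with the classic VRF space {CLASSIC_VRF_SPACE}")
        # General sanity check: two subnets of one VPC must not overlap.
        for other_name, other in placed:
            if net.overlaps(other):
                problems.append(f"{s['name']}: {net} overlaps {other_name} ({other})")
        placed.append((s["name"], net))
    return problems


# Constructed sample plan: two zones of one region, outside 10.0.0.0/8 so it
# could later be enabled for classic access.
SAMPLE_PREFIXES = {"us-south-1": ["172.16.0.0/18"], "us-south-2": ["172.16.64.0/18"]}
GOOD_SUBNETS = [
    {"name": "web-1", "zone": "us-south-1", "cidr": "172.16.0.0/24"},
    {"name": "db-1", "zone": "us-south-1", "cidr": "172.16.1.0/24"},
    {"name": "web-2", "zone": "us-south-2", "cidr": "172.16.64.0/24"},
]

if __name__ == "__main__":
    print("good plan:", validate_plan(SAMPLE_PREFIXES, GOOD_SUBNETS, classic_access=True))
    bad = [
        {"name": "whole-zone", "zone": "us-south-1", "cidr": "172.16.0.0/18"},
        {"name": "wrong-zone", "zone": "us-south-2", "cidr": "172.16.2.0/24"},
        {"name": "classic-clash", "zone": "us-south-1", "cidr": "10.1.0.0/24"},
    ]
    for problem in validate_plan(SAMPLE_PREFIXES, bad, classic_access=True):
        print("problem:", problem)
```

The classic-access check is the one to run early: the slide's advice to keep a Classic Access VPC out of 10.0.0.0/8 is easy to follow at design time and hard to retrofit once subnets carry instances.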
32. Service Endpoints
With IBM Cloud service endpoints, you can connect to IBM Cloud services over the IBM Cloud private network.

33. Enabling Service Endpoints
Enabling service endpoints takes two steps:
1) Convert the classic account to VRF by opening a support case with the IBM Cloud network team.
2) Enable the service endpoints through the command line.

34. Security in VPC Infrastructure
| | Security groups | ACLs |
|---|---|---|
| Control level | VSI instance | Subnet |
| State | Stateful: once an inbound connection is permitted, the reply is allowed | Stateless: both inbound and outbound connections must be explicitly allowed |
| Supported rules | Allow rules only | Allow and deny rules |
| How rules are applied | All rules are considered | Rules are processed in sequence |
| Relationship to the associated resource | An instance can be associated with multiple security groups | Multiple subnets can be associated with the same ACL |
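The four rows of the slide 34 table each change what a packet filter does, and the easiest way to see the consequences is to push one connection through both layers. The simulation below is an added example, not IBM Cloud code or the deck author's: the addresses and rules are constructed, and two details the slide does not state are modelling assumptions, namely that an ACL denies when no rule matches and that a rule's port range refers to the destination port.

```python
"""Simulates the two filtering layers on slide 34: a security group (instance
level, stateful, allow-only, every rule considered) and a network ACL (subnet
level, stateless, allow and deny, processed in sequence, first match decides).

Added example, not IBM Cloud code. Addresses are constructed; "no matching
rule means deny" for the ACL and "port range refers to the destination port"
are modelling assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str           # "inbound" or "outbound"
    action: str              # "allow" or "deny"
    remote: str              # CIDR of the remote endpoint
    proto: str = "all"       # "tcp", "udp", "icmp" or "all"
    port_min: int = 0        # destination port range (assumption)
    port_max: int = 65535

    def matches(self, direction: str, remote_ip: str, pkt: Packet) -> bool:
        return (self.direction == direction
                and self.proto in ("all", pkt.proto)
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote)
                and self.port_min <= pkt.dst_port <= self.port_max)


class SecurityGroup:
    """Attached to one instance. Any allow rule permits a packet, and the
    connection it belongs to is then tracked so replies pass without a rule."""

    def __init__(self, instance_ip: str, rules: List[Rule]) -> None:
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups use allow rules only")
        self.instance_ip = instance_ip
        self.rules = list(rules)
        self._conntrack: Set[Tuple] = set()

    def permits(self, pkt: Packet) -> bool:
        # The same key identifies both directions of one connection.
        key = (pkt.proto, frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)}))
        if key in self._conntrack:
            return True  # reply to an already-permitted connection
        if pkt.dst_ip == self.instance_ip:
            direction, remote = "inbound", pkt.src_ip
        else:
            direction, remote = "outbound", pkt.dst_ip
        if any(r.matches(direction, remote, pkt) for r in self.rules):
            self._conntrack.add(key)
            return True
        return False


class NetworkACL:
    """Attached to a subnet. Rules are walked in order and the first match
    decides; nothing is remembered, so the reply direction needs its own rule."""

    def __init__(self, subnet_cidr: str, rules: List[Rule]) -> None:
        self.subnet = ipaddress.ip_network(subnet_cidr)
        self.rules = list(rules)

    def permits(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.dst_ip) in self.subnet:
            direction, remote = "inbound", pkt.src_ip
        else:
            direction, remote = "outbound", pkt.dst_ip
        for rule in self.rules:
            if rule.matches(direction, remote, pkt):
                return rule.action == "allow"
        return False  # implicit deny (assumption of this model)


# Constructed rules for the scenario below.
INBOUND_SSH = Rule("inbound", "allow", "198.51.100.0/24", "tcp", 22, 22)
EPHEMERAL_REPLIES = Rule("outbound", "allow", "198.51.100.0/24", "tcp", 1024, 65535)
BLOCK_ONE_HOST = Rule("inbound", "deny", "198.51.100.7/32")


def ssh_session(acl_rules: List[Rule]) -> Tuple[bool, bool, bool, bool]:
    """Push a constructed SSH request and its reply through a security group
    that allows only inbound 22, and through an ACL with the given rules.
    Returns (sg_request, sg_reply, acl_request, acl_reply)."""
    request = Packet("198.51.100.7", 50000, "172.16.0.4", 22)
    reply = Packet("172.16.0.4", 22, "198.51.100.7", 50000)
    sg = SecurityGroup("172.16.0.4", [INBOUND_SSH])
    acl = NetworkACL("172.16.0.0/24", acl_rules)
    return sg.permits(request), sg.permits(reply), acl.permits(request), acl.permits(reply)


if __name__ == "__main__":
    print("ACL with inbound rule only :", ssh_session([INBOUND_SSH]))
    print("ACL with reply rule added  :", ssh_session([INBOUND_SSH, EPHEMERAL_REPLIES]))
    print("ACL deny before allow      :", ssh_session([BLOCK_ONE_HOST, INBOUND_SSH, EPHEMERAL_REPLIES]))
    print("ACL deny after allow       :", ssh_session([INBOUND_SSH, BLOCK_ONE_HOST, EPHEMERAL_REPLIES]))
```

Two things the table states show up directly in the results: the security group passes the reply with only an inbound rule while the ACL silently drops it until an outbound rule for the ephemeral port range exists, and a deny rule in an ACL only takes effect if it is ordered before the allow it is meant to override.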
  • 35. IBM Confidential | © 2018 IBM Corporation 35 Big Picture
  • 36. 36IBM Confidential | © 2018 IBM Corporation Demo
  • 37. • IBM Cloud Overview • IAM • Account Management • VPC Components & Demo • Virtual Servers for VPC • Limitations in Discussion
  • 38. IBM Confidential | © 2018 IBM Corporation 38 Virtual Server Instances ( VSI) VSIs come with 3 family options : Balanced , CPU and Memory, with predefined configuration called "Profiles" AWS On demand Instances vs IBM Cloud Public Virtual server AWS Spot Instances vs IBM Cloud Transient Virtual server AWS Dedicated instances vs IBM Cloud Dedicated Virtual server AWS Reserved Instances vs IBM Cloud reserved virtual server IBM Cloud VPC Infrastructure supports only public virtual servers today
  • 39. IBM Confidential | © 2018 IBM Corporation 39 Virtual Server Instances ( contd..) We need to generate SSH keys before creating a VSI Each Network interface of a VSI can be part of different subnet within an AZ You cannot designate the specific IP address of the VSI. You can only specify the IP range for the subnet. Once you attach a VSI to a subnet, the system assigns a private IP from that subnet No Auto scaling groups !!!!
  • 40. Images for VSIs
    Only the stock images below are supported:
    CentOS 7.x
    Debian 8.x, 9.x
    Red Hat Enterprise Linux 7.x
    Ubuntu 16.04, 18.04
    Windows 2012, 2012 R2, 2016
    Images are cloud-init enabled, so we can pass user data
    Instances require an image that supports Hardware Virtual Machine (HVM) boot mode
  • 41. Storage for VSIs
    When you create an instance, a 100 GB boot volume is automatically created and attached to the instance with a maximum of 3000 IOPS
    We can't customize the size of the boot volume
    Secondary block storage data volumes can be attached to any available instance within your region, with a maximum size of 2 TB
    Storage volumes are always encrypted, using IBM-managed encryption keys
    While creating secondary block storage volumes, we can choose among three predefined IOPS profiles:
    1. 3 IOPS per GB (General workload)
    2. 5 IOPS per GB (CPU Intense)
    3. 10 IOPS per GB (Memory Intense)
    Apart from the predefined IOPS profiles, we can also choose custom IOPS from 100 to 20000 IOPS, depending on the volume size
  • 43. Limitations
    • No VPC peering
    • No robust monitoring, activity history and logging solution for VPC Infrastructure
    • No custom image creation
    • No resizing of the VSI
    • No block storage snapshot backups
    • VPC is not supported in the Washington, DC region
    • We can't create custom roles or IAM policies
    • IPv6 support is not available
    • We can't BYOIP on floating IPs
    • There is no refresh button in the web console
    • We can update the VPC routing table only through the VPC routes API
    • VPC flow logs are not available
    • No autoscaling
    These limitations don't cover PaaS services and are specific to VPC-related services only
  • 44. Limitations (contd.)
    • Only limited stock images
    • Block storage can be up to 2 TB only
    • Password authentication is not supported, and we can't generate keys in the console
    • We can't customize the size of the boot volume
    • No mention of local storage for VMs
    • No DHCP options
    • Limited VSI profiles and VSI types
    • No placement groups
    • No visibility into HDD/SSD disk type options
    • No support for IP-based load balancing or multi-regional load balancing
    • No native cloud orchestration and configuration management tool
    • Direct Link can be leveraged only through Classic Infrastructure
    • No integration of IAM with Active Directory services
    • IBM Cloud Enterprise is limited to cost and billing management
    These limitations don't cover PaaS services and are specific to VPC-related services only
  • 45. Conclusion
    IBM Cloud VPC Infrastructure is still in the making, with a lot of potential for innovation and for catching up with other market leaders