IBM webMethods Hybrid Integration

IBM webMethods Hybrid Integration

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.



#Automation

 View Only

How to Connect AWS Applications to IBM webMethods Hybrid Integration App Connect Capability using AWS PrivateLink

By Daniel Curry posted 25 days ago

  

Overview

IBM webMethods Hybrid Integration allows the creation of integrations using the IBM App Connect capability. By default, integration flows running in App Connect are accessible via public internet endpoints. However, many enterprise customers require their internal applications to securely access these integration flows without exposing them to the public internet.

This article demonstrates how to enable ingress connectivity - allowing applications running in a customer's private AWS VPC to securely call App Connect integration flows using AWS PrivateLink. When using this approach, the App Connect endpoints are only accessible from the customer's private network and are not exposed to the public internet.

This enables enterprise-grade security for integration scenarios where internal applications need to invoke cloud-based integration flows while maintaining complete network isolation.

Use Case Scenario

A financial services company operates a loan processing system that has strict requirements for secure networking connectivity. They want to leverage IBM App Connects powerful integration capabilities to:

  1. Validate loan applications by calling multiple partner APIs.
  2. Enrich customer data by integrating with data from the company's systems of record.
  3. Send notifications through various channels (email, SMS, webhooks).
  4. Archive documents to cloud storage services.

However, their security requirements mandate that:

  • The loan processing application must remain in their private VPC.
  • No public internet exposure of integration endpoints.
  • All traffic must flow through private, encrypted connections.
  • Compliance with financial industry regulations.

The solution uses AWS PrivateLink to create a private connection from their VPC to the App Connect service, allowing their loan processing application to securely invoke integration flows without any public internet exposure.

Architecture Flow

[Loan Processing App] → [Private Subnet] → [VPC Endpoint] → [AWS PrivateLink] → [VPC Endpoint Service] → [App Connect Integration Runtime] → [External APIs/Services]

Key Components:

  1. Customer VPC: Contains the loan processing application in a private subnet.
  2. VPC Endpoint: AWS PrivateLink endpoint in the customer's VPC.
  3. Route53 Private Hosted Zone: DNS configuration for private access.
  4. VPC Endpoint Service: Configured in the App Connect/IWHI environment.
  5. App Connect Runtime: Hosts the integration flows that process requests.
  6. External Services: Third-party APIs accessed by the integration flows.

The integration flow receives loan application data from the private application, orchestrates calls to multiple external services (credit bureaus, document storage, notification services), and returns the consolidated results - all while maintaining the security boundary of the customer's private network.

Prerequisites

To follow this tutorial and set up a similar system, you will need:

  1. One of these Required Role(s) in webMethods Hybrid Integration:
    • Service admin: Enables you to manage capabilities in a specific environment.
    • iPaaS admin: Enables you to manage capabilities across all environments in a specific subscription.
    • For more information about permissions, see the Roles documentation .

  2. Enable Private Network Connections and App Connect Capabilities:
    • You must have the App Connect capability enabled and added to your environment.
    • You must have the Private network connections capability enabled and added to your environment.
    • For more information, see Configuring private network connections .

  3. AWS Account Access with permissions to:
    • Create and manage VPCs.
    • Create VPC Endpoints (Interface Endpoints).
    • Create and manage Route53 Private Hosted Zones.
    • Configure security groups.
    • Create IAM roles (for service consumer ARN).
    • Launch EC2 instances (for testing).

  4. Familiarity with AWS PrivateLink:
  5. Important Restrictions:
    • Private network connections are not currently available in Microsoft Azure regions.
    • You can only create private network connections within the same region as your App Connect environment.
    • To view your environment region, click Manage capabilities → Environment details tab.
    • This guide focuses specifically on App Connect capability private network connections.

Architecture Overview

The complete architecture for ingress connectivity looks like this:

Ingress connectivity architecture

Traffic Flow:

  1. Application in customer's private subnet makes HTTPS request to integration endpoint.
  2. DNS query resolves to VPC Endpoint private IP via Route53 Private Hosted Zone.
  3. Request is routed to VPC Endpoint (Interface Endpoint) in the same VPC.
  4. AWS PrivateLink securely forwards the request to the VPC Endpoint Service.
  5. Network Load Balancer distributes traffic to App Connect runtime instances.
  6. Integration flow processes the request and returns response through the same private path.

Implementation Guide

This tutorial will guide you through the complete setup process following the official IBM webMethods Hybrid Integration workflow. The process involves:

  1. Configure the inbound connection in IWHI - Start the wizard and provide your AWS account details.
  2. Wait for environment preparation - IWHI prepares the VPC Endpoint Service.
  3. Create VPC infrastructure in AWS - Set up VPC, subnets, and VPC Endpoint.
  4. Create Route53 Private Hosted Zone - Configure DNS for private access.
  5. Complete the connection - Finish the wizard and verify connectivity.
  6. Deploy and test - Create integration flows and test from your VPC.

Step 1: Start the Configure Inbound Connection Wizard in IWHI

1.1: Access Private Network Connections

  1. Log into your IBM webMethods Hybrid Integration console.
  2. On the main menu, click Private network connections.
    Private Network Connections
  3. On the Private network connections tab, click Create.
  4. Select the AWS PrivateLink (Inbound) tile.
  5. (Optional) You can use the default name for the connection or create your own.
    • Names must start and end with a lowercase alphanumeric character.
    • Names must be between 2-20 characters.
    • Example: "loan-app-ingress".
      Select Tile
  6. Click Next
    • The Configure inbound connection wizard opens.

▸ 1.2: Enter AWS Account Details

  1. In the wizard, you'll be prompted to enter your AWS account details.Enter Account Details
  2. Enter the Amazon Resource Name (ARN) of the service consumer:
    • The service consumer is the AWS account where the private endpoint will be created.
    • Providing the ARN means that connection requests from your AWS account will be automatically accepted.
    • You can create an AWS IAM role to use as the service consumer.

    ARN Format:
    For more information about AWS ARN formats, see Amazon Resource Names in the AWS documentation.

    Example:
    arn:aws:iam::123412341234:user/samsmith

    For more information about creating IAM roles, see IAM role creation in the AWS documentation.
  3. Click Next

▸ 1.3: Wait for Environment Preparation

  1. The wizard will display a message: "Preparing environment".
    Preparing Environment.
  2. Your webMethods Hybrid Integration environment is being prepared so that it can be called by an AWS PrivateLink endpoint.
  3. This process typically takes 3-5 minutes.
  4. You can use this time to familiarize yourself with the AWS documentation about how to create a VPC endpoint .
  5. When the status message updates to "Environment is ready", click Next.
    Environment is ready

    The wizard will now display the "Set up connections" page with the information you need to configure AWS resources.

1.4: Note the Connection Details

On the "Set up connections" page, you'll see the following information that you'll need for AWS configuration:

  1. Service name: A unique identifier for your webMethods Hybrid Integration environment.
    • Format: "com.amazonaws.vpce.{region}.vpce-svc-{service-id}".
    • Example: "com.amazonaws.vpce.eu-central-1.vpce-svc-0a1b2c3d4e5f6g7h8".
    • Copy and save this - you'll need it to create the VPC Endpoint.

  2. Private DNS name: The DNS name pattern for accessing App Connect runtimes.
    • Format: "*.private.{environment-id}.appconnect.ipaas.ibmappdomain.cloud".
    • Example: "*.private.a-vir-s1.appconnect.ipaas.ibmappdomain.cloud".
    • The "*" represents the App Connect runtime hostname.

  3. Domain name: The base domain for the Route53 hosted zone.
    • This is the last part of the Private DNS name.
    • Example: "ipaas.ibmappdomain.cloud".

  4. Record name: The subdomain for the DNS record.
    • This is the first part of the Private DNS name.
    • Example: "*.private.a-vir-s1.appconnect".
      Set up Connection

      Create a private hosted zone
    Keep this page open - you'll refer to it while configuring AWS resources.

Step 2: Create VPC Infrastructure in AWS

Now you'll create the necessary AWS infrastructure to connect to the IWHI environment.

▸ Naming Convention

For this tutorial, we'll use the naming prefix "loan-app" for all AWS components. Feel free to replace this with your own naming convention.

▸ 2.1: Create VPC and Subnets

If you don't already have a VPC, create one:

  1. Log into your AWS Console and navigate to the VPC service.
  2. Ensure you're in the correct region (must match your IWHI instance region).
  3. Click Create VPC and select VPC and more.
  4. Configure the VPC:
    • Name tag auto-generation: "loan-app-vpc".
    • IPv4 CIDR block: "10.0.0.0/16".
    • IPv6 CIDR block: No IPv6 CIDR block.
    • Tenancy: Default.
  5. Configure subnets:
    • Number of Availability Zones: 1.
    • Number of public subnets: 1.
    • Number of private subnets: 1 (for applications).
  6. Configure NAT Gateway:
    • This allows private subnet instances to access the internet for updates.
    • Ignoring for this tutorial as no need for our VPC to call the public Internet.
  7. DNS options:
    • Enable DNS hostnames: Yes.
    • Enable DNS resolution: Yes.
  8. Click Create VPC.
    Create VPC
    Resource Map

▸ 2.2: Create VPC Endpoint

Now create the Interface VPC Endpoint that connects to the IWHI App Connect service:

  1. In the VPC console, navigate to Endpoints in the left sidebar.
    Endpoints
  2. Click Create endpoint.
  3. Endpoint settings
    Name tag:
    • Provide a name tag that describes your new endpoint.
    • Example: "loan-app-appconnect-endpoint".
    • This represents the webMethods Hybrid Integration environment and that it's an inbound service.
    Type:
    • Select Endpoint services that use NLBs and GWLBs.
    Service name:
    • Copy the Service name from the "Set up connections" page in the IWHI wizard.
    • Paste it into the Service name field in AWS.
    • Example: "com.amazonaws.vpce.eu-central-1.vpce-svc-0a1b2c3d4e5f6g7h8".
    • Click Verify service.
    • You should see a message: "Service name verified".
    VPC:
    • Select your VPC (e.g., "loan-app-vpc").
    • Subnets: Select the private subnets where your applications will run.
    • Choose subnets in multiple AZs for high availability, for our case we just have the one private subnet available: "loan-app-vpc-subnet-private1-us-east-1b".
    DNS options:
    • Enable private DNS name: false (we'll use Route53 for DNS).
      Create Endpoint
  4. Security groups:
    • Create a new security group or select an existing one that allows similar traffic.

    Inbound rules must allow:
    • Type: HTTPS.
    • Protocol: TCP.
    • Port: 443.
    • Source: Your VPC CIDR (e.g., "10.0.0.0/16") or specific application security groups.
    Outbound rules:
    • Type: All traffic.
    • Destination: "0.0.0.0/0".

      Create Security Group
      Security Groups
  5. Click Create endpoint.
    Create Endpoint


    The endpoint creation will take 5-10 minutes. The status will change from "Pending" to "Available".

    Note the VPC Endpoint ID - you'll need it for the Route53 configuration. It will look like:

    vpce-0d0c61697f89a5660

Step 3: Create Route53 Private Hosted Zone

Now you'll create a private hosted zone with DNS records that point to your VPC Endpoint.

▸ 3.1: Create the Hosted Zone

Hosted Zone
  1. In the AWS Console, navigate to Route53.
  2. In the left sidebar, click Hosted zones.
  3. Click Create hosted zone.
  4. Hosted zone configuration:

    Domain name:
    • Copy the domain name from the "Set up connections" page in the IWHI wizard.
    • Paste it into the Domain name field - be sure to remove the asterisk prefix.
    • This is the last part of the Private DNS name value.
    • Example: "private.a-vir-s1.appconnect.ipaas.ibmappdomain.cloud".

    Description (optional):
    • Provide a description of the domain.
    • Example: "Private hosted zone for App Connect integration endpoints".

    Type:
    • Select Private hosted zone.

    VPCs to associate with the hosted zone:
    • Region: Select your region (e.g., "us-east-1").
    • VPC ID: Select your VPC (e.g., "loan-app-vpc").

  5. Click Create hosted zone.
    Create Hosted Zone

Step 4: Complete the Connection in IWHI

Now return to the IWHI wizard to complete the configuration:

  1. Return to the Configure inbound connection wizard in the IWHI console.
  2. You should still be on the "Set up connections" page.
  3. After completing the AWS configuration (VPC Endpoint and Route53), click Finish.
  4. The wizard closes and you're returned to the Private network connections page.
  5. Your new AWS PrivateLink (Inbound) connection is listed in the table with a status of "Waiting for endpoint availability".
  6. After the interface VPC Endpoint is fully available in AWS (usually 5-10 minutes), the status will change to "Ready".
    Status

    Troubleshooting: If the connection status shows "Error":
    • Hover your cursor over the error icon to view the error message.
    • Click the options menu (three dots) and select View details to review the connection properties.

    Common issues:
    • VPC Endpoint not in "Available" state.
    • If needed, delete the connection and create a new one with the correct configuration.

    Step 5: Deploy Integration Flow

    Now that the private connection is established, let's deploy an integration flow in App Connect that we can test calling over the private link connection. You can deploy flows authored in both Designer or Toolkit, and for purposes of this example we will use Designer.

    ▸ 5.1: Create a Sample Integration Flow

    1. Log into the IWHI App Connect Designer.
    2. Create a new flow for API:
      • Name: "Loan Validation API".
      • Model: loan.
        create a flow for an API
    3. Let’s add a property for creditScore to the loan model.
      add a property
    4. Add an Operation to create a new Loan:
      add an operation
    5. Now implement the flow - for a production case this is where you would be adding the integration logic for validating input data, calling other services required for the loan validation etc. In our case we will simply get the flow to return a static data response so we can test the API call quickly.

      Implement the flow
    6. Save and test the flow in the Designer.

    ▸ 5.2: Deploy the Flow

    1. In the App Connect Designer, click Deploy.
    2. Select deployment options:
      • Runtime: Create a new runtime or deploy to an existing one.
    3. Click Deploy.
      Deploy

      The deployment will take 2-3 minutes. Once deployed, note the runtime hostname (e.g., "runtime-abc123").

    ▸ 5.3: Configure API Security

    1. Navigate to Manage → Runtimes.
    2. Select your Runtime.
    3. Navigate to the Security tab - here take note of the public Host of the Runtime, as well as the BasicAuth credentials required to call the runtimes endpoint.
      Select runtime

    ▸ 5.4: Construct the Private Endpoint URL

    Your integration flow will soon be accessible via the private DNS name:

    URL Format:

    https://{runtime-hostname}.private.{environment-id}.appconnect.ipaas.ibmappdomain.cloud/{base-path}/{endpoint}

    Example:

    The public URL:

    https://loan-service-https-acdev6375817.a-vir-s1.appconnect.ipaas.ibmappdomain.cloud

    The private URL:

    https://loan-service-https-acdev6375817.private.a-vir-s1.appconnect.ipaas.ibmappdomain.cloud

    Where:

    • "loan-service-https-acdev6375817" is your App Connect runtime hostname.
    • "a-vir-s1" is your environment ID.
    • "appconnect" is the capability.
    • "ipaas.ibmappdomain.cloud" is the base domain.

    The final step is to configure a DNS CNAME record within the Private Hosted Zone we created in Route53 earlier. This will forward traffic for the runtime's private endpoint through the VPC Endpoint to the connected Endpoint Service for your IWHI instance.

    Step 6: Create DNS Records per flow endpoint

    ▸ 6.1: Create DNS Record

    Now create a CNAME record that points to your VPC Endpoint:

    1. Open the hosted zone you created previously.
      hosted zone
    2. Click Create record.
    3. Record configuration:

      Record name:
      • This will be your runtime hostname from before - in my case that was:
        ‘loan-service-https-acdev6375817’.

      Record type:
      • Select CNAME.

      Alias:
      • Toggle Alias to Off.
      • Set the value to the DNS Name on the Endpoint Service we created earlier - in my case it was:
        "vpce-0d0c61697f89a5660-jmwu8f09.vpce-svc-01103498bb801b6dd.us-east-1.vpce.amazonaws.com".

      Routing policy:
      • Ensure Simple routing is selected.

    4. Click Create records.
      Create records

      Note: This DNS record enables private access to the specific App Connect runtime we setup in our IWHI App Connect instance. To route additional runtimes, you will need to create additional DNS records. Each record should be for a unique VPC endpoint.

    Step 7: Test from Customer VPC

    Now let's test the connection from an application running in your private VPC.

    ▸ 7.1: Launch EC2 Instance in Private Subnet

    Launch EC2
    1. In the AWS Console, navigate to EC2 → Instances.
    2. Click Launch instance.
    3. Configure the instance:
      • Name: "loan-app-test-instance".
      • AMI: Amazon Linux 2023.
      • Instance type: t3.micro (free tier eligible).
      • Key pair: Create or select an existing key pair.
    4. Network settings:
      • VPC: "loan-app-vpc".
      • Subnet: Select a private subnet (e.g., "loan-app-vpc-subnet-private1-us-east-1b").
      • Auto-assign public IP: Enable (Only for our SSH testing).
      • Security group: Create new or select existing.
      • Inbound rules: Allow SSH from My IP for SSH access to test.
      • Outbound rules: Allow HTTPS (443) to VPC Endpoint security group.

        Launch an Instance
        Network Settings
    5. Click Launch instance.

    ▸ 7.2: Connect to the Instance

    As a temporary measure to enable SSH connections from outside the VPC - you can configure the Route table for the private subnet your application is running to accept a destination for the Internet Gateway that will have been created at the VPC creation time.

    Route table

    If you do not wish to configure this as a temporary measure, there are alternative ways to connect via:

    • AWS Systems Manager Session Manager.
    • Bastion host in public subnet.
    • VPN connection to your VPC.

    Please seek AWS documentation for these approaches.

    Using SSH:

    1. In the EC2 console, select the instance.
    2. Ensure the instance is active and running.
    3. Click Connect → Session Manager → Connect.
    4. SSH client will provide instructions to SSH connect to the Instance with the PEM key setup at EC2 creation time.
      Instance

    ▸ 7.3: Test HTTPS Connectivity

    Once you have used SSH to connect to the EC2 instance, we can test some basic curl commands to verify connections to the runtimes endpoints over AWS PrivateLink.

    Test HTTPS connectivity

    Curl Command:

    curl -v https://loan-service-https-acdev6375817.a-vir-s1.appconnect.ipaas.ibmappdomain.cloud/Loan_Validation_API/loan

    You should receive an authentication error (401 or 403), which confirms the endpoint is reachable. This authentication error means the request has reached your runtime. If it didn't reach the runtime you would likely see the request hang (timeout) or a network error response.

    Expected response:

    response

    ▸ 7.4: Test the Integration API

    Now test with proper authentication.

    Call the API

    A reminder that the Basic Authenticated Header for the request can be found under the Security tab for the Runtime in App Connect:

    Security Tab
    Curl Command:

    curl -X POST https://loan-service-https-acdev6375817.a-vir-s1.appconnect.ipaas.ibmappdomain.cloud/Loan_Validation_API/loan --header 'Authorization: BASIC_AUTH_HEADER'

    Note: curl can also be used with the -u option followed by the username, which will then prompt you to enter the password

    Expected response:

    image

    Step 8: Disabling Public Routes

    To ensure your runtime is not exposed via any routes over the public internet, you can disable the public routes for all runtimes in your instance.

    ▸ 8.1: Public connections toggle

    Navigate to the Private network connections page, click Connect → Private network connections in your App Connect instance. Here you will find a toggle to disable public routes for all runtimes belonging to your instance.

    image

    This will ensure only ingress traffic over AWS PrivateLink can now reach your runtime.

    Conclusion

    This guide demonstrated how to set up secure ingress connectivity from a customer-owned AWS VPC to IBM webMethods Hybrid Integration App Connect using AWS PrivateLink.

    ▸ Key Takeaways

    1. Private connectivity enables secure integration scenarios for enterprise applications.
    2. AWS PrivateLink provides a robust, scalable solution for private networking.
    3. Proper security configuration is essential for production deployments and the security group configurations in this guide are not strictly best practice but follow the most simplistic path to a secure demonstration of PrivateLink ingress.

    ▸ Additional Resources

    0 comments
    41 views

    Permalink

    https://community.ibm.com/community/user/blogs/daniel-curry/2026/03/12/aws-apps-to-iwhi-app-connect-via-privatelink