Cloud Infrastructure as a Service

IBM Cloud Tekton Delivery Pipeline to VSI Connectivity (Without GPVPN): Technical Overview

By Kowsalya V posted Mon December 22, 2025 10:01 AM

Overview:

IBM Cloud Delivery Pipeline provides a managed CI/CD platform for automating infrastructure and application operations. In certain automation scenarios, pipelines must securely connect to Virtual Server Instances (VSIs) hosted in IBM Cloud VPC. Traditionally, this access is enabled using GPVPN.

However, for non-interactive, automation-driven workflows, secure connectivity can be achieved without GPVPN by leveraging VPC Network Access Control Lists (ACLs).

Delivery pipelines in IBM Cloud execute from known, region-specific IP address ranges. This makes direct pipeline-to-VSI connectivity possible without GPVPN, using the predefined delivery pipeline CIDR ranges together with subnet-level ACL enforcement. By explicitly allowing these CIDRs at the VPC subnet boundary, VSIs can be accessed securely for automation tasks such as patching, backups, configuration management and health checks. All access remains controlled and limited to pipeline execution.

Problem statement - Existing Connectivity Model (GPVPN-Based Access):

IBM Cloud Virtual Server Instances (VSIs) are commonly accessed through GPVPN to ensure secure connectivity from external systems, including automation pipelines. GPVPN provides encrypted tunnels, centralized control and strong security guarantees, making it suitable for interactive administrator access and compliance-related workloads.

However, when applied to automation delivery pipelines, this model introduces challenges that go beyond the actual access requirements of a non-interactive workflow.

Solution and how it works:

IBM Cloud Delivery Pipelines run from known, region-specific IP ranges. By allowing only these CIDR ranges at the VSI subnet ACL level, we can enable direct, controlled access - without opening the network broadly or using VPNs.

The connectivity model follows a clear, step-by-step sequence:

1. Identify the subnet hosting the target VSI.

2. Obtain the delivery pipeline CIDR ranges for the corresponding region (refer to the IBM docs).

3. Configure inbound ACL rules allowing pipeline traffic to the VSI subnet.

4. Configure outbound ACL rules allowing response traffic back to the pipeline.

Instead of tunnelling traffic through a global VPN, access is granted by configuring VPC Network ACLs to explicitly allow traffic:

  • From delivery pipeline CIDR ranges
  • To the subnet hosting the target VSI
  • On specific required ports only

Since ACLs operate at the subnet level and are stateless, both inbound and outbound rules are required to allow bidirectional communication.

  • Inbound ACL Rules (Pipeline → VSI) allow delivery pipeline CIDRs to access the VSI subnet on the required ports only (e.g., SSH or HTTPS).

  • Outbound ACL Rules (VSI → Pipeline) allow response traffic from the VSI back to the pipeline execution environment. Failure to configure both directions will result in connection failures.

Workflow:

  1. Delivery pipeline execution starts from a known regional IP range.
  2. Inbound ACL rules permit traffic to the VSI subnet.
  3. VSI authenticates the request using configured credentials.
  4. Automation task executes on the VSI (patching, backup, configuration, health check).
  5. Outbound ACL rules allow response traffic.
  6. Pipeline execution completes and access terminates.

Access is transient and scoped strictly to pipeline runtime.
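The stateless two-direction requirement from the ACL rules and workflow sections above, as an added illustration that is not part of the original post and not IBM's own tooling: a small Python model of subnet ACL evaluation. The pipeline CIDRs, subnet and ports are constructed placeholders (the real per-region ranges come from the IBM docs); it shows that a session fails when only the inbound rule exists, that non-pipeline sources and extra ports are denied, and flags any allow rule that uses 0.0.0.0/0.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation ranges), not real IBM Cloud pipeline ranges.
PIPELINE_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]  # hypothetical pipeline egress ranges
VSI_SUBNET = "10.240.0.0/24"                           # hypothetical subnet hosting the VSI
EPHEMERAL = (1024, 65535)                              # client source ports that replies go to

@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" (entering the subnet) or "outbound" (leaving it)
    action: str         # "allow" or "deny"
    source: str         # CIDR the packet comes from
    destination: str    # CIDR the packet goes to
    port_min: int = 1   # destination-port range the rule matches
    port_max: int = 65535

def build_pipeline_rules(port=22):
    """Allow pipeline CIDRs in on one port and VSI replies back out; deny everything else."""
    rules = []
    for cidr in PIPELINE_CIDRS:
        rules.append(Rule("inbound", "allow", cidr, VSI_SUBNET, port, port))
        rules.append(Rule("outbound", "allow", VSI_SUBNET, cidr, *EPHEMERAL))
    rules.append(Rule("inbound", "deny", "0.0.0.0/0", "0.0.0.0/0"))   # explicit catch-all deny
    rules.append(Rule("outbound", "deny", "0.0.0.0/0", "0.0.0.0/0"))
    return rules

def evaluate(rules, direction, src, dst, dst_port):
    """Stateless first-match evaluation of one packet, the way a subnet ACL does it."""
    for r in rules:
        if (r.direction == direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.destination)
                and r.port_min <= dst_port <= r.port_max):
            return r.action == "allow"
    return False  # no matching rule: the packet is dropped

def pipeline_session_allowed(rules, pipeline_ip, vsi_ip, port=22, client_port=51234):
    """A TCP session works only if the SYN (inbound) and the SYN-ACK (outbound) both pass."""
    syn_ok = evaluate(rules, "inbound", pipeline_ip, vsi_ip, port)
    reply_ok = evaluate(rules, "outbound", vsi_ip, pipeline_ip, client_port)
    return syn_ok and reply_ok

def broad_allow_rules(rules):
    """Flag allow rules whose source or destination is 0.0.0.0/0 (a /0 prefix)."""
    return [r for r in rules if r.action == "allow"
            and 0 in (ipaddress.ip_network(r.source).prefixlen,
                      ipaddress.ip_network(r.destination).prefixlen)]
```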

Authentication and Secret Handling:

Even if network access is allowed, authentication is still required. The following controls must be implemented:

  • SSH key-based authentication for VSI access
  • Secrets stored in IBM Cloud Secrets Manager
  • Pipeline execution governed by IAM roles and policies
  • No hard-coded credentials in pipeline definitions

This ensures layered security and adherence to least-privilege principles.

Automation Use Cases:

  • OS patching automation
  • Backup and recovery workflows
  • Configuration management (Ansible, shell scripts)
  • Health checks and compliance scans
  • Scheduled infrastructure maintenance

Security and Compliance Considerations:

  • Access restricted to approved pipeline CIDR ranges only
  • Ports limited to the minimum required
  • No use of broad CIDR ranges (e.g., 0.0.0.0/0)
  • Full auditability through pipeline logs and IAM records

Conclusion:

Direct VSI access from IBM Cloud Delivery Pipelines using VPC Network ACLs provides a secure, scalable alternative to GPVPN for automation workloads. This eliminates the GPVPN dependency for automation use cases and establishes auditable network boundaries. This helps with troubleshooting, failure analysis and pipeline execution.

Documentation:

Refer to the following link:

https://test.cloud.ibm.com/docs/ContinuousDelivery?topic=ContinuousDelivery-pipeline-subnet-ranges
