Access Watsonx Cloud services using Virtual Private Endpoint and secure connection leveraging VPC virtual firewall
(Note: Guide explains with reference to Watsonx Assistant but applies to Watsonx Discovery, Speech to Text, and Text to Speech cloud services as well)
IBM Virtual Private Endpoint (VPE) enables you to access IBM Cloud services such as Cloud Watsonx Assistant privately, using your own VPC IP addressing. VPE IPs are virtual IPs that you allocate from a VPC subnet. Generally, VPEs are associated with an endpoint gateway created per Cloud service.
Why VPE matters:
In a public cloud environment, it is important to enforce private, secure, cost-effective connectivity to your Cloud services. VPE allows you to use your own IP address space, which is private, routable between VPCs and to on-premises networks, and can be secured with virtual firewalls such as network ACLs and security groups.
High-level connectivity:
The connectivity diagram illustrates customer access to the Watsonx Assistant cloud service from on-premises via VPE IP addresses.

When a customer provisions the Cloud Watsonx Assistant service (Plus plan or beyond), in the us-south location for example, the service provides the user with both public and private endpoints.
Note that to access the service through an endpoint, you can pass either a bearer token in an authorization header or an API key (view the API key by clicking show credentials) for the Watsonx Assistant service APIs.

Resolving the private endpoint yields IPs in the address range 166.8.0.0/14, which is the Cloud dedicated service endpoint address space; these addresses are not routable outside Cloud.
# nslookup api.private.us-south.assistant.watson.cloud.ibm.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
api.private.us-south.assistant.watson.cloud.ibm.com
Name: watsoncse-pprd-cerb.us-south.serviceendpoint.cloud.ibm.com
Address: 166.9.48.86
Name: watsoncse-pprd-cerb.us-south.serviceendpoint.cloud.ibm.com
Address: 166.9.51.37
Name: watsoncse-pprd-cerb.us-south.serviceendpoint.cloud.ibm.com
Address: 166.9.58.35
Integrating Watson assistant service with VPE gateway service

The screenshot above illustrates the details after creation of the VPE gateway for the service.
Note that for an IBM Cloud service:
- Select the Watsonx Assistant Cloud service offering from the menu to list the available Watsonx Assistant instances in the selected region.
- Select the right subnet, associated with appropriate NACLs defined to allow the desired source IPs and protocol.
- Bind the reserved VPE IPs to the gateway across multiple zones for redundancy and high availability. Further tighten access to the VPE gateway with security group rules bound specifically to the VPE gateway instance.

Cloud Watson service endpoints are enabled with Server Name Indication (SNI), so creating an A record that maps a customer-defined domain to the VPE IPs is not allowed. You must use the api.private.us-south.assistant.watson.cloud.ibm.com domain from on-premises.
How to resolve api.private.us-south.assistant.watson.cloud.ibm.com from on-premises?
For testing purposes, you can create an A record on an on-premises test server that maps the domain api.private.us-south.assistant.watson.cloud.ibm.com to the VPE IPs (10.240.0.4, 10.240.0.20 and 10.240.0.36), but the recommended approach is to use IBM custom DNS resolvers and forward queries for the domain (api.private.us-south.assistant.watson.cloud.ibm.com) from the on-premises DNS to the IBM custom DNS resolver IPs.

Now resolving the private endpoint yields IPs in the VPC address ranges that you defined, which are routable outside Cloud.
# nslookup api.private.us-south.assistant.watson.cloud.ibm.com
Server: 10.240.0.10
Address: 10.240.0.10#53
Non-authoritative answer:
Name: api.private.us-south.assistant.watson.cloud.ibm.com
Address: 10.240.0.4
Name: api.private.us-south.assistant.watson.cloud.ibm.com
Address: 10.240.0.20
Name: api.private.us-south.assistant.watson.cloud.ibm.com
Address: 10.240.0.36
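Added example (not from the original guide or IBM): a Python check that parses nslookup output like the two captures on this page and confirms every answer falls inside your VPC prefix rather than the 166.8.0.0/14 service endpoint range. The 10.240.0.0/24 prefix and all function names are assumptions chosen to match the VPE IPs shown above.

```python
import ipaddress

CSE_RANGE = ipaddress.ip_network("166.8.0.0/14")        # range quoted on this page
VPC_PREFIXES = [ipaddress.ip_network("10.240.0.0/24")]  # assumption: your VPE subnets

def answer_addresses(nslookup_output):
    """Return answer IPs from nslookup text, skipping the resolver's own address."""
    addrs, skip_next = [], False
    for line in nslookup_output.splitlines():
        key, _, value = (p.strip() for p in line.lower().partition(":"))
        if key == "server":
            skip_next = True   # the Address line after Server is the resolver itself
        elif key == "address" and skip_next:
            skip_next = False
        elif key == "address":
            addrs.append(ipaddress.ip_address(value.split("#")[0]))
    return addrs

def classify(addr):
    if any(addr in net for net in VPC_PREFIXES):  # inside your own VPC prefix
        return "vpe"
    return "cse" if addr in CSE_RANGE else "other"

def resolves_to_vpe_only(nslookup_output):
    """True only when there is an answer and every address is a VPE IP."""
    addrs = answer_addresses(nslookup_output)
    return bool(addrs) and all(classify(a) == "vpe" for a in addrs)

# Sample inputs: the resolver and answer lines of the two captures on this page.
DEFAULT_DNS = """Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: watsoncse-pprd-cerb.us-south.serviceendpoint.cloud.ibm.com
Address: 166.9.48.86
Name: watsoncse-pprd-cerb.us-south.serviceendpoint.cloud.ibm.com
Address: 166.9.51.37
Name: watsoncse-pprd-cerb.us-south.serviceendpoint.cloud.ibm.com
Address: 166.9.58.35"""
CUSTOM_RESOLVER = """Server: 10.240.0.10
Address: 10.240.0.10#53
Non-authoritative answer:
Name: api.private.us-south.assistant.watson.cloud.ibm.com
Address: 10.240.0.4
Name: api.private.us-south.assistant.watson.cloud.ibm.com
Address: 10.240.0.20
Name: api.private.us-south.assistant.watson.cloud.ibm.com
Address: 10.240.0.36"""
if __name__ == "__main__":
    print([resolves_to_vpe_only(t) for t in (DEFAULT_DNS, CUSTOM_RESOLVER)])
```

Running a check like this on the on-premises client before sending the API key confirms that DNS forwarding to the custom resolver is in effect.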
Cloud Watson Assistant API usage examples with service apikey:
Note that you can pass either a bearer token in an authorization header ("authorization: Bearer ${IAM_TOKEN}") or an API key when using the Watsonx Assistant service APIs.
Creating new assistant:
# curl -X POST -u "apikey:{api_key}" --header "Content-Type: application/json" --data "{\"name\":\"API test assistant\",\"language\":\"en\",\"description\":\"Example assistant created using API.\"}" "https://api.private.us-south.assistant.watson.cloud.ibm.com/v2/assistants?version=2024-08-25"
{
"assistants": [
{
"name": "API test assistant",
"language": "en",
"description": "Example assistant-3 created using API.",
"assistant_id": "1d3b1842-9f94-474f-9056-3225de95e9ed",
"multi_lingual": {
"enabled": false
},
"assistant_skills": [
{
"type": "dialog",
"skill_id": "92c057a3-666e-4715-8d18-cacbf75a6bf5"
},
{
"type": "action",
"skill_id": "4702d0aa-4467-48d7-8348-eaaa162e319c"
}
],
"assistant_environments": [
{
"name": "live",
"environment": "live",
"environment_id": "4b4f3b54-b8d0-4abc-b096-f0499c191fd1"
}
]
}
],
"pagination": {
"refresh_url": "/v2/assistants?version=2024-08-25"
}
}
Creating new session:
# curl -X POST -u "apikey:{api_key}" "https://api.private.us-south.assistant.watson.cloud.ibm.com/v2/assistants/4b4f3b54-b8d0-4abc-b096-f0499c191fd1/sessions?version=2024-08-25"
{
"session_id": "af11c111-860d-4071-b6d2-550bf20c016e"
}
Input Message:
# curl -X POST -u "apikey:{api_key}" --header "Content-Type: application/json" --data "{\"input\": {\"text\": \"Hello\"}}" "https://api.private.us-south.assistant.watson.cloud.ibm.com/v2/assistants/4b4f3b54-b8d0-4abc-b096-f0499c191fd1/sessions/af11c111-860d-4071-b6d2-550bf20c016e/message?version=2024-08-25"
{
"output": {
"generic": [
{
"response_type": "text",
"text": "Hello! What can I do for you?"
}
],
"intents": [
{
"intent": "hello",
"confidence": 0.9281370162963867
}
],
"entities": []
},
"context": {
"global": {
"system": {
"turn_count": 1,
"user_id": "55cd47b1-3847-430b-ba28-1739e0654576"
},
"session_id": "af11c111-860d-4071-b6d2-550bf20c016e"
},
"skills": {
"main skill": {
"system": {
"state": "eyJzZXNzaW9uX2lkIjoiNTVjZDQ3YjEtMzg0Ny00MzBiLWJhMjgtMTczOWUwNjU0NTc2Iiwic2tpbGxfcmVmZXJlbmNlIjoibWFpbiBza2lsbCIsImFzc2lzdGFudF9pZCI6ImViM2RmZGRlLTJkNDUtNDBmYS05NDZlLTk2ODVmNTU2NzhhOSIsImluaXRpYWxpemVkIjp0cnVlLCJkaWFsb2dfc3RhY2siOlt7ImRpYWxvZ19ub2RlIjoicm9vdCJ9XSwibGFzdF9icmFuY2hfbm9kZSI6ImdyZWV0aW5nX29wdGlvbl8zIn0="
}
}
}
},
"user_id": "55cd47b1-3847-430b-ba28-1739e0654576"
}
References:
VPC VPE gateways product guide - https://cloud.ibm.com/docs/vpc?topic=vpc-about-vpe
Cloud IAM guide - https://cloud.ibm.com/docs/account?topic=account-iamtoken_from_apikey
DNS service - https://cloud.ibm.com/docs/dns-svcs?topic=dns-svcs-custom-resolver
Cloud Watson Assistant API - https://cloud.ibm.com/apidocs/assistant-v2#introduction