The same IBM Power servers that run your business on premises are available in IBM Power Virtual Server workspaces in the IBM Cloud platform. Use these on-demand resources to explore new possibilities, enable development and test environments, or extend your production environment. Consumption based pricing means you pay for only what you use and cloud elasticity allows for the expansion and contraction of your cloud footprint based on your business needs.
This blog introduces virtual private cloud (VPC) virtual private network (VPN) to connect IBM Cloud to on premises and then walks through the steps of creating a Power Virtual Server workspace and connecting it to the VPN through a transit gateway.
The architecture is captured in Figure 1.
The numbers in Figure 1 depict the steps in the architecture.
- Create a transit VPC and VPN.
- Create a Power Virtual Server environment.
- Create a transit gateway and connect to both the transit VPC and Power Virtual Server workspace.
- Create a VPC address prefix in transit VPC.
Before proceeding with these steps, as a prerequisite, you need to carefully define the non-overlapping Classless Inter-Domain Routing (CIDR) blocks.
Plan the non-overlapping CIDRs
For more information, refer to Power Systems communication through a transit VPC in IBM Cloud Docs. A primary concern is to carefully define the non-overlapping CIDR blocks as shown in Figure 2.
1. Create a transit VPC and VPN
The solution tutorial Power Systems communication through a transit VPC captures a number of concerns that may be of interest to Power Virtual Server users in IBM Cloud. This blog focuses on just the bidirectional connectivity between on-prem instances and Power Virtual Server instances through a VPN for VPC connection.
This blog simulates the on-prem environment with a VPC that is connected to a second transit VPC using a VPN gateway connection. It takes only a few minutes to set up using the scripts provided in the companion repository.
Complete the following prerequisites:
- Install Terraform
- Obtain an IBM Cloud identity and access management (IAM) API key
Perform the following steps to create a transit VPC and VPN:
- Export your API key for Terraform usage:
export IBMCLOUD_API_KEY=YourAPIKEY
- Clone the repo and initialize the terraform.tfvars file from the template provided specifically for this blog (template.blog_powervs.terraform.tfvars). It contains the configuration to connect the enterprise VPC to the transit VPC using a VPN:
git clone https://github.com/IBM-Cloud/vpc-transit
cd vpc-transit
cp config_tf/template.blog_powervs.terraform.tfvars config_tf/terraform.tfvars
- Make the required changes to terraform.tfvars as explained in the comments. The example considered in this blog requires a data center that supports Power Edge Router in a region that supports VPC, as defined in the table in Creating a Power Virtual Server. As per the information in the table, consider Dallas (us-south) with VPC zone us-south-1 and Power Virtual Server data center Dallas 10 (DAL10). To use a different region, zone, and data center, make the associated changes as defined in the table.
edit config_tf/terraform.tfvars
- Apply just a few of the initial layers to create only the enterprise VPC, transit VPC, some test virtual server instances, and the VPN connection between the enterprise and the transit VPC. Note the : in the first command; it is not a typo.
export IBMCLOUD_API_KEY=YourAPIKEY
./apply.sh : test_instances_tf
./apply.sh enterprise_link_tf
- On the Virtual server instances for VPC page in IBM Cloud documentation, note the enterprise floating IP address, which is referred to as $EFIP later in the tutorial. You can see entries as shown in the following screen capture, but your IP addresses might be different.
EFIP=169.62.21.234
It will be handy to keep the value in a temporary file to copy to the shell in later steps.
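The steps above type the API key on the command line, which leaves it in shell history. The following helper is an added example (not code from the blog or from the IBM-Cloud/vpc-transit repository) that wraps the same preparation steps with a few guard rails: it reads the key from a file that must not be group- or world-readable, refuses to run without terraform and git, clones the repository only once, and seeds config_tf/terraform.tfvars from the blog template without overwriting an edited copy. The key file path and the working directory are assumptions you choose; only the repository URL and template name come from the blog.

```shell
#!/bin/sh
# Added example, not part of the blog or the vpc-transit repository.
# Assumes the repository layout shown in the blog (config_tf/ holding the
# template tfvars) and a key file path of your choosing.

# Load the IBM Cloud API key from a file instead of the command line, so it
# never lands in shell history. Refuses files readable by group or others.
load_api_key() {
  keyfile="$1"
  [ -f "$keyfile" ] || { echo "no key file: $keyfile" >&2; return 1; }
  # Octal permission bits, e.g. 600 (GNU stat first, BSD/macOS stat as fallback).
  perms=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
  case "$perms" in
    *00) ;;
    *) echo "$keyfile must not be group/world readable (mode $perms)" >&2; return 1 ;;
  esac
  IBMCLOUD_API_KEY=$(cat "$keyfile")
  [ -n "$IBMCLOUD_API_KEY" ] || { echo "empty key file: $keyfile" >&2; return 1; }
  export IBMCLOUD_API_KEY
}

# Seed config_tf/terraform.tfvars from the blog template, but never overwrite
# an existing file: it may already hold the edits you made for your region.
init_tfvars() {
  dir="$1"
  tpl="$dir/config_tf/template.blog_powervs.terraform.tfvars"
  dst="$dir/config_tf/terraform.tfvars"
  [ -f "$tpl" ] || { echo "template missing: $tpl" >&2; return 1; }
  if [ -e "$dst" ]; then
    echo "$dst already exists, leaving it alone" >&2
    return 0
  fi
  cp "$tpl" "$dst"
}

# Full bootstrap: check tools, load the key, clone once, seed tfvars.
# Needs network access for the clone; afterwards edit terraform.tfvars and
# run the apply.sh steps from the blog.
bootstrap() {
  keyfile="$1"; workdir="${2:-vpc-transit}"
  command -v terraform >/dev/null || { echo "terraform not on PATH" >&2; return 1; }
  command -v git >/dev/null || { echo "git not on PATH" >&2; return 1; }
  load_api_key "$keyfile" || return 1
  [ -d "$workdir/.git" ] || git clone https://github.com/IBM-Cloud/vpc-transit "$workdir"
  init_tfvars "$workdir"
}

# Usage: bootstrap ~/.ibmcloud/apikey ./vpc-transit   (paths are your choice)
```

Because init_tfvars never clobbers an existing terraform.tfvars, the script is safe to re-run after you have edited the file; the permission check is deliberately strict so that a key file created with a loose umask is caught before the key is exported.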
2. Create a Power Virtual Server environment
In this step, a Power Virtual Server workspace, Secure Shell (SSH) key, subnet, and an instance will be created.
- Follow the initial instructions as mentioned in Creating a Power Virtual Server workspace. The steps are:
- Log in to the IBM catalog with your credentials.
- In the Search the catalog field, enter Power Virtual Server and click the Workspace for Power Virtual Server tile.
- Click Create a workspace.
- In the Location section, from the Data Center list, select a Power Edge Router data center in the same region as the VPC as described earlier (for example, Dallas 10) and click Continue.
- In the Details section, enter blog in the Name field.
- Select the same resource group configured in terraform.tfvars earlier.
- Retain the default values for the other parameters and click Continue.
- Click Finish.
- Select the I agree to the Terms and conditions checkbox.
- Click Create.
- Click the Refresh button and wait for the workspace to display the status as Active.
- On the left navigation panel, from the Workspaces list, select the workspace you just created.
- Click SSH keys on the left navigation panel and perform the following steps to create a new SSH key.
- On the SSH keys page, click Create SSH key.
- In the New SSH key dialog, enter tmp into the Key name field.
- Copy the contents of the config_tf/id_rsa.pub file to the Public key text box. This file was created by the apply.sh script.
- Click Add SSH key.
- Perform the following steps to add a private subnet:
- Expand Networking and then select Subnets in the left navigation panel.
- On the Subnets page, click Create subnet.
- On the New subnet page, enter private in the Name field.
- Enter 10.1.0.0/24 in the CIDR field for zone 1 (as defined in the Plan the non-overlapping CIDRs section).
- Note that the remaining fields are filled in automatically for you.
- Click Create subnet. The new subnet that you just created is added to the Subnets page.
- In the left navigation panel, expand Compute, select Virtual server instances, and perform the following steps to create a new virtual server instance.
- On the Virtual server instances page, click Create instance.
- In the General section:
- Type powerprivate as the instance name.
- From the SSH key list, select the tmp SSH key created earlier.
- Retain the default values for the remaining fields.
- Click Continue.
- In the Boot image section:
- From the Operating system list, select AIX.
- From the Image list, select 7200-05-06.
- Retain the default values for the remaining fields.
- Click Continue.
- In the Profile section:
- From the Machine type list, select the required item.
- Retain the default values for the remaining fields.
- Click Continue.
- In the Storage Volumes section:
- Retain the default values.
- Click Continue.
- In the Network interfaces section:
- Ensure that Public networks is set to Off.
- In Private networks, click Attach.
- In the Attach an existing network dialog, from the Existing networks list, select private that was just created.
- Retain the default values for the remaining fields and click Attach.
- Click Finish.
- Select the I agree to the Terms and conditions checkbox.
- Click Create.
- On the Virtual server instances page, click the Refresh button and wait for the instance to display the status as Active.
Make a note of the IP address for the virtual server instance just created. It is the IP on the private subnet and will be referred to as $PPIP (Power Private IP) later in this blog. Your IP might look similar to the following IP but might be different.
PPIP=10.1.0.246
3. Create a transit gateway and connect to both the transit VPC and the Power Virtual Server workspace
Open the Transit Gateway page and perform the following steps.
- Click Create transit gateway.
- In the Transit gateway name field, enter powertransit.
- From the Resource group list, select the one used for the resources earlier.
- In the Location section, select the Local routing tile.
- From the Location list, select a location to match the VPC, for example, Dallas.
- In the Connections section, for Connection 1, select VPC from the Network connection list.
- From the Region list, select an option (for example, Dallas).
- From the Select VPC list, select Transit.
- Leave Prefix filtering unchanged.
- Click Add connection.
- Click Power Systems Virtual Server.
- Click Location and specify the location of the Power Virtual Server created earlier, for example, Dallas 10.
- From the Available connections list, select the Power Systems Virtual Server workspace, blog.
- Click Create.
To see the list of routes for the transit gateway:
- Select the Routes tab on the top of the page.
- Click Generate report.
The report shows:
- 10.1.0.0/24 - connection to the transit VPC.
- 10.1.15.0/24 - connection to the Power Virtual Server workspace.
But the 192.168.0.0/24 route to the on-premises enterprise is missing! This means that transit gateway will not route traffic destined to an enterprise instance, such as 192.168.0.4, from the Power Virtual Server connection to the transit VPC.
We can see how to fix this in the next section.
Create a VPC address prefix in transit VPC
The transit gateway needs to learn the CIDR blocks on each of the connections. It will learn VPC CIDR blocks from VPC Address prefixes.
Open the Virtual private clouds page and perform the following steps:
- Click the transit VPC name.
- In the Address prefixes section notice 10.1.15.0/24.
- Click Manage address prefixes.
- In the Address prefix table, click Create.
- Enter 192.168.0.0/24 in the IP range field.
- From the Location list, select the REGION-1 zone (for example, Dallas-1).
- Click Create.
Verify that the transit gateway has learned the route by generating a new route report as described in the previous section.
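Two checks from this walkthrough are easy to automate: the non-overlap requirement from the Plan the non-overlapping CIDRs section, and the route-report verification just described (the gateway must hold a prefix covering every planned block, or traffic to an enterprise address such as 192.168.0.4 is dropped). The script below is an added example, not code from the blog or from the IBM-Cloud/vpc-transit repository. The plan and both route reports are constructed from the CIDRs used in this blog; with a real report you would paste its prefixes in place of the constructed text, since how you export it (console or CLI) is outside this example.

```shell
#!/bin/sh
# Added example, not part of the blog or the vpc-transit repository.
# (1) check_plan: the CIDR blocks in the plan must not overlap.
# (2) missing_routes: a transit gateway route report must contain a prefix
#     covering every planned block.

# Plan: one "name cidr" pair per line (constructed from this blog's values).
PLAN='enterprise 192.168.0.0/24
transit-vpc 10.1.15.0/24
power-private 10.1.0.0/24'

# Route report before the transit VPC address prefix is added (constructed).
REPORT_BEFORE='10.1.0.0/24
10.1.15.0/24'

# Route report after the 192.168.0.0/24 address prefix is created (constructed).
REPORT_AFTER='10.1.0.0/24
10.1.15.0/24
192.168.0.0/24'

# Dotted-quad IPv4 address -> 32-bit integer. Plain multiplication keeps it
# portable to shells without shift operators.
ip_to_int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# "a.b.c.d/n" -> "first last" addresses of the block, as integers.
cidr_range() {
  base=$(ip_to_int "${1%/*}"); bits=${1#*/}
  size=1; i=$bits
  while [ "$i" -lt 32 ]; do size=$((size * 2)); i=$((i + 1)); done
  start=$(( base / size * size ))   # align to the block boundary
  echo "$start $(( start + size - 1 ))"
}

# stdin: "name cidr" lines -> stdout: "name first last" lines.
plan_ranges() {
  while read -r name cidr; do
    if [ -n "$name" ]; then echo "$name $(cidr_range "$cidr")"; fi
  done
}

# Print every overlapping pair of blocks in the plan; status 1 if any overlap.
check_plan() {
  printf '%s\n' "$1" | plan_ranges | awk '
    { n[NR] = $1; s[NR] = $2; e[NR] = $3 }
    END {
      for (i = 1; i <= NR; i++)
        for (j = i + 1; j <= NR; j++)
          if (s[i] <= e[j] && s[j] <= e[i]) { print n[i], n[j]; bad = 1 }
      exit bad
    }'
}

# Print the report prefix that covers the whole block and return 0, or
# return 1 when no prefix in the report covers it.
covering_prefix() {
  rep="$1"; block="$2"
  set -- $(cidr_range "$block"); bs=$1; be=$2
  for p in $rep; do
    set -- $(cidr_range "$p")
    if [ "$1" -le "$bs" ] && [ "$2" -ge "$be" ]; then echo "$p"; return 0; fi
  done
  return 1
}

# Print each planned block the report does not cover; status 1 if any.
missing_routes() {
  rpt="$2"
  missing=$(printf '%s\n' "$1" | while read -r name cidr; do
      [ -n "$name" ] || continue
      covering_prefix "$rpt" "$cidr" >/dev/null || echo "$name $cidr"
    done)
  [ -z "$missing" ] && return 0
  echo "$missing"; return 1
}
```

Run check_plan "$PLAN" before creating anything; it is silent and returns 0 for the blog's three blocks. missing_routes "$PLAN" "$REPORT_BEFORE" prints enterprise 192.168.0.0/24, the same gap the route report exposed, and missing_routes "$PLAN" "$REPORT_AFTER" returns 0 once the address prefix has been learned. The coverage test is a range test rather than an exact string match, so a report that learned a broader aggregate prefix would still pass.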
Test
It is now possible to use SSH to connect to the enterprise test virtual server instance and verify connectivity. Make sure that the current working directory is the directory created with the git command earlier, and where the ./apply command was executed. Use the EFIP and PPIP values defined earlier in the blog.
.../vpc-transit % EFIP=a
.../vpc-transit % PPIP=b
.../vpc-transit % ssh -i config_tf/id_rsa root@$EFIP
...
*** System restart required ***
Last login: Tue Mar 5 14:25:23 2024 from 50.53.29.176
root@abc-enterprise-z1-worker:~#
You can ping the Power Virtual Server instance:
root@abc-enterprise-z1-worker:~# PPIP=b
root@abc-enterprise-z1-worker:~# ping $PPIP
PING 10.1.0.217 (10.1.0.217) 56(84) bytes of data.
64 bytes from 10.1.0.217: icmp_seq=1 ttl=22 time=3.37 ms
64 bytes from 10.1.0.217: icmp_seq=2 ttl=22 time=1.46 ms
Exit the enterprise test instance by pressing Ctrl+C and return to the shell on your personal workstation.
You can use the ssh command to jump through the enterprise instance directly to the Power Virtual Server instance. This command is slightly complicated:
ssh -oProxyCommand="ssh -W %h:%p -i config_tf/id_rsa root@$EFIP" -i config_tf/id_rsa root@$PPIP
Clean up
Perform the following steps to delete the transit gateway:
- Open the Transit gateways page.
- Click the name of the transit gateway.
- For each of the connections in the table, click the ellipsis menu in the connection row and select Delete.
- From the Actions list in the upper-right side, select Delete.
Perform the following steps to delete the Power Virtual Server resources:
- Open the workspace.
- Click Virtual server instances on the left navigation pane.
- Click the ellipsis menu in the instance row of the table and click Delete.
- On the left navigation pane, click Networking->Subnets.
- Click the ellipsis menu in the subnet row of the table and click Delete.
- Click Workspaces in the left navigation pane.
- Click the ellipsis menu in the workspace row of the table and click Delete.
Delete the VPN and the simulated enterprise from the working directory.
./apply.sh -d enterprise_link_tf
./apply.sh -d : test_instances_tf
Conclusion
Businesses looking to expand their IBM Power virtual footprint using the latest technology can start today. Use the cloud platform for testing, disaster recovery, and production. Create and delete servers as needed and only pay for what you use.
Read the Power Systems communication through a transit VPC tutorial to learn how to connect using the high performance networking of IBM Cloud with the privacy and security that meet your requirements. It also covers connectivity to fully managed services such as IBM Cloud Databases and Cloud Object Storage.