Written by
Simon Daniel Moser (smoser@de.ibm.com)
Distinguished Engineer, IBM Cloud Container Services (IKS, ROKS, Code Engine)
Jeremias Werner (jerewern@de.ibm.com)
STSM - IBM Cloud Code Engine & Functions
Enrico Regge (reggeenr@de.ibm.com)
Architect - IBM Cloud Code Engine
Introduction and problem statement
Code Engine is IBM Cloud's premier serverless container service: it makes running a container in the cloud easy and frees its users from much of the operational burden of maintaining and operating their own infrastructure.
But there is one feature that Code Engine customers have been constantly asking about, and that is connecting their Code Engine application, job or function to a “backend” that runs outside of Code Engine, and doing that over a private network connection.
Why is that a problem, you might ask? The technical explanation is that Code Engine is an IBM Cloud service that runs on IBM's Virtual Private Cloud (VPC) infrastructure, and because it is a managed service (otherwise it could not relieve customers of the burden of maintaining and operating their own infrastructure), the VPC network is owned and operated by the IBM Code Engine team. Usually, if you want to connect from one VPC to (let's say) another VPC, you define two VPE Gateways (one on the source VPC and one on the target VPC) and connect them to let the data flow. But since the Code Engine VPC is not owned by the customer who owns the application, and Code Engine cannot, for security reasons, let a customer define their own VPE in the Code Engine VPC, a customer seems to be stuck when they want to connect their app to somewhere else. But is this really the case? In this article, we explain what you can do to overcome this issue.
Connection Use Cases
Before we dive into solutions, let's take a step back and look at three distinct connection use cases that the Code Engine team has been getting requests for:
- Connecting from Code Engine to e.g. a virtual machine in a different VPC (including using a Direct Link from that VPC to connect further on to an on-premises network or system)
- Connecting from Code Engine directly to a system outside of IBM Cloud (e.g. directly to an on-premises system)
- Connecting from Code Engine to a system in IBM Cloud classic infrastructure (e.g. a bare metal server)
Each of those use cases can theoretically be solved with the solution we are about to describe, but keep in mind that for some scenarios there may be more elegant solutions on the horizon, although they were not fully available at the time of writing this blog post.
Solution
Let's assume we want to expose an API backend that requires specialized hardware and is therefore deployed on VPC virtual machines. Instead of exposing such an API directly, we want to front it with an application deployed on Code Engine, which provides a secure and reliable HTTPS endpoint and adds advanced scaling and caching capabilities.
By default, Code Engine applications cannot reach the API backend unless the backend is exposed to the public internet. Assuming we only want to expose the API backend to selected callers within the private IBM Cloud network, adding a Satellite Connector instance between the Code Engine component and the virtual machines is a viable solution. At a high level, the request flow of such a setup looks as follows: