This is a foundational blog that provides guidelines on setting up compute, storage, and networking infrastructure for IBM Power Virtual Servers in a hybrid cloud environment.
The use case covered in this blog applies to select IBM Power Virtual Server data centers where only IBM Cloud classic infrastructure is available, and virtual private cloud (VPC) is not supported.
The environment described in this blog is best suited for lift and shift workloads with quick application movement while maintaining the existing on-prem architecture.
This blog provides guidance to:
- Prepare a minimal IBM Cloud classic infrastructure setup with Power Virtual Servers.
- Set up networking between on-prem and IBM Cloud (which includes IBM Cloud classic and Power Virtual Servers).
- Use IBM Cloud services such as IBM Cloud Object Storage for data storage.
The blog does not cover vendor-specific instructions/commands for cloud gateway appliances.
Note: As a prerequisite to view/instantiate IBM Cloud resources, the user must have appropriate IBM Cloud (https://cloud.ibm.com) permissions.
IBM Cloud infrastructure components
The following figure depicts a typical IBM Cloud classic infrastructure deployment for a hybrid cloud use case.
Figure 1: A typical IBM Cloud classic infrastructure deployment
The following list explains the key IBM Cloud components mentioned in Figure 1:
- IBM Power Virtual Server workspace manages the Power Virtual Server instances. The instances are used to run enterprise IBM Power workloads in an IBM Cloud environment.
- Bare metal servers (optional) are used to support x86-based workloads.
- IBM Cloud gateway appliance provides firewall, virtual private network (VPN), and network address translation (NAT) functionalities with enterprise-grade routing to selectively route private and public traffic through an enterprise-level firewall.
- Cloud connections facilitate Power Virtual Server workspace connectivity to IBM Cloud classic infrastructure resources.
- IPsec VPN (site-to-site VPN tunnel) is used for secure data transport between the on-prem data center (on-prem gateway) and the IBM Cloud gateway appliance over the public internet.
- IBM Cloud Object Storage provides a highly scalable and resilient managed data service on IBM Cloud.
IBM Cloud resource provisioning guidelines
In this section, we cover details on provisioning cloud compute and networking resources.
Create a Power Virtual Server workspace
Create a Power Virtual Server workspace in the desired data center location. The Power Virtual Server workspace houses IBM Power resources (Power Virtual Server instances, subnets, and so on).
Create a Power Virtual Server private subnet for internal communication between Power Virtual Server instances.
Refer to https://cloud.ibm.com/power/overview for details.
Provision Power Virtual Server instances
Create Power Virtual Server instances (IBM AIX / Linux / IBM i) with appropriate compute, network, and storage resources for the enterprise’s workload deployment.
Refer to https://cloud.ibm.com/power/servers for more details.
Provision bare metal server for x86 workload (optional)
For x86 hybrid cloud workload support, IBM Cloud classic provides bare metal server options (for example, Microsoft Windows x86 servers).
Look up the available ‘Bare Metal Server’ options, together with the required gateway appliance configurations, in https://cloud.ibm.com/catalog.
Provision and configure cloud networking resources
This section of the blog provides guidance on setting up IBM Cloud classic networking infrastructure.
The following figure depicts a typical network connectivity pattern (with representative values) in a hybrid cloud environment.
Figure 2: Networking through IBM Cloud classic infrastructure
IBM Cloud gateway
The first step toward setting up networking through the hybrid cloud is to create an IBM Cloud gateway appliance. There are multiple vendor options available in IBM Cloud as seen in the following screenshot.
Refer to https://cloud.ibm.com/catalog/ for the available ‘Gateway Appliance’ options, configurations, and instantiation guidelines.
Create cloud connections
Cloud connections enable you to establish connections between a Power Virtual Server workspace and other IBM Cloud resources.
In the use case described in this blog, cloud connections provide interconnectivity between the Power Virtual Server workspace and an IBM Cloud classic network.
Refer to https://cloud.ibm.com/power/cloud-connections for details.
Set up GRE tunnel for data transport
Power Virtual Server uses Generic Routing Encapsulation (GRE) tunnels to connect to the IBM Cloud classic network through a router appliance.
A GRE tunnel is overlaid on the cloud connection and lets data transit through the IBM Cloud classic network.
The tunnel connects two endpoints in a point-to-point logical link.
Power Virtual Server workspace GRE endpoint
The Power Virtual Server GRE endpoint is created during the cloud connection setup itself. Refer to the screenshot in the previous section, where the ‘Use GRE for VMware and other Classic connectivity’ option is enabled.
In the ‘GRE destination IP’ field, specify the private IP address of the cloud gateway.
In the ‘GRE subnet’ field, enter the internal virtual IP address range for the tunnel.
Note: GRE tunneling requires a subnet for the connection, so attach the Power Virtual Server workspace subnet to the cloud connection.
Cloud gateway GRE endpoint
To establish the cloud gateway GRE endpoint of the GRE tunnel, you need to perform the following steps:
- Configure the tunnel source and the destination addresses.
- Assign an IP address to the GRE interface.
- Add routes to reach tunnel endpoints.
- Set policies to allow traffic through the tunnel.
Note: Border Gateway Protocol (BGP) routes are exchanged between the cloud gateway and the Power Virtual Server routers so that subnets can be reached through the GRE tunnel.
Set up IPsec VPN between on-prem and cloud gateways
An Internet Protocol Security (IPsec) VPN between on-prem and cloud gateways provides an encrypted data transport between the on-prem and cloud infrastructure.
An IPsec VPN tunnel is set up in two phases, as per the Internet Key Exchange version 2 (IKEv2) protocol.
IKE phase 1 covers establishing a secure tunnel that is used for IKE phase 2. In this phase, the two endpoints negotiate key exchange, hashing, authentication, encryption, and other parameters to establish a Security Association (SA).
IKE phase 2 covers establishing the IPsec tunnel (second tunnel) for user data. In this phase, the endpoints set up the phase 2 SAs based on security and other tunnel parameter negotiations.
Phase 1 SAs are used to protect IKE messages that are exchanged between the two endpoints.
Phase 2 SAs are used to protect user IP traffic, as specified by the security policy for a specific type of traffic.
Encapsulating Security Payload (ESP) is a commonly used protocol for user data encryption and authentication. Tunnel mode is typically used for site-to-site VPNs.
In general, the IPsec VPN tunnel parameters should be configured according to the enterprise’s security requirements when the IPsec VPN tunnel is provisioned. Detailed vendor-specific instructions are out of the scope of this blog.
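An added example (not from the original blog or any vendor) that models the two-phase negotiation described above and the check a practitioner wants before provisioning: each gateway's proposal lists are constructed sample values, the responder selects the first initiator proposal it also supports, and the negotiated phase 1 and phase 2 SAs are checked against an assumed enterprise policy that rejects deprecated algorithms and disabled perfect forward secrecy (PFS).

```python
# Assumed enterprise policy (not from the page): algorithms treated as unacceptable,
# plus "none" for PFS, so that a negotiated SA using any of them is flagged.
REJECT = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "none"}

# Constructed proposal lists for the two gateways, in preference order (sample values).
ONPREM = {
    "phase1": [{"enc": "aes256", "integ": "sha256", "dh": "modp2048", "lifetime": 28800},
               {"enc": "3des", "integ": "md5", "dh": "modp1024", "lifetime": 86400}],
    "phase2": [{"esp": "aes128", "integ": "sha1", "pfs": "none", "mode": "tunnel"},
               {"esp": "aes256-gcm", "integ": "sha384", "pfs": "ecp384", "mode": "tunnel"}],
}
CLOUD = {
    "phase1": [{"enc": "aes256-gcm", "integ": "sha384", "dh": "ecp384", "lifetime": 14400},
               {"enc": "aes256", "integ": "sha256", "dh": "modp2048", "lifetime": 14400}],
    "phase2": [{"esp": "aes256-gcm", "integ": "sha384", "pfs": "ecp384", "mode": "tunnel"},
               {"esp": "aes128", "integ": "sha1", "pfs": "none", "mode": "tunnel"}],
}


def negotiate(initiator, responder, phase):
    """Return the SA the responder would select: the first initiator proposal it also
    lists (lifetimes are not negotiated; the shorter value governs rekeying)."""
    for prop in initiator[phase]:
        for cand in responder[phase]:
            if all(prop[k] == cand[k] for k in prop if k != "lifetime"):
                sa = dict(prop)
                if "lifetime" in sa:
                    sa["lifetime"] = min(prop["lifetime"], cand["lifetime"])
                return sa
    return None


def weak_parameters(sa):
    """List the fields of a negotiated SA that violate the policy (empty if acceptable)."""
    return sorted(k for k, v in (sa or {}).items() if isinstance(v, str) and v in REJECT)


def harden(side):
    """Drop every proposal that contains a rejected algorithm so it can never be chosen."""
    return {ph: [p for p in props if not weak_parameters(p)] for ph, props in side.items()}


def check_tunnel(initiator, responder):
    """Negotiate both phases and report whether the resulting tunnel meets the policy."""
    p1, p2 = negotiate(initiator, responder, "phase1"), negotiate(initiator, responder, "phase2")
    return {"phase1": p1, "phase2": p2,
            "ok": p1 is not None and p2 is not None
            and not weak_parameters(p1) and not weak_parameters(p2)}
```

With the sample lists, both gateways support a strong phase 2 set, yet the on-prem preference order makes the weak one win; removing rejected proposals from both sides with harden() is what makes the negotiated tunnel pass.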
Configure bare metal server connectivity with cloud gateway
As an administrator, link the eligible VLAN (bare metal server) to the cloud gateway appliance. This associates the VLAN to the gateway appliance to allow connectivity with the bare metal server’s private subnet.
Set the VLAN to the route through mode.
After you set the VLAN to route through, all subnets on that VLAN are statically routed to the gateway appliance.
The following link provides additional information on this topic: https://cloud.ibm.com/docs/vsrx?topic=vsrx-managing-vlans-and-gateway-appliances
Configure internet outgoing connectivity for Power Virtual Server instances
If Power Virtual Server instances require outgoing internet access (for example, to download OS and firmware updates), the source NAT (sNAT) feature on the cloud gateway should be enabled.
As an example, for the IBM Cloud Juniper vSRX, refer to the following link for information on configuring sNAT: https://cloud.ibm.com/docs/vsrx?topic=vsrx-working-with-snat
Provision IBM Cloud Object Storage
IBM Cloud Object Storage is a highly scalable and resilient managed data service on IBM Cloud. You can use the IBM Cloud Object Storage service (global) and cloud buckets (region-specific) for data storage requirements.
It is a cost-effective data storage solution for managing massive volumes of data in a cloud environment. Data protection and backup is one typical Cloud Object Storage use case in a hybrid cloud environment.
Cloud Object Storage buckets can be accessed through their public endpoints.
For more information about setting up Cloud Object Storage, refer to Managing IBM Cloud Object Storage (COS) buckets in the IBM Cloud documentation.
Summary
This blog provided guidelines on setting up connectivity from on-prem to Power Virtual Servers using IBM Cloud classic infrastructure.
Future enhancements
This blog is likely to be enhanced with recommendations for setting up a Power Virtual Server cloud networking infrastructure with a dedicated link from on-prem to the cloud gateway, and for leveraging IBM VPC and Power Edge Router (PER).
About the authors
Vaibhav Shandilya
Solutions Architect, IBM CE for Systems APAC, svaibhavs@in.ibm.com
Mark Owusu-Ansah
IBM Public Cloud Architect, IBM Tech Sales, Americas, mark_owushu-ansah@us.ibm.com
Bibhudutta Moharana
CSM Architect, bibhudutta.moharana@ibm.com
References
Check out the following references for additional details: