service-connection.md

copyright years: 2020, 2024
lastupdated: 2024-08-06
keywords: isolation for IBM Cloud CLI, service endpoints for IBM Cloud CLI, private network for IBM Cloud CLI, network isolation in IBM Cloud CLI, non-public routes for IBM Cloud CLI, private connection for IBM Cloud CLI, private endpoints, regions that support private endpoints, private service endpoints, cli private endpoints
subcollection: cli

{{site.data.keyword.attribute-definition-list}}

Securing your connection when using the {{site.data.keyword.cloud_notm}} CLI

{: #service-connection}

To ensure that you have enhanced control and security over your data when you use the {{site.data.keyword.cloud}} Command Line Interface, you have the option of using private routes to {{site.data.keyword.cloud_notm}} endpoints. Private routes are not accessible or reachable over the internet. By using the {{site.data.keyword.cloud_notm}} private endpoints feature, you can protect your data from threats from the public network and logically extend your private network. {: shortdesc}

The CLI uses the private endpoint support that is provided by the {{site.data.keyword.cloud_notm}} platform. Platform services that are used by the core CLI, such as IAM, provide private endpoint support.

If your deployment uses the VPC environment of {{site.data.keyword.cloud_notm}}, private endpoints are exposed through global endpoints. If your deployment uses the Classic environment, regional support is provided for a limited number of CLI commands. The following regions support private endpoints in Classic environments:

  • us-south
  • us-east

Enabling virtual routing and forwarding

{: #cli-private-vrf}

First, enable virtual routing and forwarding in your account, and then you can enable the use of {{site.data.keyword.cloud_notm}} private service endpoints. For more information about setting up your account to support the private connectivity option, see Enabling VRF and service endpoints.

To learn more about private connections on {{site.data.keyword.cloud_notm}}, see Secure access to services using service endpoints.

Logging in to the CLI with a private endpoint

{: #cli-private-login}

You can log in to a private endpoint for either Classic or VPC. To log in by using Classic infrastructure, run the following command:

ibmcloud login -a private.cloud.ibm.com

To log in by using the VPC infrastructure, add the --vpc flag to the command:

ibmcloud login -a private.cloud.ibm.com --vpc

Targeting a supported region (required for Classic use)

{: #cli-private-region}

To use private endpoints for deployments in the Classic environment, a region must be targeted when a private endpoint is set in the {{site.data.keyword.cloud_notm}} CLI.

To target a supported region, use the following command:

ibmcloud target -r [region]

Creating a private endpoint gateway (required for VPC use)

{: #cli-private-vpc}

To use private endpoints for deployments in the VPC environment, you must create a virtual private endpoint gateway. For more information, see About virtual private endpoint gateways.

A list of all {{site.data.keyword.cloud_notm}} services that are configurable through a virtual private endpoint gateway is at VPE Supported Services.

To ensure basic CLI capability against the private endpoint, you must configure the gateway to include these services:

Determining which CLI plug-ins support private endpoints

{: #cli-private-plugins}

The ibmcloud plugin list command reports whether an installed CLI plug-in supports private endpoints. If a plug-in that you use does not show private support, you must continue to use it with your API set to the public endpoint cloud.ibm.com.

Installing CLI plug-ins over a private connection

{: #cli-private-plugins-install}

To configure the CLI to install plug-ins over a private connection, you must set up the API of the CLI. Follow the login instructions to set up the API and indicate VPC as applicable.

Determining which commands support private endpoints

{: #cli-private-commands}

The following commands support private endpoints:

  • api
  • login
  • target
  • logout

Most commands under the following namespaces work when you are using private endpoints:

  • account
  • billing
  • iam
  • resource
  • catalog

If the CLI is set to access private endpoints and you try to run a command or plug-in that does not yet support private endpoints, you might see an error. {: note}

The following core commands do not yet support private endpoints:

  • account
  • billing
      • org-usage
  • catalog
      • template-run
  • sl
      • all commands
  • app (deprecated)
      • all commands
  • service (deprecated)
      • all commands
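
A pre-flight sketch for the login and region-targeting steps and the command lists above, as an added example that is not part of IBM's documentation: it prints the page's commands as a dry run, rejects Classic regions the page does not list, and flags commands the page says lack private endpoint support. The function names `private_login_plan` and `private_supported` and the return-code convention are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example; the helper names and return codes are hypothetical.
PRIVATE_API="private.cloud.ibm.com"   # private endpoint host from this page
CLASSIC_REGIONS="us-south us-east"    # Classic regions this page lists

# Dry run: print the page's private-login commands, one per line.
# usage: private_login_plan classic <region> | private_login_plan vpc
private_login_plan() {
  case "$1" in
    classic)
      ok=0
      for r in $CLASSIC_REGIONS; do
        if [ "$r" = "${2:-}" ]; then ok=1; fi
      done
      if [ "$ok" -ne 1 ]; then
        echo "no Classic private endpoint listed for region '${2:-}'" >&2
        return 1
      fi
      echo "ibmcloud login -a $PRIVATE_API"
      echo "ibmcloud target -r $2"   # Classic requires a targeted region
      ;;
    vpc)
      echo "ibmcloud login -a $PRIVATE_API --vpc"
      ;;
    *)
      echo "usage: private_login_plan classic <region> | vpc" >&2
      return 2
      ;;
  esac
}

# 0 = page says it works privately, 1 = page lists it as unsupported,
# 2 = not covered here (for plug-ins, check `ibmcloud plugin list`).
private_supported() {
  case "$1 ${2:-}" in
    "billing org-usage"|"catalog template-run") return 1 ;;
  esac
  case "$1" in
    sl|app|service) return 1 ;;                        # all commands
    api|login|target|logout) return 0 ;;               # core commands
    account|billing|iam|resource|catalog) return 0 ;;  # "most commands"
    *) return 2 ;;
  esac
}

private_login_plan classic us-south   # prints the two Classic commands
```

A return of 0 for a namespace only reflects the page's "most commands" wording, so an individual command can still fail against the private endpoint.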