
IBM Cloud VPC Networking

Design IBM Cloud VPC networks with subnets, security groups, ACLs, public gateways, VPN, Transit Gateway, Direct Link, and VPE.

CloudToolStack Team · 24 min read · Published Mar 14, 2026

Prerequisites

  • Basic understanding of networking concepts (CIDR, subnets, firewalls)
  • IBM Cloud account with VPC infrastructure permissions

IBM Cloud Virtual Private Cloud (VPC) provides a software-defined networking environment where you deploy compute, storage, and networking resources in an isolated virtual network. IBM Cloud VPC is the second-generation infrastructure (Gen 2) offering, replacing the legacy Classic Infrastructure with a modern API-driven network model that supports fine-grained security controls, multiple network interfaces per instance, and native integration with IBM Cloud services.

Each VPC is regional, meaning it spans all availability zones within a region but does not cross regional boundaries. You define address prefixes (CIDR blocks) for each zone and create subnets within those prefixes. Subnets are zonal — each subnet exists in exactly one availability zone. Resources deployed in different subnets within the same VPC can communicate with each other by default through the implicit router, but you control traffic flow using security groups and network ACLs.

This guide covers VPC architecture design, subnet planning, security groups and network ACLs, public gateways, floating IPs, VPN gateways, Transit Gateway for multi-VPC connectivity, and Direct Link for hybrid cloud connections.

VPC Architecture Design

Address Prefixes

When you create a VPC, IBM Cloud automatically assigns default address prefixes for each zone using the 10.x.x.x range. You can keep the defaults, modify them, or replace them with your own CIDR blocks. Best practice is to plan your address prefixes carefully to avoid conflicts with on-premises networks and other VPCs that will be connected via Transit Gateway or VPN.

```bash
# Create a VPC (default address prefixes are generated automatically;
# pass --address-prefix-management manual to skip that and define them yourself)
ibmcloud is vpc-create prod-vpc

# Delete a default address prefix (repeat for each zone's default)
ibmcloud is vpc-address-prefix-delete prod-vpc <prefix-id> --force

# Create custom address prefixes for each zone
# (arguments: prefix name, VPC, zone, CIDR)
ibmcloud is vpc-address-prefix-create prefix-z1 prod-vpc us-south-1 10.10.0.0/18
ibmcloud is vpc-address-prefix-create prefix-z2 prod-vpc us-south-2 10.10.64.0/18
ibmcloud is vpc-address-prefix-create prefix-z3 prod-vpc us-south-3 10.10.128.0/18
```

Subnet Design

Subnets partition your VPC address space into smaller segments, each assigned to a specific zone. A well-designed subnet strategy typically creates separate subnets for different tiers of your application: web tier (public-facing), application tier (internal), and database tier (most restricted). Deploying subnets across multiple zones provides high availability.

```bash
# Create web-tier subnets (with public gateway)
ibmcloud is subnet-create web-z1 prod-vpc --zone us-south-1 --ipv4-cidr-block 10.10.0.0/24
ibmcloud is subnet-create web-z2 prod-vpc --zone us-south-2 --ipv4-cidr-block 10.10.64.0/24

# Create app-tier subnets (private only)
ibmcloud is subnet-create app-z1 prod-vpc --zone us-south-1 --ipv4-cidr-block 10.10.1.0/24
ibmcloud is subnet-create app-z2 prod-vpc --zone us-south-2 --ipv4-cidr-block 10.10.65.0/24

# Create db-tier subnets (private only, most restricted)
ibmcloud is subnet-create db-z1 prod-vpc --zone us-south-1 --ipv4-cidr-block 10.10.2.0/24
ibmcloud is subnet-create db-z2 prod-vpc --zone us-south-2 --ipv4-cidr-block 10.10.66.0/24
```

Subnet Sizing

IBM Cloud reserves 5 IP addresses in each subnet (network address, gateway, two DNS resolvers, and broadcast), so a /24 subnet provides 251 usable addresses. Plan subnet sizes based on the maximum number of network interfaces you expect, including load balancer pool members and reserved IPs for future growth. You cannot resize subnets after creation.

Security Groups

Security groups act as virtual firewalls at the network interface level. Every network interface must belong to at least one security group. Security group rules are stateful — if you allow inbound traffic on port 443, the return traffic is automatically allowed without an explicit outbound rule.

```bash
# Create a security group
ibmcloud is security-group-create web-sg prod-vpc

# Allow inbound HTTPS from anywhere
ibmcloud is security-group-rule-add web-sg inbound tcp \
  --port-min 443 --port-max 443 --remote 0.0.0.0/0

# Allow inbound HTTP from anywhere
ibmcloud is security-group-rule-add web-sg inbound tcp \
  --port-min 80 --port-max 80 --remote 0.0.0.0/0

# Allow inbound SSH from corporate CIDR only
ibmcloud is security-group-rule-add web-sg inbound tcp \
  --port-min 22 --port-max 22 --remote 203.0.113.0/24

# Allow all outbound traffic
ibmcloud is security-group-rule-add web-sg outbound all

# Create an app-tier security group that allows traffic from web-sg
# (--remote accepts another security group, so the rule follows membership rather than IPs)
ibmcloud is security-group-create app-sg prod-vpc
ibmcloud is security-group-rule-add app-sg inbound tcp \
  --port-min 8080 --port-max 8080 --remote web-sg
```

Network ACLs

Network ACLs provide stateless traffic filtering at the subnet level. Unlike security groups, network ACL rules must explicitly allow both inbound and outbound traffic, and rules are evaluated in order with the first match applied. Network ACLs are less commonly used than security groups but provide an additional defense-in-depth layer.
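The stateful-versus-stateless distinction is the one that bites in practice, so here is a small model of it as an added example (not code from the page or from IBM). It evaluates the web-sg rules above against an HTTPS request and its reply, then shows the same request against a network ACL that forgot the reply path and the ACL that fixes it; the rule and flow types are my own simplification of the IBM rule fields.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    direction: str   # "inbound" or "outbound", seen from the VPC resource
    protocol: str    # "tcp", "udp", "icmp"
    port: int        # destination port of this packet
    remote: str      # IP address of the peer outside the resource

@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str    # "all" matches any protocol
    port_min: int
    port_max: int
    remote: str      # CIDR of the peer this rule applies to
    action: str = "allow"   # network ACL rules may also be "deny"

def matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("all", flow.protocol)
            and rule.port_min <= flow.port <= rule.port_max
            and ipaddress.ip_address(flow.remote) in ipaddress.ip_network(rule.remote))

def security_group_decide(rules, request, reply):
    """Stateful and unordered: allowing the request implicitly allows its reply."""
    allowed = any(matches(r, request) for r in rules)
    return allowed, allowed

def acl_allows(rules, flow):
    """Stateless and ordered: the first matching rule decides; no match is an implicit deny."""
    for r in rules:
        if matches(r, flow):
            return r.action == "allow"
    return False

# Constructed rule sets modelled on the web-sg commands above.
WEB_SG = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),
          Rule("inbound", "tcp", 22, 22, "203.0.113.0/24"),
          Rule("outbound", "all", 0, 65535, "0.0.0.0/0")]
# An ACL that only allows the request: the reply to the client's ephemeral port is dropped.
WEB_ACL_REQUEST_ONLY = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),
                        Rule("inbound", "all", 0, 65535, "0.0.0.0/0", "deny")]
# The explicit outbound rule for the ephemeral port range restores the reply path.
WEB_ACL_FIXED = WEB_ACL_REQUEST_ONLY[:1] + [Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0")] + WEB_ACL_REQUEST_ONLY[1:]

HTTPS_REQUEST = Flow("inbound", "tcp", 443, "198.51.100.7")
HTTPS_REPLY = Flow("outbound", "tcp", 51000, "198.51.100.7")
```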

Public Gateways and Floating IPs

By default, resources in a VPC have no internet access. Two mechanisms provide outbound or inbound internet connectivity:

  • Public Gateways: Provide outbound-only internet access for all resources in a subnet. Resources can initiate connections to the internet but cannot receive unsolicited inbound connections. Each zone can have one public gateway.
  • Floating IPs: Provide both inbound and outbound internet access for a specific network interface. The floating IP is a static public IP address that routes traffic directly to one instance. Use floating IPs for bastion hosts, load balancers, or any resource that needs to accept incoming connections.

```bash
# Create a public gateway for outbound internet access
ibmcloud is public-gateway-create pg-z1 prod-vpc us-south-1

# Attach the public gateway to a subnet
ibmcloud is subnet-update web-z1 --pgw pg-z1

# Reserve a floating IP for a specific instance
ibmcloud is floating-ip-reserve bastion-fip \
  --nic primary --in bastion-instance
```

VPN Gateway

IBM Cloud VPN for VPC provides site-to-site IPsec VPN connectivity between your VPC and on-premises networks or other cloud environments. The VPN gateway is a managed service that handles the IPsec tunnel setup, key exchange, and high availability automatically.

```bash
# Create a policy-based VPN gateway in the web-z1 subnet
ibmcloud is vpn-gateway-create prod-vpn web-z1 --mode policy

# Create a VPN connection to on-premises
# (connection name, gateway, peer address and pre-shared key are positional arguments;
# read the key from an environment variable so it does not land in shell history)
ibmcloud is vpn-gateway-connection-create onprem-connection prod-vpn \
  203.0.113.1 "$VPN_PSK" \
  --local-cidr 10.10.0.0/16 \
  --peer-cidr 172.16.0.0/12
```

Transit Gateway

IBM Cloud Transit Gateway enables you to connect multiple VPCs within the same region or across regions, as well as connect VPCs to Classic Infrastructure. Transit Gateway uses the IBM Cloud backbone network, providing high-bandwidth, low-latency connectivity without the complexity of managing individual VPC peering connections.

```bash
# Create a transit gateway
ibmcloud tg gateway-create \
  --name prod-transit-gateway \
  --location us-south

# Add VPC connections (the connection type flag is --network-type)
ibmcloud tg connection-create <gateway-id> \
  --name prod-vpc-connection \
  --network-type vpc \
  --network-id <vpc-crn>

ibmcloud tg connection-create <gateway-id> \
  --name shared-services-connection \
  --network-type vpc \
  --network-id <shared-vpc-crn>
```

Overlapping CIDRs

Transit Gateway does not support overlapping CIDR ranges between connected VPCs. Plan your address space carefully when designing multi-VPC architectures. Use prefix filters on Transit Gateway connections to control route propagation and prevent routing conflicts.
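Both the subnet sizing rule (five reserved addresses per subnet) and the no-overlap requirement for Transit Gateway are easy to check before anything is created. The script below is an added example, not part of the page or of IBM's tooling: it takes a constructed plan mirroring the prefixes and subnets above, verifies each subnet sits inside its zone prefix, flags subnets that overlap each other, and reports prefix overlaps between VPCs that Transit Gateway would refuse to route.

```python
import ipaddress

RESERVED_PER_SUBNET = 5  # network address, gateway, two DNS resolvers, broadcast

# Constructed plan mirroring the address prefixes and subnets created above.
ZONE_PREFIXES = {"us-south-1": "10.10.0.0/18",
                 "us-south-2": "10.10.64.0/18",
                 "us-south-3": "10.10.128.0/18"}
SUBNETS = {"web-z1": ("us-south-1", "10.10.0.0/24"),
           "app-z1": ("us-south-1", "10.10.1.0/24"),
           "db-z1": ("us-south-1", "10.10.2.0/24"),
           "web-z2": ("us-south-2", "10.10.64.0/24")}

def usable_addresses(cidr):
    """Addresses left for network interfaces once the five reserved IPs are removed."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET

def validate_plan(zone_prefixes, subnets):
    """Problems found: a subnet outside its zone's prefix, or two subnets that overlap."""
    problems, seen = [], {}
    for name, (zone, cidr) in subnets.items():
        net = ipaddress.ip_network(cidr)
        prefix = ipaddress.ip_network(zone_prefixes[zone])
        if not net.subnet_of(prefix):
            problems.append(f"{name}: {cidr} is not inside {zone} prefix {prefix}")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {cidr} overlaps {other} ({other_net})")
        seen[name] = net
    return problems

def transit_conflicts(vpc_prefixes):
    """Prefix pairs in different VPCs that overlap; Transit Gateway cannot route between them."""
    flat = [(vpc, ipaddress.ip_network(c)) for vpc, cidrs in vpc_prefixes.items() for c in cidrs]
    conflicts = []
    for i, (vpc_a, net_a) in enumerate(flat):
        for vpc_b, net_b in flat[i + 1:]:
            if vpc_a != vpc_b and net_a.overlaps(net_b):
                conflicts.append((vpc_a, str(net_a), vpc_b, str(net_b)))
    return conflicts
```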

Direct Link

IBM Cloud Direct Link provides dedicated, private connectivity between your on-premises data center and IBM Cloud. Direct Link bypasses the public internet, providing consistent performance, lower latency, and enhanced security for hybrid cloud workloads.

IBM Cloud offers two Direct Link options:

  • Direct Link Dedicated: A physical cross-connect in an IBM Cloud colocation facility, providing 1 Gbps, 2 Gbps, 5 Gbps, or 10 Gbps bandwidth.
  • Direct Link Connect: A virtual connection through a partner network, available in speeds from 50 Mbps to 5 Gbps. Faster to provision and does not require physical colocation.

Virtual Private Endpoints (VPE)

Virtual Private Endpoint Gateways enable you to connect to IBM Cloud services (such as COS, Db2, Event Streams, and Key Protect) using private IP addresses within your VPC. Traffic between your VPC and the service never traverses the public internet, providing enhanced security and consistent network performance.

```bash
# Create a VPE gateway for Cloud Object Storage
ibmcloud is endpoint-gateway-create \
  --name cos-vpe \
  --vpc prod-vpc \
  --target crn:v1:bluemix:public:cloud-object-storage:global:::endpoint:s3.direct.us-south.cloud-object-storage.appdomain.cloud \
  --ips web-z1,web-z2
```

Flow Logs

VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. Flow logs are stored in Cloud Object Storage and can be analyzed using IBM Cloud SQL Query, IBM Log Analysis, or third-party SIEM tools. Enable flow logs for troubleshooting connectivity issues, security analysis, and compliance auditing.

```bash
# Create a flow log collector for the entire VPC
ibmcloud is flow-log-create prod-flow-logs \
  --target prod-vpc \
  --bucket flow-logs-bucket \
  --bucket-endpoint s3.direct.us-south.cloud-object-storage.appdomain.cloud \
  --active true
```
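Once the collector is writing to the bucket, the records are plain JSON and a small amount of code turns them into security signal. The example below is added here and is not IBM code: it reads one constructed flow log record and reports rejected SSH attempts per source plus any accepted SSH flow from outside the corporate CIDR that web-sg is supposed to enforce (a sign the security group has drifted). The field names follow my reading of the IBM VPC flow log record schema and are an assumption to confirm against your own collector's output.

```python
import ipaddress
import json
from collections import Counter

# The corporate range that web-sg permits for SSH; anything else reaching port 22 is a finding.
ALLOWED_SSH_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample record. Field names (direction "I"/"O", action "accepted"/"rejected",
# initiator_*/target_* fields) are my assumption of the collector's schema, not copied output.
SAMPLE_RECORD = json.dumps({
    "attached_endpoint_type": "vnic",
    "network_interface_id": "nic-constructed-0001",
    "flow_logs": [
        {"direction": "I", "action": "rejected", "initiator_ip": "198.51.100.7",
         "target_ip": "10.10.0.4", "initiator_port": 51234, "target_port": 22, "transport_protocol": 6},
        {"direction": "I", "action": "rejected", "initiator_ip": "198.51.100.7",
         "target_ip": "10.10.0.4", "initiator_port": 51235, "target_port": 22, "transport_protocol": 6},
        {"direction": "I", "action": "accepted", "initiator_ip": "203.0.113.10",
         "target_ip": "10.10.0.4", "initiator_port": 40001, "target_port": 22, "transport_protocol": 6},
        {"direction": "I", "action": "accepted", "initiator_ip": "198.51.100.9",
         "target_ip": "10.10.0.4", "initiator_port": 40002, "target_port": 443, "transport_protocol": 6},
    ],
})

def ssh_findings(record_json, allowed=ALLOWED_SSH_SOURCES):
    """Return (rejected SSH attempts per source, sources that reached SSH from outside the allowed CIDRs)."""
    record = json.loads(record_json)
    rejected = Counter()
    unexpected = []
    for flow in record.get("flow_logs", []):
        inbound_ssh = (flow.get("direction") == "I"
                       and flow.get("transport_protocol") == 6   # TCP
                       and flow.get("target_port") == 22)
        if not inbound_ssh:
            continue
        src = ipaddress.ip_address(flow["initiator_ip"])
        if flow.get("action") == "rejected":
            rejected[str(src)] += 1          # the security group held; count attempts per source
        elif not any(src in net for net in allowed):
            unexpected.append(str(src))     # accepted SSH from outside the corporate range: rule drift
    return dict(rejected), unexpected
```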

Network Architecture Best Practices

  • Deploy subnets across at least two availability zones for high availability.
  • Use security groups as the primary access control mechanism; add network ACLs for defense-in-depth.
  • Use public gateways for outbound internet access; avoid floating IPs except for bastion hosts.
  • Connect VPCs using Transit Gateway rather than individual VPN connections.
  • Use Virtual Private Endpoints for all IBM Cloud service access from within VPCs.
  • Plan IP address ranges to avoid overlap with on-premises and other cloud networks.
  • Enable VPC Flow Logs for security monitoring and troubleshooting.
  • Use DNS Services for private DNS resolution within and across VPCs.

Key Takeaways

  1. VPCs are regional and subnets are zonal; deploy across multiple zones for high availability.
  2. Security groups provide stateful, instance-level traffic filtering; network ACLs add stateless subnet-level filtering.
  3. Transit Gateway connects multiple VPCs and Classic Infrastructure without managing individual peering connections.
  4. Virtual Private Endpoints ensure service-to-service traffic stays on IBM's private network.

Frequently Asked Questions

Can I change subnet CIDR after creation?

No, subnet CIDR blocks cannot be modified after creation. Plan your address space carefully before deploying resources. Each subnet reserves 5 IP addresses, so a /24 provides 251 usable addresses.

What is the difference between a public gateway and a floating IP?

A public gateway provides outbound-only internet access for all resources in a subnet. A floating IP provides both inbound and outbound access for a specific network interface. Use public gateways for general internet access and floating IPs only for resources that must accept incoming connections.

Written by CloudToolStack Team

Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
