3

From Bluemix I want to access an application in a customers data center using Secure Gateway service. I also want to give access to the destination (the customer application) to the Bluemix application only.

In the Secure Gateway dashboard under Advanced options of the gateway or the destination definition is a Network option where I can specify an IP address or address range plus port or port range. The help text says: "Set this destination to private to only allow access from specific IPs and ports." This is exactly what I am looking for.

But: How can I use this with a Bluemix app? I don't know the IP address of the Bluemix app. I am aware that I can figure it out but it is not static, the moment I stop and restart an app on Bluemix, the IP address may change. So this setting of the Network option would have to be done by some API call from the Bluemix application itself. Is this possible?

If not, why have this function at all?

Kamaganahally Jaganatha
  • 347
  • 4
  • 14
Harald Uebele
  • 264
  • 1
  • 9

2 Answers2

2

The cloud application will use the "cap-sg-prd-<#>.integration.ibmcloud.com" hostname and the port they were given to connect into the cloud service. The client uses the destination configuration, which is downloaded to the client, to perform the backend, on-premises connection to their on-premises resource. So only their cloud application need to know about the cap-sg*/port number, all other connectivity is taken care by using the already established SecureGateway client connection.

Claudio De Ingeniis
  • 101
  • 2
  • But then why add this Network option feature to the Secure Gateway definition at all? The help text indicates that I can use it _to limit access to the destination_ . Which is exactly what I want: I want only **my** Bluemix application to be able to access the destination. Without establishing TLS on the connection anybody who knows the "cap-sg-prd-<#>.integration.ibmcloud.com" hostname and the port can connect to the destination, even from outside Bluemix – Harald Uebele Oct 28 '15 at 07:05
1

In the form for the IP address you can also specify hostnames. You could try to provide the hostname of your Bluemix app. In my tests I did not succeed and had the entire connections cut off. Thus I cannot recommend trying to restrict connections right now.

By binding your Secure Gateway to the app or, even better, utilizing user-provided services to bind a database to an app you can leave the connection information internal to Bluemix. Here is a blog post with steps for user-provided services and on github is a demo for on-premise database integration utilizing the user-provided services and the Secure Gateway.

The hint regarding hostnames can be found in the Bluemix documentation for the Secure Gateway. The information about the Secure Gateway in the Knowledge Center is shy about it.

data_henrik
  • 16,724
  • 2
  • 28
  • 49