Check VPN Tunnel status
After logging into the Vyatta, check if the VPN tunnel is up.
Check if default route to private Service Endpoints is set on Vyatta
If the IBM Cloud account is VRF enabled, a default route to the private Service Endpoint network (184.108.40.206/14) should be set on the Vyatta, where the next hop is the gateway IP of the Vyatta’s private network interface (dp0bond0).
Optionally: Check source IP of incoming customer traffic to private Service Endpoint
For creating the NAT rule on the Vyatta, the source IP of the traffic flowing to the private Service Endpoint needs to be known. If the source IP or subnet is not known, a simple check on the Vyatta displays it. For this, the customer needs to generate steady incoming traffic (e.g. a continuous ping to a private Service Endpoint; in this example 220.127.116.11, the private Service Endpoint for Postgres). Monitoring the private interface (dp0bond0) then reveals the source IP.
In the example above, 10.85.XX.27 is the sought source IP.
Create source NAT rule to make private Service Endpoints reachable from customer network
Since the private Service Endpoints have no route back to subnets that are not VRF enabled or not included in the VRF, requests coming from those networks never receive a reply. The source IPs therefore need to be masqueraded with the IP of the private network interface (dp0bond0). This is achieved with the following source NAT rule:
set service nat source rule 10 destination address '18.104.22.168/14'
set service nat source rule 10 outbound-interface 'dp0bond0'
set service nat source rule 10 source address '10.85.XX.17'
set service nat source rule 10 translation address 'masquerade'
- destination address contains the private Service Endpoint subnet
- outbound-interface is the private network interface
- source address is the specific address or subnet from which the incoming connections are being sent (see step 3)
- translation address is set to masquerade, so that the interface IP of dp0bond0 is used as source (optionally, this address can also be set statically)
After this rule has been applied, the private Service Endpoints are reachable from the customer's network.
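Steps 3 and 4 above, as an added example that is not part of the original guide: it extracts the source IPs that talk to the Service Endpoint from tcpdump-style output captured on dp0bond0 (a constructed sample, with the guide's "XX" octet replaced by a made-up 120) and emits one narrowly scoped masquerade rule per observed host, so no wider subnet than necessary is translated.

```python
import ipaddress
import re

# Values from the guide: the Service Endpoint the customer pings, the private
# interface on which the Vyatta sees that traffic, and the NAT destination subnet.
ENDPOINT_IP = "220.127.116.11"
PRIVATE_IFACE = "dp0bond0"
SERVICE_ENDPOINT_NET = "18.104.22.168/14"

# Constructed sample of tcpdump-style output from monitoring dp0bond0 during the
# customer's steady ping; the guide's "XX" octet is replaced by a made-up 120.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.85.120.27 > 220.127.116.11: ICMP echo request, id 1, seq 1, length 64
12:00:02.000002 IP 10.85.120.27 > 220.127.116.11: ICMP echo request, id 1, seq 2, length 64
12:00:02.500000 IP 10.85.120.27 > 10.85.120.1: ICMP echo request, id 2, seq 1, length 64
12:00:03.000003 IP 192.168.7.5.44120 > 220.127.116.11.5432: Flags [S], seq 1, win 64240, length 0
"""

# tcpdump writes "src[.port] > dst[.port]:"; the optional groups drop the port.
LINE_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def find_source_ips(capture, endpoint_ip=ENDPOINT_IP):
    """Return the sorted list of source IPs seen sending traffic to endpoint_ip."""
    sources = set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(2) == endpoint_ip:
            sources.add(m.group(1))
    return sorted(sources, key=ipaddress.ip_address)


def build_snat_rules(sources, first_rule=10, step=10):
    """One masquerade rule per observed source host, so no address range wider
    than the hosts actually seen is translated; returns Vyatta 'set' commands."""
    cmds = []
    for i, src in enumerate(sources):
        ipaddress.ip_address(src)  # raises ValueError before bad input reaches the config
        prefix = f"set service nat source rule {first_rule + i * step}"
        cmds += [
            f"{prefix} destination address '{SERVICE_ENDPOINT_NET}'",
            f"{prefix} outbound-interface '{PRIVATE_IFACE}'",
            f"{prefix} source address '{src}'",
            f"{prefix} translation address 'masquerade'",
        ]
    return cmds


if __name__ == "__main__":
    print("\n".join(build_snat_rules(find_source_ips(SAMPLE_CAPTURE))))
```

The ping to 10.85.120.1 in the sample is ignored because it is not addressed to the Service Endpoint, which is exactly why the capture should be filtered on the endpoint and not on the interface alone.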