Even though the cloud provides highly secure services, there is still hesitation to move all secure data into the cloud. Organizations, mainly those that handle financial transactions, do not want to move their data into the cloud for several reasons:
1. Companies mostly fear losing their data, as they have much less control once the data is moved to the cloud.
2. Sometimes organization or country/region policy prevents them from uploading live data outside the region/country.
3. Upgrading a legacy application to the cloud is much costlier than maintaining the live on-premise application.
IBM Bluemix also supports a hybrid design, in which one part of the application is deployed in the cloud while the other part can still talk to the on-premise system. This provides a highly secure connection and seamless integration. Connecting to a local server/application does not require any DNS service or static IP address.
Bluemix provides many services to connect to an on-premise network in a secure manner.
Frequently used services are:
Virtual private network (VPN): The IBM Virtual Private Network (VPN) service provides secure IP-layer connectivity between your on-premise data center and your IBM Bluemix cloud. It leverages the Internet Protocol Security (IPsec) protocol suite to protect IP communication between endpoints residing on your private subnets. An IPsec-compatible VPN gateway is required in your on-premise data center to establish secure connectivity with the IBM VPN service.
Secure gateway: The Secure Gateway Service provides a quick, easy, and secure solution for connecting anything to anything. By deploying the light-weight and natively installed Secure Gateway Client, you can establish a secure, persistent connection between your environment and the cloud. Once this is complete, you can safely connect all your applications and resources regardless of their location. Rather than bridging your environments at the network level like a traditional VPN that begins with full access and must be limited from the top down, Secure Gateway provides granular access only to the resources that you have defined.
How to Set Up a Secure Gateway Connection
In this recipe, we will use the Node-RED Starter to connect to Secure Gateway and access an on-premise service. We will go step by step through setting up the Secure Gateway connection and connecting to it from Bluemix.
Steps to configure secure gateway
1. Search for the Secure Gateway service in the categories section.
2. Click on the Secure Gateway service; this will navigate to the Secure Gateway page. This page contains a brief description of the service and reference documentation for setting it up. Click on the Create button.
1. Once you create the service, you will be taken to the Secure Gateway dashboard. The dashboard shows the connections and information about inbound/outbound calls. From the dashboard, click on the Add Gateway icon (marked in a red box).
2. Add a gateway name. This is required to open a connection between the on-premise server and Bluemix. Click on Add Gateway to create the new gateway.
3. Once you have added the gateway, you will be able to see the configured gateway as an icon at the top left. Click on the settings icon.
4. The settings window shows the gateway security key, ID and node details.
Node is the URL which we will use to call from the on-premise server.
5. Close this window. In the dashboard, you can see multiple tabs (client and destination). First we will configure the destination, and then we will configure the client to call the on-premise service from Bluemix. Click on the destination tab and you will see the icon below.
6. Secure Gateway supports bi-directional communication. We can receive requests from on-premise to cloud and from cloud to the on-premise server.
We will set it up to call the on-premise server from the cloud. The Guided Setup tab helps to configure the basic settings, and the Advanced Setup tab is for configuring the network, protocol and other required security settings. For this recipe we will use guided setup for the destination settings.
7. Click on the Next arrow button (keep the default settings as they are). The next wizard step asks for the on-premise server host name and port. I am connecting to my local machine, where my service is running on port 9444.
8. The next wizard step asks about the protocol. I have not changed the default setting. If you want to communicate over a different protocol, you can change it here. If your service requires an SSL certificate, you have to import it here. For demo purposes my service does not require any certificate, so I am keeping it blank.
9. The next section is for configuring authentication.
10. The next window asks about IP and port patterns. You can provide the list of IPs which are authorized to access this service. This is another security layer provided by the gateway.
11. An optional field lets you provide a destination name. If you have defined multiple destinations, providing a destination name is recommended.
12. Click on the Add Destination button. We will be taken to the dashboard, where you will be able to see the destination widget. Since we have not yet added the client, the widget shows 0 connections.
13. You can always edit the destination settings by clicking on the widget. All the other settings, like the URL and security key, can be seen under the settings icon.
We are done with the server-side configuration. In the next section we will configure the client service.
Client side settings
1. Click on Client tab → Connect Client.
2. The next window shows the list of client installers. For demo purposes I am using the IBM installer for Windows. You can choose any installer based on your operating system. For more details you can visit the Bluemix docs (https://console.bluemix.net/docs/services/SecureGateway/sg_021.html#sg_021)
3. Once the download is done, run the exe file and install the client on the Windows machine.
4. At the end of the installation, the wizard will prompt you to enter the gateway ID, security tokens and ACL. You can either add these entries now or skip this step. I will add those details at a later stage.
5. Now go to the Secure Gateway installation folder. On my machine it is installed under <installation Directory> \Secure Gateway Client\ibm\securegateway\client. Double-click on secgw.cmd.
6. This will open a command prompt and ask for the gateway ID and security token to connect to the Bluemix gateway.
Enter all the details and enter "y" to use the client UI.
By default, the URL is http://localhost:9003/dashboard. If you want to change the port or URL address, you can change that configuration in the "securegw_service.config" file.
7. If the gateway ID and security token are not provided when starting the client, the UI will prompt for the gateway ID.
8. The dashboard will show ACL, View Logs and connection information.
10. Click on Access Control List to grant permission to access the hosted IP and port. My service is running on my local machine on a Tomcat server. You can provide the service URL and port which you want to access through this gateway. You can add multiple IPs and ports here.
Done with the client side setting.
Node Red Service Setting
Now, to access the REST web services deployed on the on-premise machine, I will create a Node-RED service in Bluemix.
Node-RED is a programming tool for wiring together hardware devices, APIs and online services in new and interesting ways.
It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette that can be deployed to its runtime in a single-click.
For more details, please visit https://nodered.org/
1. Open Bluemix. Go to the Catalog and search for Node-RED Starter.
2. Provide an app name. By default, Bluemix creates the host name from the app name. If this host name is not available, Bluemix will ask you to change the host name. Click on the Create button.
3. Once you create the Node-RED service, you have to follow the wizard to create the Node-RED service in IBM Cloud.
Log in to the Node-RED service with the new credentials.
Drag the inject, http request and debug nodes into the flow editor. Connect all the nodes so that a flow is created. Now double-click on the http request node and fill in all the required fields.
Your node structure will look like this:
You have to add the URL, method and return type in the http request node.
You can get the URL (Cloud Host:Port) from the destination configuration for the nodered-demo destination in the Secure Gateway service.
Once you have added all the details, click on the Deploy button to save and compile the nodes.
Now click on timestamp; it will initiate the flow and show the output in the debug window.
You will be able to see the output of your response in the Debug window of the editor.
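The inject, http request and debug flow described above, written as a Node-RED flow export that can be pasted into the editor's Import dialog. This is an added example, not the original recipe's flow: CLOUD_HOST, PORT and the service path are placeholders for the Cloud Host:Port shown in your destination settings, and the http:// scheme, GET method and UTF-8 string return type are assumptions.

```json
[
  {
    "id": "sg-note",
    "type": "comment",
    "name": "Added example: set the http request URL to your destination's Cloud Host:Port",
    "info": "CLOUD_HOST, PORT and /your/service/path are placeholders. The http scheme, GET method and string return type are assumptions.",
    "x": 330, "y": 40,
    "wires": []
  },
  {
    "id": "sg-inject",
    "type": "inject",
    "name": "",
    "topic": "",
    "payload": "",
    "payloadType": "date",
    "repeat": "",
    "crontab": "",
    "once": false,
    "x": 120, "y": 100,
    "wires": [["sg-http"]]
  },
  {
    "id": "sg-http",
    "type": "http request",
    "name": "on-premise service via Secure Gateway",
    "method": "GET",
    "ret": "txt",
    "url": "http://CLOUD_HOST:PORT/your/service/path",
    "x": 350, "y": 100,
    "wires": [["sg-debug"]]
  },
  {
    "id": "sg-debug",
    "type": "debug",
    "name": "",
    "active": true,
    "console": "false",
    "complete": "payload",
    "x": 600, "y": 100,
    "wires": []
  }
]
```

If the debug node shows a connection error instead of the service response, check that the client is connected and that the host and port (9444 in this recipe) are allowed in the client's Access Control List.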