One of the great things about being in a connected world is the ability to have private only systems talk to each other through gateway devices. Today you will look at using the Bluemix VPN Service connected to a SoftLayer Vyatta Network Gateway Device to enable communication between Private-Only Bluemix containers and SoftLayer instances.
Besides the VPN service, an IBM container is required in order to test the connection between Bluemix and SoftLayer. To push the test container into the Bluemix account, the Cloud Foundry command line app and its associated IBM Container plugin needs to be installed, following these instructions.
After the Cloud Foundry CLI and IBM container plugin has been installed, log in by issuing the following command:
cf login. The following prompts will appear:
$ cf login API endpoint: https://api.ng.bluemix.net Email> firstname.lastname@example.org Password> Authenticating... OK Select an org (or press enter to skip): 1. tinylab 2. tinylayer Org> 1 Targeted org tinylab Select a space (or press enter to skip): 1. dev 2. tunnel 3. demospace Space> 2 Targeted space tunnel API endpoint: https://api.ng.bluemix.net (API version: 2.40.0) User: email@example.com Org: tinylab Space: tunnel
To start working with the container service, run the command
cf ic login. The command will download the associated certificates that allow communication with the Bluemix container registry service.
$ cf ic login Deleting the old configuration file... Retrieving client certificates from IBM Containers... Storing client certificates in /Users/ryan/.ice/certs/... Storing client certificates in /Users/ryan/.ice/certs/containers-api.ng.bluemix.net/cad48f71-c998-4ebd-8b12-65489188c91d... OK The client certificates youre retrieved. (yadda yadda yadda)
The Bluemix VPN Service requires at least one running container in order to expose the container group networking to the VPN service. The following Dockerfile is used to build and push a simple apache container image to the Bluemix container registry. The container will include any files in the public-html folder in the current working directory. Create that directory if it does not exist and a simple index.html page.
FROM httpd:2.4 COPY ./public-html/ /usr/local/apache2/htdocs/ EXPOSE 80 VOLUME ["/url/local/apache2/htdocs"]
Retrieve the container namespace. This is used when pushing the container to Bluemix
$ cf ic namespace get tinybot
In the same directory as the Dockerfile use the build command to build the container and push the container image to the Bluemix account:
$ cf ic build -t registry.ng.bluemix.net/tinybot/apache:v1 . Sending build context to Docker daemon 112.6 kB Step 1 : FROM httpd:2.4 ---> 8919e97cfbc2 Step 2 : COPY ./public-html/ /usr/local/apache2/htdocs/ ---> Using cache ---> aca4ed2ca247 Step 3 : EXPOSE 80 ---> Using cache ---> 7560e3d90f07 Step 4 : VOLUME /url/local/apache2/htdocs ---> Using cache ---> 08ac969c541b Successfully built 08ac969c541b The push refers to a repository [registry.ng.bluemix.net/tinybot/apache] (len: 1) 08ac969c541b: Image already exists aca4ed2ca247: Image already exists aed455149560: Image already exists f36c3a629f42: Image already exists cd658ce1233c: Image already exists 38d79807548c: Image already exists 73e8d4f6bf84: Image already exists v1: digest: sha256:e3f08d67b4a08531821bfa171f7c89e368980f2a32f7a8e7fa33d1332ad88a17 size: 29830
Once the container image is pushed to the registry, access the Bluemix web Dashboard and click Start Containers to create a new IBM container. Select the apache container and on the subsequent page provide a name for the container and choose the container size. Ensure that under Public Ports it shows
80/tcp. Click the CREATE button and after a few minutes the container will be active.
- Figure 1: List of Available Containers on your account
- Figure 2: Container creation page
With the container created use the
cf ic ps -a command to view the container details and status:
$ cf ic ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f372d24b-94d registry.ng.bluemix.net/tinybot/apache:latest "" 20 minutes ago Running 20 minutes ago 80/tcp myapachetest
To test the connectivity to the container from a SoftLayer instance use the
inspect command to get the containers private IP.
$ cf ic inspect f372d24b-94d |grep IPAddress "IPAddress": "172.31.0.3",
The Bluemix containers support requesting and binding Public IP's, but for some use cases this is not required nor ideal. This is where the VPN connection comes in to play. Once a connection has been established to the secure VPN tunnel, an endpoint on one side of the tunnel can communicate with any endpoint on the other side of the tunnel without requiring any special client software.
The Bluemix VPN Service uses the time-tested, mature Internet Protocol Security (IPsec) protocol suite to build a secure communication channel between a private on-premises data center and IBM Bluemix cloud resources. You can read over the official documentation here.
After the VPN service has been created in Bluemix portal, click on CREATE GATEWAY to create the Gateway connection.
This will take a few moments and when it completes, grab the IP of the new Gateway to use in the next step as well as the Container group IP ranges. The default IKE and IPSec policies can be used for the VPN connection to the SoftLayer Vyatta.
With the Gateway IP and Container group IP's in hand, next up is to configure the Vyatta. Log in to the Gateway as a Service dashboard, find the Vyatta that will be used for the tunnel and click Manage Tunnels. On the next page click Add Tunnel. On the subsequent page you can leave all of the default options checked.
Scroll to the bottom of the page and click Next. On the 'Select VLAN(s)' page ensure that the public and private Associated VLANs are highlighted (1919 and 1710 in my example) and then click Next.
On the network configutation page, make the following changes:
Click Next to review the tunnel configuration and then select the check box to agree with the gateway configuration overwrite. Click next and then Finish to start the Vyatta reconfiguration process to create the tunnel to Bluemix. An email will be generated when the Vyatta has been re-configured.
Back in the Bluemix dashboard, provide the following details to establish a connection between the SoftLayer Vyatta, and the IBM VPN gateway.
After a few minutes, the VPN Connection will be created. If the page does not update after a few moments, refresh your browser to check on the connection. If the tunnel is up the page will report the VPN Site Connection as Active.
Confirm the tunnel is up on the Vyatta device. Issue the following commands to check if the IPsec connection has been established with Bluemix:
vyatta@tunnel:~$ show vpn ipsec status IPSec Process Running PID: 19581 4 Active IPsec Tunnels IPsec Interfaces : bond1v1 (no IP on interface statically configured as local-ip for any VPN peer) vyatta@tunnel:~$ show vpn ipsec sa Peer ID / IP Local ID / IP ------------ ------------- 188.8.131.52 184.108.40.206 Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto ------ ----- ------------- ------- ---- ----- ------ ------ ----- 1 up 0.0/0.0 aes128 sha1 yes 1103 3600 all 2 up 0.0/0.0 aes128 sha1 yes 1042 3600 all 3 up 0.0/0.0 aes128 sha1 yes 1033 3600 all 4 up 0.0/0.0 aes128 sha1 yes 823 3600 all
Provision a new VSI behind the Associted VLAN of the Vyatta Gateway device. To Obtain the Associated VLAN log in to the SoftLayer portal and navigate to Network > Gateway Appliances > Click on the Vyatta being used for the tunnel. Once the VSI has been created, log in and set a static route to allow communication with the Bluemix VPN through the Vyatta. You will use the VSI's Gateway IP when setting the route:
root@bmtest:~# ip route|grep eth0 10.0.0.0/8 via 10.54.202.65 dev eth0 10.54.202.64/26 dev eth0 proto kernel scope link src 10.54.202.109 root@bmtest:~# route add -net 172.31.0.0 netmask 255.255.0.0 gw 10.54.202.65
Once the route has been added, test the connection by pinging the IBM container.
$ root@bmtest:~# ping -c 3 172.31.0.3 PING 172.31.0.3 (172.31.0.3) 56(84) bytes of data. 64 bytes from 172.31.0.3: icmp_seq=1 ttl=62 time=44.4 ms 64 bytes from 172.31.0.3: icmp_seq=2 ttl=62 time=44.1 ms 64 bytes from 172.31.0.3: icmp_seq=3 ttl=62 time=44.0 ms --- 172.31.0.3 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 44.008/44.187/44.445/0.253 ms
Test the connection to the Apache service on the container.
$ root@bmtest:~# curl http://172.31.0.3 <html> <head> <title>Hello From Docker</title> </head> <body> <h1>Hello from an IBM Container</h1> <p>This is the home page for the HelloWorld youb application. </p> </body> </html>