IBM Data and AI Ideas Portal for Clients


Data Catalog dynamic IP address frustrates IP address security filters in remote clouds and on-premise systems.

I'm testing the Data Catalog's ability to access a remote (to IBM's cloud) relational database. I provisioned a NoSQL database using AWS RDS service. I wanted to set the AWS security group to only permit access from the IP address used by the Data Catalog. I used AWS logging to determine the IP address used by Data Catalog and set the security group to permit access from that IP. Data Catalog was able to access the MySQL database and access the data. However, the next day it stopped working. Reviewing the access logs on AWS showed the IP address used by the Data Catalog had changed. I tried this several different times and at some point the IP address of the Data Catalog would change (the "From" address as seen by the AWS security group). The class-A subnet also changed, making it impossible to create a generic IBM cloud filter. I realize IP addresses are a bad approach but, unfortunately, are in use as security filters by clouds and on-premise systems.

Is there any way to specify a public IP address for the Data Catalog to use that doesn't change?   

I don't know if the observed behavior is coming from Data Catalog or the networking layer of Bluemix and/or Softlayer. 

My next step is to try setting up a Security Gateway between Bluemix and AWS with the idea I can get the Data Catalog to use the Security Gateway to tunnel over to a virtual lan segment at AWS where the database resides. 

 

Thank you

  • Guest
  • Dec 14 2018
  • Not Under Consideration
Who would benefit from this IDEA? As a customer I want to access an on-premise or remote cloud protected by IP address based security filtering
Idea Priority Low
  • Guest commented
    14 Dec, 2018 05:59pm

    Work with Domenico Conia ... essentially each IBM data center has an IP range for outgoing connections.  We need to get that documented.

    Hi David,
    I had a good discussion, and some of this info was also present in the deck
    you saw 30 min ago in the "Public Isolation" Webinar.

    I don't have time today to prepare a good simple diagram,
    but here is the answer to your question.

    Short answer: YES, as I told you before, the traffic coming from a customer account is, in 90% of the cases, simple to "white-list".

    _________________________________________________
    A- Customer account managed by IBM:
        Secure Perimeter can be Vyatta 5600 or Fortigate FW

    B- Customer account managed by the customer
        Secure perimeter can be  Vyatta 5600 or Fortigate FW
        or any "customized" secure solution they want to put.
     
    The main architecture does not change; with Scenario B the customer is responsible for managing the security.


    There are 2 scenarios available today:

    1- Vyatta Based Perimeter ==> Source NAT is always configured on the Vyatta by BMX network engineer,
       so all the outgoing traffic to the internet has 1 or a few specific public IPs as source
       (configured on the Vyatta or equivalent firewall).
       CF Accounts

    2- Armada Based Perimeter ==> Source NAT is still configured, but on IP Tables.
       Project name: "BedRock"
       Fred Tucci is the lead architect for this project.
       They use Front End Armada nodes as "secure perimeter" with IP Tables on board.
       Application runs on Back End Armada Nodes.
       Armada Accounts

    Both scenarios (Vyatta / Vyatta-less) MUST be monitored to avoid the risk of
    missing or wrong firewall rules.
    IPTables (scenario 2) can be a mess with a lot of clusters... so Fred is probably using automation
    to deploy and monitor the IP Tables. If one rule is wrong (e.g. they forgot any any any allowed),
    an alarm is raised.

    In Scenario 1 (Vyatta) this is always included in the BMX security architecture (Vyatta fw rules are monitored).

    FUTURE Scenario:
    3- Another scenario (not possible today, could be in a few months hopefully) is BYOP
        With BYOP the customer could assign specific addresses as Source or his environment
             

    Kind regards
    _____________________________________________________
    Domenico Conia
    IBM Italia S.p.A.                              Mobile: +39 3357446011
    IBM Watson Data Platform             Infrastructure team
    Certified Expert IT Architect Cloud & Security
    domenico.conia@it.ibm.com

    IBM Italia S.p.A. Sede Legale: Circonvallazione Idroscalo - 20090 Segrate (MI) Cap. Soc. euro 347.256.998,80 C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 Societa' con unico azionista Societa' soggetta all'attivita' di direzione e coordinamento di International Business Machines Corporation (Salvo che sia diversamente indicato sopra / Unless stated otherwise above)
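
The comment above relies on two things: source NAT pinned to a few fixed public IPs, and monitoring for missing or wrong firewall rules such as a leftover "any any any" allow. The following Python example is added here for illustration (it is not IBM's tooling and not part of the original post or comment); it audits an `iptables-save` dump for both conditions. The sample ruleset, its documentation-range addresses and the `audit` function are constructed, and IPv4 `--to-source` values are assumed.

```python
import ipaddress
import shlex

# Constructed iptables-save sample; addresses are documentation ranges.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -s 10.10.0.0/16 -o eth1 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.20.0.0/16 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.30.0.0/16 -o eth1 -j SNAT --to-source 198.51.100.7
COMMIT
*filter
-A FORWARD -s 10.10.0.0/16 -p tcp --dport 3306 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

def audit(rules_text, allowed_sources):
    """Return (line_no, message) findings for an iptables-save dump (IPv4)."""
    allowed = {ipaddress.ip_address(a) for a in allowed_sources}
    findings, table = [], None
    for no, line in enumerate(rules_text.splitlines(), 1):
        if line.startswith("*"):
            table = line[1:].strip()
            continue
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        target = opts.get("-j")
        if table == "nat" and opts["-A"] == "POSTROUTING":
            if target == "MASQUERADE":
                findings.append((no, "MASQUERADE: source IP follows the interface"))
            elif target == "SNAT":
                spec = opts.get("--to-source", "").split(":")[0]  # drop :port
                try:
                    ips = [ipaddress.ip_address(a) for a in spec.split("-")]
                except ValueError:
                    ips = []
                if not ips or any(ip not in allowed for ip in ips):
                    findings.append((no, f"SNAT to non-documented source {spec!r}"))
        elif table == "filter" and target == "ACCEPT":
            # "any any any": ACCEPT with no source/dest/protocol/interface match
            matchers = {k: v for k, v in opts.items()
                        if k not in ("-A", "-j") and v != "0.0.0.0/0"}
            if not matchers:
                findings.append((no, "unrestricted ACCEPT (any any any)"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_RULES, ["203.0.113.10"]):
        print(f"line {no}: {msg}")
```

The list passed as `allowed_sources` is the set of egress addresses that remote security groups or on-premise filters have been told to permit; any SNAT rule outside it means the remote allow-list will silently stop matching.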

