VNet peering is deprecated
For more information, see the article Connecting clients to APIM with NAT Gateway.
# Virtual Network Peering
Beginning with release 19.09, all ABB Ability™ Platform deployments are secured via Azure Virtual Networks. The virtual networks (VNets) protect internal platform components by creating a private space for communication. Limiting public endpoints minimizes the attack surface.
The Ability Instance API is never publicly accessible; communication with these resources can only be achieved through a peered VNet (or the VPN described below). Peering is the process of establishing trust between two virtual networks so that resources in each can reach the other over private addresses.
# Implementation
In the diagram below, we have two virtual networks deployed in Azure. One VNet hosts Ability services, including API Management, and the other VNet is owned by the business line (BL) and hosts their application(s). The networks are peered, which allows the business app to call the Ability API. Clients only interact with the cloud-based BL endpoints. Direct client communication with the platform Instance API over the public internet is not supported.
# Development Environments
To support local application development, the Ability platform can be configured to work with the ABB Ability Azure SSL VPN. You can create a Service Now ticket to add this functionality to the platform using the following parameters:
- Short Description: Whitelist VPN Gateway
- Category: Ability Operations
- Environment: Development
- Sub category: ABB Ability Platform - General
- Description: Whitelist ABB Ability Azure VPN Gateway for Instance API in <Platform Instance Name>
Once the platform network is configured, developers can request access to the VPN gateway by following this guide. Direct communication with the Instance API URL found in the environment's instance parameters should then be possible.
# How to Peer
For successful peering to Ability, the business line virtual network must meet the following criteria:
- Address space does not use the 10.0.0.0 prefix
- Deployed in the same Azure Location as the platform instance
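A pre-check a BL team can run before raising the peering ticket, as an added example that is not part of this page or of the ABB Ability tooling. It validates a VNet description shaped like the JSON returned by `az network vnet show` (only `location` and `addressSpace.addressPrefixes` are read) against the two criteria above; the sample VNet values are constructed, and the 10.0.0.0 check is applied literally to the page's wording (any prefix whose network address is 10.0.0.0, whatever its length). Any stricter overlap check against the platform's actual address space is outside what the page states.

```python
"""Check a business-line VNet against the Ability VNet peering criteria.

Added example, not from the page or the ABB Ability platform tooling.
"""
import ipaddress
import json
from typing import List

# Constructed sample, shaped like `az network vnet show -g <rg> -n <vnet> -o json`
# (only the fields used below are included).
SAMPLE_VNET_JSON = json.dumps({
    "name": "bl-app-vnet",                       # constructed name
    "location": "westeurope",                    # constructed location
    "addressSpace": {"addressPrefixes": ["10.0.0.0/16", "192.168.10.0/24"]},
})

# Criterion from the page: the BL address space must not use the 10.0.0.0 prefix.
FORBIDDEN_NETWORK_ADDRESS = ipaddress.ip_address("10.0.0.0")


def _normalise_location(location: str) -> str:
    # Azure shows the same region as "West Europe" or "westeurope"; compare a
    # canonical form so a display-name mismatch is not reported as a violation.
    return location.replace(" ", "").lower()


def check_peering_criteria(vnet_json: str, platform_location: str) -> List[str]:
    """Return the list of criteria violations; an empty list means the VNet qualifies."""
    vnet = json.loads(vnet_json)
    problems: List[str] = []

    # Criterion 2: same Azure location as the platform instance.
    if _normalise_location(vnet["location"]) != _normalise_location(platform_location):
        problems.append(
            f"location {vnet['location']!r} differs from platform location {platform_location!r}"
        )

    # Criterion 1: no address prefix may use 10.0.0.0 (e.g. 10.0.0.0/8, /16, /24).
    for prefix in vnet["addressSpace"]["addressPrefixes"]:
        network = ipaddress.ip_network(prefix, strict=False)
        if network.network_address == FORBIDDEN_NETWORK_ADDRESS:
            problems.append(f"address prefix {prefix} uses the reserved 10.0.0.0 prefix")

    return problems


if __name__ == "__main__":
    for problem in check_peering_criteria(SAMPLE_VNET_JSON, "westeurope") or ["VNet qualifies"]:
        print(problem)
```

Run it against the real output of `az network vnet show ... -o json` and the platform instance's location before filing the ticket; a non-empty result means the peering request will be rejected until the VNet is redeployed.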
To create a peering, a user must have appropriate permissions in both Azure subscriptions that own the VNets being peered. Therefore, this can only be accomplished by Operations support. You can create a Service Now ticket to add a peering using the following parameters:
- Short Description: Add VNet Peering
- Category: Ability Operations
- Environment: <Production/Development/Staging/Test>
- Sub category: ABB Ability Platform - General
- Description: Create peering between <Platform Instance Name> and <BL VNet Name> in <BL Subscription> subscription
Once peered, you can refer to the Ability deployment's instance parameters for further configuration. As an example, a user might want to enable name resolution by adding a hosts entry on their machine. The following entry consists of the Instance API peered IP and the Instance API peered URL:

```
10.x.y.z <Platform Instance Name>.abilityplatform.abb
```

A restart might be required on certain operating systems. Because the API's certificate is issued for the named URL rather than for the IP address, resolving the name is needed for certificate validation to succeed.
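An added example, not from the page or the ABB tooling, of building that hosts entry from the instance parameters and applying it without leaving duplicates behind. The instance-parameter key names (`instanceApiPeeredIp`, `instanceApiPeeredUrl`) and all values are assumptions constructed for the example. The edge case it handles is a re-peering that changed the peered IP: a stale line for the same hostname would otherwise keep winning name resolution and the certificate's hostname would be validated against the wrong endpoint.

```python
"""Build and idempotently apply the hosts entry for a peered Instance API.

Added example, not part of the page or of the ABB Ability platform tooling.
"""
import ipaddress
from typing import Dict

# Constructed instance parameters; key names are assumed, not taken from the page.
INSTANCE_PARAMS: Dict[str, str] = {
    "instanceApiPeeredIp": "10.20.30.40",
    "instanceApiPeeredUrl": "example-instance.abilityplatform.abb",
}

# Constructed hosts file content with a stale entry from an earlier peering.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "10.9.9.9 example-instance.abilityplatform.abb # old peering\n"
)


def hosts_entry(params: Dict[str, str]) -> str:
    """Return the '<ip> <hostname>' line for the peered Instance API."""
    # ip_address() rejects anything that is not a valid address, so a bad
    # parameter fails loudly instead of producing a broken hosts line.
    ip = ipaddress.ip_address(params["instanceApiPeeredIp"])
    host = params["instanceApiPeeredUrl"].strip().lower()
    return f"{ip} {host}"


def apply_hosts_entry(hosts_text: str, entry: str) -> str:
    """Return hosts_text with `entry` present exactly once for its hostname.

    Existing lines mapping the same hostname (stale IP, duplicates) are replaced;
    other hostnames on such a line and all unrelated lines are preserved.
    """
    ip, host = entry.split()
    result = []
    replaced = False
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # ignore trailing comments
        if len(fields) >= 2 and host in [h.lower() for h in fields[1:]]:
            remaining = [h for h in fields[1:] if h.lower() != host]
            if remaining:
                # Keep the other hostnames that shared this line.
                result.append(f"{fields[0]} {' '.join(remaining)}")
            if not replaced:
                result.append(entry)
                replaced = True
            continue
        result.append(line)
    if not replaced:
        result.append(entry)
    return "\n".join(result) + "\n"


if __name__ == "__main__":
    print(apply_hosts_entry(SAMPLE_HOSTS, hosts_entry(INSTANCE_PARAMS)), end="")
```

Lines are written with `\n`; on Windows, where the hosts file lives under `%SystemRoot%\System32\drivers\etc\hosts` and editing it needs an elevated shell, convert the line endings before writing if the rest of the file uses `\r\n`.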