
Using the IBM Cloud console to create z/OS virtual server instances

You can create and configure an IBM Cloud™ Virtual Private Cloud (VPC) in the IBM Cloud console and then create a z/OS virtual server instance.

If you want to complete the following tasks by using the CLI or REST APIs, see Setting up your API and CLI environment.

Objectives

To create and configure your VPC and other attached resources, complete the following steps:

  1. Create your SSH key.

  2. Create a VPC and subnet to define the network. When you create your subnet, attach a public gateway if you want to allow all resources in the subnet to communicate with the public internet.

  3. To limit the subnet's inbound and outbound traffic, you can configure an access control list (ACL). By default, all traffic is allowed.

  4. Create a virtual server instance. By default, a 250 GB boot volume is attached to the z/OS virtual server instance.

  5. If you want more storage, create a block storage volume and attach it to your instance.

  6. To define the inbound and outbound traffic that is allowed for the instance, configure its security group.

  7. If you want your instance to be reachable from the internet, you can create a VPN server as a gateway in the VPC or use the floating IP address for direct access. For more information, see Client-to-site VPN servers and Reserving a floating IP address.

After you enter data on the provisioning pages, select the Get sample API call button to view the sequence of API requests that correspond to your settings. Viewing the API calls is a good way to learn about the API and understand actions and their dependencies.

Creating your SSH key

Make sure that you have an SSH key. The key is used to connect to the virtual server instance. For example, generate an SSH key on your Linux server or Mac system by running the following command:

```
ssh-keygen -t rsa -C "user_ID"
```

This command generates two files. The generated public key is in the id_rsa.pub file under an .ssh directory in your home directory, for example, /Users/<USERNAME>/.ssh/id_rsa.pub.

For Windows systems, you can use PuTTYgen to generate an SSH key.

For more information, see SSH keys.

After you create the SSH key pair, you must upload the public key to the IBM Cloud console. To add or delete SSH keys in the IBM Cloud console, complete the following steps:

  1. In the IBM Cloud console, navigate to Menu icon > VPC Infrastructure > Compute > SSH keys. Any existing SSH keys are displayed. You can use the ... menu to copy the UUID of an SSH key or delete an SSH key.

  2. To add an SSH key, click Add SSH Key.

  3. On the Add SSH key page, enter a name for your SSH key, select a resource group, and select a region.

    You are shown a list of the available regions for your specific resource group.

  4. Locate your public SSH key. It might be in an .ssh directory within your home directory, for example, /Users/<USERNAME>/.ssh/id_rsa.pub.

    The directory might contain two files with the same file name. The "public" SSH key contains the extension .pub. The content of the public SSH key file typically begins with ssh-rsa and ends with your username.

  5. You can open the public SSH key file with a text editor. Then, copy and paste the entire contents of the SSH file into the Public key space on the form.

  6. Click Add SSH key to create your SSH key in the IBM Cloud console. It now displays in VPC Infrastructure > Compute > SSH keys.

For more information, see Managing SSH keys.

Creating a VPC and subnet

To create a VPC and subnet, complete the following steps:

  1. Open the IBM Cloud console.

  2. Click Menu icon > VPC Infrastructure > Network > VPCs and click Create.

  3. Enter a name for the VPC, such as my-vpc.

    Make sure that you're creating a VPC with generation 2 compute resources.

  4. Select a resource group for the VPC. Use resource groups to organize your account resources for access control and billing purposes. For more information, see Best practices for organizing resources in a resource group.

  5. Optional: Enter tags to help you organize and find your resources. You can add more tags later. For more information, see Working with tags.

  6. The process assigns a default ACL. Later in this tutorial we'll configure rules for the ACL.

  7. Select whether the default security group allows inbound SSH and ping traffic to virtual server instances in this VPC. We'll configure more rules for the default security group later.

  8. Optional: Select whether you want to enable your VPC to access classic infrastructure resources. For more information, see Setting up access to classic infrastructure.

  9. Optional: Clear the Default address prefixes option if you don't want to assign default address prefixes to each zone in your VPC. After you create your VPC, you can go to its details page and set your own address prefixes.

  10. By default the create VPC process defines three subnets. If you need to edit the properties that are defined for the subnet, click the pencil icon for the subnet that you want to edit. You can also remove a subnet that is pre-defined by clicking the minus icon. If you need to add a subnet, complete the following steps.

  11. Click Add subnet and enter a name for the new subnet in your VPC, such as my-subnet.

  12. Select a location for the subnet. The location consists of a region and a zone.

    The region that you select is used as the region of the VPC. All additional resources that you create in this VPC are created in the selected region.

  13. Select a resource group for the subnet.

  14. Enter an IP range for the subnet in CIDR notation, for example: 10.240.0.0/24. In most cases, you can use the default IP range. If you want to specify a custom IP range, you can use the IP range calculator to select a different address prefix or change the number of addresses.

    A subnet cannot be resized after it is created.

  15. Attach a public gateway to the subnet if you want to allow all attached resources to communicate with the public internet.

    You can also attach the public gateway after you create the subnet.

  16. Click Create virtual private cloud.

To create additional subnets in this VPC, click the Subnets tab and click New subnet. When you define the subnet, make sure to select my-vpc in the Virtual private cloud field.

Configuring the access control lists (ACL)

You can configure the ACL to limit inbound and outbound traffic to the subnet. By default, all traffic is allowed.

Each subnet can be attached to only one ACL. However, each ACL can be attached to multiple subnets.

To configure the ACL, complete the following steps:

  1. In the navigation pane, click Network > Subnets.

  2. Click the subnet that you created.

  3. In the Subnet details area, click the name of the ACL.

  4. Click Add rule to configure inbound and outbound rules that define what traffic is allowed in or out of the subnet. For each rule, specify the following information:

    • Select whether to allow or deny the specified traffic.
    • Select the protocol to which the rule applies.
    • For the source and destination of the rule, specify the IP range and ports for which the rule applies. For example, if you want all inbound traffic to be allowed to the IP range 192.168.0.0/24 in your subnet, specify Any as the source and 192.168.0.0/24 as the destination. But if you want to allow inbound traffic only from 169.168.0.0/24 to your entire subnet, specify 169.168.0.0/24 as the source and Any as the destination for the rule.
    • Specify the rule's priority. Rules with lower numbers are evaluated first and override rules with higher numbers. For example, if a rule with priority 2 allows HTTP traffic and a rule with priority 5 denies all traffic, HTTP traffic is still allowed.

    See Configuring rules for an example.

  5. When you finish creating rules, click the Access control lists breadcrumb at the beginning of the page.

For more information, see About access control lists.

Creating a z/OS virtual server instance

You can create one or more virtual server instances in your IBM Cloud VPC by using the IBM Cloud console.

To create a virtual server instance, start with the following steps:

  1. In the IBM Cloud console, go to Menu icon > VPC Infrastructure > Compute > Virtual server instances.

  2. Click Create.

  3. Select or enter the information in Table 1.

| Field | Value |
|---|---|
| Location | Locations are composed of regions (specific geographic areas) and zones (fault-tolerant data centers within a region). Select an available region where you want to create your virtual server instance. |
| Name | A name is required for your virtual server instance. |
| Resource group | Select a resource group for the instance. |
| Tags | You can assign a user tag to the instance so that you can easily filter instance resources in your resource list. For more information, see Working with tags. |
| Access management tags | Access management tags help you apply flexible access policies on specific resources. For more information, see the Controlling access to resources by using tags UI tutorial. |

Table 1. Selections to begin instance creation

Then, complete the following steps:

  1. Click Change image, and select an image (that is, operating system and version) for the instance. If the geographic location where you are creating an instance supports it, you have the option to select s390x architecture.

    You can use the z/OS stock image with the latest program temporary fixes (PTFs). You can also select Custom images to use the custom image and data volume snapshot that you created with Wazi Image Builder. The image is called wazi-custom-image by default.

    All operating system images use cloud-init that you can use to enter user metadata that is associated with the instance for post provisioning scripts. Metadata isn't supported for z/OS virtual server instances.

  2. Click Change profile to select the vCPU and RAM combinations for the instance. For more information, see s390x instance profiles.

    z/OS virtual server instances require a minimum profile of 2 vCPUs x 16 GB RAM (2x16). One vCPU of the selected profile is reserved for running the service. When you select the profile for any z/OS stock images with RAM smaller than 8 GB, you might encounter the IAR057D message.

  3. Select an existing SSH key or add an SSH key that is to be used to access the virtual server instance. To add an SSH key, click New key and name the key. After you enter your previously generated public key value, click Add SSH key. You can select multiple SSH keys if you want to allow those SSH key owners to access your instance.

    When you create a z/OS virtual server instance from z/OS stock image or a Wazi aaS custom image, the SSH keys that are selected in this step are ignored. When the instance is running and z/OS is successfully IPLed, you can SSH into the VSI by using an SSH key that was configured into the snapshot or custom image from which the new instance was created.

  4. Check the boot volume. In the current release, 250 GB is allotted for the boot volume for a z/OS virtual server instance. You can click the pencil icon to edit the details of the boot volume and use Hyper Protect Crypto Services for the Encryption option. When you enable Auto-delete for the boot volume, the boot volume is deleted automatically if the instance is deleted.

  5. Optional: In the Data volumes section, click Create to attach a block storage volume to your instance if you want more storage.

    When you create a z/OS virtual server instance with the custom image, you must add a data volume by clicking Create and selecting Import from Snapshot. The snapshot is called wazi-custom-image-data by default. You can select Hyper Protect Crypto Services for the Encryption option.

  6. In the Networking section, specify the IBM Cloud VPC where you want to create your instance.

  7. Optional: In the Network interfaces section, you can click the pencil icon to edit the details of the network interface. You can click Create to include more network interfaces depending on the vCPU count that is included in the instance profile.

    You can also select which security groups to attach to each interface. By default, the VPC's default security group is attached. The default security group allows inbound SSH and ping traffic, all outbound traffic, and all traffic between instances in the group. All other traffic is blocked. You can configure rules to allow more traffic. If you later edit the rules of the default security group, those updated rules will apply to all current and future instances in the group.

    Each interface has a maximum network bandwidth of 16 Gbps. If the profile you selected for this instance has a maximum network bandwidth greater than 16 Gbps, you might want to create more interfaces to optimize network performance.

  8. In the Advanced options section, you can choose to complete more instance configurations in Table 2.

| Field | Value |
|---|---|
| User data | You can add user data that automatically performs common configuration tasks or runs scripts. User data is not supported for z/OS virtual server instances. |
| Metadata | Disabled by default. This setting informs the instance to collect the instance configuration information and user data. Metadata is not supported for z/OS virtual server instances. |
| Add to dedicated host | This setting is disabled by default. To create the virtual server instance in a single-tenant space, click the toggle to enable the dedicated host. For more information, see Creating dedicated hosts and groups. |
| Add to placement group | Placement groups are disabled by default. Click the toggle to enable placement groups. Then, select or create a placement group for the instance. If you add a placement group, the instance is placed according to the placement group policy. For more information, see About placement groups. |
| Host failure auto restart | This setting is enabled by default. To disable host failure auto restart, click the toggle. For more information, see Host failure recovery policies. |

Table 2. Advanced options

Finally, click Create virtual server instance. The status of the instance starts as Pending, changes to Stopped, and then Running. You might need to refresh the page to see the change in status.

For more information, see Creating virtual server instances.

Creating and attaching a block storage volume

You can create a block storage volume and attach it to your virtual server instance if you want more storage.

To create and attach a block storage volume, see the following topics:

To verify the newly attached block storage volume with its address assigned, you can find the information on your z/OS virtual server instance console via a broadcast message sent to you with the affected device address. See the following message as an example.

```
IKJ56455I IBMUSER LOGON IN PROGRESS AT 15:19:05 ON JUL
Preparing attached block storage vde of size 55G    
Attached block storage vde on address DD60           
READY
```

Configuring the security group for the instance

You can configure the security group to define the inbound and outbound traffic that is allowed for the instance. For example, after you configure ACL rules for the subnet based on your company's security policies, you can further restrict traffic for specific instances depending on their workloads.

To configure the security group, complete the following steps:

  1. In the navigation pane, click Compute > Virtual server instances.

  2. Click your instance to view its details.

  3. In the Network interfaces section, click the name of the security group.

  4. On the Rules tab of the security group, click Manage rules.

  5. Click Create to configure inbound and outbound rules that define what type of traffic is allowed to and from the instance.

    For each rule, specify the following information:

    • Specify a CIDR block or IP address for the permitted traffic. Alternatively, you can specify a security group in the same VPC to allow traffic to or from all instances that are attached to the selected security group.
    • Select the protocols and ports to which the rule applies.

    Tips:

    • All rules are evaluated, regardless of the order in which they're added.
    • Rules are stateful, which means that return traffic in response to allowed traffic is automatically permitted. For example, you created a rule that allows inbound TCP traffic on port 80. That rule also allows replying outbound TCP traffic on port 80 back to the originating host, without the need for another rule.
    • If your z/OS virtual server instance is created by using the z/OS dev and test stock image, you can refer to Reserved configurations when adding additional ports into the security group of your instance.
  6. Optional: To view interfaces that are attached to the security group, click Attached resources in the navigation pane.

  7. When you finish creating rules, click the Security groups breadcrumb at the beginning of the page.

For more information, see About security groups.
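The two rule models on this page behave differently: ACL rules are decided by priority (see "Configuring the access control lists (ACL)"), while security group rules are all evaluated regardless of order. The following Python model is an added example, not IBM code. Its class and function names are hypothetical, the rules are constructed, and denying traffic that no ACL rule matches is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"  # "Any" in the console, written as a CIDR

@dataclass(frozen=True)
class Rule:
    protocol: str               # "tcp", "udp", "icmp" or "all"
    source: str                 # CIDR the traffic comes from
    destination: str = ANY      # CIDR the traffic goes to
    ports: tuple = (1, 65535)   # destination port range, inclusive
    action: str = "allow"       # security group rules are always "allow"
    priority: int = 0           # used by ACL rules only

def _hit(rule, proto, src, dst, port):
    return (rule.protocol in ("all", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination)
            and rule.ports[0] <= port <= rule.ports[1])

def acl_decision(rules, proto, src, dst, port):
    """Subnet ACL: the matching rule with the lowest priority number decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _hit(rule, proto, src, dst, port):
            return rule.action
    return "deny"  # assumption of this model: unmatched traffic is dropped

def sg_allows(rules, proto, src, dst, port):
    """Security group: every rule is checked, any match allows, otherwise blocked."""
    return any(_hit(rule, proto, src, dst, port) for rule in rules)

def inbound_reaches_instance(acl, sg, proto, src, dst, port):
    """Inbound traffic must pass the subnet ACL and the instance's security group."""
    return (acl_decision(acl, proto, src, dst, port) == "allow"
            and sg_allows(sg, proto, src, dst, port))

# Constructed rules. PAGE_ACL is the page's example: priority 2 allows HTTP,
# priority 5 denies everything. SWAPPED_ACL exchanges the two priorities.
PAGE_ACL = [Rule("all", ANY, action="deny", priority=5),
            Rule("tcp", ANY, ports=(80, 80), action="allow", priority=2)]
SWAPPED_ACL = [Rule("all", ANY, action="deny", priority=2),
               Rule("tcp", ANY, ports=(80, 80), action="allow", priority=5)]
WEB_SG = [Rule("tcp", "198.51.100.0/24", ports=(80, 80)),
          Rule("tcp", "198.51.100.0/24", ports=(22, 22))]

if __name__ == "__main__":
    pkt = ("tcp", "198.51.100.9", "10.240.0.5", 80)
    print(acl_decision(PAGE_ACL, *pkt), acl_decision(SWAPPED_ACL, *pkt))
    print(inbound_reaches_instance(PAGE_ACL, WEB_SG, *pkt))
```

With SWAPPED_ACL the deny-all rule is evaluated first, so HTTP is dropped at the subnet even though the security group would allow it.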