FAQs about VRF account migration

By default, classic accounts that were established before 30 November 2023, are included in the IBM Cloud general routing table. Previously, if you wanted to convert a classic account to a VRF-style account, you were required to open a support case with IBM® Support. Beginning 30 November 2023, any new classic account or any existing classic account that is "empty" (for example, without any provisioned VLANs), will be automatically converted to a VRF-style account the next time that account initiates a private network connection.

Will this affect current accounts that currently have existing servers or other Private Network connections?

No. This change affects only newly created classic accounts or existing "empty" accounts that have no private network connections (for example, no private VLANs, servers, or other private network connectivity).

Are there any products that are incompatible with a VRF-style account?

Classic IPsec VPNs are incompatible with VRF-style accounts. After an account is migrated to a VRF-style account, you cannot order classic IPsec VPNs going forward.

If you require an IPSec VPN, you must order either a gateway appliance or a regular bare metal or virtual server with VPN software to facilitate the connection. In addition, classic SSL VPNs are no longer globally routed. This means that you must connect through a VPN into the specific data center endpoint that you want to reach.

I can no longer do VLAN spanning. Is this expected behavior?

Yes. After you migrate to a VRF-style account, the option to turn VLAN Spanning "off" is not available.

By default, in a VRF-style account, all subnets and VLANs on the account can communicate with each other. If you need subnet/VLAN segregation, you must order a gateway appliance (one for each POD, where necessary) to appropriately block traffic.