IBM Cloud Docs
FAQ for IBM Cloud Internet Services

Have a question about IBM Cloud® Internet Services? Review these frequently asked questions, which provide answers to provisioning concerns, application access, and other common inquiries.

If you have additional questions you'd like to see addressed here, open an issue by using the Open doc issue or Edit topic links at the end of this page.

Plans, trials, and billing

What is included in the Free Trial plan?

The Free Trial plan allows one zone per account, so create only one instance and double-check the zone name before adding it; the zone name must be verified before it is accepted. If you delete a zone during the Free Trial period, you cannot add the same zone or a different zone again under the Free Trial plan.

How many Free Trial instances are allowed per account?

Only one Free Trial instance is allowed per account for the lifetime of the account. If you create a Free Trial instance, whether you delete it or allow it to expire, you cannot create another Free Trial instance. However, you can create instances under paid plans at any time.

Can Standard Next be downgraded to the Free Trial plan?

No. Downgrading from the Standard Next plan to the Free Trial plan is not supported; no plan can be downgraded to the Free Trial plan.

What happens when a Free Trial plan expires?

To avoid data loss, upgrade the instance to a paid plan before the expiration date. After expiration, you can either upgrade the plan or delete the instance. If the instance is not upgraded or deleted within 45 days of creation, CIS automatically deletes:

  • The configuration domain
  • Global load balancers
  • Origin pools
  • Health checks

What happened to the Enterprise Package plan?

As of 11 August 2023, the Enterprise Package plan was discontinued. The functionality of this plan was split across various tiers and is now available in Enterprise Essential, Enterprise Advanced, and Enterprise Premier plans. For more information, see Transition updated plans.

Is DDoS attack traffic billed?

No. CIS provides unlimited and unmetered DDoS protection. Traffic identified as part of a DDoS attack is excluded from billing. There are no limits on the size, duration, or number of identified attacks.

How does CIS protect against unexpected billing charges?

CIS does not meter or bill for traffic that is blocked by DDoS mitigation, firewall, or rate limiting. Only traffic that passes through CIS and reaches the origin is counted for usage or billing.

CIS also helps keep egress bandwidth charges from your origin under control by only passing along good requests that the origin needs to respond to. All CIS plans offer unlimited and unmetered mitigation of DDoS attacks. You are never charged for attack traffic, and there’s no penalty or chargeback for traffic spikes caused by attacks.

Account and access management

Why does a user receive authentication errors after being granted access?

Authentication errors usually occur because the user was not assigned the required service access roles. CIS uses two types of roles:

  • Platform access: Allows users to create and manage service instances.
  • Service access: Allows users to perform service-specific operations within an instance.

Both role types must be assigned as appropriate for the user’s responsibilities. To update roles in the console, go to Manage > Security > Identity and Access.

How do I find the service instance ID?

To find your service instance ID, copy the CRN on the Overview page. For example:

crn:v1:test:public:internet-svcs:global:a/2c38d9a9913332006a27665dab3d26e8:836f33a5-d3e1-4bc6-876a-982a8668b1bb::

The service instance ID is the last non-empty segment of the CRN: 836f33a5-d3e1-4bc6-876a-982a8668b1bb.

Alternatively, you can click the row containing the CIS instance on the resource list main page and copy the GUID for the service instance ID.
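To extract the service instance ID programmatically, the following added example (illustrative code, not IBM's own tooling) parses the ten colon-separated segments of a v1 CRN and validates the instance segment as a GUID; it assumes the standard v1 CRN segment order and uses the CRN shown above as its sample.

```python
import re

# Segment order of a v1 IBM Cloud CRN (ten colon-separated fields).
CRN_FIELDS = (
    "prefix", "version", "cname", "ctype", "service_name",
    "location", "scope", "service_instance", "resource_type", "resource",
)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Sample CRN copied from the FAQ text above.
FAQ_CRN = (
    "crn:v1:test:public:internet-svcs:global:"
    "a/2c38d9a9913332006a27665dab3d26e8:836f33a5-d3e1-4bc6-876a-982a8668b1bb::"
)


def parse_crn(crn: str) -> dict:
    """Split a CRN into named segments; raise ValueError on malformed input."""
    parts = crn.strip().split(":")
    if len(parts) != len(CRN_FIELDS):
        raise ValueError(f"expected {len(CRN_FIELDS)} fields, got {len(parts)}")
    fields = dict(zip(CRN_FIELDS, parts))
    if fields["prefix"] != "crn" or fields["version"] != "v1":
        raise ValueError("not a v1 CRN")
    return fields


def service_instance_id(crn: str) -> str:
    """Return the service instance GUID (the 8th segment) of a CIS CRN."""
    guid = parse_crn(crn)["service_instance"]
    if not GUID_RE.match(guid):
        raise ValueError(f"service instance segment is not a GUID: {guid!r}")
    return guid


def account_id(crn: str) -> str:
    """Return the account ID from the scope segment (strips the 'a/' prefix)."""
    scope = parse_crn(crn)["scope"]
    if not scope.startswith("a/"):
        raise ValueError(f"scope is not an account scope: {scope!r}")
    return scope[2:]


if __name__ == "__main__":
    print("service instance:", service_instance_id(FAQ_CRN))
    print("account:", account_id(FAQ_CRN))
```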

Domain onboarding and DNS setup

Why is my domain in Pending state, and how do I activate it?

A domain remains in Pending status until the required name server (NS) records are correctly configured.

When you add a domain (or subdomain) to CIS, you are provided with two CIS name servers. You must configure both name servers in one of the following locations:

  • At your domain registrar (when adding a domain)
  • At your existing DNS provider (when adding a subdomain)

CIS periodically checks public DNS for the required NS records. After the name server change is detected (which can take up to 24 hours), the domain status changes to Active. You can manually trigger a check by selecting Recheck name servers on the Overview page.

How do I identify my domain registrar?

You can look up your domain registrar using the ICANN WHOIS tool: https://whois.icann.org/

To add your domain to CIS, you must have administrator privilege to edit the domain's configuration at the registrar to update or add the name servers for your domain. If you don't know who the registrar is for the domain you're trying to add to CIS, it is unlikely you have the administrator privilege. Work with the owner of the domain in your organization to make the necessary changes.

Can I delegate a subdomain to CIS while keeping my current DNS provider?

Yes. You can delegate a subdomain to CIS without changing the authoritative DNS provider for the parent domain.

When you add the subdomain to CIS, you receive two CIS name servers. Create NS records for the subdomain at your existing DNS provider that point to those CIS name servers. After the NS records are publicly visible and verified, CIS activates the subdomain. If you do not manage the parent domain, work with the domain owner to add the required NS records.
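As an added diagnostic for the Pending state described earlier and for subdomain delegation, this example (not part of the CIS product) normalizes the NS names that a public lookup returns and compares them with the two name servers CIS assigned; the name-server names and lookup output are constructed placeholders, and reporting leftover non-CIS name servers as something to remove after cut-over is an assumption.

```python
# Constructed sample data: the two name servers CIS assigns (placeholder names,
# not the real CIS name servers) and what `dig +short NS <zone>` might print.
CIS_NS = ["ns1.cis.example.net", "NS2.cis.example.net."]
OBSERVED_PENDING = "ns-old-1.registrar.example.\nns-old-2.registrar.example.\n"
OBSERVED_PARTIAL = "ns-old-1.registrar.example.\nns1.cis.example.net.\n"
OBSERVED_ACTIVE = "ns2.cis.example.net.\nNS1.CIS.EXAMPLE.NET\n"


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_dig_short(output: str) -> set:
    """Turn `dig +short NS` output (one name per line) into a normalized set."""
    return {normalize(line) for line in output.splitlines() if line.strip()}


def delegation_status(observed: set, required: list) -> dict:
    """Compare the published NS RRset with the name servers CIS requires.

    'active'  : both CIS name servers are published
    'partial' : only some of them are (the zone stays Pending)
    'pending' : none of them is
    Non-CIS name servers published alongside CIS ones are listed as
    'leftover' (assumption: remove them once the cut-over is complete,
    otherwise resolvers may still be sent to the old provider).
    """
    want = {normalize(n) for n in required}
    missing = sorted(want - observed)
    leftover = sorted(observed - want)
    if not missing:
        status = "active"
    elif len(missing) < len(want):
        status = "partial"
    else:
        status = "pending"
    return {"status": status, "missing": missing, "leftover": leftover}


if __name__ == "__main__":
    for label, out in (("pending", OBSERVED_PENDING),
                       ("partial", OBSERVED_PARTIAL),
                       ("active", OBSERVED_ACTIVE)):
        print(label, delegation_status(parse_dig_short(out), CIS_NS))
```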

Can I onboard a domain to CIS without changing the authoritative DNS provider?

Yes. CIS supports a CNAME (partial) setup. This configuration allows you to proxy specific hostnames through the CIS network while keeping your existing authoritative DNS provider. In a partial setup:

  • You create CNAME records at your authoritative DNS provider.
  • Those CNAME records point to CIS.
  • Only the specified hostnames are proxied.

DNS resolution behavior differs from a full name server setup.

What is the default DNS TTL value?

For A and CNAME records, the default automatic TTL is 300 seconds.

Can I configure a CNAME at the root of my domain?

Yes. CIS supports "CNAME Flattening," which allows you to configure a CNAME at the root (apex) of your domain. Instead of returning the CNAME record itself, CIS resolves the CNAME target and returns the corresponding A or AAAA records. This allows the root domain to behave like a CNAME without violating DNS standards.
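The following added example (illustrative code, not the CIS resolver) models flattening over a constructed record set: an address query at the apex follows the CNAME chain and returns the target's A or AAAA records, with loop and chain-length protection. It generalizes the single-hop case above to multi-hop chains; the zone data and the MAX_CHAIN bound are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed zone data: owner name -> list of (rrtype, rdata). All names and
# addresses are documentation placeholders.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example.com":       [("CNAME", "lb.example.net")],
    "www.example.com":   [("CNAME", "example.com")],
    "lb.example.net":    [("CNAME", "edge.example.org")],
    "edge.example.org":  [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "loop.example.com":  [("CNAME", "loop2.example.com")],
    "loop2.example.com": [("CNAME", "loop.example.com")],
}

MAX_CHAIN = 8  # assumed bound on CNAME hops; loops and long chains stop here


def lookup(name: str, rrtype: str, zone=ZONE) -> List[str]:
    """Return the rdata of every record of `rrtype` owned by `name`."""
    return [rdata for t, rdata in zone.get(name.lower(), []) if t == rrtype]


def resolve_flattened(name: str, rrtype: str, zone=ZONE) -> List[str]:
    """Answer an A/AAAA query for `name`, flattening any CNAME chain.

    Follows CNAMEs until a name that owns records of the requested type is
    reached and returns those records, so the client never sees the CNAME.
    An empty list means no data (for example a dangling CNAME target).
    Raises ValueError on a CNAME loop or a chain longer than MAX_CHAIN.
    """
    if rrtype not in ("A", "AAAA"):
        raise ValueError("flattening applies to address queries only")
    seen, current = set(), name.lower()
    for _ in range(MAX_CHAIN):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        addrs = lookup(current, rrtype, zone)
        if addrs:
            return addrs
        target = lookup(current, "CNAME", zone)
        if not target:
            return []
        current = target[0].lower()
    raise ValueError(f"CNAME chain from {name} exceeds {MAX_CHAIN} hops")


if __name__ == "__main__":
    # The apex owns only a CNAME, yet the client receives address records.
    for rrtype in ("A", "AAAA"):
        print("example.com", rrtype, resolve_flattened("example.com", rrtype))
```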

What is a proxied record, and when should I use one?

A proxied DNS record routes traffic through CIS before it reaches your origin server. Only proxied records receive CIS benefits, including IP masking, where a CIS IP is substituted for your origin IP to protect it:

$ whois 104.28.22.57 | grep OrgName
OrgName:        IBM

If you would rather bypass CIS for a hostname (CIS still resolves its DNS), set the record to non-proxied.

How do I resolve DNS validation error 1004?

For page rules to work, DNS must resolve for your zone, so the zone needs at least one proxied DNS record.

Can I use CIS with private (RFC1918) IP addresses?

Yes, but with limitations. If you configure a non-proxied DNS record that points to a private (RFC1918) IP address:

  • CIS performs DNS resolution only.
  • Advanced features, such as CDN, WAF, and DDoS protection, are not applied.

CIS does not provide connectivity to private networks. Network access to the private IP must be handled by your infrastructure.

SSL/TLS and certificates

Why do I see a browser privacy warning?

The TLS certificates issued by IBM Cloud CIS cover the root domain (example.com) and one level of subdomain (*.example.com). If you’re trying to reach a second-level subdomain (*.*.example.com), a privacy warning appears in your browser, because these host names are not added to the SAN.

Allow up to 15 minutes for one of our partner Certificate Authorities (CAs) to issue a new certificate. A privacy warning appears in your browser if your new certificate has not yet been issued.

How do I resolve error 526: Invalid SSL certificate?

Error 526 indicates that the origin server is presenting an invalid or untrusted SSL/TLS certificate.

When the CIS proxy is enabled and the SSL mode is End-to-end CA Signed (default for new domains), the origin must present a valid certificate that is signed by a trusted certificate authority.

To resolve the error:

  • Ensure the origin certificate is valid (not expired or self-signed).
  • Verify that the certificate matches the hostname.
  • Confirm the certificate chain is complete.
  • Install a valid CA-signed certificate on the origin server.

If necessary, you can change the SSL mode to a less strict setting. However, this is not recommended for production environments because it reduces security.

How does CIS mitigate SSL/TLS negotiation and handshake attacks?

CIS mitigates SSL/TLS negotiation and handshake-based attacks by terminating TLS sessions at the edge network before traffic reaches the origin server. It enforces secure TLS settings and cipher suites to protect against known vulnerabilities such as BEAST, POODLE, and CRIME. CIS forwards traffic to the origin only after a successful TLS handshake, preventing TLS exhaustion attacks. Automated DDoS systems then analyze traffic patterns, cipher behavior, and request metadata to detect and block additional SSL/TLS based attacks.

DDoS protection

What is a distributed denial-of-service (DDoS) attack?

A distributed denial-of-service (DDoS) attack attempts to make an online service unavailable by overwhelming it with traffic from multiple sources.

Attackers use compromised systems to generate large volumes of traffic or malformed requests that:

  • Exhaust server resources
  • Disrupt network connectivity
  • Prevent legitimate users from accessing the service

DDoS attacks can target applications (Layer 7), protocols (Layer 3/4), or network infrastructure.

What are LOIC and HOIC attack tools?

The Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC) are tools associated with DoS attacks and often referenced in discussions of Layer 7 DDoS mitigation.

LOIC generates large volumes of TCP, UDP, or HTTP requests to overwhelm a target. It is known for:

  • Simple interface and low barrier to use
  • High volumes of repetitive traffic
  • Overwhelming smaller or poorly protected systems

HOIC is an evolution of LOIC, generating higher-volume, more flexible HTTP traffic, targeting multiple sites simultaneously, and supporting “boosters” to extend attack scope. This makes HOIC attacks harder for signature-based defenses to detect.

Both tools exploit network behaviors to cause denial of service. Use outside controlled testing environments is illegal and unethical. Organizations should rely on defenses such as rate limiting and managed DDoS protection.

What should I do if I am under a DDoS attack?

If you suspect an active DDoS attack:

  1. Enable "Defense mode" from the Overview page.
  2. Set your DNS records for maximum security.
  3. Do not rate-limit or throttle requests from CIS; IBM needs the bandwidth to assist you with your situation.
  4. Block specific countries and visitors, if necessary.

These actions allow CIS to inspect, absorb, and mitigate attack traffic at the edge network.

How does CIS protect against low-and-slow DDoS attacks?

CIS protects against low-and-slow attacks by acting as an HTTP reverse proxy in front of the origin. The proxy buffers and validates requests at the edge, waiting for a complete HTTP request before forwarding it. Slow, incomplete, or malformed requests are absorbed or dropped, and never reach the origin.

CIS also enforces timeouts and applies WAF and firewall checks without requiring a traffic threshold, preventing attacks such as Slowloris and RUDY from exhausting server resources.
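To illustrate the edge buffering just described, here is an added example (not the CIS proxy implementation) of a per-connection request buffer that forwards a request only once its header block and declared body have fully arrived, and reports a timeout for a connection that is still incomplete at its deadline; the 8 KB header cap and the injectable clock are assumptions.

```python
import time
from typing import Optional

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 8192  # assumed cap; a header block this large is rejected


class RequestBuffer:
    """Hold one HTTP/1.1 request at the edge and release it only when whole.

    Bytes are accumulated until the header block and the declared body have
    fully arrived; a connection whose request is still incomplete at the
    deadline is reported as a timeout, so slow or partial requests never
    reach the origin.
    """

    def __init__(self, deadline_s: float, now=time.monotonic):
        self.now = now                      # injectable clock for testing
        self.deadline = now() + deadline_s
        self.buf = b""
        self.header_len: Optional[int] = None
        self.body_len: Optional[int] = None

    def feed(self, chunk: bytes) -> str:
        """Add bytes; return 'complete', 'incomplete', 'timeout' or 'malformed'."""
        if self.now() > self.deadline:
            return "timeout"
        self.buf += chunk
        if self.header_len is None:
            end = self.buf.find(HEADER_END)
            if end < 0:
                return "malformed" if len(self.buf) > MAX_HEADER_BYTES else "incomplete"
            self.header_len = end + len(HEADER_END)
            self.body_len = self._content_length(self.buf[:end])
            if self.body_len is None:
                return "malformed"
        if len(self.buf) - self.header_len < self.body_len:
            return "incomplete"             # body still arriving
        return "complete"                   # safe to forward to the origin

    @staticmethod
    def _content_length(head: bytes) -> Optional[int]:
        """Parse Content-Length (default 0); None for a bad or conflicting value."""
        values = [line.split(b":", 1)[1].strip()
                  for line in head.split(b"\r\n")[1:]
                  if line.lower().startswith(b"content-length:")]
        if not values:
            return 0
        if len(set(values)) != 1 or not values[0].isdigit():
            return None
        return int(values[0])
```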

Can I exclude specific user agents from HTTP DDoS mitigation?

Yes. Create a custom rule override and use the expression fields to match HTTP requests on the User-Agent header; a variety of fields are available for the expression.

You can then adjust the sensitivity level or mitigation action.

Use this capability carefully to avoid weakening protection for legitimate traffic patterns.

How does CIS handle traffic scrubbing?

CIS uses its 388 Tbps global edge network to mitigate high-volume DDoS attacks without scrubbing centers. Attacks are analyzed and blocked at the edge, near the source. Only protected traffic (clean requests and responses) is billed. Malicious traffic is excluded.

Load balancing and health checks

What is the default health check timeout value?

The default health check timeout for the Free Trial and Standard plans is 60 seconds.

Can health checks be configured for non-HTTP/HTTPS traffic?

No, health checks only support HTTP/HTTPS.

Can global load balancers be configured for non-HTTP/HTTPS protocols?

No. Global load balancers only support HTTP/HTTPS.

What happens if all origins in a pool are disabled?

If all origins in a pool are disabled, traffic is routed to the next-priority pool or the fallback pool.

Which network does CIS use for global traffic and health checks?

CIS runs its data plane on Cloudflare’s global Anycast network, which spans hundreds of cities worldwide. This network ensures fast, reliable traffic routing and DDoS mitigation.

Health check requests originate from this distributed network, so the available regions for health checks are based on the Cloudflare Global Anycast Network.

Performance and optimization

Does CIS apply content compression (gzip or Brotli)?

Yes. CIS applies gzip and Brotli compression to some content types and can compress items based on the browser’s User-Agent to improve page load times.

If your origin already uses gzip, CIS honors those settings when the web server includes them in headers.

CIS only supports gzip for origin content and delivers content as gzip, Brotli, or uncompressed. Its reverse proxy can convert between compressed and uncompressed formats independently of caching.

The Accept-Encoding header from the client is removed and not respected.

What is the payload limit for WAF?

CIS Web Application Firewall (WAF) now inspects request payloads up to 1 MB for all plans. This allows the WAF to detect more complex threats that may appear in larger request bodies. For more information, see Request body inspection limit.

What is the API rate limit for CIS?

The global rate limit for the CIS API is 1200 requests per five minutes per user, across all interfaces (UI, CLI, Terraform, API).

Networking and infrastructure

What port range is used for edge-to-origin traffic?

When the proxy is enabled, traffic is routed through the Cloudflare network to the origin server. This traffic can originate from any port within the range of 1024-65535. When configuring Network Access Control Lists (NACLs) for your environment, ensure that both ingress and egress traffic from this port range is allowed.

How does CIS manage clock synchronization (NTP)?

To meet ISO 27001 requirements, all relevant systems must synchronize with a unified time source. IBM CIS ensures clock synchronization across its infrastructure by using Network Time Protocol (NTP) servers. CIS uses the following internal NTP servers:

  • time.adn.networklayer.com
  • time.service.networklayer.com

Does CIS support outbound (egress) traffic filtering?

No. CIS secures inbound traffic only. It doesn't inspect, log, or filter outbound traffic from cloud resources, such as virtual server instances, containers, or VPC resources.

CIS acts as a reverse proxy to protect traffic coming into your applications. CIS doesn't function as a forward proxy or egress filter.

For outbound traffic control, consider:

  • VPC Security Groups: Control outbound ports/IPs at the instance level.
  • VPC Network ACLs (NACLs): Subnet-level inbound/outbound rules.
  • Firewall appliances: Deploy third-party firewalls within your VPC.
  • DNS filtering: Use DNS-based services to restrict domains.

Troubleshooting and error codes

How do I resolve error 522 (connection timed out)?

A 522 error occurs when CIS cannot connect to your origin server. After about 15 seconds without a successful connection, the request times out and the 522 page is displayed.

This usually happens if a firewall or security software blocks CIS IPs. Because CIS is a reverse proxy, connections appear to come from CIS IP ranges, which must be allowlisted. See the CIS allowlisted IP addresses page.

Also check that your server and network are healthy and not overloaded.

If issues persist, contact IBM CIS support with a recent Ray ID and confirm that:

  • All CIS IP ranges are allowlisted
  • Your server/network is online and healthy
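Because partial allowlisting is a common cause of 522 errors, this added example (not an IBM tool) computes exactly which parts of each CIS edge prefix an origin firewall's allow rules fail to cover; the edge prefixes and rules below are constructed placeholders, so substitute the ranges published on the CIS allowlisted IP addresses page.

```python
import ipaddress
from typing import List

# Constructed sample ranges. The edge prefixes are placeholders, NOT the real
# CIS ranges: take those from the CIS allowlisted IP addresses page.
EDGE_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48"]
ORIGIN_ALLOW_RULES = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8::/32"]


def to_nets(cidrs: List[str]):
    """Parse CIDR strings strictly so a mistyped rule fails loudly."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def uncovered(edge_prefixes: List[str], allow_rules: List[str]) -> List[str]:
    """Return the sub-ranges of each edge prefix that no allow rule covers.

    CIDR blocks either nest or are disjoint, so each rule either removes a
    remaining block entirely, carves a hole out of it (address_exclude), or
    leaves it untouched. An empty result means every edge range is allowed.
    """
    gaps = []
    rules = to_nets(allow_rules)
    for edge in to_nets(edge_prefixes):
        remaining = [edge]
        for rule in rules:
            if rule.version != edge.version:
                continue
            nxt = []
            for block in remaining:
                if block.subnet_of(rule):
                    continue                               # fully allowed
                if rule.subnet_of(block):
                    nxt.extend(block.address_exclude(rule))  # partial: keep rest
                else:
                    nxt.append(block)                      # disjoint
            remaining = nxt
        gaps.extend(str(b) for b in sorted(remaining))
    return gaps


if __name__ == "__main__":
    for gap in uncovered(EDGE_PREFIXES, ORIGIN_ALLOW_RULES):
        print("edge range not allowlisted at origin:", gap)
```

Connections from the uncovered ranges are what the origin firewall drops, producing the 522 after the edge's connection timeout.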

How do I resolve a 502 error when saving an Edge Functions action?

Contact IBM Support and provide the script that you were attempting to save.

How do I resolve a Kubernetes Ingress hostname validation error?

The hostname in a Kubernetes Ingress must consist of lowercase alphanumeric characters, - or ., and must start and end with an alphanumeric character. Using _ in the load balancer name, though permitted, can cause an Ingress error in Kubernetes clusters. Avoid the use of _ in load balancer names to avoid issues with Kubernetes clusters.