IBM Cloud Docs
Getting started on IBM Cloud checklist

Getting started on IBM Cloud checklist

Use these onboarding checklists to create and configure your IBM Cloud® account. This guide is intended to help you quickly navigate the available documentation to get your account set up, secure your cloud resources, track costs and billing, set up on-premises cloud connectivity, and help you efficiently meet your business needs in your IBM Cloud account.

Explore the platform

If you have little to no experience with IBM Cloud, or you need a refresher on the IBM Cloud platform, start with the following tasks.

Table 1. Getting started tasks for exploring the platform
Task Description
Review the What is the IBM Cloud platform? documentation to get familiar.

To create and manage resources in IBM Cloud, you can use any of the following tools:
The console is the user interface that you use to create and manage all your IBM Cloud resources. You can create a free account, log in, access documentation, access the catalog, view pricing information, get support, or check the status of IBM Cloud components. For more information, see Navigating the IBM Cloud console.
The command line interface (CLI) is a set of plug-ins and tools that you can use to create and manage your resources. For more information, see Getting started with the IBM Cloud CLI.
The Cloud Shell gives you a personal cloud-based shell workspace with the full IBM Cloud CLI and more command-line tools with no installation needed. Learn more about Working in IBM Cloud Shell.
Schematics provides powerful set of Infrastructure as Code (IaC) tools - Terraform, Ansible, Helm - as a service to program your cloud infrastructure. Schematics can run your end-to-end automation to build one or more stacks of cloud resources, manage their lifecycle, manage changes in their configurations, deploy your app workloads, and perform Day 2 operations. Review the Getting started: IBM Cloud Schematics documentation.
IBM Cloud services provide APIs that comply with OAuth 2.0 authentication standards and accept bearer tokens that are provided by IBM Cloud's Identity and Access Management (IAM) service. Explore the API docs for the services that you plan on using.

Set up accounts and enterprises

This checklist is for administrators who are responsible for creating and setting up an account structure in IBM Cloud and enabling users within their company to create and manage cloud resources. IBM Cloud offers you the ability to create a stand-alone account and an enterprise.

Stand-alone account
This type of account allows an account owner, for example a department or business unit administrator to add users to the account, assign access roles and permissions, manage billing and payments, and more.
Enterprise
An enterprise manages the billing for the entire company, with usage costs from multiple accounts being rolled up and paid for from the enterprise account. Accounts that are created as part of an enterprise are just like stand-alone accounts, but the main difference is that these accounts don't manage their own billing or payments.

Use the following checklist to track all of the tasks to create and configure your IBM Cloud account or enterprise.

Table 2. Getting started tasks for setting up accounts and enterprises
Task Description
Your IBM Cloud account includes many interacting components and systems for resource, user, and access management. Understanding concepts like how certain components are connected or how access works help you effectively set up your account. For more information, see What's in an account.
When you create an enterprise to manage your billing, you can move existing stand-alone accounts to it, or create new accounts as needed. Consider the following when determining whether you need an enterprise or a stand-alone account:

  • In an enterprise, subscription discounts and cloud credits are available to all accounts that are in the enterprise.
  • Stand-alone accounts control their own billing. If your company is globally distributed, you might have a mix of multiple enterprises and stand-alone accounts to support regional billing requirements.

Review the What is an enterprise? documentation to determine whether you need an enterprise.
Even if you plan on using an enterprise, you need to create an IBM Cloud account. You can create your account by going to the account registration page and providing an email address and other additional information. The email address that is used to register becomes the account owner, but you can change this if required later on by following the steps in Transferring ownership of your account.

When setting up an account for your company or organization, it is best to use a functional ID, some teams call them service accounts, associated with your company. Keep in mind that you will need to monitor for automated emails sent to this email address for warnings about service usage, services being deprecated, new services available, and more.

When you log in to the account for the first time, you are required to provide a credit card or subscription code to complete your account set up. Later, you can add users by inviting them to the account or by federating to your own corporate directory.

Users that are added to your account are not required to create their own account.

For more account-related FAQs, visit FAQ library for managing your account, resources, and access.

By default, when you create an account you use an IBMid for user identity. IBMid is the ID as a Service (IDaaS) from IBM® used to access IBM web-based services, including IBM Cloud resources. The IBMid is based on your company's email address and a password that is managed by IBMid. IBMid allows you to federate to your own corporate directory or a third-party Identity Provider (IdP) service that you might already be using such as Okta.

Federating to your own directory simplifies the process of adding users to your account as they will not require an IBMid with a separate password. However, there are cases where it might not be feasible for you to use IBMid federated to your corporate directory.

An alternative is to create an IBM Cloud App ID instance in your account and connect it to your chosen identity provider.

Consider the following options that are available to you:

  • No federation: Your company email domain is not federated with IBMid, and you choose to keep it as is. Any user that uses your email domain can create their own IBMid, and the password they create is managed by IBMid. They can invite other users with an IBMid to their IBM Cloud account.
  • Federate with IBMid: If your company's email domain is already federated, you can start configuring access to your account. If it is not already federated, a manual process with the IBMid federation team is required to establish federation. The decision to federate to your company's own directory needs to involve the person in your company that can make company-wide decisions when it comes to connecting to external parties for identity services. You need to ensure that this person is included in the process. Federating with IBMid can have an impact on web services that your company already uses with IBM.
  • Federate with App ID and your IdP: This option requires the creation of an App ID instance. It is a self-service option with a low-usage fee. Choosing this option requires a custom URL to log in to IBM Cloud. In addition, an App ID instance and configuration of the federation to your IdP is required for every IBM Cloud account.

For a deeper dive, use the following guides and documentation:

Use the following documentation topics when you are ready to federate:
With an IBM Cloud subscription, you get discounted usage for platform services and support by committing to a minimum spending commitment for a certain period of time. After you buy a subscription for platform or support credit, you must add the credit to your account by applying a subscription code to your stand-alone account or enterprise. Applying the code ensures that the credit is added to your account, and you don't have unexpected overage charges. Make sure to add any purchased subscriptions to your account before creating resources. For more information, see applying subscription codes.
When you create an enterprise, the account that you used to initiate the process is automatically added to the enterprise, and a new enterprise account is created to manage the billing for the enterprise. Follow the steps in the Setting up an enterprise documentation to create an enterprise. Keep in mind that when using an enterprise, users within each account in the enterprise can create, use, and collaborate on resources just as they can in a stand-alone account.
If you chose to create an enterprise, you might require that administrators manage the enterprise performing functions, such as creating account groups, creating and managing accounts. Review the access that is required, and add users as needed. For more information, see Assigning access for enterprise management.
Use resource groups to organize an account's resources for access control and billing purposes. For example, creating a resource group per project allows costs to be tracked at the project level even when your resources are distributed across regions. Learn more from the What makes a good resource group strategy? best practices guide, and when you are ready, create your resource groups.
Depending on your account type, you can choose to receive email notifications about IBM Cloud platform-related items such as announcements, billing and usage, additional notification preferences and ordering. You can update your preferences to receive email notifications about resource related, these notifications are for only the resources you use. For more. For more information, see Setting email preferences for notifications.

Secure your account and resources

As an account owner or a user in the account with the required access roles that are assigned for managing account settings and IAM access for users, you can complete tasks on the following checklist. Review and complete the following tasks to learn about how you can ensure the security of your account and resources.

Table 3. Getting started tasks for securing your account and resources
Task Description
Multifactor authentication (MFA) adds an extra layer of security to your account by requiring all users to authenticate by using an extra authentication factor beyond an ID and password. This is also commonly known as two-factor authentication (2FA).

Review the types of multifactor authentication that can be enabled for your account.
Follow the steps in enabling MFA for your account to configure the setting that is most appropriate for your company.
Learn about what IBM Cloud IAM is, how IAM works, what features are available, and how to access the console, CLI, and APIs to work with IAM in your account. Learn more about how IBM Cloud IAM works.
You can use the IBM Cloud Activity Tracker service to track how users and applications interact with IBM Cloud resources that you have created. Follow the instructions in Provisioning an Activity Tracker instance to create an instance in your wanted cloud region.

For environments seeking to maintain Financial Services Validated status on IBM Cloud, you should instead follow the instructions in Use Activity Tracker Event Routing. You must create an instance of the Activity Tracker service in the Frankfurt (eu-de) region to start tracking IAM events. Learn more about the auditing events that are sent to that region.
You can stream data from an IBM Cloud Activity Tracker instance to another IBM Cloud Activity Tracker instance across regions or to other corporate tools such as Security Information and Event Management (SIEM) tools. Learn more about streaming data.
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud resources based on the network location of access requests. These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials.

Learn more about what context-based restrictions are and follow the guide to secure your resources using context-based restrictions.

You can choose from various secrets management and data protection products that help you to protect your sensitive data and centralize your secrets. Review Which data protection service is best for me? to better understand the different offerings that you can use with IBM Cloud to protect your application secrets. Use the following guides to create and configure your Secrets Manager instance:
IBM Cloud provides a secure cloud platform that you can trust. IBM Cloud compliance results from a platform and services that are built on best-in-industry security standards, including GDPR, HIPAA, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI, SOC2, and others. For more information, see Understanding compliance in IBM Cloud.

Manage billing and usage

Account owners and users with the administrator role on the billing account management service have access to monitor and manage billing, usage, invoices, payments, and more. Complete the following checklist to get familiar with the best practices and tools that you use to manage and track billing and usage in the account.

Table 4. Getting started tasks for managing billing and usage
Task Description
Learn about the IBM Cloud billing options and tools that you can use to track your usage and manage invoicing and payments. Check out the How can I manage billing and usage in IBM Cloud video.
Suspended billing is an option that is available for virtual server instances running on VPC. It is not available for bare metal or dedicated hosts on VPC. With suspended billing, there are some resources, for example network and storage that continue billing. Learn more about suspended billing for VPC.
You can enable spending notifications for Pay-As-You-Go or Subscription accounts, these alerts are configurable for the entire account or for individual services. Set up spending notifications.
Setting up a subscription is covered in Set up accounts and an enterprise checklist. You can add more subscriptions and monitor subscription usage on the Commitments and subscriptions page in the IBM Cloud console. Learn more about managing subscriptions.
Setting up a commitment or subscription is covered in Set up accounts and an enterprise checklist. You can add more commitments or subscriptions as well as monitor usage on the Commitments and Subscriptions page in the IBM Cloud console. Learn more about Enterprise Savings Plan and Managing subscriptions.

To manage and view your invoices, visit the Invoices page from the billing and usage dashboard in the IBM Cloud console. See Viewing your invoices. You can also build your own reports by using the API and SDK that are available.

Connect your network to IBM Cloud

As the need for global reach and 24/7 operations of web applications increases, the need to host services in multiple cloud data centers increases too. Data centers across multiple locations provide resilience in the case of a geographic failure and bring workloads closer to globally distributed users, which reduces latency and increases perceived performance. The IBM Cloud network enables users to link workloads hosted in secure private networks across data centers and locations. Use the following checklist to review the available options and to connect your existing on-premises environments to IBM Cloud.

Table 5. Getting started tasks for connecting your network to IBM Cloud
Task Description
Dispersed cloud resources are resources in more than one location or in more than one subnet or VLAN. These types of resources require a routing function to communicate among themselves, even within a private network context. New accounts that are created in IBM Cloud have a "multiple isolation" tenancy communication option, which is often called a customer VRF, enabled. Verify that it is enabled in your account, or enable it after confirming potential service disruptions if you have existing resources in your account. Follow the steps in the Enabling VRF in the console documentation.
It is also recommended to enable your account for using service endpoints. When IBM Cloud service endpoints are enabled in your account, you can choose to expose a private network endpoint when you create a resource. You can then connect directly to this endpoint over the IBM Cloud private network rather than the public network. Because resources that use private network endpoints don't have an internet-routable IP address, connections to these resources are more secure. Follow the steps that are outlined in Enabling service endpoints.
Virtual Private Networking (VPN) access enables you to manage all servers and services that are associated with your account, remotely, over the IBM Cloud private network. Depending on the infrastructure that you plan to use in IBM Cloud, there are a few options available for VPN:

Direct Link is an alternative to a traditional site-to-site VPN solution. It can provide higher-throughput connectivity between a remote network and IBM Cloud environments. Use this decision tree to help you decide which Direct Link solution works best for you. For more information, see How do I know which Direct Link solution to order?
IBM Cloud Direct Link offerings provide connectivity from an external source into a customer's IBM Cloud private network. Direct Link can be viewed as an alternative to a traditional site-to-site VPN solution, which is designed for customers that need more consistent, higher-throughput connectivity between a remote network and their IBM Cloud environments. When selecting to use Direct Link, it is recommended that most customers choose Direct Link 2.0. Learn more about Direct Link (2.0).
Allows customers to terminate a single-tenant, fiber-based cross-connect into the IBM Cloud network. This offering can be used by customers with colocation premises that are next to IBM Cloud PoPs and data centers, as well as network service providers that deliver circuits to customer on-premises or other data centers. For more information, see Ordering IBM Cloud Direct Link Dedicated.
Offers private access to your IBM Cloud infrastructure and to any other clouds linked to your service provider through your local IBM Cloud data center. This option is perfect for creating multi-cloud connectivity in a single environment. IBM connects customers to the IBM Cloud private network, by using a shared bandwidth topology. As with all Direct Link products, you can add global routing that enables private network traffic to all IBM Cloud locations. For more information, see Ordering IBM Cloud Direct Link Connect.
When selecting to use Direct Link, it is recommended that most customers choose Direct Link 2.0, since it provides more options and flexibility. If you have a real need for Direct Link 1.0, make sure to review the list of IBM network reserved IPs that might conflict with your on-premises environment. Review IBM Cloud IP ranges.
If you are planning on using any of the following: GRE or IPsec tunnels, BCR pairing, multi VLAN tenants, custom inbound or outbound ACLs, ASN pre-pend, and static routes, open a support case and request assistance from IBM Cloud Design Engineering to confirm that your requirements are in line with your Direct Link selections.

Enable logging and monitoring

Analyze logs, collect metrics, and configure near real-time alerts on your cloud resources and applications.

Table 6. Getting started tasks for enabling logging and monitoring
Task Description
You can use IBM Cloud Log Analysis to manage operating system logs, application logs, and platform logs in the IBM Cloud. Platform logs are logs that are exposed by enabled services and the platform in IBM Cloud. You must configure a logging instance in a region to monitor these logs. Learn more about configuring IBM Cloud Log Analysis platform logs.
IBM Cloud Log Analysis offers administrators, DevOps teams, and developers advanced features to filter, search, and tail log data, define alerts, and design custom views to monitor application and system logs. Learn more about getting started with IBM Cloud Log Analysis.
You can stream data from an IBM Cloud Log Analysis instance to another IBM Cloud Log Analysis instance across regions or to other corporate tools such as Security Information and Event Management (SIEM) tools. Learn more about streaming data.
The logging agent collects and forwards logs to your IBM Cloud Log Analysis instance. After you provision an IBM Cloud Log Analysis instance, you must configure a logging agent for each log source, for example in classic infrastructure or VPC infrastructure, that you want to monitor. Learn more about logging agents.
IBM Cloud Monitoring is a cloud-native, and container-intelligence management system that you can include as part of your IBM Cloud architecture. Use it to gain operational visibility into the performance and health of your applications, services, and platforms. It offers administrators, DevOps teams, and developers full stack telemetry with advanced features to monitor and troubleshoot, define alerts, and design custom dashboards. Learn more about getting started with Monitoring.

Depending on the compute resource type that you are monitoring, follow these guides to configure the monitoring agent in classic infrastructure or VPC infrastructure:
You can use IBM Cloud Monitoring to push a set of selected metrics to a Kafka service such as IBM® Event Streams for IBM Cloud®. For more information, see Streaming metrics to a Kafka service.

Streamline access management with identities, groups, and policies

Use the following checklist to create user and service identities in your accounts. Then, create access and resource groups for organizing users and resources to streamline the access management process. Account owners or users with the administrator role on all IAM account management services, which includes services such as the user management, access groups, identity service, and more can complete these tasks.

Table 7. Getting started tasks for streamlining access management with identities, groups, and policies
Task Description
Access groups are used to organize a set of users and service IDs into a single entity to enable the assignment of policies to the group instead of assigning the same access multiple times per individual user or service ID. A logical way to assign access to resource groups is by creating one access group per required level of access. Then, each access group is mapped to the needed resource groups. Examples of access groups that you should consider would be Admin and Developer. Check out the What makes a good access group strategy best practices documentation.
You can configure, control, and manage events and logging data that is available to users by configuring groups in the logging instance. Access groups provide extra security by allowing users to see only a subset of auditing events, as opposed to all auditing events that are generated in the account. For example, you might grant a group of users access to see auditing events that are only related to development services in the account. Learn more by reviewing Using groups to control data access and RBAC, groups, and IAM integration.
A resource group is a way for you to organize your account resources in customizable groupings so that you can quickly assign users access to multiple resources at a time. It is generally recommended to create a resource group per project. Learn more about managing resource groups.
Users are invited to an account and given access to the resources. Use IAM to invite users, cancel invitations, or resend a pending invitation. You can invite a single user or multiple users. Start inviting users to an account.
Trusted profiles are used to automatically grant federated users access to your account with conditions based on SAML attributes from your corporate directory. Trusted profiles can also be used to set up fine-grained authorization for applications that are running in compute resources. This way, you aren't required to create service IDs or API keys for the compute resources. Learn more about creating trusted profiles.
A service ID identifies a service or application similar to how a user ID identifies a user. You can create a service ID and use it to enable an application outside of IBM Cloud access to resources in your account. Learn more about creating and working with service IDs.
If you have configured a Secrets Manager instance as described in Encrypt and protect your data, you can use that instance to dynamically generate a service ID and an API key each time a protected resource is read or accessed. For more information, see Creating IAM credentials.
An API key is a unique code passed into an API to identify the calling application or user. You can use platform IBM Cloud API keys that are associated with user identities, and you can create other API keys for service IDs. For more information, see Understanding API keys.
If you have configured a Secrets Manager instance as described in Encrypt and protect your data, you can use that instance to dynamically generate a service ID and an API key each time a protected resource is read or accessed. For more information, see Creating IAM credentials.
A policy consists of a subject, target, and a role. A policy grants a subject one or multiple roles to a set of resources so that specific actions can be taken. The role defines the level of access that is granted. For more information, see What are IAM policies and who can assign them?

Get support and other resources

If you experience problems with IBM Cloud, you have several options to get help determining the cause of the problem and finding a solution. If you’re logged into your account, you can go directly to the Support center to review product topics and featured FAQs, open or manage a support case, or search community content. Use this checklist to identify support options that are available, including training and tutorials.

Table 8. Getting started tasks for get support and other resources
Task Description
Stay up to date with the new features that are available on the IBM Cloud platform so that you get the most out of your IBM Cloud experience. Check out the what's new documentation for the platform and the announcements blog.
The IBM Cloud Status page is the central place to find details about all incidents, planned maintenance, announcements, release notes, and security bulletins about key events that affect the IBM Cloud platform and services. Learn more about viewing cloud status.
You can choose a Basic, Advanced, or Premium support plan to customize your IBM Cloud support experience for your business needs. The level of support that you select determines the severity that you can assign to support cases and your level of access to the tools available in the Support Center. Learn more about support plans.
If you experience problems with IBM Cloud, you can use the Support Center to create a support case. You can also create support cases for issues that are associated with access (IAM), billing and usage, account issues, and invoice or sales inquiries. Learn more about creating support cases. In the event you’re unable to access your account, please create a case here.
Solution tutorials provide step-by-step instructions on how to use IBM Cloud Log Analysis to manage operating system logs, application logs, and platform logs in the IBM Cloud to implement common patterns based on best practices and proven technologies. See Getting started with solution tutorials.
Grow your skills with learning paths. Choose a topic and get started with step-by-step technical training. Visit the IBM Cloud Center for Training.
We want to hear from you! You can submit feedback for the IBM Cloud team on the documentation or the console. You can choose from a few different methods to provide feedback. Learn about the ways that you can submit feedback.
Learn in-demand skills, build solutions with real sample code, and connect with a global community of developers. Bookmark IBM Developer.
Ask questions or view responses on Stack Overflow by using the ibm-cloud tag or expand to include more related tags.
Visit the FAQ library in the console to get answers about frequently asked questions for getting support.
A CSM is reserved for those clients who have made a significant commitment to employ IBM Cloud for their cloud-based solution. Assignment takes place by a nomination process with supporting criteria that does vary per geo location. Work through your local IBM Sales team or Inbound Sales for additional details on receiving a dedicated CSM resource.
Submit your ideas and feature requests for review and possible implementation by the Product Management team. The Product Management team is responsible for the full lifecycle of an IBM Cloud product offering. Go to the Public Ideas Portal to submit a request.