IBM Cloud Docs
Understanding your responsibilities when using Virtual Private Cloud

Understanding your responsibilities when using Virtual Private Cloud

Learn about the management responsibilities that you have when you use IBM Cloud® Virtual Private Cloud (VPC). IBM Cloud VPC customer responsibilities apply across all VPC infrastructure services, unless otherwise noted. For overall terms of use, see Cloud Services terms.

Overview of shared responsibilities

IBM Cloud VPC is an infrastructure-as-a-service (IaaS) offering in the IBM Cloud shared responsibility model. Review the following table of who is responsible for particular cloud resources when you use IBM Cloud VPC. Then, you can view more granular tasks for shared responsibilities in Tasks for shared responsibilities by area.

Table 1. Responsibilities by resource
Resource Incident and Operations Management Change Management Identity and Access Management Security and Regulation Compliance Disaster Recovery
Data Customer Customer Customer Customer Customer
Application Customer Customer Customer Customer Customer
Operating system Customer Customer Customer Customer Customer
Virtual servers Shared Shared Shared Shared Shared
Virtual storage Shared Shared Shared Shared Shared
Virtual network Shared Shared Shared Shared Shared
Hypervisor IBM IBM IBM IBM IBM
Bare metal servers Shared Shared Shared Shared Shared
Physical servers and memory IBM IBM Shared Shared IBM
Physical storage IBM IBM IBM IBM IBM
Physical network and devices IBM IBM IBM IBM IBM
Facilities and data centers IBM IBM IBM IBM IBM

Tasks for shared responsibilities by area

After you reviewed the overview, see what tasks you and IBM share responsibility for when you use IBM Cloud VPC.

Incident and operations management

Incident and operations management includes tasks such as monitoring, event management, high availability, problem determination, recovery, and full state backup and recovery.

Table 2. Responsibilities for incidents and operations
Task IBM Responsibilities Your Responsibilities
Infrastructure IBM deploys a fully managed, highly available, secured, IBM-owned infrastructure. The Customer uses the provided API, CLI, or UI console to provision compute and storage, and to adjust networking configurations to meet the needs of their workload. To automate the provisioning and management of VPC service instances, you can use automation tools, such as IBM Cloud Schematics or Terraform.
Availability IBM fulfills requests for VPC infrastructure, such as VPCs, subnets, virtual server instances, Block Storage volumes, security groups, access control lists, floating IP addresses, public gateways, and SSH keys across multiple availability zones (AZs) and multi-zone regions (MZRs). The Customer designs and deploys their workload in a way that achieves high availability by using our provided tools, such as multiple availability zones. At a high level, you are responsible for deploying workloads in different zones of the region, by using at least two load balancers that are located in different zones, and either by using DNS records to point to the load balancers or ensuring that your application can handle the list of IP addresses that it can connect to. For more information, see Deploy isolated workloads across multiple locations and zones.
Bring your own CIDR IBM provides the ability to bring your own CIDR block to a subnet. The Customer ensures the CIDR blocks that they specify for their VPC do not conflict with CIDR blocks that are used by any other network that they plan to connect to their VPC.
Monitoring IBM provides built-in virtual server instance monitoring and IBM Cloud Monitoring. The Customer monitors the health of their workload by using either the built-in virtual server instance monitoring or IBM Cloud Monitoring.
Logs IBM provides access to logs for debugging purposes. The Customer uses IBM Log Analysis to check logs, as needed.
Workloads IBM provides tools and features for customer use. The Customer uses the provided tools and features to configure and deploy their highly available and resilient workloads by setting up permissions, integrating with other services, externally serving and monitoring health, as well as saving, backing up, and restoring data.
Flow logs IBM provides the ability to collect flow log data from various endpoints. The Customer understands the IBM Cloud Flow Logs for VPC data retention process and ensures that their destination Cloud Object Storage bucket is properly secured and encrypted.

Change management

Change management includes tasks such as deployment, configuration, upgrades, patching, configuration changes, and deletion.

Table 3. Responsibilities for change management
Task IBM Responsibilities Your Responsibilities
OS-based update repositories IBM provides private network access to OS-based update repositories. The Customer maintains OS patches, version updates, and security updates.

Identity and access management

Identity and access management includes tasks such as authentication, authorization, access control policies, as well as approving, granting, and revoking access.

Table 4. Responsibilities for identity and access management
Task IBM Responsibilities Your Responsibilities
IBM Cloud IAM IBM provides the function to restrict access to resources through the IBM Cloud console and REST APIs. The Customer is responsible for managing access to resources through IBM Cloud Identity and Access Management (IAM).

Security and regulation compliance

Security and regulation compliance includes tasks such as security control implementation and compliance certification.

Table 5. Responsibilities for security and regulation compliance
Task IBM Responsibilities Your Responsibilities
Compliance IBM maintains controls commensurate to current industry compliance standards. IBM also maintains General Data Protection Regulation (GDPR) readiness for customer compliance. See Understanding IBM Cloud compliance for details. The Customer is responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation.
Security features IBM enables security features, such as encrypted disks. The Customer uses the provided security features, such as restricting user access to the appropriate resources and resource groups.
Vulnerabilities IBM continuously monitors stock images to detect vulnerability and security compliance issues. The Customer is responsible for their education on possible vulnerabilities and security issues through security bulletins that describe actions to remediate any vulnerabilities. A Customer can use the IBM Cloud status website to find announcements and security bulletin notifications about key events that affect the IBM Cloud platform, infrastructure, and major services.
Audit records IBM provides audit records of the VPC resource lifecycle through IBM Cloud Activity Tracker. The Customer uses IBM Cloud Activity Tracker tooling to monitor audit records.
Security groups and ACLs IBM provides the ability to restrict access to virtual server instances by using security groups and networks ACLs. The Customer uses security groups and network ACLs to secure their virtual server instances, such as restricting what IP addresses can SSH into the instance.
Public Network Access IBM provides options to use a public gateway or floating IP addresses. The Customer chooses how to connect their workload to the public internet, if applicable, either through a public gateway or floating IP.
Access restriction IBM provides security measures for customers to restrict access to resources and resource groups. The Customer restricts user access to the appropriate resources and resource groups.
Activity tracker IBM provides logging and monitoring tools. The Customer integrates IBM Cloud Activity Tracker and IBM Cloud Monitoring data into their auditing and monitoring processes.
Encryption IBM Cloud VPN for VPC supports encrypted traffic by using IKE/IPsec policies. The Customer ensures that their connection is encrypted end-to-end, if required.

Disaster recovery

Disaster recovery includes tasks such as providing dependencies on disaster recovery sites, provision disaster recovery environments, data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events.

Table 6. Responsibilities for disaster recovery
Task IBM Responsibilities Your Responsibilities
Load balancer and VPN disaster recovery IBM Cloud Load Balancer and VPN for VPC have off-site storage and replication of configuration data in an out-of-region disaster recovery node with daily backups. This data is fully managed by IBM Cloud and no customer input is required to ensure service recovery, although there can be up to a 24-hour loss of configuration data. The Customer sets up their backup and recovery strategies for workload data.