Understanding your responsibilities when using Virtual Private Cloud
Learn about the management responsibilities that you have when you use IBM Cloud® Virtual Private Cloud (VPC). IBM Cloud VPC customer responsibilities apply across all VPC infrastructure services, unless otherwise noted. For overall terms of use, see Cloud Services terms.
Overview of shared responsibilities
IBM Cloud VPC is an infrastructure-as-a-service (IaaS) offering in the IBM Cloud shared responsibility model. Review the following table of who is responsible for particular cloud resources when you use IBM Cloud VPC. Then, you can view more granular tasks for shared responsibilities in Tasks for shared responsibilities by area.
| Resource | Incident and Operations Management | Change Management | Identity and Access Management | Security and Regulation Compliance | Disaster Recovery |
|---|---|---|---|---|---|
| Data | Customer | Customer | Customer | Customer | Customer |
| Application | Customer | Customer | Customer | Customer | Customer |
| Operating system | Customer | Customer | Customer | Customer | Customer |
| Virtual servers | Shared | Shared | Shared | Shared | Shared |
| Virtual storage | Shared | Shared | Shared | Shared | Shared |
| Virtual network | Shared | Shared | Shared | Shared | Shared |
| Hypervisor | IBM | IBM | IBM | IBM | IBM |
| Bare metal servers | Shared | Shared | Shared | Shared | Shared |
| Physical servers and memory | IBM | IBM | Shared | Shared | IBM |
| Physical storage | IBM | IBM | IBM | IBM | IBM |
| Physical network and devices | IBM | IBM | IBM | IBM | IBM |
| Facilities and data centers | IBM | IBM | IBM | IBM | IBM |
Tasks for shared responsibilities by area
After you reviewed the overview, see what tasks you and IBM share responsibility for when you use IBM Cloud VPC.
Incident and operations management
Incident and operations management includes tasks such as monitoring, event management, high availability, problem determination, recovery, and full state backup and recovery.
| Task | IBM Responsibilities | Your Responsibilities |
|---|---|---|
| Infrastructure | IBM deploys a fully managed, highly available, secured, IBM-owned infrastructure. | The Customer uses the provided API, CLI, or UI console to provision compute and storage, and to adjust networking configurations to meet the needs of their workload. To automate the provisioning and management of VPC service instances, you can use automation tools, such as IBM Cloud Schematics or Terraform. |
| Availability | IBM fulfills requests for VPC infrastructure, such as VPCs, subnets, virtual server instances, Block Storage volumes, File Storage shares, security groups, access control lists, floating IP addresses, public gateways, and SSH keys across multiple availability zones (AZs) and multi-zone regions (MZRs). | The Customer designs and deploys their workload in a way that achieves high availability by using our provided tools, such as multiple availability zones. At a high level, you are responsible for deploying workloads in different zones of the region, by using at least two load balancers that are located in different zones, and either by using DNS records to point to the load balancers or ensuring that your application can handle the list of IP addresses that it can connect to. For more information, see Deploy isolated workloads across multiple locations and zones. |
| Bring your own CIDR | IBM provides the ability to bring your own CIDR block to a subnet. | The Customer ensures the CIDR blocks that they specify for their VPC do not conflict with CIDR blocks that are used by any other network that they plan to connect to their VPC. |
| Monitoring | IBM provides built-in virtual server instance monitoring and IBM Cloud Monitoring. | The Customer monitors the health of their workload by using either the built-in virtual server instance monitoring or IBM Cloud Monitoring. |
| Logs | IBM provides access to logs for debugging purposes. | The Customer uses IBM Log Analysis to check logs, as needed. |
| Workloads | IBM provides tools and features for customer use. | The Customer uses the provided tools and features to configure and deploy their highly available and resilient workloads by setting up permissions, integrating with other services, externally serving and monitoring health, as well as saving, backing up, and restoring data. |
| Flow logs | IBM provides the ability to collect flow log data from various endpoints. | The Customer understands the IBM Cloud Flow Logs for VPC data retention process and ensures that their destination Cloud Object Storage bucket is properly secured and encrypted. |
Change management
Change management includes tasks such as deployment, configuration, upgrades, patching, configuration changes, and deletion.
| Task | IBM Responsibilities | Your Responsibilities |
|---|---|---|
| OS-based update repositories | IBM provides private network access to OS-based update repositories. | The Customer maintains OS patches, version updates, and security updates. |
Identity and access management
Identity and access management includes tasks such as authentication, authorization, access control policies, as well as approving, granting, and revoking access.
| Task | IBM Responsibilities | Your Responsibilities |
|---|---|---|
| IBM Cloud IAM | IBM provides the function to restrict access to resources through the IBM Cloud console and REST APIs. | The Customer is responsible for managing access to resources through IBM Cloud Identity and Access Management (IAM). |
Security and regulation compliance
Security and regulation compliance includes tasks such as security control implementation and compliance certification.
| Task | IBM Responsibilities | Your Responsibilities |
|---|---|---|
| Compliance | IBM maintains controls commensurate to current industry compliance standards. IBM also maintains General Data Protection Regulation (GDPR) readiness for customer compliance. See Understanding IBM Cloud compliance for details. | The Customer is responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. |
| Security features | IBM enables security features, such as encrypted disks. | The Customer uses the provided security features, such as restricting user access to the appropriate resources and resource groups. |
| Vulnerabilities | IBM continuously monitors stock images to detect vulnerability and security compliance issues. | The Customer is responsible for their education on possible vulnerabilities and security issues through security bulletins that describe actions to remediate any vulnerabilities. A Customer can use the IBM Cloud status website to find announcements and security bulletin notifications about key events that affect the IBM Cloud platform, infrastructure, and major services. |
| Audit records | IBM provides audit records of the VPC resource lifecycle through IBM Cloud Activity Tracker. | The Customer uses IBM Cloud Activity Tracker tooling to monitor audit records. |
| Security groups and ACLs | IBM provides the ability to restrict access to virtual server instances by using security groups and networks ACLs. | The Customer uses security groups and network ACLs to secure their virtual server instances, such as restricting what IP addresses can SSH into the instance. |
| Public Network Access | IBM provides options to use a public gateway or floating IP addresses. | The Customer chooses how to connect their workload to the public internet, if applicable, either through a public gateway or floating IP. |
| Access restriction | IBM provides security measures for customers to restrict access to resources and resource groups. | The Customer restricts user access to the appropriate resources and resource groups. |
| Activity tracker | IBM provides logging and monitoring tools. | The Customer integrates IBM Cloud Activity Tracker and IBM Cloud Monitoring data into their auditing and monitoring processes. |
| Encryption | IBM Cloud VPN for VPC supports encrypted traffic by using IKE/IPsec policies.
File Storage for VPC is considered to be a Financial Services Validated service only when encryption-in-transit is enabled. |
The Customer ensures that their connection is encrypted end-to-end, if required. |
Disaster recovery
Disaster recovery includes tasks such as providing dependencies on disaster recovery sites, provision disaster recovery environments, data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events.
| Task | IBM Responsibilities | Your Responsibilities |
|---|---|---|
| Load balancer and VPN disaster recovery | IBM Cloud Load Balancer and VPN for VPC have off-site storage and replication of configuration data in an out-of-region disaster recovery node with daily backups. This data is fully managed by IBM Cloud and no customer input is required to ensure service recovery, although there can be up to a 24-hour loss of configuration data. | The Customer sets up their backup and recovery strategies for workload data. |