CenturyLink Cloud Service Guide

Updated February 20, 2020

This Service Guide (“SG”) sets forth a description of the CenturyLink Cloud Service (“CenturyLink Cloud” or “Service”) including technical details and additional requirements or terms, if any. This SG, the Supplemental Terms, and the Service Level Agreement (SLA) are subject to and incorporated into the governing agreement and Service Schedule between the parties. The specific details of the Service ordered by Customer will be set forth on the relevant Service Order.

Service Description

CenturyLink Cloud is a suite of cloud services which includes use of virtual servers, orchestration, network, and application services in a multi-tenant service data center environment. CenturyLink provides the infrastructure—including space and power, compute resources, storage resources, virtualization operating system, networking resources—and use of the Control portal and API for provisioning and management.

CenturyLink Cloud Services are available in several regional markets globally, including North America, EMEA, and Asia Pacific. Pricing details and any price variances between regions can be found on the CenturyLink Cloud website: https://www.ctl.io/pricing.

CenturyLink Cloud Services’ pricing is listed in USD on the website; however, if Customer elects to be billed in a currency other than USD within the Cloud portal or on a Service Order document, the Services will be invoiced in the chosen currency equivalent as of the date of the invoice and each month thereafter based on the exchange rate as of the date of invoice. For the avoidance of doubt, CenturyLink uses dynamic exchange rates to calculate all non-USD billing. This means the exchange rate published on the day each respective monthly invoice is created will be the exchange rate used to appropriately convert the invoiced amounts from USD to the applicable currency.

Service Elements


Servers & Create Server

Customers have the ability to purchase virtual servers throughout the Term of the Service.

Each virtual machine is a portion of the larger pool of pre-installed and integrated compute, storage, and network functionality. The customer can define the size of the virtual machine from 1 to 16 vCPUs and 1 GB to 128 GB of memory. The CenturyLink-provided operating system templates include CentOS, Debian, Red Hat Enterprise Linux, Ubuntu, and Windows Server.

Two types of cloud servers are available: Standard and Bare Metal.

  1. Standard Cloud Servers

    Standard Cloud Servers use persistent SAN-based block storage with an optional Simple Backup Service for file-based backup & recovery.

  2. Bare Metal Servers

    Dedicated physical, non-virtualized nodes that provide workload isolation with very predictable performance. Bare Metal Servers also provide an option for hosting software that does not have licensing options conducive to virtual machines.

    Unlike Standard Cloud Servers, Bare Metal Servers have fixed CPU, RAM and storage configurations. Windows Server, RHEL, CentOS, and Ubuntu operating system templates are available for Bare Metal Servers. Bare Metal Servers deploy in less than one hour and are accessed via Control portal or APIs. Customers control Bare Metal Servers via Control portal and the API, but do not have access to the IPMI (Intelligent Platform Management Interface) console directly. In the event that a customer inhibits CenturyLink access to the IPMI, network connectivity may be disabled.

    All local non-SSD storage associated with Bare Metal Servers is capable of being fully encrypted by Customer, and all SSD storage supports Instant Secure Erase (ISE) or is zeroed out after releasing a server. For storage supporting encryption by default, new encryption keys are automatically generated for Customer to use with each newly provisioned server. Encryption is controlled exclusively by the disk array controller and not within the OS or elsewhere. CenturyLink controls the encryption keys and each key is tied directly to the logical volume on the array controller. When the logical volume is deleted there is no recovery path as the associated key is destroyed at the same time by the array controller. Thus, the data is rendered unrecoverable as part of a routine rediscovery and provisioning process for servers being decommissioned.

    There are seven operations that can be performed against a virtual cloud server within the server page. Applicable operations for Bare Metal Servers are “On”, “Off”, and “Reset”.

    • On. Applies to cloud servers that are powered off. Initiates the operating system boot sequence. Billing charges for memory, CPU, and operating system (if applicable) start accruing, and monitors are re-enabled.
    • Off. This is a forced shutdown of a server. It is equivalent to unplugging a physical machine. All memory and CPU charges stop accruing, monitors are disabled, and the machine ends up in a powered off state. Any operating system charges (if applicable) and storage charges continue accruing. If the server is moved to archive storage, then any applicable operating system charges cease.
    • Pause. When a virtual machine is paused, its state is frozen (e.g. memory, open applications) and monitoring ceases. Billing charges for CPU and memory stop. A paused machine can be quickly brought back to life by issuing the “On” power command. Any applicable operating system charges continue to accrue while a machine is paused.
    • Reset. Similar to the relationship between “Off” and “Stop OS”, the reset command is a forced power off + power on combination. It is equivalent to the reset button on a physical computer.
    • Stop OS. Initiates a graceful shutdown of the corresponding server or servers. Like the “off” power command, all memory and CPU charges cease, monitors are disabled, and the machine is left in a powered off state.
    • Reboot OS. Executes a graceful reboot of the target server or servers. Unlike the forced “reset” power command, this instructs the operating system to initiate a proper stop and restart.
    • Maintenance. This command puts a server or servers into maintenance mode which means that monitors are disabled.

When a server is created as part of the Create Server process which is set forth in the Control portal, the pricing information is provided within the Control portal as the configuration is adjusted by the user. Users can specify networking details including DNS information, network connectivity, or vLAN attachment. The user can also specify a server lifespan to delete the server at a user specified time.

Servers are organized within a “Server Group(s)” which are based on their resident data center, and can have resource limits, default server settings and access permissions set for individual users. Server Group resource limits are defined by the maximum number of CPUs, memory and storage. Reports and alert monitors can be created for servers within Server Groups which include ping, CPU utilization and disk utilization monitors. Users added to alerts will receive an email in the event a specified monitor metric exceeds the user specified condition which includes the interval, trigger and alert limit. Schedules can also be set for Server Groups to perform regular tasks such as server archive, delete, shutdown, reboot, power on, create snapshot, and delete snapshot based on a user specified time and frequency. Scheduled tasks set on a Server Group will not be run on Bare Metal servers in the Group. Maintenance windows can also be specified by Server Group which will disable all monitoring and alerts during this time.

Resource Limits in the Control portal can also be applied to all Server Groups within a specified data center for total CPU, memory and storage as well as specific user rights to resources within that data center.

Server Archive
The Server Archive lists the Standard servers that have been powered down but have retained the server image. Archived servers can be restored into service or deleted from the archive. Archive storage is charged at the archived storage rate. This feature is not available with Bare Metal servers.

For Standard servers only, templates are provided by CenturyLink for many popular operating systems but private server templates can also be created or uploaded by customers. These private server templates are added to the Server Templates catalog where the template size is provided along with total storage required. Customer can use CenturyLink provided templates as a baseline to configure the operating system, install and configure applications and data, and use the Convert to Template function, which will create a template from the selected server. The server admin or root password must be provided to create a template from the VM. Templates are available for specific datacenters. Customers who wish to copy templates to multiple datacenters should open a trouble ticket with the NOC. Template storage is billed on a GB basis at the Standard Storage rate.

Customers can also upload their own templates for an additional fee. Customers initiate the process by opening a NOC ticket, and then FTP the server template to a provided FTP site. The OVF image format is recommended. Once uploaded, the NOC will ingest the server template into the platform and it will be listed in the Server Template catalogue. Server templates can be converted into a server, used to create a new server, or deleted from within the Template catalogue.

Managed Services

Customers who purchased CenturyLink Cloud prior to December 1, 2019 can access the complete description of available managed services here.

Customers who purchased CenturyLink Cloud on or after December 1, 2019, may utilize the Managed Service Anywhere feature provided with a fee-based subscription to CenturyLink’s Cloud Application Manager services. CenturyLink Managed Services Anywhere is an extensive suite of managed services, including Application Lifecycle Management, workload deployment, OS and application patching, monitoring, troubleshooting, and Cost Optimization and Analytics across a variety of private and public cloud platforms. Detailed information is available in the Cloud Application Manager Service Guide.


CenturyLink Cloud Blueprints (“Blueprints”) are executable templates that can create servers, install software, and execute scripts for Standard servers only. Most major operations within the CenturyLink Cloud Service are executed as Blueprints and customers can also define their own Blueprints to assist in DevOps, deployment and standardized use of the cloud.

Blueprints Queue

The Blueprints Queue shows the status of all Blueprints running within a specific datacenter. CenturyLink provides publicly available Blueprints and users can create private Blueprints to be shared within their account.

Blueprints Library

The Blueprints Library lists available Blueprints that can be searched by keyword and filtered by author, solution type, operating system, and company size. A library listing shows the name of the Blueprint, the configured compute and storage resources within the Blueprint, cost of deploying the Blueprint, version, visibility, tags, community rating and user reviews. The tabs within the Blueprint show the individual servers contained within the Blueprint and their individual configuration along with the number of packaged scripts and software, the sequence of operations within the Blueprint itself and bundled software. Users can click the Deploy Blueprint button to launch the Blueprint or be presented with the required user input to launch a Blueprint.

Design Blueprint

The Blueprint Designer provides a four-step process to create a Blueprint. First the user specifies basics about the Blueprint including the name, version, visibility, and description. Servers are added to the Blueprint with user specified quantities, template, and configuration and associated software and scripts. Next, tasks are created and the order of the tasks specified. Blueprints can also be nested within Blueprints as a specified task. Lastly the Blueprint is reviewed and the cost of the Blueprint is provided. The user can submit the Blueprint for publishing.

Scripts & Software

The open source and public domain Scripts and Software catalogues allow users to browse and create script and software packages. These packages are configured to run scripts, run executables, and install software. Packages are zip files that contain an XML-based package manifest, executable and resources. Users can upload both script and software packages via the control interface and provide metadata describing the package and supported OS types.

FTP Users

This Control portal allows users to create an FTP account and credentials for an FTP site used to assist in uploading software and scripts with the platform.

SafeHaven Disaster Recovery as a Service (DRaaS)

The following service description applies to SafeHaven version 5.0. The service description for SafeHaven version 4.0 can be found at SafeHaven Disaster Recovery as a Service 4.0.

CenturyLink’s SafeHaven Disaster Recovery as a Service (“SafeHaven DRaaS”) software is a distributed software architecture that delivers group consistency and run book automation for multi-tiered applications, automates data center disaster recovery orchestration, enables continuous recovery with group consistency and checkpoints, and provides recovery/redundancy for physical and virtualized IT servers. SafeHaven DRaaS also includes a graphical user interface and is compatible with multiple server operating systems. Within this Section, SafeHaven DRaaS may also be referred to as “SafeHaven DRaaS Service” or “Service”.

As used herein, “data centers” refers to the infrastructure on which SafeHaven Replication Node (“SRN”) and Central Management Server (“CMS”) are deployed and configured. Customer may designate any supported data center as the production data center, and the remaining supported data centers would thereby be the recovery data center.

In addition to the applicable Service Schedule, Customers will also be required to sign a Statement of Work and applicable contract documents for all onboarding activities prior to commencement of SafeHaven DRaaS Services. SafeHaven DRaaS is not available to Customers who click to accept the CenturyLink Cloud Master Services Agreement online.

The SafeHaven software is comprised of certain open source software. Customers must install the relevant software on all desktop or laptop computers that Customer will use for SafeHaven DRaaS administration. Please see the Knowledge Base article SafeHaven 5: Open Source Components for additional details.

DRaaS includes the system components listed below and follows a structural hierarchy in the following order:

  • Cluster
  • Data Center
  • SafeHaven Replication Node (SRN)
  • Protection Group
  • Protected VM/Disk


A SafeHaven Cluster means the group of data centers Customer selects to use with their SafeHaven DRaaS Service. Each SafeHaven cluster can service up to 64 data centers. For CenturyLink Cloud, the data centers are virtual data centers; however, a Customer may utilize any combination of virtual data centers and dedicated data centers, provided that dedicated data centers will require the purchase of certain CenturyLink Managed Hosting services.

A Central Management Server is an Ubuntu 16-based lightweight virtual appliance (virtual machine) in a recovery data center that connects all the data centers/appliances together and provides access to the DR environment via a SafeHaven console (GUI), which is a standalone Java client (provided by CenturyLink) utilized to access the SafeHaven cluster.

The console remotely sends commands to the CMS installed at the recovery site (as more fully described below). Commands are encrypted automatically by embedded SSL in the console and the CMS. Customers use the SafeHaven console to administer and manage their DR environment and initiate point-and-click recovery operations upon individual virtual machines, groups of servers and data drives, or entire data centers. Recovery operations include:

  • Migration. Transfer of a Protection Group to a SafeHaven DRaaS recovery site.
  • Test-Failover. This operation activates a “clone” instance of a Protection Group at a selected checkpoint in the DR data center without affecting production activity in the production data center.
  • Failover. This operation activates the replica instance of a Protection Group in the DR data center at a selected checkpoint.
  • Failback. This operation restores a Protection Group to the original production data center.
  • Automatic detection and reporting of SRN failures and Protection Group errors.

Each SafeHaven cluster includes a single active Central Management Server (CMS). The CMS utilizes the SafeHaven virtual appliance installed at the recovery site and is part of the SafeHaven architecture that:

  • Receives commands from the SafeHaven console and relays them to the appropriate SRN in the appropriate data center.
  • Monitors heartbeats from the SRNs.
  • Receives state information from SRNs and relays it to the SafeHaven console.

Data Center Layer

The data center layer is the set of data centers Customer chooses to provision as the recovery site(s) within a cluster via the SafeHaven console.

SafeHaven classifies data centers based on the API used for orchestration of recovery operations and recognizes the following five data center types.

  1. CenturyLink Cloud virtual data center: Disaster Recovery (“DR”) orchestration is through the CenturyLink Cloud API for CenturyLink Virtual and Bare Metal Servers. CenturyLink Cloud can be used as the production and/or the recovery site.
  2. Amazon Web Services: A third party data center that can be used as a recovery site for production workloads. Customers may use their own AWS account or purchase AWS through CenturyLink’s Cloud Application Manager Services. Cloud Application Manager Services require separate contractual documents to be signed with CenturyLink.
  3. Microsoft Azure: A third party data center that can be used as a recovery site for production workload through Azure APIs. Customers may use their own Azure account or purchase Azure through CenturyLink’s Cloud Application Manager Services. Cloud Application Manager Services require separate contractual documents to be signed with CenturyLink.
  4. Customer’s VMware on Premise: A third party data center whereby DR orchestration is through VMware vSphere 4.0 (or later release) via API calls to VMware vCenter Server.
  5. Manual Production Site or dedicated data center: A manual site is any site, whether CenturyLink or third party, in which APIs are not currently supported for SafeHaven use; however, production and recovery sites can be powered on and off manually. “Manual” means there is no console for Customers to administer remotely. There is no orchestration via API for manual production sites, but the DR site (CenturyLink Cloud, AWS or Azure) is fully automated. This Data Center type can also be used to provide DR protection for physical servers, standalone ESXi hosts, CenturyLink Private Cloud on VMware Cloud Foundation platform, Dedicated Cloud Compute platform, and servers virtualized with Hyper-V Generation 1.

For Clauses 2-5 immediately above, where the data center type is identified as third party, the following additional conditions apply: Where Customer is using their own account, Customer is solely responsible for configuring their account(s), using the third party services in a manner that provides security and redundancy, including enhanced access controls, encryption and backup, and ensuring CenturyLink has all appropriate permissions, credentials and access in order for CenturyLink to perform installation and configuration of SafeHaven. CenturyLink is not responsible or liable for any losses or damages related to the third party services (direct or via any indemnity), including any liability, losses or damages related to unauthorized access or content or data loss and any losses or damages arising from or related to the installation and operation of SafeHaven on third party systems.

For all five data center types above, Customer is fully responsible for performing operations required to control and manage the Service including failover, failback, encryption and data management requirements and other operations documented in these “Disaster Recovery” Knowledge Base articles. Any required network or internet connectivity between any of the data center types listed above is solely the responsibility of the Customer. Customer acknowledges that CenturyLink’s responsibility herein is related to enabling production and recovery environments and storage as detailed herein and such responsibility does not extend to any information, data or content that the Customer may send and/or store within such production or recovery sites. Customer is solely responsible for all data or content, in transit and at rest, whether in the DR or Production environment or in the storage space on disc as detailed in the SRN section below. CenturyLink is not liable for any losses or damages direct or via indemnity related to such data or information including any liability, losses or damages related to unauthorized access or content or data loss.


The SRN is an Ubuntu 16-based lightweight virtual appliance (virtual machine) which transfers and retains production data. This includes all SRNs provisioned within the SafeHaven cluster. Each SRN is associated with a data center as shown in the SafeHaven hierarchy. A given data center may include multiple SRNs. The SRN virtual appliance, which is a component of the SafeHaven software, is set up to automatically:

  • Provision and delete Protection Groups (as more fully described below).
  • Generate and maintain a replica image of each Protection Group in a remote data center.
  • Generate and maintain a scrolling log of up to 2048 checkpoints for each Protection Group.
  • Relay SafeHaven commands from the CMS to the cloud infrastructure.
  • Transmit a heartbeat to other SRNs and the CMS.
  • Relay state information to the CMS.

SRNs replicate at the LUN level transmitting updated blocks for each Protection Group to a peered SRN in a remote data center. Although each active Protection Group has a replica in only one other site, an SRN may support a set of Protection Groups that each have replica instances in distinct remote data centers.

Customer is responsible for purchasing and providing the following additional storage requirements or CenturyLink may not be able to provide the Service:

  • Customer must provide the required amount of disk space (i.e. “storage pool”) so the SRNs can perform their operations. The SRN will utilize the disk space made available by the Customer. Customer’s failure to maintain adequate disk space will cause the SRN operations to fail and will affect CenturyLink’s ability to provide the Service.
  • The production SRN must be provided with a storage pool of sufficient size to mirror the protected VMs.
  • The recovery SRN must be provided with a storage pool of sufficient size to host the protected VM disks inside the recovery site.
  • SRNs must also have enough storage for Protection Group checkpoints. The amount of storage allocated determines how many checkpoints will be retained in the checkpoint history.

Protection Groups

A Protection Group is a set of servers and hard disks grouped by SafeHaven that fail over and fail back together to the same instant in time and are shut down and brought up according to a prescribed recovery plan. Each Protection Group corresponds to a distinct set of servers and hard disks replicated to a remote site by SRNs. When protecting a multi-tiered application, administrators should provision a Protection Group that includes the set of all servers and hard disks that participate in the multi-tiered application. SafeHaven is set up to allow the applicable systems to recover via a remote data center with mutually consistent data images as they were at specific instances in time. Each data center within a cluster can include both active Protection Groups and replica instances of remote Protection Groups.

Protection Groups are logical mappings between the production and recovery servers. Protection Groups are created from within the SafeHaven console and users have the choice to either include one or multiple servers inside a single protection group. All the recovery operations are initiated from a Protection Group level.

Protected VM/Disk

Write traffic for each protected VM and hard disk is locally and synchronously mirrored within the production data center so that it is written both to the primary data store and also to a local SRN. For Windows Server Operating Systems 2008R2 and later, the SafeHaven local replication agent is employed and in Linux Operating Systems, Rsync is employed.


SafeHaven checkpoints correspond to LUN-level Copy on Write snapshots and are block-consistent representations of a Protection Group at an instant in time.

Open Source Software

DRaaS uses SafeHaven software to employ the relevant open source software. Details of the various components can be found in the Knowledge Base article SafeHaven: Open Source Components. All users of the Service are subject to the terms and conditions of any applicable open source license agreements.


Due to the self-service nature of the Service, upon termination of the SafeHaven DRaaS Services, Customer is responsible for deleting all SafeHaven software, any related cloud infrastructure and components employed to provide the Service and any and all data or content Customer chose to replicate and/or store to an applicable data center while using the Services.



The Service provides the ability to create complex network topologies to securely segment application tiers or entire systems. Using the Control portal, customer can provision private VLANs and delete unused ones. Each customer gets an initial private VLAN to use; additional VLANs can be added (for a fee), up to a total of 3 VLANs per account.

External Public IP Addresses

The Service provides optional external IP addresses (for a fee). Customers can use Public IP addresses provided by the Service through Network Address Translation (NAT).


By default, all external network access to servers in the Service is turned off by firewall policy. Users may open external access to servers by creating the appropriate firewall policy. Users are responsible for the security implications of the firewall rules they create.

Firewall policies may be created enabling network connections within a data center (“Intra Data Center”) and/or network connections across data centers (“Cross Data Center”). Users may specify the Source and Destination accounts in the Control portal, networks/subnets, specific IP address ranges and ports exposed by firewall policies.

A firewall Change Log displaying recent activity is also available on the Firewalls portal page.

Internet Bandwidth Billing

Each data center with CenturyLink Cloud Services is connected to the Internet via redundant, high-speed connections. In addition, each location is connected using multiple providers, with multiple major Internet backbones into each facility. This approach decreases the likelihood of customer downtime during carrier outages and is designed to provide more reliable connectivity. Inbound traffic from the Internet to CenturyLink Cloud, intra-data center, and cross data center traffic is free of charge and not metered.


Standard Client-to-Site VPN
Each customer gets a dedicated VPN server for establishing client access to their cloud network. Users can set up standard client-to-site VPN connections by installing the OpenVPN client for Windows or Apple OS X as directed in the portal and in the Knowledge Base.

VPN certificates may be created, downloaded and deleted. VPN settings are editable. VPN servers can be restarted through the Control portal. The maximum number of client VPN connections is 19.

Site-to-Site VPN
The CenturyLink Cloud platform offers self-service support for configuring gateway-to-gateway, persistent IPsec VPN Tunnels. This model protects communications between two specific networks, such as an organization’s main office network and a branch office network, or two business partners’ networks. The Control portal supports creating and deleting IPsec VPN Tunnels, but not editing. Users can delete and create IPsec VPN tunnels when a change is needed.


The Services section of the CenturyLink Cloud Control portal provides both platform services and higher level functions that leverage and complement servers, networks and blueprints. These services include object storage, DNS, site redirect, SMTP relay, load balancer, and backup.

Relational DB Service

Relational DB Service is a Database as a Service (DBaaS) offering powered by CenturyLink Cloud Servers. Relational DB Service provides immediate access to a MySQL-compatible or MSSQL database instance and includes daily backups. Users have the option to purchase replication for high availability.

Relational DB Service includes:

  • All applicable licensing and software assurance related to the database server instance
  • Configuration of database server instance
  • Deployment of a default schema for MySQL instances
  • Basic monitoring of OS resources and general health
  • Daily Backups with configurable backup time and retention up to 35 days
  • Point-in-time restore from backup capability
  • Database and OS patches
  • Database configuration
  • Replication configuration (if purchased)
    • SQL: In-datacenter replication with auto-failover
    • MSSQL: In-datacenter or cross-datacenter replication with push-button failover
  • SSL certificate provided, giving customers the option to encrypt their data in transit
  • Private routing for MSSQL instances, provisioned to customer’s VLAN
  • Logging visibility
  • Server metrics available in real-time and history (CPU, Disk, Memory)
  • Real-time log monitoring of database related logs

Relational DB Customers can initiate the following tasks via automation:

  • Create and delete database instances
  • Download SSL Certificate
  • View backups
  • Change backup time
  • Change backup retention
  • Deletion of backups
  • Manual failover (if replication is purchased)
  • Scale CPU, RAM and storage of the instance by single increments
  • Create and modify notifications
  • Create and update configuration profiles and unique database configuration parameters for MySQL instances
  • Perform a point-in-time restore from backup

Relational DB Customers can use any MySQL/MSSQL client to manage the database instance. For example:

  • User identity and access management
  • Auditing
  • Database tuning & analysis
  • Connect to the database with an SSL encryption key created for you
  • Manage table and index partitioning
  • DDL and DML
  • Monitor the database using 3rd party tools

Object Storage

Object Storage is a storage service for digital assets stored in “buckets.” The object storage service replicates a single object three times within the selected region. User accounts are created for object storage and given an access key and secret access key. Users can also define bucket access permissions per group and user. The Object Storage service is Amazon S3 compatible so users can use Amazon S3 compliant tools and API commands to access the objects.


The DNS service allows users to purchase a DNS zone and specify time to live. Once the DNS zone is created, resource records can be created, modified and deleted covering A, AAAA, CNAME, KEY, LOC, MX, NS, SOA, SRV and TXT resource record types. This service can be used to create geo-load balancing traffic distribution based on rule set and weighted or geo-targeted definitions. Users can map multiple host names to a single service in order to service multiple websites or map a single host name to multiple machines leveraging simple DNS provided load balancing.

Site Redirect

Site Redirect is an option that performs an HTTP-based redirect of a web site domain name to any URL. Once configured in the Control portal, Site Redirect can take up to 1 hour to replicate the redirection settings.

Intrusion Prevention Service

The CenturyLink Cloud Intrusion Prevention Service (“IPS”) is a critical security component for helping to prevent business disruption, securing a cloud environment, and satisfying certain compliance standards. IPS leverages industry-leading technology from Trend Micro. A host-based IPS agent is deployed on a Customer’s VM to provide enhanced security protection for customer critical data. The agent uses vendor defined signatures combined with host operating system details to create a unique host-specific configuration policy designed to proactively mitigate potential attacks on the host.

A default policy is implemented on each VM that is then automatically tuned based on the host operating system and installed applications. If a vulnerability is identified, the system will log it, take appropriate action, and report on it based on the IPS policy. IPS is provisioned via Blueprints through the Control portal.

Load Balancer

The CenturyLink Cloud Service offers both dedicated and shared load balancers. This service is delivered via highly available devices. Shared load balancers are managed through the Control portal, while dedicated load balancers are managed outside the Control portal. The table below provides performance specifications for the load balancing options. Shared load balancers are used by multiple clients within a given data center, so client specific performance may vary.

| Feature | Shared | Dedicated |
|---|---|---|
| Control self-service | Yes | No |
| Availability | Highly Available pair | Single Instance or Highly Available pair options available |
| Load Balancing VIP Ports | TCP/80 & TCP/443 | Any |
| Load Balancing Algorithms | Round Robin; Least Connection | Citrix Complete Listing |
| Costing model | Per VIP (NLB Group) | Per Device: VPX-200 or VPX-1000 available in both Standard or Enterprise Edition |
| Responsibility for Support & Management | CenturyLink Cloud | Customer via CLI or Web based UI |
| Performance | HTTP throughput: up to 400 Mbps; performance is shared among all clients | HTTP throughput: up to 400 Mbps; SSL encrypted throughput: up to 400 Mbps; HTTP compression throughput: up to 350 Mbps; SSL VPN/ICA Proxy concurrent users: up to 1500; new SSL requests/second: up to 750 |
| SSL Offloading | No | Yes, Customer Configured |
| Health Checks | Yes, TCP and PING | Yes, Customer Configured |

When creating a load balancer group on the shared load balancer, the user can specify the group name, description, port, method, persistence and IP address assignment. Upon creating a load balancer configuration, a Virtual IP (VIP) is assigned and shown to the user.

Available options include:

  • Port – 80 (HTTP) or 443 (HTTPS)
  • Method – Round Robin or Least Connection
  • Persistence – Standard or Sticky

A log of recent activity, billing summary and bandwidth history is available on the load balancer Overview page in the portal.

  • Shared load balancers are configurable in a self-service fashion.
  • Customers can log in directly to their dedicated load balancers.
  • With the shared load balancers the external IP sits directly on the load balancer.
  • With a dedicated load balancer the VIP is an internal IP. In order to provide external access a MIP/NAT must be added to the firewall which points to the internal VIP.
  • If Customer wants to use a load balancer to access an internal VIP over their site to site VPN they must use a dedicated load balancer. It is not possible to access an internal VIP on the shared load balancer over a site to site VPN.
  • All shared load balancers are in a High Availability pair. If either node goes down there will be no downtime. Dedicated load balancers can be put in a HA pair by request.
  • Load balancer pools can include parent account servers. “Share parent networks” must be set before user can provide IP addresses of parent servers.
  • MIPs are not accessible from within the datacenter. If you need to reach a public IP from both inside and outside the datacenter, you need to use the shared load balancer.

Simple Backup Service


The CenturyLink Cloud Simple Backup Service (“SBS”) provides secure, file-level backup and restore of your important data. A host-based backup agent is deployed on a Customer’s CenturyLink Cloud VM, Bare Metal Server, or a customer-owned and managed host to provide enhanced backup/restore protection for customer critical data. The agent applies policies defined by the customer to store data on the CenturyLink Cloud VM, Bare Metal Server, or a customer-owned and managed host, backs it up to a customer specified storage region over the internet, and retains the data according to the policy.


Runner is a hybrid IT management tool capable of automating infrastructure and providing control of devices in data centers or on-premises. It can also scale infrastructure in any cloud environment.

Powered by Ansible

  • Leverages the power and functionality of Ansible and exposes it to integrate cloud and on-premise connectivity.
  • State-based, massively parallel and repeatable.

Simple Control Panel

  • Create, schedule and run jobs from either the dashboard or via API.
  • Monitor and report on status, and easily share.

Automated Infrastructure

  • Fast and easy automation of infrastructure in any cloud or data center.
  • Provision, configure and deploy environments with CenturyLink Cloud, third-party cloud providers, and on-premises.

Focused on Reuse

  • Public Shared jobs can be run from within our Marketplace. No Ansible knowledge required.

Network Exchange

The CenturyLink Cloud Network Exchange Service provides a secure, high-speed, redundant, private network using a layer 3 based software defined network interface to connect disparate IT environments and devices, including but not limited to CenturyLink Cloud, Managed Hosting, and colocation environments within select data centers, so long as environments are either within the same CenturyLink data center for Managed Hosting and colocation environments; or within the same metropolitan area for CenturyLink Cloud. Network Exchange utilizes the CenturyLink Cloud Control portal for setup and management, coupled with CenturyLink Cloud network automation and pre-deployed network infrastructure.


The Account section of the Control portal user interface provides overall account management functions including governance, user access, billing, user interface customization and activity history.


The Information page displays overall customer information including business name, address, contact information and time zone.


The Billing tab provides billing summary information including month to date billing, and the estimate of the current month. The billing history tab shows specific credits and debits against the account. The payment method tab allows customers to update or change payment options and details. The Billing Details tab shows the global discount applied toward the account, purchase order details, monthly commit details if applicable, payment terms and contract expiration date if applicable.

Sub Accounts

Sub accounts allow separate accounts to be created but maintain a hierarchical relationship between parent and child accounts. This can be useful for control and governance features where different legal entities or lines of business within an enterprise may want their own chargeback information, billing detail and different pools of users for access. This feature is also useful for customers reselling CenturyLink Cloud or using it to deliver SaaS or System Integration activity where customer specific billing history must be maintained.

Multiple subaccounts can be created and there can be multiple subaccounts under subaccounts for businesses with complex resale, governance or access requirements. Parent networks can be shared with subaccounts as well as branding and data preferences passed from the parent to the subaccount. When the subaccount is created, a primary datacenter is also declared as part of the subaccount definition. This primary data center is the default datacenter selected when new resources are created.


The users tab allows Customers to add additional users to their account. Name, email address, and username are required. Additional optional information can also be provided (e.g., title, phone numbers, etc.). CenturyLink Cloud supports Security Assertion Markup Language 2.0 (“SAML”) based Single Sign-On (“SSO”) to the Control portal, which provides Customers with control over the authentication of their hosted user accounts and who can access the Control portal. Using the SAML model, CenturyLink Cloud acts as the service provider and Customer acts as the identity provider controlling usernames, passwords and other information used to identify and authenticate users for the Control portal. Customers who wish to integrate CenturyLink Cloud with a single sign-on solution using a SAML based server may do so by clicking the Authentication sub tab and specifying SAML Authentication details including SSO IdP URL, Signing Certificate Key and Encryption Certificate Key.


The CenturyLink Cloud user security model has eight roles that map to unique personas within an organization and help customers apply a least-privilege approach to their cloud environment. The user security model cascades throughout the user interface and v2 API. A user can be part of multiple roles, and the Control portal user interface recognizes which role(s) a customer has and adjusts accordingly. Below is a brief description of each role:

  • Account Administrator can perform any provisioning and management tasks available in the cloud platform
  • Server Administrator cannot change account-level settings or some networking services, but has full permission to create and manage virtual server infrastructure
  • Server Operator has day-to-day management permissions but cannot add public IPs, create load balancer pools, or change policies
  • Security Manager can change account settings, user permissions, and firewall policies, but cannot build or manage virtual resources
  • Network Manager can configure and maintain network settings like DNS, VPNs, vLANs, and firewall policies
  • DNS Manager has permission to manage DNS zones
  • Billing Manager has access to billing history and payment information
  • Account Viewer has read-only access to all aspects of the cloud platform, and cannot initiate changes or create resources

Once a user is created, Area permissions can be applied to the specific user account including Account Admin permissions which give the user full access to all resources and settings on the account, Billing Admin, Domain Admin and Premium Server Admin permissions.

Administrators also have the option to require all users to log in via SAML. If enabled, this feature will automatically forward users who attempt to log in via the Control portal to the specified SAML login page. This “forced path” offers greater compliance with enterprise policies. In addition, administrators can toggle this feature for all subaccounts.


The notification page allows the customer to specify specific users as Primary, Secondary, Billing and Billing carbon copy points of contact for CenturyLink.


When user accounts are created, they do not by default have access to the API. An API user account must be created within this page by providing an Email address. The system then generates the API key and password within the portal for API authentication. Webhooks send push notifications to a user specified HTTP endpoint. This prevents a developer from having to constantly poll the API to check status as the CenturyLink Cloud webhook will tell the customer provided URL that a specific event occurred. Webhooks are available for many events including account, server and user creation/deletion/update.

The API is available via both SOAP (XML) and HTTP (XML/JSON) web services. Software development kits are available for both Java and .Net environments. The API is documented online via the CenturyLink Cloud Knowledge Base.


The Tickets page allows a customer to view open tickets and their status and to create new tickets. Customers can also send an Email to help@ctl.io to create a new trouble ticket.

Activity History

The activity history page allows users to pull complete activity history across the account based on date range, specified accounts and subaccounts, or keyword. Users may also download a comma delimited file from the portal to review and parse the account history.


The Settings page allows users to customize the Control user experience by adjusting branding, colors, site footers, DNS, customer support details and legal details, creating custom fields, customizing Email based notifications and adjusting account access to specific data centers. This capability enables customers to make the user experience their own. This is useful for Enterprise customers who want to brand the service with their own branding and direct end users to internal IT support teams as the first point of contact before contacting CenturyLink Cloud support. Resellers and wholesalers can create their own user experience and hide the CenturyLink Cloud details and branding.

Support and Service Management

Support Options

There are three support tiers to choose from: Developer, Professional and Enterprise. Each support tier provides break fix level of support via web tickets to resolve Customer platform related issues. The Professional and Enterprise Support service tiers add phone and chat based support. The response time service level objective for Professional support is one hour while the Enterprise response time is 30 minutes.

Enterprise support requires at least 160 hours of CenturyLink Cloud Service Engineering.

Customers selecting the Enterprise support tier must purchase a minimum of 160 hours or up to 640 hours per month in support of their account. The work shift for each designated resource is 36 hours per week.

Support Tier Comparison:

| Feature | Developer | Professional | Enterprise |
|---|---|---|---|
| Access to forums, white papers, and providing access to the CenturyLink Cloud knowledge base | Yes | Yes | Yes |
| Break/Fixes | Yes | Yes | Yes |
| Web Tickets | Yes | Yes | Yes |
| Phone/Chat | No | Yes | Yes |
| Response SLA | < 8 hours | < 1 hour | < 30 minutes |
| Service management support | N/A | Available | Available |
| Price | Free | Graduated | Graduated |

The following table lists the operational support activities and requests offered across CenturyLink Cloud support tiers that may arise for virtual machines (VMs) provisioned on the CenturyLink Cloud platform.

Support Activities provided for Services and Systems Hosted on the CenturyLink Cloud Platform:

| Support Activities | Notes |
|---|---|
| 24x7x365 health monitoring and incident resolution of the CenturyLink Cloud platform’s systems (i.e., physical servers, orchestration systems, virtualization management systems, data center hosting services, network architecture, and storage systems) | Does not include operating systems and/or application performance issues within a Customer’s virtual machine (VM). |
| Data backup | Backups utilizing single node/non-replicated storage and the number of days are determined by the class of storage provisioned. |
| Data/Server restores from backup | Until this is exposed as a self-service feature it will be provided at no cost to Customers. |
| Network latency/interruption within the CenturyLink Cloud platform (e.g., between servers) | CenturyLink will investigate any network latency and/or service interruptions within the Platform and with our ISP vendors. Any upstream troubleshooting request is a separate billable support engagement. |
| Troubleshooting client-based OpenVPN issues | CenturyLink will investigate any network latency and/or service interruptions within the CenturyLink Cloud Platform and with our ISP vendors. Any upstream troubleshooting request is a separate billable support engagement. |
| Troubleshooting point-to-point VPN issues | CenturyLink will investigate any network latency and/or service interruptions within the CenturyLink Cloud Platform and with our ISP vendors. Any upstream troubleshooting request is a separate billable support engagement. |
| DDOS investigation | Commercially reasonable efforts are employed to mitigate, investigate, and resolve DDOS attacks and/or other security intrusions that affect the shared platform. |
| Troubleshooting SafeHaven Performance | CenturyLink will investigate any performance issues for the SafeHaven software inclusive of SRN, CMS and Console. |
| SafeHaven Software updates | Will require re-installation at the current SafeHaven Installation Service task price. |

Support Pricing

The Developer support tier is provided at no cost. Professional and Enterprise support are fee-based with a graduated scale based on total platform usage, including services like SW licenses, managed operating systems and managed application services.

The scaled model for support fees is as follows:

  • The first $0-$10k of monthly usage is billed at a rate of 10%.
  • The next $10k-$80k of monthly usage is billed at a rate of 7%.
  • The next $80k-$250k of monthly usage is billed at a rate of 5%.
  • Any usage over $250k is billed at a rate of 3%.

The following table provides a sample calculation for Professional or Enterprise support fees based on a monthly invoice totaling $130k. Using the tiered structure above, the support fees would be $8,400.

| Usage Tier | Actual Usage | Rate | Support Charges |
|---|---|---|---|
| $0-$10k | $10k | 10% | $1,000 |
| $10k-$80k | $70k | 7% | $4,900 |
| $80k-$250k | $50k | 5% | $2,500 |
| >$250k | $0 | 3% | $0 |

CenturyLink Cloud Service Engineering

The CenturyLink Cloud Service Engineering function provides personalized support services including:

  • Performing CenturyLink Cloud Service tasks
  • Conducting operational support of the CenturyLink Cloud platform
  • Responding to Customer initiated trouble tickets or requests
  • Assisting customers in user account management including user creation, management and maintaining resource limits
  • Network management; crisis / incident management
  • Reporting on overall ticket status; communicating platform change
  • Providing customers recommended implementation guidance for the CenturyLink Cloud platform
  • Platform environment configuration
  • Performance monitoring & analysis using platform capabilities
  • Providing consultative platform solutions design
  • Configuration and service deployment

Service Engineering is available in 20, 40, 60, 80, 160 and multiples of 160 hour blocks per month. In order for Customers to achieve the Enterprise SLA, at least 160 hours per month of Service Engineering must be purchased. Customers purchasing 160 hours of Service Engineering are required to commit to a one-year service term for the personalized support. Standard Professional or Enterprise support uplift fees also apply. Service Engineering is not available to customers who choose the Developer level of support. Service Engineering hours must be used on a monthly basis and unused time does not rollover to the following month. In the event a customer requires hours in addition to the block of hours purchased, an hourly Service Engineering fee will be applied for hours used beyond the monthly block.

Customers who purchase Service Engineering in less than 160 hour blocks can submit support requests around the clock to the shared pool of engineering resources; however, consultative related requests need to be scheduled in advance. Customers who purchase 160 hours or greater blocks of time are assigned a designated person per 160 hour increment within the Service Engineering team as a primary point of contact. This primary point of contact will work a specified shift based on the Customer’s needs. Consultative requests are performed during that shift. The 160 hour block of time assumes a designated point of contact working 40 hours per week with a four week per month average and Services are performed evenly throughout the month. CenturyLink will begin staffing of 160 hour block resources when Customer orders Service Engineering and may take up to two months to hire personnel.

CenturyLink Cloud Service Engineers are CenturyLink Cloud platform oriented and are knowledgeable on cloud solution architectures but are not operating system or application layer experts. Customers who desire expertise for operating systems or applications are encouraged to purchase Service Management Technical Service Engineers where expertise is available for Windows, RedHat, Database and Applications.

Service Management

CenturyLink can also provide integrated fee-based Service Management for Customers considering Professional or Enterprise Support tiers.

The Service Management Service offers personalized support relationships for Customers of CenturyLink Cloud and other CenturyLink Services. Service Management Client Service Partners assist customers with business lifecycle management and customer experience. Technical Service Engineers provide operating system and application layer expertise across CenturyLink Cloud and traditional managed hosting solutions.

| Feature | Designated TSE and CSP |
|---|---|
| Named contact | Yes |
| Contract terms | Annual |
| TSE hours allocated | 20, 40, 60, 80 or 160 hours per month |
| CSP hours allocated | Minimum 8 hours per month |
| Travel costs | Additional |
| Quarterly reviews | Included (expect travel expenses) |

There are several Service Management tiers to choose from based on designated resources for specific hours per month. Designated resources include a Technical Service Engineer (TSE) and a Client Service Partner (CSP). For pricing, please contact your CenturyLink account executive.

Account Management

The designated Service Management (TSE and CSP) and CenturyLink Cloud Service Engineering team will work closely with Customer’s staff to proactively assist on deployment, development, and IT issues with CenturyLink Cloud technologies and will work to address issues in an effective way.

  • Orientation and Planning Session—A meeting between the Service Management resources and designated Customer contacts to outline all service elements and establish expectations
  • Status Meetings—Regularly scheduled calls or customer meetings providing an overall update on all aspects of the contract
  • Resource Facilitation—Coordination of the appropriate resources to help solve/drive Customer’s service requests
  • Escalation Management—the CSP and/or TSE will promptly escalate issues, if any, and involve the appropriate resources to resolve issues

Service Tasks

CenturyLink Cloud offers individual Service tasks to assist with ad hoc requests for technical services like VM Imports, Data Import/Export, Usage Reporting, Disaster Recovery Testing, and more. Service tasks can be purchased on an hourly basis. A complete list of available Service tasks and pricing can be found at CenturyLink Cloud Pricing. Service task estimation and duties are performed during business hours, 9am-5pm Pacific Time.

Technical Account Manager

A Technical Account Manager ("TAM") is a customer advocate and lifecycle business partner for CenturyLink Partners and Customers utilizing CenturyLink Cloud.

Key activities for each TAM include:

  • Support advocacy
  • Problem prevention and resolution
  • Promote optimization
  • Collaboration and communication
  • Navigation of the CenturyLink Cloud environment and process
  • Quality assurance and CenturyLink Cloud feedback

Designated TAM engagements are available to Professional and Enterprise support level customers on a case-by-case basis. Customers may also utilize TAM services for a fee on an as-needed basis.

Professional Services

In the event Customer initiates a service request not described in the Support Activities table in the support section the request will be considered as a professional services request and CenturyLink reserves the right to charge the customer for such requested Services at then current rates or as identified in Customer’s applicable support contract.


Internal VIP: A VIP on a dedicated load balancer. This will always be an internal IP.

IP: The IP used for the Virtual Server. A VIP includes both an IP and a port. Separate VIPs are required for multiple ports used with the same IP.

LUN Copy on Write: Logical Unit Number (LUN) is a unique identifier used to designate individual or collections of hard disk devices for address by a protocol associated with an iSCSI interface. A snapshot of a storage volume is created using the pre-designated space for the snapshot. When the snapshot is first created, only the meta-data about where original data is stored is copied. No physical copy of the data is done at the time the snapshot is created. Therefore, the creation of the snapshot is almost instantaneous. The snapshot copy then tracks the changing blocks on the original volume as writes to the original volume are performed. The original data that is being written to is copied into the designated storage pool that is set aside for the snapshot before original data is overwritten, hence the name "copy-on-write".
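
The copy-on-write behaviour defined above, modelled in Python as an added example (not CenturyLink code). The class names, the `reserve_blocks` parameter, and the choice to invalidate a snapshot when its reserved space fills are assumptions; the guide does not say how a full reserve is handled.

```python
"""Toy model of a copy-on-write (COW) volume snapshot. Illustrative only."""


class SnapshotInvalid(Exception):
    """Raised when reading a snapshot whose reserved space overflowed."""


class Snapshot:
    def __init__(self, volume, reserve_blocks):
        self.volume = volume
        self.reserve_blocks = reserve_blocks  # pre-designated snapshot space
        self.pool = {}                        # block index -> original data
        self.valid = True

    def preserve(self, index, original):
        """Called by the volume just before block `index` is overwritten."""
        if not self.valid or index in self.pool:
            return  # original already saved: later writes copy nothing
        if len(self.pool) >= self.reserve_blocks:
            # Assumption (not from the guide): a full reserve means the
            # snapshot can no longer be kept consistent, so it is dropped.
            self.valid = False
            self.pool.clear()
            return
        self.pool[index] = original

    def read(self, index):
        if not self.valid:
            raise SnapshotInvalid("snapshot reserve exhausted")
        # Preserved copy if the block has changed, otherwise the live block.
        return self.pool.get(index, self.volume.blocks[index])

    def read_all(self):
        return [self.read(i) for i in range(len(self.volume.blocks))]

    def copied_blocks(self):
        return len(self.pool)


class Volume:
    def __init__(self, blocks):
        self.blocks = list(blocks)
        self.snapshots = []

    def snapshot(self, reserve_blocks):
        # Only metadata is created here; no block data is copied,
        # which is why snapshot creation is almost instantaneous.
        snap = Snapshot(self, reserve_blocks)
        self.snapshots.append(snap)
        return snap

    def write(self, index, data):
        # Copy the original block aside before it is overwritten.
        for snap in self.snapshots:
            snap.preserve(index, self.blocks[index])
        self.blocks[index] = data


def demo():
    vol = Volume([b"A", b"B", b"C", b"D"])  # constructed sample data
    snap = vol.snapshot(reserve_blocks=2)
    copied_at_creation = snap.copied_blocks()
    vol.write(1, b"X")
    vol.write(1, b"Y")  # same block again: no second copy is made
    return copied_at_creation, snap.copied_blocks(), snap.read_all(), vol.blocks


if __name__ == "__main__":
    print(demo())
```

The snapshot view stays at the original contents while the live volume changes, and the reserve is consumed once per distinct changed block rather than once per write.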
