Cloud Application Manager

Service Guide

Updated: April 21, 2020


The following Service Guide details CenturyLink’s Cloud Application Manager service. Details for certain key features, such as Managed Services Anywhere and Advanced Managed Services are available in separate Service Guides. See Optional Services section below.

Service Description

Cloud Application Manager is a software-defined managed services orchestration platform that enables the configuration, deployment and management of applications within hybrid IT environments. Hybrid IT refers to enterprise computing solutions that leverage multiple IT infrastructures including, but not limited to, on-premise equipment, public clouds, and private clouds.

Compatible Platforms

Cloud Application Manager can be utilized with the following platforms, all of which are compatible with both Product Editions (see Product Editions):

  • CenturyLink Private Cloud on VMware Cloud Foundation
  • CenturyLink Private Cloud for VMware Cloud on AWS
  • CenturyLink Cloud
  • CenturyLink Dedicated Cloud Computing
  • CenturyLink Dynamic Enterprise Computing III
  • Physical Server (as defined herein)
  • Amazon Web Services
  • Amazon Web Services GovCloud
  • CloudStack
  • Dimension Data
  • Google Cloud
  • Microsoft Azure
  • OpenStack Cloud
  • Rackspace Cloud
  • SoftLayer
  • vCloud Air and vCloud Director
  • VMware vCenter

Product Editions

Cloud Application Manager is available in two editions, SaaS and Dedicated, per subscribed account.

  • SaaS Edition — The SaaS Edition is hosted and managed by CenturyLink and accessed via publicly hosted services at cam.ctl.io. In this edition, a Customer must utilize CenturyLink provided login credentials to access Cloud Application Manager.
  • Dedicated Edition — The Dedicated Edition is a virtual appliance installed by CenturyLink (at a mutually agreed time) on either Customer’s instance of CenturyLink Private Cloud on VMware Cloud Foundation or on a Customer server running VMware vCenter located on Customer’s premise or a third-party data center contracted by Customer. Dedicated Edition enables a Customer to utilize certain Cloud Application Manager features directly via the appliance and does not require access to the shared web portal.

The Cloud Application Manager Dedicated Edition is designed for Customers who require a dedicated environment for a higher level of security. However, Dedicated Edition does not at this time support FISMA or other certified security controls, like FedRAMP.

Product Features

The Cloud Application Manager base features are described in the section below. All features below apply to both Product Editions unless certain restrictions and limitations are noted below or in the Limitations and Exclusions section.

Customer Access

Customers can integrate with their existing Authentication systems with the following authentication protocols:

  • Google Authentication
  • GitHub Authentication
  • SAML
  • LDAP
  • User ID and Password

Cloud Application Manager users can access the entire functionality via API as well as the user interface at cam.ctl.io. Users can create a permanent or a short-term authentication token that can be used to perform API calls.

For the Dedicated Edition, Customers must use a key provided by CenturyLink that enables Customers to activate their copy of the Dedicated Edition in order to access features included in the subscription.

Application Lifecycle Management

Application Lifecycle Management provides an orchestration environment for users to deploy and manage multiple hybrid IT environments. This feature allows for the modeling of infrastructure and applications in Cloud Application Manager once with the ability to deploy multiple times to any of the Compatible Platform environments. Users can choose to model applications in a cloud agnostic fashion or use one of the Compatible Platform’s native modeling templates (e.g. AWS Cloud Formation Template, Azure Resource Manager). Once applications are deployed, users can manage the lifecycle of the application, auto-scale the infrastructure, update/patch applications without down-time and replicate them across environments.

Application Lifecycle Management also has a Continuous Integration and Continuous Deployment (CI/CD) plugin that can be configured to invoke policies in Cloud Application Manager and update applications and infrastructure residing in the underlying Compatible Platform on every code release.

Auto-Discovery

The auto-discovery feature for instances running only on AWS, Azure and CenturyLink Cloud infrastructures enables visibility of resources that have been previously running. Once a platform is configured, Cloud Application Manager discovers all of the virtual machine instances in that environment and lists them for the user. At that time, a virtual machine instance can be selected and imported. Users register an existing instance so the lifecycle can be managed within the Cloud Application Manager environment.

Additional features include:

  • Allows users to use single sign-on to access public cloud provider’s management console
  • Create a hierarchy of organization, cost centers and workspaces to organize resources to represent various internal environments, teams and departments
  • Allows users to model applications using the ALM framework for configuration management and reusability and build cloud agnostic applications
  • Allows users to leverage the cloud provider orchestration templates to deploy provider native services
  • Identity and access management allows the sharing of workspaces, applications and cloud infrastructure across your organization
  • Flexibility to deploy applications on supported cloud infrastructures to meet business demands and organizational preferences

Value Added Reseller Program

Customers can set up new Amazon Web Services (AWS) and Microsoft Azure (Azure) accounts or shift existing AWS and Azure accounts to CenturyLink Cloud Application Manager. There are three distinct options:

  1. Buy a new AWS or Azure account directly from CenturyLink (“Greenfield”)
  2. Migrate existing account to CenturyLink for consolidated billing and support (designating Platform Advisory Support or Managed Services Anywhere) (“Brownfield”)
  3. Buy an AWS or Azure account directly from the provider to be used with Platform Advisory Support or Managed Services Anywhere (“BYOC”)

Authorized Brownfield or Greenfield resale requires additional terms and conditions.

BYOC is the only available option for CAM Dedicated Edition.

All AWS and Azure accounts are required to be fully hardened per the CenturyLink guidelines (see Permissions and Hardening Policy section).

Cloud Optimization & Analytics

The Cloud Optimization & Analytics feature provides for hundreds of automated best practices evaluated against AWS and Azure environments. Examples of checks include:

  • Cost Savings
  • Security Utilization
  • Potential Monthly Savings, Idle Resources and Unused Resources
  • Change Monitoring Reports that list all changes performed by Managed Cloud Provider account
  • IAM Admin User Reports

CenturyLink provides cost optimization, spend analytics, chargeback and best practice recommendations for BYOC and approved public cloud providers.

Cloud Optimization & Analytics is not available with Cloud Application Manager Dedicated Edition.

Technical Account Management (“TAM”)

Technical Account Managers support, by way of example, inquiries regarding Application Lifecycle Management, Cloud Optimization & Analytics, AWS and Azure services. The Technical Account Management responsibilities also consist of: i) providing proactive service delivery plans based on the customer strategies, ii) management of support escalations, iii) answering advisory questions related to any of the three core Cloud Application Manager capabilities, and iv) addressing billing inquiries.

TAM tasks

  • Provides support escalation, best practice and recommendations for additional hands-on services
  • Supports advisory-only level of guidance
  • Shares and explains optimization reporting
  • TAM resource is not dedicated or guaranteed (pooled model)
  • AWS, Azure and VMware certifications and accreditations

Permissions and Hardening

All CenturyLink’s Value Added Reseller program providers (AWS and Azure) are required to be configured with the security and permissions identified below for both Greenfield and Brownfield scenarios.

  • Root account access is required for all accounts within the CenturyLink Value Added Reseller program within Cloud Application Manager (includes both Brownfield and Greenfield accounts).
  • For BYOC accounts and access to billing, Customers retain their own root account access and CenturyLink is set up with an IAM admin-only policy.

Operational Access for Brownfield scenarios only

In order to complete migration of existing accounts to CenturyLink, Customer must give access to CenturyLink’s Global Operations Support personnel on their existing subscription(s) and designate CenturyLink the “owner role” so that resources can be transferred. This is a meta-data change and causes no downtime and does not affect connectivity. This meta-data change allows the Global Operations Support staff to review configurations within the account but does not permit adding, changing, or deleting resources. All support inquiries or tickets for accounts with Managed Services Anywhere must be opened via CenturyLink Global Operations Support and not directly with the underlying provider if the underlying provider is not CenturyLink. CenturyLink will take action designed to ensure permission and all policies and roles (collectively, “IAM Policies”) are enabled continuously or until the end of the applicable service term. Upon expiration or termination of the underlying agreement for services and migration to a successor account, Customer will continue to retain access to IAM Policies. Customer is responsible for ensuring that CenturyLink is removed as an administrator of the account(s) and that all root access rights have been disabled when the account is migrated.

AWS Account Security Configurations

Fully hardened, Customer AWS accounts created within or migrated into CenturyLink’s Value Added Reseller program must comply with the security best practices and operational access designated by AWS. When accounts are created or on-boarded, CenturyLink must initially be given programmatic access to accounts to enable the AWS designated security-related configuration and to permit appropriately permissioned CenturyLink employee access to the activities described in the operational access section above. All credentials provided by the Customer (if part of the Value Added Reseller program) will be encrypted by CenturyLink. The following steps will be taken during the set up or technical enablement of an account:

  • Confirm or set up events and logs storage for security event monitoring
  • Create IAM policies and roles for CenturyLink Global Operations Support
  • Create IAM policies and roles for Application Lifecycle Management, Watcher monitoring and Optimization & Analytics
  • Confirm or set up password policy
  • Confirm or enable root-account Multi-Factor Authentication access
  • Set up Account Controls
  • Enable audits of these configurations

Metrics and account information related to security events will be stored within the customer account and will be retained for the duration of the applicable service term.

For all Brownfield and Greenfield accounts, CenturyLink complies with the provider’s requirements to restrict the cost and spend information and other accounting/billing information in the applicable portal account. Instead, this account and billing information is available within Cloud Application Manager and is provided at no additional cost through Cloud Application Manager’s Cloud Optimization and Analytics module.

Platform Advisory Support

Platform Advisory Support is the baseline support tier that provides guidance in an advisory capacity and is automatically applied to all Cloud Application Manager subscriptions.

This advisory tier includes Global Operations Support in addition to enabling CenturyLink to lead support responsibilities for Azure and AWS (when procured in a Brownfield or Greenfield scenario). For avoidance of doubt, all technology within the environment is treated as advisory only; CenturyLink does not perform or execute any tasks on behalf of the Customer. Platform Advisory Support does not include hands-on change, incident management and proactive remediation based on alerting. If escalations are needed, CenturyLink has the ability to engage directly with AWS and Microsoft for more support guidance.

Platform Advisory Support Activities

  • A Designated (but not dedicated) Technical Account Manager will be assigned for support and advisory services
  • The TAM is the single point of contact for escalations to AWS or Microsoft
  • Introduction to Cloud Application Manager tools and features
  • Delivers best practices security overview for AWS accounts
  • Access to Global Operations Support
  • For Physical Servers, advice on hardware service levels and lifecycle management

Billing

Platform Advisory Support is billed monthly based on the spend of the customer’s Application Lifecycle Management usage, and AWS, Azure, CenturyLink Private Cloud, and CenturyLink Cloud spend. Platform Advisory Support for Physical Server is a percentage of a fixed monthly recurring fee per Physical Server. All Cloud Application Manager services are billed two months in arrears.

Cloud Application Manager Dedicated Edition will be billed a one-time non-recurring fee and a recurring monthly subscription fee in addition to usage fees for Cloud Application Manager features and optional services (excluding Advanced Managed Services).

Optional Services

Managed Services Anywhere

CenturyLink Managed Services Anywhere is a key support feature of Cloud Application Manager, available for purchase for Customers who want additional support or assistance with agile application configuration, deployment, patching, monitoring, troubleshooting, and optimization across a variety of hybrid IT environments.

These services are provided for a growing list of fully managed technologies in a highly orchestrated manner by a team of CenturyLink Cloud Application Manager power users leveraging automation. See the Managed Service Anywhere Service Guide for more information.

Advanced Managed Services

Advanced Managed Services provides additional advanced management service activities beyond those standard activities included with the CenturyLink cloud and hybrid IT. The service provides an extensive set of available activities available to Customers through teams of professional roles that apply learnings from broad IT exposure. For more information, access the Advanced Managed Services Service Description.

Limitations and Exclusions

Cloud Application Manager is currently not available for public sector entities (e.g. federal, state, local or education) requiring FISMA or any other higher-level security or regulatory requirements.

The following features are not available with Cloud Application Manager Dedicated Edition:

  • AWS Resale – Brownfield and Greenfield
  • Azure Resale – Brownfield and Greenfield
  • Cloud Optimization and Analytics
  • Platform Advisory Support is not available for AWS or Azure Marketplace services

Not all Cloud Application Manager Editions and services and features are available in certain countries or regions. A CenturyLink representative should be contacted for a detailed list of geographic, sector, and feature availability.

Customer Responsibilities

For CAM Dedicated Edition the Customer is responsible for the following:

  • A secure internet connection for billing purposes.
  • When the Customer selects Fail Over feature, the Customer is responsible for maintaining and managing connectivity between the standby and active instance of Cloud Application Manager.
  • When the Customer enables Managed Services Anywhere:
    • Integration between Customer’s Service Now instance and Cloud Application Manager must be established.
    • Customer provides CenturyLink Operations with login credentials for and access to the Customer’s Service Now instance.
    • Customer provides CenturyLink Operations with remote access to and credentials for Cloud Application Manager Dedicated instance.
    • Customer allows CenturyLink to maintain administrator-level access to all instances and physical servers where Managed Services Anywhere is enabled.
    • Customer establishes a connection for CenturyLink Operations to remotely access managed workloads.

Definitions

Brownfield: Migrating a customer’s existing 3rd party cloud provider account to CenturyLink for consolidated billing and support (and designating Platform Advisory Support or Managed Services Anywhere) is known as a “Brownfield” account.

Buy-Your-Own-Cloud or BYOC: Buy an AWS or Azure account directly from the provider or another 3rd party (not CenturyLink) to be used with Platform Advisory Support and Managed Services Anywhere is known as “Buy-Your-Own-Cloud” or “BYOC”.

Greenfield: The creation of a new third-party cloud provider account via CenturyLink for consolidated billing is known as a “Greenfield” account.

Physical Servers: Bare metal servers running a single operating system located in a customer premise, colocation environment, or a CenturyLink managed hosting facility.