Cloud Application Manager

Service Guide

Updated: January 23, 2020

Product Description — Overview

Cloud Application Manager is a software-defined managed services orchestration platform that enables the configuration, deployment and management of applications within hybrid IT environments. Hybrid IT refers to enterprise computing solutions that leverage multiple IT infrastructures including, but not limited to, on-premise equipment, public clouds, and private clouds.

CenturyLink Managed Services Anywhere provides agile application configuration, deployment, patching, monitoring, troubleshooting, and optimization across a variety of hybrid IT environments. These services are provided for a growing list of fully managed technologies in a highly orchestrated manner by a team of CenturyLink Cloud Application Manager power users leveraging automation. Services are accessible through the Century Global Operations Center.

Platform Advisory Support is available for customers who want to self-manage their environments via Cloud Application Manager.

Product Editions

Cloud Application Manager currently has the following two commercial versions available. Cloud Application Manager is currently not available for public sector entities (e.g. federal, state, local or education) requiring FISMA or any other higher level security or regulatory requirements.

  • Cloud Edition — a SaaS experience that is accessed at
  • Dedicated Edition (formally known as Datacenter Edition) — a virtual appliance that runs on-premises in a Customer's datacenter or any other Customer location including a Customer’s separately contracted public cloud environments. Only the Application Lifecycle Management feature (as more fully described in the features section below) is available with Dedicated Edition. Dedicated Edition is available in the United States only.

NOTE: Not all Cloud Application Manager services and features are available in certain countries or regions. A CenturyLink representative should be contacted for a detailed list of geographic, sector, and feature availability.

A. Cloud Application Manager Features

The Cloud Application Manager base features are described in the section below. Certain restrictions and limitations may apply depending upon the product edition and provider utilized by Customer.

Customer Access

Customers can integrate with their existing Authentication systems with the following authentication protocols:

  • Google Authentication
  • GitHub Authentication
  • SAML
  • LDAP
  • User ID and Password

Cloud Application Manager users can access the entire functionality via API as well as the user interface at Users can create a permanent or a short- term authentication token that can be used to perform API calls.

Application Lifecycle Management

Application Lifecycle Management provides an orchestration environment for users to deploy and manage multiple hybrid IT environments. This feature allows for the modeling of infrastructure and applications in Cloud Application Manager once with the ability to deploy multiple times to any of the Compatible Cloud Provider environments. Users can choose to model applications in a cloud agnostic fashion or use one of the Compatible Cloud Provider’s native modeling templates like AWS Cloud Formation Template or Azure Resource Manager. Once applications are deployed using the templates, users can manage the lifecycle of the application, auto-scale the infrastructure, update/patch applications without down-time and replicate them across environments.

Application Lifecycle Management also has a Continuous Integration and Continuous Deployment (CI/CD) plugin that can be configured to invoke policies in Cloud Application Manager and update applications and infrastructure residing in the underlying Compatible Cloud Provider platforms, on every code release.

Application Lifecycle Management Compatible Cloud Providers

A current list of Compatible Cloud Providers is available in the KB article “Providers”.


The auto-discovery feature for instances running only on AWS, Azure and CenturyLink Cloud infrastructures enables visibility of resources that have been previously running. Once a provider is configured, Cloud Application Manager discovers all of the virtual machine instances in that environment and lists them for the user. At that time, a virtual machine instance can be selected and imported. Users register an existing instance so the lifecycle can be managed within the Cloud Application Manager environment.

Additional features include:

  • Allows users to use single sign-on to access public cloud provider’s management console
  • Create a hierarchy of organization, cost centers and workspaces to organize resources to represent various internal environments, teams and departments
  • Allows users to model applications using the ALM framework for configuration management and reusability and build cloud agnostic applications
  • Allows users to leverage the cloud provider orchestration templates to deploy provider native services
  • Identity and access management allows the sharing of workspaces, applications and cloud infrastructure across your organization
  • Flexibility to deploy applications on supported cloud infrastructures to meet business demands and organizational preferences
Value Added Reseller Program (AWS and Azure)

Customers can setup new Amazon Web Services (AWS) and Microsoft Azure (Azure) accounts or shift existing AWS and Azure accounts to CenturyLink Cloud Application Manager. There are three distinct options:

  1. Buy a new AWS or Azure account directly from CenturyLink (“Greenfield”)
  2. Migrate existing account to CenturyLink for consolidated billing and support (designating Platform Advisory Support or Managed Services Anywhere) (“Brownfield”)
  3. Buy an AWS or Azure account directly from the provider to be used with Platform Advisory Support or Managed Services Anywhere (“BYOC”)

Authorized Brownfield or Greenfield resale requires additional terms and conditions.

All AWS and Azure accounts are required to be fully hardened per the CenturyLink guidelines (see Permissions and Hardening Policy section).

Cloud Optimization & Analytics

The Cloud Optimization & Analytics feature provides for hundreds of automated best practices evaluated against AWS and Azure environments. Examples of checks include:

  • Cost Savings
  • Security Utilization
  • Potential Monthly Savings, Idle Resources and Unused Resources
  • Change Monitoring Reports that list all changes performed by Managed Cloud Provider account
  • IAM Admin User Reports

CenturyLink provides cost optimization, spend analytics, chargeback and best practice recommendations for BYOC and approved public cloud providers.

This feature is not available for Physical Servers.

Technical Account Management (“TAM”)

Both support tiers, Platform Advisory Support and Managed Services Anywhere, provide customers with a technical expert and program governance agent(s) available on a next available basis. Technical Account Managers support by way of example, inquiries regarding Application Lifecycle Management, Cloud Optimization & Analytics, AWS and Azure services. The Technical Account Management responsibilities also consist of i) providing proactive service delivery plans based on the customer strategies, ii) management of support escalations, iii) answering advisory questions related to any of the three core Cloud Application Manager capabilities, and iv) addressing billing inquiries.

TAM tasks provided under Platform Advisory Support

  • Provides support escalation, best practice and recommendations for additional hands-on services
  • Supports advisory-only level of guidance
  • Share and explain optimization reporting
  • TAM resource is not dedicated or guaranteed (pooled model)
  • AWS, Azure and VMware certifications and accreditations

TAM tasks provided under Managed Services Anywhere

  • Provides Getting-Started activities
  • Coordinate service desk and support engineering for hands-on action
  • Identify cost/performance optimization and execute recommendations
  • Coordinate monitoring policy creation and updates with service desk
  • Coordinate modifying and deploying Script, Application and cloud native templates with service desk
  • Coordinate configuring user access and permissions with service desk
  • Coordinate more extensive architectural and design services
  • Contribute to root cause analysis, problem resolution and remediation
  • Respond and provide updates to service requests
  • Facilitate patch/backup schedule and communicate upcoming changes

B. Platform Advisory Support

Platform Advisory Support is the baseline support tier that provides guidance in an advisory capacity and is automatically applied to all Cloud Application Manager subscriptions.

This advisory tier includes Global Operations Support in addition to enabling CenturyLink to lead support responsibilities for Azure and AWS (when procured in a Brownfield or Greenfield scenario). For avoidance of doubt, all technology within the environment is treated as advisory only; CenturyLink does not perform or execute any tasks on behalf of the Customer. Platform Advisory Support does not include hands-on change, incident management and proactive remediation based on alerting. If escalations are needed, CenturyLink has the ability to engage directly with AWS and Microsoft for more support guidance.

Platform Advisory Support Activities

  • A Designated (but not dedicated) Technical Account Manager will be assigned for support and advisory services.
  • The TAM is the single point of contact for escalations to AWS or Microsoft.
  • Introduction to Cloud Application Manager tools and features.
  • Delivers best practices security overview for AWS accounts.
  • Access to Global Operations Support.

C. Managed Services Anywhere

The Managed Services Anywhere support tier provides a complete management experience for hybrid IT environments. Managed Services Anywhere is enabled on provider in Cloud Application Manager.

Customers must have or obtain and maintain all appropriate permissions to enable the installation by CenturyLink of a proprietary management appliance on each Managed Provider environment for which Managed Services Anywhere is selected in order to enable CenturyLink to perform it obligations. CenturyLink will also deploy a remote gateway on the appliance to establish a secure connection between the applicable Managed Provider environment and CenturyLink to remotely monitor and access the applications within the Customer’s environment that Customer designates to CenturyLink to manage. The connection is monitored and maintained by CenturyLink.

Any changes to the customer network or environment by Customer that results in degradation or disconnection of the connection will result in CenturyLink’s inability to provide Managed Services Anywhere. CenturyLink’s management fees related to Managed Services Anywhere do not apply to the appliance itself. Instead Customer will be charged for the applicable Virtual Machine (VM) instance that the appliance runs on. These charges will be reflected on the Customer’s cloud provider bill. See Remote Administration in the table below for further detail.

In addition to all of the base features of Cloud Application Manager listed above, the table below describes the standard operational functions of Managed Services Anywhere. CenturyLink reserves the right to require Advanced Managed Services or other upgrades (subject to additional terms and pricing) for any customer request that is not described in the tables below or otherwise deemed out of scope. Certain support services may be automated or provided by CenturyLink designated personnel.

Activities Performed by CenturyLink within Managed Services Anywhere

Configuration Management
  • Confirm the initial install and basic functionality of the OS, application components,or native cloud service based on Managed Provider recommended best practices where applicable.
  • Perform configuration management on the managed device via Cloud Application Manager’s remote administration functionality.
  • Maintain version control of deployed VMs, application and services.
Remote Administration
  • Perform systems administration tasks on the Customer’s behalf.
  • Maintain administrator-level access to all instances and physical servers within the Managed Services Anywhere enabled Managed Provider account; subject at all times to Customer ensuring that CenturyLink has the appropriate permissions.
  • Administrator level access permits CenturyLink to view physical servers, instances, VMs, the databases, etc.
  • Remotely access managed devices on the customer’s environment via the remote gateway.
  • In order to provide effective remote administration service for Windows Operating Systems, the CenturyLink proprietary management appliance will serve as an AD controller to which managed Windows servers will join if Customer has not configured an Active Directory. Where Customer’s Active Directory exists, a trust between the Customer’s Active Directory and the controller on the management appliance must be established for authentication of CenturyLink remote administrators.
Patching and Maintenance
AWS and Azure Resale

Support and install available critical and vendor-recommended patches. Customers have full control to define when and if CenturyLink should schedule their patching cycles. CenturyLink’s automated system tracks the change request, performs the patch management and provides reports. This includes:

  • Approving and delivering service packs, cumulative updates and hotfixes for services running in the Managed Cloud Providers’ environments
  • Automated system tracking of change requests and performing the patch management
  • Providing status reports
  • Implementing specific OS patching on MSA enabled environments

Change Management activities through risk guidance, testing procedures, tracking metrics throughout progress, roll-back processes and post-deployment validation. Such changes are performed on behalf of the Customer and are available for auditing purposes. Customers are responsible for requesting the implementation of patch releases.

Maintenance Windows: All times listed under Schedule Maintenance Windows are local times and subject to change.

Access Management

CenturyLink manages user policies, administration and password management enforcement of Managed Provider accounts configured within Cloud Application Manager.


CenturyLink offers access to industry-recognized anti-virus protection intended to secure the OS, taking into account the guidelines of the Managed Providers, regular virus and malware signature updates, and offers OS-level hardening recommendations to mitigate risk on the Managed Provider environment. (See Permissions and Hardening section.) Implementation of other recommended or client-required hardening steps is accomplished via the normal support ticketing process with Managed Services Anywhere.


CenturyLink will provide support for the following license types for the customer environments that are designated for Managed Services Anywhere, subject to the Permissions and Hardening section below:

  • Customer-provided licenses used and modeled within Cloud Application Manager.
  • Licenses provided by the native Managed Cloud Provider environments.
Watcher Monitoring and Alerting (limited to AWS and Azure)

The CenturyLink developed and proprietary monitoring service (Watcher), automatically integrated directly with AWS and Azure monitoring technologies, enables host, service, and application monitoring of Customer’s AWS or Azure cloud environments. The Watcher utilizes an intelligent agent deployed to all managed VMs or physical servers. Monitoring policies are centrally configured and maintained by CenturyLink certified cloud engineers. Watcher is deployed on physical servers, enables hardware and OS monitoring of Customer’s private environment.

CenturyLink’s Watcher uses both agent-based and cloud service provider metrics (for physical servers only an agent is used) to generate alerts on the performance of the applicable record or log flagged for monitoring. Metrics are the result of standard checks that are performed and reported back to the customer and CenturyLink’s support organization.

  • Comprehensive monitoring policy is applied to all managed instances (e.g. VMs, database instances, storage instances, etc.).
  • Configurable monitoring policies for defining alerts and trigger based notifications via service request.
  • Change Management integration for automated suppression of alerts during maintenance activities.
  • Watcher dashboard to view policies and alerts on all managed devices, applications and services.
  • Graphing of performance metrics for managed workloads, applications and services enables historical trending and analysis.
  • Historical retention of the performance logs or records is currently on a rolling 14 calendar days basis. This can be adjusted via an Advanced Managed Services Upgrade package.
  • Graph overlays to compose and compare disparate metrics sets in a single view.
Disaster Recovery (DR) Readiness

Utilizing SafeHaven, a CenturyLink-developed disaster recovery tool (see Section G, SafeHaven below for further detail), CenturyLink enables Disaster Recovery (DR) Readiness on Customer’s Managed Cloud Provider infrastructure. Customers may optionally choose to have DR Readiness enabled for VMs that are under the management scope for Managed Services Anywhere at the Managed Cloud Providers account layer. The SafeHaven technology employed for DR Readiness utilizes HTTPS over the Internet for certain functions and requires an account and cloud infrastructure consumption with one of the available Managed Cloud Providers. Additional fees will apply for both the Managed Cloud Provider Services consumption and for CenturyLink’s Managed Services Anywhere management fees. Customers are responsible for performing Testing, Failover and Failback operations. Guidance in an advisory capacity for performing these operations is available by contacting Customer’s Technical Account Manager. If Customer requires hands-on assistance with Testing, Failover and Failback operations, Customer may elect to purchase the Disaster Recovery Add On available with Advanced Managed Services for additional fees.

CenturyLink certified cloud engineers provision, configure and administer DR Readiness in the Customer’s Managed Cloud Provider accounts for the source (production) and recovery platforms.

D. Managed Providers

Managed Services Anywhere is currently available for the following account types, which may be modified or changed from time to time. The below listed providers are collectively referred to as “Managed Provider(s)”. The Managed Services Anywhere support tier must be selected for each individual subscription account:

  • CenturyLink Cloud — Supported for BYOC. CenturyLink Cloud must be procured separately (not able to be purchased within Cloud Application Manager)
  • CenturyLink Private Cloud on VMware Cloud Foundation — Supported for BYOC. CenturyLink Private Cloud on VMware Cloud Foundation must be procured separately (not able to be purchased within Cloud Application Manager)
  • Microsoft Azure — Supported for BYOC, new Greenfield resale accounts or pre-existing Brownfield accounts that shift over to CenturyLink for billing ownership
  • Amazon Web Services (AWS) — Supported for BYOC, new Greenfield resale accounts or pre-existing Brownfield accounts that shift over to CenturyLink for billing ownership
  • Physical Servers — Bare metal servers located in a customer premise, colocation environment, or a CenturyLink managed hosting facility.

A more detailed list of Managed Cloud Provider Managed Technologies can be found in Appendix B.

E. Billing

For cloud-based Managed Providers, each of the support tiers (Platform Advisory Support and Managed Services Anywhere) is billed monthly based on the spend of the Managed Provider and consumed CenturyLink services. All Cloud Application Manager services are billed two months in arrears.

For Physical Server environments, each of the support tiers is billed monthly on a fixed monthly fee.

F. Permissions and Hardening

All Managed Provider accounts that are identified for Managed Services Anywhere or procured via CenturyLink’s Value Added Reseller program (AWS and Azure — in a Greenfield or Brownfield scenario) are required to be configured with the security and permissions identified below in order to accurately process billing as a percentage of Managed Provider spend for CenturyLink support services.

Below are the required levels of access:

  • Root account access is required for all accounts within the CenturyLink Value Added Reseller program within Cloud Application Manager (includes both Brownfield and Greenfield accounts.
  • For BYOC accounts and access to billing, Customers retain their own root account access and CenturyLink is setup with an IAM admin-only policy.

All Physical Server Managed Provider accounts that are identified for Managed Services Anywhere are required to be configured with the security and permissions needed to provide management services.

Remote administration categorizes connections to two families, tenant and admin. Tenant connections are those that originate from a management appliance. Admin connections are for those intending to gain access to a tenant’s environment.

  1. Firewall - Currently three rules are enforced:
    1. Admins are allowed to send any traffic to tenants
    2. Tenants are not allowed to send any traffic to one another
    3. Tenants are only allowed to send traffic to admins if it is related to an existing connection initiated from an admin connection.
  2. Authentication
    1. Admin connections can be authenticated in various ways, from PSK, MSCHAPv2, Radius, or any other Strongswan supported authentication backend.
    2. Tenant connections are authenticated by 4096 bit RSA certificate based authentication.

Operational Access for Brownfield scenarios only

In order to complete migration of existing accounts to CenturyLink, Customer must give access to CenturyLink’s Global Operations Support personnel on their existing subscription(s) and designate CenturyLink the “owner role” so that resources can be transferred. This is a meta-data change and causes no downtime and does not affect connectivity. This meta-data change allows the Global Operations Support staff to review configurations within the account but does not permit adding, changing, or deleting resources. All support inquiries or tickets for accounts with Managed Services Anywhere must be opened via CenturyLink Global Operations Support and not directly with the underlying provider if the underlying provider is not CenturyLink. CenturyLink will take action designed to ensure permission and all policies and roles (collectively, “IAM Policies”) are enabled continuously or until the end of the applicable service term. Upon expiration or termination of the underlying agreement for services and migration to a successor account, Customer will continue to retain access to IAM Policies. Customer is responsible for ensuring that CenturyLink is removed as an administrator of the account(s) and that all root access rights have been disabled when the account is migrated.

AWS Account Security Configurations

Fully hardened, Customer AWS accounts created within or migrated into CenturyLink’s Value Added Reseller program must comply with the security best practices and operational access designated by AWS. When accounts are created or on-boarded, CenturyLink must initially be given programmatic access to accounts to enable the AWS designated security-related configuration and to permit appropriately permissioned CenturyLink employee access to the activities described in the operational access section above. All credentials provided by the Customer (if part of the Value Added Reseller program) will be encrypted by CenturyLink. The following steps will be taken during the set up or technical enablement of an account:

  • Confirm or set up events and logs storage for security event monitoring
  • Create IAM policies and roles for CenturyLink Global Operations Support
  • Create IAM policies and roles for Application Lifecycle Management, Watcher monitoring and Optimization & Analytics
  • Confirm or set up password policy
  • Confirm or enable root-account Multi-Factor Authentication access
  • Set up Account Controls
  • Enable audits of these configurations

Metrics and account information related to security events will be stored within the customer account and will be retained for the duration of the applicable service term.

For all Brownfield and Greenfield accounts, CenturyLink complies with the Managed Providers’ requirements to restrict the cost and spend information and other accounting/billing information in the Managed Provider portal account. Instead, this account and billing information is available within Cloud Application Manager and is provided at no additional cost through Cloud Application Manager’s Cloud Optimization and Analytics module.

G. SafeHaven

CenturyLink’s SafeHaven software (“SafeHaven”) is a distributed software architecture that delivers group consistency and run book automation for multi-tiered applications, automates data center disaster recovery orchestration, enables continuous recovery with group consistency and checkpoints, and provides recovery/redundancy for virtualized IT servers. SafeHaven also includes a graphical user interface and is compatible with multiple server operating systems.

As used herein, “data centers” refers to the infrastructure on which SafeHaven Replication Node (“SRN”) and Central Management Server (“CMS”) are deployed and configured. Customer may designate any supported data center as the production data center, and the remaining supported data centers would thereby be the recovery data center.

The SafeHaven software is comprised of certain open source software. Customers must install the relevant software on all desktop or laptop computers that Customer will use for SafeHaven administration. Please see the Knowledge Base article SafeHaven 5: Open Source Components for additional details.

SafeHaven includes the system components listed below and follows a structural hierarchy in the following order:

  • Cluster
  • Data Center
  • SafeHaven Replication Node (SRN)
  • Protection Group
  • Protected VM/Disk


A SafeHaven Cluster means the group of data centers and each SafeHaven cluster can service up to 64 virtualized data centers. A Customer may utilize any combination of virtual data centers and dedicated data centers.

A Central Management Server is an Ubuntu 16 based lightweight virtual appliance (virtual machine) in a recovery data center that connects all the data centers/appliances together and provides access to the DR environment via a SafeHaven console (GUI), which is a standalone java client (provided by CenturyLink) utilized to access the SafeHaven cluster.

Each SafeHaven cluster includes a single active Central Management Server (CMS). The CMS utilizes the SafeHaven virtual appliance installed at the recovery site and is part of the SafeHaven architecture that:

  • Receives commands from the SafeHaven console and relays them to the appropriate SRN in the appropriate data center.
  • Monitors heartbeats from the SRNs.
  • Receives state information from SRNs and relays it to the SafeHaven console.

Data Center

The data center layer is the set of data centers Customer chooses to provision as the recovery site(s) within a cluster via the SafeHaven console.

SafeHaven classifies data centers based on the API used for orchestration of recovery operations and recognizes the Managed Providers as DR target infrastructure. In the case of CenturyLink Private Cloud on VMware Cloud Foundation, virtual machine power on and power off operations are manual, meaning these operations are not automated through SafeHaven.

In cases where the data center is a third party Managed Provider, Customer may be responsible for configuring their account(s), using the third party services in a manner that provides security and redundancy, including enhanced access controls, encryption and backup, and ensuring CenturyLink has all appropriate permissions, credentials and access in order for CenturyLink to perform installation and configuration of SafeHaven. CenturyLink is not responsible or liable for any losses or damages related to the third party services, (direct or via any indemnity) including any liability, losses or damages related to unauthorized access or content or data loss and any losses or damages arising from or related to the installation and operation of SafeHaven on third party systems.

Any required network or internet connectivity between any of the data center types listed above is solely the responsibility of the Customer. Customer acknowledges that CenturyLink’s responsibility herein is related to enabling production and recovery environments and storage as detailed herein and such responsibility does not extend to any information, data or content that the Customer may send and/or store within such production or recovery sites. Customer is solely responsible for all data or content, in transit and at rest, whether in the DR or Production environment or in the storage space on disc as detailed in the SRN section below. CenturyLink is not liable for any losses or damages direct or via indemnity related to such data or information including any liability, losses or damages related to unauthorized access or content or data loss.


The SRN is an Ubuntu 16 based lightweight virtual appliance (virtual machine) which transfers and retains production data. This includes all SRNs provisioned within the SafeHaven cluster. Each SRN is associated with a data center as shown in the SafeHaven hierarchy. A given data center may include multiple SRNs. SRNs replicate at the LUN level transmitting updated blocks for each Protection Group to a peered SRN in a remote data center. Although each active Protection Group has a replica in only one other site, an SRN may support a set of Protection Groups that each have replica instances in distinct remote data centers.

Customer is responsible for purchasing and providing the following additional storage requirements or CenturyLink may not be able to provide the Service:

  • Customer must provide the required amount of disk space (i.e. “storage pool”) so the SRNs can perform their operations. The SRN will utilize the disk space made available by the Customer. Customer’s failure to maintain adequate disk space will cause the SRN operations to fail and will affect CenturyLink’s ability to provide the Service.
  • The production SRN must be provided with a storage pool of sufficient size to mirror the protected VMs.
  • The recovery SRN must be provided with a storage pool of sufficient size to host the protected VM disks inside the recovery site.
  • SRNs must also have enough storage for Protection Group checkpoints. The amount of storage allocated determines how many checkpoints will be retained in the checkpoint history.

Protection Groups

A Protection Group is a set of servers and hard disks grouped by SafeHaven that failover and failback together to the same instant in time and are shutdown and brought-up according to a prescribed recovery plan. Each Protection Group corresponds to a distinct set of servers and hard disks replicated to a remote site by SRNs. SafeHaven is set up to allow the applicable systems to recover via a remote data center with mutually consistent data images as they were at specific instances in time.

Each data center within a cluster can include both active Protection Groups and replica instances of remote Protection Groups. Protection Groups are logical mappings between the production and recovery servers. Protection Groups are created from within the SafeHaven console and users have the choice to either include one or multiple servers inside a single protection group. All the recovery operations are initiated from a Protection Group level.

Protected VM/Disk

Write traffic for each protected VM and hard disk is locally and synchronously mirrored within the production data center so that it is written both to the primary data store and also to a local SRN. For Windows Server Operating Systems 2008R2 and later, the SafeHaven local replication agent is employed and in Linux Operating Systems, Rsync is employed.


SafeHaven checkpoints correspond to LUN-level Copy on Write snapshots and are block-consistent representations of a Protection Group at an instant in time.


  • VMware virtualization.
  • Network interface card: VMXNET3 (only).
  • Virtual 64-bit Operating Systems: Windows 2008R1, R2, 2012, 2016, 2019
  • Minimum number of CPU per protected Windows VM is two.
  • Total storage per Windows/Linux guest is limited to 9TB.
  • Total capacity per disk/Protection Group is 9TB.
  • VSS is only available for Windows protection group with a single server.
  • Global Unique Identifier Partition Table (GPT) boot disk is not supported.
  • Databases are not supported.
  • Domain Controllers are not supported.
  • Desktop Operating Systems are not supported.
  • Manual power operations required for CenturyLink Private Cloud on VMware Foundation.

Open Source Software

SafeHaven uses software to employ the relevant open source software. Details of the various components can be found in the Knowledge Base article SafeHaven: Open Source Components. All users of the Service are subject to the terms and conditions of any applicable open source license agreements.

Software Deletion

Due to the self-service nature of the Service, upon termination of a Service where Customer is using SafeHaven, Customer is responsible for deleting all SafeHaven software, any related cloud infrastructure and components employed to provide the Service and any and all data or content Customer chose to replicate and/or store to an applicable data center while using the Services.

Appendix A – Definitions

Break/Fix: Break/fix refers to the fee-for-service method of providing information technology repairs to businesses, in which a customer calls up a service provider to do an upgrade of a computer program, software product, computer, or a repair of something computer-related like a printer or drive array that is broken, the IT provider offers a solution or repair.

Brownfield: Migrating a customer’s existing 3rd party cloud provider account to CenturyLink for consolidated billing and support (and designating Platform Advisory Support or Managed Services Anywhere) is known as a “Brownfield” account.

Buy-Your-Own-Cloud or BYOC: Buy an AWS or Azure account directly from the provider or another 3rd party (not CenturyLink) to be used with Platform Advisory Support and Managed Services Anywhere is known as “Buy-Your-Own-Cloud” or “BYOC”.

Compatible Cloud Providers: A current list of Compatible Cloud Providers supporting Application Lifecycle Management is available in this Knowledge Base article.

Cumulative Update: A grouping of Hotfixes or quick fix engineering updates that have not been fully regression tested by Microsoft but are designed to resolve specific issues with Microsoft SQL Server.

Domain Name System (DNS) Proxy: is a network system of servers that translates numeric IP addresses into readable, hierarchical Internet addresses, and vice versa.

Greenfield: The creation of new third party cloud provider account via CenturyLink for consolidated billing is known as a “Greenfield” account.

Hardened OS: Hardened OS means that all non-essential services and testing patched bundled in a standard operating system are disabled and functionality has been confirmed.

Hotfix: A hotfix or quick fix engineering update is a single cumulative package that includes information that is used to address a problem in a software product.

Hypertext Transfer Protocol (HTTP) Proxy: Provides port access to the Internet.

Major Release: Major Releases (X.y.z) are vehicles for delivering major and minor feature development and enhancements to existing features. They incorporate all applicable error corrections made in prior Major Releases, Minor Releases, and Patch Releases. Software Provider typically has one Major Release per year.

Managed Providers: In support of Managed Services Anywhere, Managed Providers are currently CenturyLink Cloud, CenturyLink Private Cloud on VMware Cloud Foundation, Microsoft Azure, Amazon Web Services, and Physical Servers.

Minor Release: Minor Releases (x.Y.z) are vehicles for delivering minor feature developments, enhancements to existing features, and defect corrections. They incorporate all applicable error corrections made in prior Minor Releases, and Patch Releases.

Network Time Protocol (NTP) Service: Synchronize all server times to a common system time.

Patch Release: Patch Releases (x.y.Z) are vehicles for delivering security fixes, feature developments, enhancements to existing features, and defect corrections. They incorporate all applicable error corrections made in prior Patch Releases.

Physical Servers: Bare metal servers located in a customer premise, colocation environment, or a CenturyLink managed hosting facility.

Custom Patch Requirements: Customer selection of specific patches versus accepting all recommended patches, custom reporting to meet regulatory requirements versus standard reporting, variable patch schedule versus defined Maintenance Windows (see Definitions) and support for maintaining multiple patch levels versus having all patches applied (i.e. patches applied differ based on Production or Non-Production Environment).

Systems: The computer equipment and software that is approved by CenturyLink and utilized by the Customer in connection with the provision of Service by CenturyLink.

Appendix B – Managed Provider Technologies

The various technologies listed below are accurate as of the version date of this Service Guide and are subject to change without notice based on vendor modifications to their technologies and/or offerings. Updates to this list of technologies will be posted as the technologies change.

1. AWS

Managed Technologies EC2
Direct Connect
Trusted Advisor
Auto Scale
RDS (MySQL, Oracle, SQL)
Cloud Formation
Cloud Trail
Route 53
Management Tools
Cloud Watch
Elastic Load Balancing
Cert Manager
Directory Services
Advisory Technologies All native AWS services excluding AWS Marketplace

2. Microsoft Azure

Managed Technologies Virtual Machines
Load Balancer
Security Groups
Network Interfaces
Blob Storage
Azure SQL
Scale Sets
VPN Gateway
IP Addresses
File Storage
Disk Storage
Virtual Network
Application Gateway
Local Network Gateway
Archive Storage
Queue Storage
SQL Server
Advisory Technologies All native Microsoft Azure services excluding Microsoft Azure Marketplace

3. CenturyLink Private Cloud on VMware Cloud Foundation

Managed Technologies Edge Gateway
VMware vCloud Director service features
Advisory Technologies All native CenturyLink Private Cloud on VMware Cloud Foundation services.

4. CenturyLink Cloud (CLC)

Managed Application and OS Technologies Microsoft Windows Server
Red Hat Enterprise Linux
Amazon AWS-Linux (EC2 deployment)
Microsoft SQL
Advisory Technologies All native CenturyLink Cloud services excluding CenturyLink Cloud Marketplace.

5. Physical Server

Managed Technologies All technologies noted in Section 6, where applicable.
Advisory Technologies Hardware service level and lifecycle management advice.

6. Applications and Databases currently supported for all current Compatible Cloud Providers

The below list of applications is covered under Managed Services Anywhere residing on the Compatible Cloud Provider platforms as long as the application is running on any Compatible Cloud Provider platform.

Managed Technologies Apache
Microsoft Windows Server
Microsoft SQL
Red Hat Enterprise Linux
Ubuntu Linux
Amazon AWS-Linux (EC2 Deployment)
Active Directory*
Advisory Technologies Oracle
SAP Containers
Other Open Source Technologies
Any other tech, app, service, language

* Available only on CenturyLink Private Cloud on VMware Cloud Foundation platform.