Cloud Application Manager

Service Guide

Updated: October 29, 2018


Product Description — Overview

Cloud Application Manager allows organizations to do more with their clouds by driving collaboration between the spheres of influence within enterprise IT — Developers, IT Operations and Finance — into a common team workspace, where they focus on modeling workloads, managing them through their lifecycle, and optimizing costs against business initiatives.

From a single platform, an automated software-defined managed service can automatically configure, deploy, scale, or update new and existing applications for public, private and hybrid IT environments and track applications and workloads. Certain public cloud services can also be procured and consumed within the platform. By subscribing to CenturyLink support, users can leverage the experts at CenturyLink to monitor and manage the health and stability of workloads.

Cloud Application Manager offers 2 support tiers. All Customers receive the baseline Platform Advisory Support. Customers may select Managed Services Anywhere (“MSA”) for each Supported Provider (see section below) account. Each support tier is more fully described in Sections A and B below.

The primary capabilities of Cloud Application Manager focus on:

  • Managed Services Anywhere: Choose to have CenturyLink manage Customer’s Supported Providers. This includes managing workloads, monitoring, patching, provisioning, enterprise grade support, remediation and much more. MSA may also be utilized with Buy-Your-Own-Cloud (BYOC).
  • Platform Advisory Support: Standard advisory level guidance and best-practices advice for the services being consumed through the Supported Provider, including the native orchestration and management platform.

Product Editions

Cloud Application Manager has two commercial versions available. Cloud Application Manager is not available for any public sector (e.g. federal, state, local or education) customer who requires FISMA or any other higher level security or regulatory requirements. Please review the sector availability matrix for further details.

  • Cloud Edition — a SaaS experience that is accessed at [account.cam.ctl.io](https://account.cam.ctl.io/)
  • Datacenter Edition — a virtual appliance that runs on-premises in a Customer's datacenter or any other location including public cloud environments. The Managed Services Anywhere support tier and the Cloud Optimization & Analytics feature are not available within the Datacenter Edition.

A. Managed Services Anywhere (MSA)

This automated software defined managed services platform, powered by cloud and infrastructure experts, provides a complete management experience for hybrid IT environments. MSA is designated at the cloud or infrastructure provider account layer and includes management of applications or workloads that run on top of the cloud platform. The standard features of MSA include deployment, configuration, administration, monitoring, maintenance and support for the Supported Providers and certain provider services.

By selecting MSA, Customer agrees and shall ensure that it has all appropriate permissions to enable the installation by CenturyLink of a proprietary management appliance on each platform/environment for which MSA is selected in order to enable CenturyLink to perform its obligations. CenturyLink’s management fees are not applicable to the appliance itself. In addition, a remote gateway is deployed on the appliance to establish a secure connection between the customer network and CenturyLink to remotely access managed devices on the customer’s network. The connection is monitored and maintained by CenturyLink.

The table below describes the standard operational functions of MSA. CenturyLink reserves the right to require Advanced Managed Services or other upgrades (subject to additional terms and pricing) for any Customer request that is not described in the tables below or otherwise deemed out of scope.

Functions Performed by CenturyLink within MSA only

Deployment
  • Enable the modeling of applications, workloads and cloud infrastructure services. This includes system deployment verification and will confirm functionality post deployment.
  • Application deployment verification post deployment.
Configuration Management
  • Confirm the initial install and basic functionality of the OS, application components and native cloud service based on platform and provider recommended best-practices.
  • Perform configuration management on the managed device via Cloud Application Manager’s Remote Administration functionality.
  • Maintain version control of deployed VMs, application and services.
Remote Administration
  • CenturyLink will perform systems administration tasks on the Customer’s behalf, 365x24x7.
  • CenturyLink will maintain administrator-level access to all instances within the managed Supported Provider; subject at all times to Customer ensuring that CenturyLink has the appropriate permissions.
  • Supported Provider charges for VM will be reflected on the Customer’s cloud provider bill (e.g. either on the bill with the Supported Provider directly or via CenturyLink for Greenfield or Brownfield).
  • Remotely access managed devices on the customer’s network via the remote gateway.
  • In order to provide effective remote administration tasks for Windows Operating Systems, CenturyLink will establish a trust between customer’s managed device and CenturyLink’s Active Directory domain hosted on the CenturyLink management appliance.
Patching and Maintenance
AWS and Azure Resale

Supports all available critical and vendor-recommended patches. CenturyLink ensures only such patches are installed. Customers have full control to define when and if CenturyLink should schedule their patching cycles. CenturyLink’s automated system tracks the change request, performs the patch management and provides reports. This includes:

  • Approving and delivering Service Packs, Cumulative Updates and Hotfixes for services running in the Supported Providers environment
  • Automated system tracking of change requests and performing the patch management
  • Providing status reports
  • Implementing specific AWS and Azure patch releases

Change Management activities through risk assessments, testing procedures, tracking metrics throughout progress, roll-back processes and post-deployment validation. This includes Customer access to operating system-level change data performed by CenturyLink. Such changes are performed on behalf of the Customer and are available for auditing purposes. Customers are responsible for requesting the implementation of patch releases.

Maintenance Windows: All times listed under Schedule Maintenance Windows are local times and subject to change.

Access Management

CenturyLink manages user policies, administration and password management enforcement of Supported Provider accounts configured within Cloud Application Manager.

Security

CenturyLink secures the OS with industry-standard anti-virus protection, including the guidelines of the Supported Providers, regular virus and malware signature updates, and additional OS-level hardening to mitigate risk on the Supported Provider environment. This also includes permissions and hardening policies (see Permissions and Hardening section).

Licensing

CenturyLink will provide support for the following license types for instances that are designated for MSA, subject to the Permissions and Hardening section below:

  • Customer-provided licenses used and modeled within Cloud Application Manager.
  • Licenses provided by the native Supported Provider environments.

Watcher Monitoring and Alerting (limited to BYOC, Greenfield or existing Brownfield accounts for AWS and Azure)

The CenturyLink developed and proprietary monitoring service (Watcher) that is automatically integrated directly with AWS and Azure monitoring technologies enables host, service, and application monitoring of Customer’s AWS or Azure cloud environments. The Watcher utilizes an intelligent agent deployed to all managed VMs. Monitoring policies are centrally configured and maintained by CenturyLink certified cloud engineers.

CenturyLink’s Watcher uses both agent based and cloud service provider integrations to collect metrics and generate alerts.

  • Comprehensive monitoring policy is applied to all managed instances.
  • Configurable monitoring policies for defining alerts and trigger based notifications via service request.
  • Change Management integration for automated suppression of alerts during maintenance activities.
  • Watcher dashboard to view policies and alerts on all managed devices, applications and services.
  • Graphing of performance data for managed devices, applications and services enables historical trending and analysis to both managed service customers and operations staff.
  • Historical performance data retention is currently a rolling 14 calendar days.
  • Graph data overlays to compose and compare disparate data sets in a single view.

Standard Cloud Application Manager Features Included with MSA

The following standard Cloud Application Manager platform features are available and are included in the standard MSA service (no additional charges). See the Feature Descriptions under B. Platform Advisory Support for more details.

  • Application Lifecycle Management
  • Cloud Optimization & Analytics
  • Technical Account Management
  • Excluding BYOC, consolidated billing for Azure and AWS (Greenfield or Brownfield)

What’s Covered under MSA

Supported Providers

Managed Services Anywhere is currently available for the following cloud service provider accounts, which may be modified or changed from time to time. This support type must be selected for each individual subscription account:

  • CenturyLink Cloud (CLC) — supported for Buy-Your-Own-Cloud (BYOC). CLC must be procured separately (not able to be purchased within Cloud Application Manager)
  • CenturyLink Private Cloud on VMware Cloud Foundation — supported for Buy-Your-Own-Cloud (BYOC). CLC must be procured separately (not able to be purchased within Cloud Application Manager)
  • Microsoft Azure — supported for BYOC, new Greenfield resale accounts or pre-existing Brownfield accounts that shift over to CenturyLink for billing ownership
  • Amazon Web Services (AWS) — Supported for BYOC, new Greenfield resale accounts or pre-existing Brownfield accounts that shift over to CenturyLink for billing ownership

Technologies currently supported by Supported Providers: AWS and Azure

AWS

Managed Technologies
  • EC2
  • Direct Connect
  • S3
  • Trusted Advisor
  • ElastiCache
  • Auto Scale
  • RDS (MySQL, Oracle, SQL)
  • Cloud Formation
  • EBS
  • Cloud Trail
  • Route 53
  • Organizations
  • Management Tools
  • VPC
  • Cloud Watch
  • Elastic Load Balancing
  • Cert Manager
  • CloudFront
  • Directory Services
  • IAM

Advisory Technologies
  • ECS
  • Batch
  • Beanstalk
  • AR & VR Tools
  • Glacier
  • Snowmobile
  • Analytics Tools
  • Neptune
  • API Gateway
  • WAF
  • Migration Tools
  • Developer Tools
  • Fargate
  • Lambda
  • Container Registry
  • Aurora
  • DynamoDB
  • RedShift
  • IoT Tools
  • Business Productivity Tools
  • Lightsail
  • Media Services Tools
  • App Integration Tools
  • Storage Gateway
  • Snowball
  • Game Development Tools
  • Desktop/App Streaming Tools
  • Serverless App Repository
  • All Management Tools

Microsoft Azure

Managed Technologies
  • Virtual Machines
  • Load Balancer
  • Security Groups
  • Network Interfaces
  • Blob Storage
  • Azure SQL
  • Scale Sets
  • VPN Gateway
  • ExpressRoute
  • IP Addresses
  • File Storage
  • Disk Storage
  • Virtual Network
  • Application Gateway
  • Local Network Gateway
  • Archive Storage
  • Queue Storage
  • SQL Server

Advisory Technologies
  • App Service
  • Data Lake
  • Service Fabric
  • Backup
  • Analytics Tools
  • MySQL
  • Table Storage
  • PostgreSQL
  • DNS
  • CDN
  • Batch
  • DDoS Protection
  • Cosmos DB
  • IoT Tools
  • Redis Cache
  • Data Factory
  • Management Tools
  • Analytics Tools
  • Functions
  • Traffic Manager
  • Site Recovery
  • SQL Data Warehouse
  • AI Machine Learning Tools
  • Integration Tools
  • Developer Tools
  • Azure Container Services

The tables below describe the activities CenturyLink will perform against the technologies noted above.

Managed Activities against the Managed Technologies noted above for AWS and Azure (examples only, not a finite list)

  • Make configuration changes and updates
  • Perform remediation of any issues raised from alerts
  • Create monitoring policies and implement changes per approved customer requests (within allowed threshold)
  • Priority escalation to CenturyLink AWS and Azure certified experts
  • Guidance and best-practice for account architecture, security and resiliency
  • Provide secure network access for CTL management
  • Create and update deployment policies
  • Record AWS and Azure infrastructure change logs
  • Provide baseline deployment
  • Deploy any services in the applicable Catalog or already modeled within ALM upon request (existing Script and Application Box)
  • Troubleshoot and resolve AWS and Azure network and service issues
  • Execute changes for creating, updating or deleting, services and applications upon Customer approval
  • Notifications of upcoming service update window
  • Support customer-defined maintenance window (where supported)
  • Installation and configuration of management appliance and scripts for patching, security, monitoring, DR/backup, etc. (see patching in Functions section above)
  • Provide incident response, resolution and root cause analysis

Advisory Activities against the Advisory Technologies noted above for AWS and Azure (examples only, not a finite list)

  • Access to Global Operations Support
  • Monitoring alerts and notifications through Watcher
  • Investigate alerts for incident notification
  • General best practice and best effort troubleshooting
  • Notification of upcoming service update windows (pushed by AWS or Azure)
  • Proactively notify incidents
  • Provide customer resources via knowledge base articles and vendor resources

The table below provides examples of some of the Customer requests that would require Advanced Managed Services (subject to additional terms and pricing).

Requests Requiring Advanced Managed Services Upgrades

  • Create, build and deploy new Script and Application Boxes against AWS and Azure services
  • Write custom AWS Cloud Formation and Azure Resource Manager (ARM) templates and bindings for multi-tiered services
  • Facilitate deep architectural discussions to ensure solutions are designed for deployment in the cloud
  • Application integration with native AWS and Azure services and technologies
  • Executing non-standard change requests (e.g. policy changes, app configuration, etc.)
  • Performing any of the “Managed” activities against the “Advisory” technologies

Technologies currently supported by Supported Providers: CenturyLink Private Cloud on VMware Cloud Foundation and CenturyLink Cloud

CenturyLink Private Cloud on VMware Cloud Foundation

Managed Technologies
  • Edge Gateway
  • VMware vCloud Director service features

Advisory Technologies
  • Any applications or workloads managed by vCloud Director
  • VMware vRealize Operations

CenturyLink Cloud (CLC)

Managed Technologies
  • Cloud Servers
    • Microsoft Windows Server
    • Red Hat Enterprise Linux
  • Managed Services on CLC
    • Apache
    • Tomcat
    • IIS
    • SQLM
    • MySQL

Advisory Technologies
  • Other Cloud Servers
  • Firewalls
  • Big Data
  • Object Storage
  • Runner Playbooks
  • Networking
  • Cloud Blueprints
  • Other Application Services
  • Marketplace Technology

The tables below describe the activities CenturyLink will perform against the technologies noted above.

Managed Activities against the Managed Technologies noted above for CenturyLink Private Cloud on VMware Cloud Foundation and CenturyLink Cloud.

  • Make configuration changes and updates against vCloud Director and supported CLC Managed Services workloads
  • Perform remediation of issues raised from alerts
  • Create monitoring policies and implement changes per approved customer requests (within allowed threshold)
  • Priority escalation to CenturyLink experts
  • Guidance and best-practice for account architecture, security and resiliency
  • Provide secure network access to environment via VPN for CenturyLink management
  • Provide baseline deployment policies
  • Create and update deployment policies
  • Deploy any services in the applicable Catalog or already modeled within ALM upon request (existing Script and Application Box)
  • Troubleshoot and resolve CenturyLink Private Cloud on VMware Cloud Foundation service issues
  • Execute changes for creating, updating, or deleting upon Customer approval
  • Support customer-defined maintenance window (where supported)
  • Support OS licensing delivered by CenturyLink
  • Installation and configuration of management appliance and scripts for patching, security, monitoring, DR/backup, etc. (see patching in Functions section above)
  • Provide incident response, resolution and root cause analysis

Advisory Activities against the Advisory Technologies noted above for CenturyLink Private Cloud on VMware Cloud Foundation and CenturyLink Cloud.

  • Access to Global Operations Support
  • General best practice and best effort troubleshooting
  • Provide customer resources via knowledge base articles and vendor resources

The table below provides examples of some of the Customer requests that would require Advanced Managed Services (subject to additional terms and pricing).

Requests Requiring Advanced Managed Services Upgrades

  • Create, build and deploy new Script and Application Boxes against CenturyLink Private Cloud on VMware Cloud Foundation and CLC services
  • Write custom templates and integrated bindings
  • Provide licensing by CenturyLink for CenturyLink Private Cloud on VMware Cloud Foundation and CLC
  • Hands-on support for Bring-Your-Own-Licensing
  • Facilitate deep architectural discussions to ensure solutions are designed for deployment in the cloud
  • Application integration with native VMware services and technologies
  • Executing non-standard change requests (e.g. policy changes, app configuration)
  • Performing any of the “Managed” activities against the “Advisory” technologies

Applications and Databases currently supported for all current Supported Providers

Below is a list of applications covered under Managed Services Anywhere residing on the Supported Provider platforms as long as the application is running on any Supported Provider platform.

Managed Technologies
  • Microsoft IIS
  • SQL
  • Tomcat
  • MySQL
  • Apache

Advisory Technologies (e.g. apps)
  • Oracle
  • SAP
  • Containers
  • Kubernetes
  • JBoss
  • Other Open Source Technologies
  • Node.js
  • Any other tech, app, service, language

Managed Activities against the Managed Technologies above for Applications & Databases

  • Make configuration changes and updates
  • Perform remediation of any issues raised from alerts
  • Create monitoring policies and changes per approved customer requests (within allowed threshold)
  • Priority escalation to CenturyLink experts
  • Provide secure network access for CTL management
  • Create and update deployment policies
  • Resolve application performance issues and outage
  • Supported if technologies are running in supported provider environment (Azure, AWS, CenturyLink Private Cloud on VMware Cloud Foundation, CLC)
  • Monitor for applicable updates to supported OS and software pre-installed with supported OS
  • Identify and remediate application and workload problems
  • Deploy applications in the applicable Catalog or already modeled within ALM upon request (existing Script and Application Box)
  • Execute changes for creating, updating, or deleting applications upon Customer approval
  • Notifications of upcoming service update window
  • Support customer-defined maintenance window (where supported)
  • Installation and configuration of management appliance and scripts for patching, security, monitoring, DR/backup, etc. (see patching in Functions section above)
  • Provide incident response, resolution and root cause analysis
  • Investigate application-specific alarms
  • Application testing and optimization

Advisory Activities against the Advisory Technologies above for Applications & Databases

  • Access to Global Operations Support Center
  • Investigate alerts for incident notification
  • General best practice and best effort troubleshooting
  • Notification of upcoming updates and patches (pushed by vendor) upon request
  • Provide customer resources via knowledge base articles and vendor resources

The table below provides examples of some of the Customer requests that would require Advanced Managed Services (subject to additional terms and pricing).

Requests Requiring Advanced Managed Services Upgrades

  • Region-only support – restrictions and limitations apply
  • Create, build and deploy new Script and Application Boxes
  • Troubleshoot customer-specific application issues
  • Develop applications and write customer-specific code
  • Patch and monitor middleware applications
  • Patch and monitor third party and customer applications
  • Subscribe to third party APM service through CenturyLink
  • Application and infrastructure assessment and design
  • Patch development software (.NET, PHP, Perl, Python, Ruby)
  • Application integration with native cloud providers services
  • Executing non-standard change requests (e.g. policy changes)
  • Perform any of the “Managed” activities against “Advisory” technologies
  • Facilitate deep architectural discussions to ensure solutions are designed for deployment in the cloud

See KB Articles for more details:
Microsoft IIS (#cam18)
Tomcat (#cam19)
Apache (#cam17)
Microsoft SQL (#cam165)


Operating Systems currently supported for all current Supported Providers

A list of supported Operating Systems:

Managed Technologies
  • Red Hat Enterprise (RHEL 6, RHEL 7)
  • Windows Server 2016 Datacenter
  • Amazon AWS-Linux (EC2 deployment)
  • Windows Server 2008 R2 (Std., Enterprise, Datacenter)
  • Windows Server 2012 R2 (Std., Enterprise, Datacenter)

Advisory Technologies (e.g. apps)
  • Ubuntu
  • CentOS

B. Platform Advisory Support

Guidance in an advisory capacity is the baseline support tier and is automatically applied unless Customer designates Managed Services Anywhere against each Supported Provider account. This support tier enables CenturyLink to lead all support responsibilities for Azure and AWS (when they are being procured in a Brownfield or Greenfield scenario) as well as Application Lifecycle Management.

The following features, as more fully described below, are available to be consumed (some may include additional charges). See the Feature Description section for more details.

  • Application Lifecycle Management – additional charge for usage (see Pricing)
  • Cloud Optimization & Analytics – (when they are being procured in a Brownfield or Greenfield scenario)
  • Technical Account Management
  • Consolidated billing for Azure and AWS (when they are being procured in a Brownfield or Greenfield scenario)
  • For Buy-Your-Own-Cloud (BYOC) for AWS or Azure usage and advisory support is limited to Application Lifecycle Management only

Standard Cloud Application Manager Features Included with Platform Advisory Support

The following features are available in Platform Advisory support:

  • Application Lifecycle Management — All services and functionality of the Cloud Application Manager orchestration platform are subject to support. This includes modeling applications in boxes (templates), deployment policies, scripting and integration with development processes and tools. This functionality exists in both the Cloud and Datacenter version and is covered in the Platform Advisory support tier. Within Platform Advisory Support, CenturyLink does not perform or execute any tasks on behalf of the Customer.
  • AWS — Excluding BYOC, all native features and services are available for advisory support only and are not subject to any hands-on configuration or customization. Customers may contact the Global Operations Center for break-fix support and similar services comparable to that of AWS Enterprise Support. CloudWatch and other native AWS monitoring services may be consumed, supported and viewed via Watcher within Cloud Application Manager. However, the Platform Advisory Support does not include hands-on change, incident management and proactive remediation based on alerting. If escalations are needed, CenturyLink has the ability to engage directly with AWS for more support guidance.
  • Microsoft Azure — Excluding BYOC, all native provider features and services are available for advisory support only and are not subject to any hands-on configuration or customization. Customers may contact the Global Operations Center for break-fix support and similar services comparable to that of Microsoft Premier Support. Azure Operational Insights and other native Azure monitoring services may be consumed, supported and viewed via Watcher. However, the Platform Advisory Support does not include hands-on change, incident management and proactive remediation based on alerting. If escalations are needed, CenturyLink has the ability to engage directly with Microsoft for more support guidance.
  • Cloud Optimization & Analytics — Except BYOC, Customers can use the CenturyLink Optimization & Analytics module

C. Cloud Application Manager Standard Features

The table below describes standard features of Cloud Application Manager regardless of support tier.

Core Platform
Users can integrate with their existing authentication systems using the following authentication protocols:
  • Google Authentication
  • GitHub Authentication
  • SAML
  • LDAP
  • User ID and Password
Once logged into Cloud Application Manager, users can seamlessly navigate between Application Lifecycle Management, Cloud Optimization and Analytics, Monitoring and Ticketing portal sites using single sign-on. Cloud Application Manager users can access the entire functionality via API as well as the User Interface at cam.ctl.io. Users can create a permanent or a short-term authentication token that can be used to perform API calls.
Application Lifecycle Management (ALM)
ALM provides an orchestration platform for users to deploy and manage multiple environments across public and private cloud platforms. This module allows users to model infrastructure and applications in Cloud Application Manager once and deploy them to any of the supported environments. Users can choose to model their application in a cloud agnostic fashion or use one of the cloud provider’s native modeling templates like AWS Cloud Formation Template or Azure Resource Manager template. Once applications are deployed using the templates, users can manage the lifecycle of the application, auto-scale the infrastructure, update/patch their applications without down-time and replicate them across environments.
Application Lifecycle Management also has a Continuous Integration and Continuous Deployment (CI/CD) plugin that can be configured to invoke policies in Cloud Application Manager and update their applications and infrastructure residing in the underlying provider platforms, on every code release. Customers can choose to use this functionality even without having to run the bill through Cloud Application Manager.
Auto-Discovery
The Auto-Discovery feature for instances running on AWS, Azure and CenturyLink Cloud infrastructure provider(s) enables visibility of resources that have been previously running. Once a provider is configured, Cloud Application Manager discovers all of the virtual machine instances in that environment and lists them for the user. At that time, a virtual machine instance can be selected and imported. Users register an existing instance so that the lifecycle can be managed within the Cloud Application Manager platform.
Additional features include:
  • Allows users to use single sign-on to access public cloud provider’s management console
  • Create a hierarchy of Organization, Cost Centers and Workspaces to organize resources to represent various internal environments, teams and departments
  • Allows users to model applications using the ALM framework for configuration management and reusability and build cloud agnostic applications
  • Allows users to leverage the cloud provider orchestration templates to deploy provider native services
  • Identity and access management allows the sharing of workspaces, applications and cloud infrastructure across your organization
  • Flexibility to deploy workloads on all major cloud infrastructures to meet business demands and organizational preferences
  • Supported Providers detailed in KB Article #CAM213
Cloud Optimization & Analytics (exclusively for AWS and Azure)
Cloud Optimization & Analytics provides the following features:
  • Best Practices checks include more than 350 automated checks evaluated against AWS and Azure provider accounts:
    • Cost Savings
    • Security Utilization
  • Potential Monthly Savings, Idle Resources and Unused Resources
  • Change Monitoring Reports that list all changes performed by Provider account
  • IAM Admin User Reports

For both Platform Advisory Support and Managed Services Anywhere, CenturyLink provides consolidated billing, cost optimization, spend analytics, chargeback and best practice recommendations. Certain restrictions and limitations apply.
Authorized Resale of AWS and Azure
Users can set up new AWS and Azure accounts or shift their existing AWS and Azure accounts to CenturyLink Cloud Application Manager. There are three distinct options:
  • Use an existing customer account
  • Migrate account to CenturyLink for consolidated billing and support (designating Platform Advisory Support or Managed Services Anywhere)
  • “Create a new account for consolidated billing and Platform Support”
Authorized resale requires additional terms and conditions as a condition precedent to continuing the “provider” setup process.
All AWS and Azure accounts are required to be fully hardened per the CenturyLink guidelines (see Permissions and Hardening Policy section).
Technical Account Management
Both Platform Advisory Support and Managed Services Anywhere provide customers with a designated (not dedicated) Technical Account Manager. This consists of a functional workgroup comprised of technical experts and program governance agents that are designated to a customer account. Technical Account Managers support inquiries regarding Application Lifecycle Management, Cloud Optimization & Analytics, AWS and Azure services. The Technical Account Management responsibilities consist of providing proactive service delivery plans based on the customer strategies, managing support escalations, answering advisory questions related to any of the three core Cloud Application Manager capabilities, addressing billing inquiries and coordinating more extensive architectural and design services from CenturyLink managed services experts. Certain tasks or requests related to the Technical Account Management services may require an upgrade to Advanced Managed Services (subject to additional terms and pricing).

Platform Advisory Support
  • Provides Getting-Started activities
  • Provides support escalation, best practice and recommendations for additional hands-on services
  • Supports advisory-only level of guidance with best effort
  • Share and explain optimization reporting
  • TAM named but not dedicated or guaranteed (pooled model)
  • Does not support any monitoring, alerts, remediation and creation/changes of policies
  • AWS, Azure and VMware certifications and accreditations

Managed Services Anywhere
  • Provides Getting-Started activities
  • Coordinate service desk and support engineering for hands-on action
  • Identify cost/performance optimization and execute recommendations
  • Coordinate monitoring policy creation and updates with service desk
  • Coordinate modifying and deploying Script, Application and cloud native template Boxes (already in catalog) with service desk
  • Coordinate configuring user access and permissions with service desk
  • Contribute to root cause analysis, problem resolution and remediation
  • Respond and provide updates to service requests
  • Facilitate patch/backup schedule and communicate upcoming changes

Examples of Activities Requiring AMS Upgrades
  • Hands-on action for Advisory technologies or actions beyond “Managed” activity scope (service desk and TSE only – TAM coordinates)
  • Design and architecture of a service/application
  • Creation of new Script and Application Boxes
  • Migration and refactoring of applications
  • Designing infrastructure and network topology
  • Execute deployments not already defined, requiring architecture design

D. Global Operations Support

All MSA and Platform Advisory Support is provided by the CenturyLink Global Operations Center. Customers can engage CenturyLink 365x24x7 via phone, email or by opening a ticket as outlined in the table below.

| Contact method | Details | Response objective |
|---|---|---|
| Email | incident@CenturyLink.com | Less than 6 hours |
| Phone | United States: 1-888-638-6771; Canada: 1-866-296-5335; EMEA: 00800 72884743; Asia Pacific: +65 6768 8099 | 1-5 minutes |
| Ticket | Cloud Application Manager portal | Less than 1 hour |

In addition to the above, Cloud Application Manager provides easy access to the CenturyLink Global Operations Center via links provided within the platform. Once logged into Cloud Application Manager, Customers can launch the Support Center and view existing tickets or open new tickets. When opening a new ticket, the Support Center will navigate the user based on the selections.

CenturyLink Global Operations Center personnel will log into the Cloud Application Manager using CenturyLink maintained credentials to manage customer services, handle support calls and troubleshoot issues.

Within Cloud Application Manager, CenturyLink’s Global Operations Center personnel will have access to the Customers’ instances in the workspaces belonging to Customer when CenturyLink is authorized by the Customer to help manage workloads, workspaces and cost centers. As part of initial setup, every Customer within Cloud Application Manager is configured to add CenturyLink support group as an administrator in order for CenturyLink to provide the support/services requested by Customer.

Log Retention. As a part of the Managed Services Anywhere and Platform Advisory Support for Cloud Application Manager, CenturyLink receives and analyzes Customer logs as needed. Logs are managed according to the policies of the CenturyLink Global Operations Center. The details of the log policy can be found here.

When CenturyLink Global Operations Center personnel look up an instance for management activities, the following information is available about the instance:

  • Name
  • Description
  • Hostname (populated from the provider and shown in the instance page)
  • Provider
  • Provider Region (available if the provider supports it)
  • Provider Data Center
  • Provider Instance ID
  • Cloud Application Manager Instance ID (displayed as "ID")
  • IP Address (displayed in the EndPoints)
  • Operating System (named as Template)

E. Billing

Each of the support tiers (Managed Services Anywhere and Platform Advisory Support) is billed monthly based on the spend of the Supported Provider and consumed CenturyLink services.

Bills are provided on the 1st of the month. When CenturyLink owns the consolidated billing relationship for AWS and Azure, there will be reconciliation from the previous month to account for provider adjustments that are posted after CenturyLink’s bill run on the 1st.

F. Permissions and Hardening

All Supported Provider accounts that are identified for Managed Services Anywhere or procured via CenturyLink’s Value Added Reseller program (AWS and Azure – in a Greenfield or Brownfield scenario) are required to be configured with the security and permissions identified below in order to accurately process billing as a percentage of Supported Provider spend for CenturyLink support services. Below are the required levels of access:

  • Root account access is required for all accounts within the CenturyLink Value Added Reseller program within Cloud Application Manager (includes both Brownfield and Greenfield accounts)
  • For BYOC accounts and access to billing, Customers retain their own root account access and CenturyLink is set up with an IAM admin-only policy

Operational Access

In order to complete migration of existing accounts to CenturyLink, Customer must give access to CenturyLink’s Global Operations Support personnel on their existing subscription(s) and designate CenturyLink the Owner role so that resources can be transferred. This is a meta-data change that causes no downtime and does not affect connectivity. The Global Operations Support staff will have permission to review configurations within the account but will not have permission to add, change, or delete resources. Any support inquiries will need to be opened via CenturyLink Global Operations Support; Customer cannot open tickets directly with the provider. The Technical Account Manager will be enabled to facilitate requests and changes on the Customer’s behalf as an administrator only as a part of an Advanced Managed Services upgrade subscription. CenturyLink will maintain the ability to make changes to the account as best practices change or the configurations conflict. CenturyLink will take all the necessary steps to ensure these roles are enabled continuously or until the end of the applicable service term. Upon expiration or termination of the underlying agreement for services, Customer will be able to remove these policies and roles. Customer will retain access to migrated accounts that existed prior to the migration.

AWS Account Security Configurations

Fully hardened, Customer AWS accounts created within or migrated into CenturyLink’s Value Added Reseller program must comply with security best practices and allow operational access as designated by AWS. When accounts are created or on-boarded, CenturyLink must initially be given programmatic access to accounts to enable security-related configuration and to permit appropriately-permissioned, CenturyLink employee access. All credentials provided by the Customer (if part of the Value Added Reseller program) will be encrypted. The following steps will be taken during onboarding:

  • Confirm or set up events and logs storage for security event monitoring
  • Create IAM policies and roles for CenturyLink Global Operations Support
  • Create IAM policies and roles for Application Lifecycle Management, Watcher monitoring and Optimization & Analytics
  • Ensure or set up password policy
  • Ensure or enable root-account MFA access
  • Set up Account Controls
  • Enable audits of these configurations
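
The checklist above can be expressed as an offline audit over account data, shown here as an added example (not CenturyLink tooling or code from this guide). The minimum password length, the role names and both sample snapshots are assumptions constructed for illustration; the guide states no thresholds or role names.

```python
# Offline audit of an account snapshot against the onboarding checklist above.
# Keys mirror boto3 responses: iam.get_account_summary, get_account_password_policy,
# list_roles, and cloudtrail.describe_trails with IsLogging merged from get_trail_status.
# Thresholds, role names and sample data are assumptions made for this example.
MIN_PASSWORD_LENGTH = 14  # assumed; the guide states no value
REQUIRED_ROLES = {"ExampleOpsSupportRole", "ExampleMonitoringRole"}  # hypothetical
COMPLEXITY_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                    "RequireNumbers", "RequireSymbols")

def _open_trust(role):
    """True if an Allow statement in the role's trust policy names principal '*'."""
    stmts = role.get("AssumeRolePolicyDocument", {}).get("Statement", [])
    if isinstance(stmts, dict):  # a policy may hold a single statement object
        stmts = [stmts]
    for s in stmts:
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        if s.get("Effect") == "Allow" and (aws == "*" or (isinstance(aws, list) and "*" in aws)):
            return True
    return False

def audit_account(snap):
    """Return a list of (check_id, detail) findings; an empty list means compliant."""
    findings = []
    # Root-account MFA
    if snap.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1:
        findings.append(("root-mfa", "root account has no MFA device"))
    # Password policy (None when the account has never set one)
    policy = snap.get("PasswordPolicy")
    if policy is None:
        findings.append(("password-policy", "no account password policy"))
    else:
        if policy.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
            findings.append(("password-length", f"minimum length below {MIN_PASSWORD_LENGTH}"))
        for flag in COMPLEXITY_FLAGS:
            if not policy.get(flag, False):
                findings.append(("password-complexity", f"{flag} is off"))
    # Event and log storage: at least one multi-region trail that is logging
    live = [t for t in snap.get("trailList", [])
            if t.get("IsMultiRegionTrail") and t.get("IsLogging")]
    if not live:
        findings.append(("event-logging", "no multi-region trail is logging"))
    for t in live:
        if not t.get("LogFileValidationEnabled"):
            findings.append(("log-integrity", f"{t['Name']} lacks log file validation"))
    # Support and monitoring roles: present, and not assumable by everyone
    roles = {r["RoleName"]: r for r in snap.get("Roles", [])}
    for name in sorted(REQUIRED_ROLES - set(roles)):
        findings.append(("role-missing", f"{name} not found"))
    for name in sorted(roles):
        if _open_trust(roles[name]):
            findings.append(("role-trust", f"{name} is assumable by any principal"))
    return findings

def _role(name, principal):
    # Builds a role record in the shape iam.list_roles returns (trust policy decoded).
    return {"RoleName": name, "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]}}

# Constructed sample snapshots (not real account data).
OPS = "arn:aws:iam::111122223333:root"  # placeholder account ID
HARDENED = {
    "SummaryMap": {"AccountMFAEnabled": 1},
    "PasswordPolicy": {"MinimumPasswordLength": 14, **dict.fromkeys(COMPLEXITY_FLAGS, True)},
    "trailList": [{"Name": "all-regions", "IsMultiRegionTrail": True, "IsLogging": True,
                   "LogFileValidationEnabled": True}],
    "Roles": [_role(n, OPS) for n in sorted(REQUIRED_ROLES)],
}
WEAK = {
    "SummaryMap": {"AccountMFAEnabled": 0},
    "PasswordPolicy": {**HARDENED["PasswordPolicy"], "MinimumPasswordLength": 8,
                       "RequireSymbols": False},
    "trailList": [{"Name": "one-region", "IsMultiRegionTrail": False, "IsLogging": True}],
    "Roles": [_role("ExampleOpsSupportRole", "*")],
}
```

Running `audit_account(WEAK)` reports each failed checklist item; scheduling the same function against fresh snapshots is one way to audit that the configuration has not drifted.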

Customer-owned information about security events will be stored within the customer account and will be retained for the duration of the applicable service term.

CenturyLink maintains AWS requirements by restricting access to cost and spend data directly in the AWS portal account. This information is available within Cloud Application Manager and is provided at no additional cost through Cloud Application Manager’s Cloud Optimization and Analytics module.

The following is a service option available to Customers with Cloud Application Manager. This Service, if enabled, may be subject to additional terms and charges.

SafeHaven Disaster Recovery as a Service (DRaaS)

The following service description applies to SafeHaven version 5.0. The service description for SafeHaven version 4.0 can be found at SafeHaven Disaster Recovery as a Service 4.0.

Overview: CenturyLink’s SafeHaven software is a distributed software architecture that enables the DRaaS to: deliver group consistency and run book automation for multi-tiered applications, automate data center disaster recovery orchestration, enable continuous recovery with group consistency and checkpoints, and provide recovery/redundancy for both physical and virtual IT systems. DRaaS also includes a graphical user interface, is compatible with multiple servers, and is available with hypervisors and virtual or dedicated data centers.

As used herein, “data centers” refers to the infrastructure on which SafeHaven Replication Node (“SRN”) and CMS are deployed and configured. CenturyLink Cloud services may be utilized as the default production data center; however, Customer may designate any supported data center as the production data center, and the remaining supported data centers would thereby be the recovery data center.

In addition to the applicable Service Schedule, Customers will also be required to sign a Statement of Work and applicable contract documents for all onboarding activities prior to commencement of DRaaS Services. DRaaS is not available to Customers who click to accept the CenturyLink Cloud Master Services Agreement online.

The SafeHaven software is comprised of certain open source software. Customers must install the relevant software on all desktop or laptop computers that Customer will use for DRaaS administration. Please see the Knowledge Base article SafeHaven 5: Open Source Components for additional details.

DRaaS includes the system components listed below and follows a structural hierarchy in the following order:

  • Cluster Layer
  • Data Center Layer
  • SafeHaven Replication Node (SRN)
  • Protection Group
  • Protected VM/Disk

Cluster Layer

A SafeHaven cluster means the group of data centers Customer selects to use with its DRaaS Service. Each SafeHaven cluster can service up to 64 data centers. For CenturyLink Cloud, the data centers are virtual data centers, however a Customer may utilize any combination of virtual data centers and dedicated data centers; provided however, dedicated data centers will require the purchase of certain CenturyLink Managed Hosting services.

A Central Management Server (CMS) is an Ubuntu 16 based lightweight virtual appliance (virtual machine) in a recovery data center that connects all the data centers/appliances together and provides access to the DR environment via a SafeHaven console (GUI), which is a standalone Java client (provided by CenturyLink) utilized to access the SafeHaven cluster.

The console remotely sends commands to the CMS installed at the recovery site (as more fully described below). Commands are encrypted automatically by embedded SSL in the console and the CMS. Customers use the SafeHaven console to administer the DRaaS and manage their DR environment and initiate point-and-click recovery operations upon individual virtual machines, groups of servers and data drives, or entire data centers. Recovery operations include:

  • Migration. Transfer of a Protection Group to a DRaaS recovery site.
  • Test-Failover. This operation activates a “clone” instance of a Protection Group at a selected checkpoint in the DR data center without affecting production activity in the production data center.
  • Failover. This operation activates the replica instance of a Protection Group in the DR data center at a selected checkpoint.
  • Failback. This operation restores a Protection Group to the original production data center.
  • Automatic detection and reporting of SRN failures and Protection Group errors.

Each SafeHaven cluster includes a single active Central Management Server (CMS). The CMS utilizes the SafeHaven virtual appliance installed at the recovery site and is part of the SafeHaven architecture that:

  • Receives commands from the SafeHaven console and relays them to the appropriate SRN in the appropriate data center.
  • Monitors heartbeats from the SRNs.
  • Receives state information from SRNs and relays it to the SafeHaven console.

Data Center Layer

The data center layer is the set of data centers Customer chooses to provision as the recovery site(s) within a cluster via the SafeHaven console.

SafeHaven classifies data centers based on the API used for orchestration of recovery operations and recognizes the following five data center types.

  1. CenturyLink Cloud virtual data center: Disaster Recovery (“DR”) orchestration is through the CenturyLink Cloud API for CenturyLink Virtual and Bare Metal Servers. CenturyLink Cloud can be used as the production and/or the recovery site.
  2. Amazon Web Services: A third party data center that can be used as a recovery site for production workloads. Customers may use their own AWS account or purchase AWS through CenturyLink’s Cloud Application Manager Services. Cloud Application Manager Services require separate contractual documents to be signed with CenturyLink.
  3. Microsoft Azure: A third party data center that can be used as a recovery site for production workload through Azure APIs. Customers may use their own Azure account or purchase Azure through CenturyLink’s Cloud Application Manager Services. Cloud Application Manager Services require separate contractual documents to be signed with CenturyLink.
  4. Customer’s VMware on Premise: A third party data center whereby DR orchestration is through VMware vSphere 4.0 (or later release) via API calls to VMware vCenter Server.
  5. Manual Production Site or dedicated data center: A manual site is any site, whether CenturyLink or third party, in which APIs are not currently supported for SafeHaven use; however, production and recovery sites can be powered on and off manually. “Manual” means there is no console for Customers to administer remotely. There is no orchestration via API for manual production sites, but the DR site (CenturyLink Cloud, AWS or Azure) is fully automated. This data center type can also be used to provide DR protection for physical servers, standalone ESXi hosts, CenturyLink Private Cloud on VMware Cloud Foundation platform, Dedicated Cloud Compute platform, and servers virtualized with Hyper-V Generation 1.

For Clauses 2-5 immediately above, where the data center type is identified as third party, the following additional conditions apply: Where Customer is using their own account, Customer is solely responsible for configuring their account(s), using the third party services in a manner that provides security and redundancy, including enhanced access controls, encryption and backup, and ensuring CenturyLink has all appropriate permissions, credentials and access in order for CenturyLink to perform installation and configuration of SafeHaven. CenturyLink is not responsible or liable for any losses or damages related to the third party services (direct or via any indemnity), including any liability, losses or damages related to unauthorized access or content or data loss and any losses or damages arising from or related to the installation and operation of SafeHaven on third party systems.

For all 5 data center types above, Customer is fully responsible for performing operations required to control and manage the Service including failover, failback, encryption and data management requirements and other operations documented in these “Disaster Recovery” Knowledge Base articles. Any required network or internet connectivity between any of the data center types listed above is solely the responsibility of the Customer. Customer acknowledges that CenturyLink’s responsibility herein is related to enabling production and recovery environments and storage as detailed herein and such responsibility does not extend to any information, data or content that the Customer may send and/or store within such production or recovery sites. Customer is solely responsible for all data or content, in transit and at rest, whether in the DR or Production environment or in the storage space on disc as detailed in SRN layer below. CenturyLink is not liable for any losses or damages direct or via indemnity related to such data or information including any liability, losses or damages related to unauthorized access or content or data loss.

SRN Layer

The SRN is an Ubuntu 16 based lightweight virtual appliance (virtual machine) which transfers and retains production data. This layer includes all SRNs provisioned within the SafeHaven cluster. Each SRN is associated with a data center as shown in the SafeHaven hierarchy. A given data center may include an arbitrary number of SRNs. The SRN virtual appliance which is a component of the SafeHaven software is set up to automatically:

  • Provision and delete Protection Groups (as more fully described below).
  • Generate and maintain a replica image of each Protection Group in a remote data center.
  • Generate and maintain a scrolling log of up to 2048 checkpoints for each Protection Group.
  • Relay SafeHaven commands from the CMS to the cloud management layer and/or IT infrastructure.
  • Transmit a heartbeat to other SRNs and the CMS.
  • Relay state information to the CMS.

SRNs replicate at the LUN level transmitting updated blocks for each Protection Group to a peered SRN in a remote data center. Although each active Protection Group has a replica in only one other site, an SRN may support a set of Protection Groups that each have replica instances in distinct remote data centers.

Customer is responsible for purchasing and providing the following additional storage requirements or CenturyLink may not be able to provide the Service:

  • Customer must provide the required amount of disk space (i.e. “storage pool”) so the SRNs can perform their operations. The SRN will utilize the disk space made available by the Customer. Customer’s failure to maintain adequate disk space will cause the SRN operations to fail and will affect CenturyLink’s ability to provide the Service.
  • The production SRN must be provided with a storage pool of sufficient size to mirror the protected VMs.
  • The recovery SRN must be provided with a storage pool of sufficient size to host the protected VM disks inside the recovery site.
  • SRNs must also have enough storage for Protection Group checkpoints. The amount of storage allocated determines how many checkpoints will be retained in the checkpoint history.

Protection Groups

A Protection Group is a set of servers and hard disks grouped by SafeHaven that failover and failback together to the same instant in time and are shut down and brought up according to a prescribed recovery plan. Each Protection Group corresponds to a distinct set of servers and hard disks replicated to a remote site by SRNs. When protecting a multi-tiered application, administrators should provision a Protection Group that includes the set of all servers and hard disks that participate in the multi-tiered application. SafeHaven is set up to allow the applicable systems to recover via a remote data center with mutually consistent data images as they were at specific instances in time. Each data center within a cluster can include both active Protection Groups and replica instances of remote Protection Groups.

Protection Groups are logical mappings between the production and recovery servers. Protection Groups are created from within the SafeHaven console and users have the choice to either include one or multiple servers inside a single protection group. All the recovery operations are initiated from a Protection Group level.

Protected VM/Disk

Write traffic for each protected VM and hard disk is locally and synchronously mirrored within the production data center so that it is written both to the primary data store and also to a local SRN. For Windows Server Operating Systems 2008R2 and later, the SafeHaven local replication agent is employed and in Linux Operating Systems, Rsync is employed.

Checkpoints

SafeHaven checkpoints correspond to LUN-level Copy on Write snapshots and are block-consistent representations of a Protection Group at an instant in time.

Open Source Software

DRaaS uses SafeHaven software to employ the relevant open source software. Details of the various components can be found in the Knowledge Base article SafeHaven: Open Source Components. All users of the Service are subject to the terms and conditions of any applicable open source license agreements.

Termination

Due to the self-service nature of the Service, upon termination of the DRaaS Services, Customer is responsible for deleting all SafeHaven software, any related cloud infrastructure and components employed to provide the Service and any and all data or content Customer chose to replicate and/or store to an applicable data center while using the Services.

Appendix A – Definitions

Break/Fix: Break/fix refers to the fee-for-service method of providing information technology repairs to businesses, in which a customer calls up a service provider to do an upgrade of a computer program, software product, computer, or a repair of something computer-related like a printer or drive array that is broken, and the IT provider offers a solution or repair.

Cumulative Update: A grouping of Hotfixes or quick fix engineering updates that have not been fully regression tested by Microsoft but are designed to resolve specific issues with Microsoft SQL Server.

Domain Name System (DNS) Proxy: A network system of servers that translates numeric IP addresses into readable, hierarchical Internet addresses, and vice versa.

Hardened OS: Hardened OS means that all non-essential services and testing patches bundled in a standard operating system are disabled and functionality has been confirmed.

Hotfix: A hotfix or quick fix engineering update is a single cumulative package that includes information that is used to address a problem in a software product.

Hypertext Transfer Protocol (HTTP) Proxy: Provides port access to the Internet.

Major Release: Major Releases (X.y.z) are vehicles for delivering major and minor feature development and enhancements to existing features. They incorporate all applicable error corrections made in prior Major Releases, Minor Releases, and Patch Releases. Software Provider typically has one Major Release per year.

Minor Release: Minor Releases (x.Y.z) are vehicles for delivering minor feature developments, enhancements to existing features, and defect corrections. They incorporate all applicable error corrections made in prior Minor Releases, and Patch Releases.

Network Time Protocol (NTP) Service: Synchronizes all server times to a common system time.

Patch Release: Patch Releases (x.y.Z) are vehicles for delivering security fixes, feature developments, enhancements to existing features, and defect corrections. They incorporate all applicable error corrections made in prior Patch Releases.

Custom Patch Requirements: Customer selection of specific patches versus accepting all recommended patches, custom reporting to meet regulatory requirements versus standard reporting, variable patch schedule versus defined Maintenance Windows (see Definitions) and support for maintaining multiple patch levels versus having all patches applied (i.e. patches applied differ based on Production or Non-Production Environment).

Data Center: The facility in which the Systems are located.

Systems: The computer equipment and software that is approved by CenturyLink and utilized by the Customer in connection with the provision of Service by CenturyLink.