Cloud Application Manager

Service Guide

Updated: June 29, 2021


This Service Guide details Lumen's Cloud Application Manager service. Details for certain key features, such as Managed Services Anywhere and Advanced Managed Services, are available in separate Service Guides. See the Optional Services section below.

Service Description

Cloud Application Manager is an orchestration platform that enables the configuration, deployment and management of cloud infrastructure and workloads within hybrid IT environments. Hybrid IT refers to enterprise computing solutions that leverage multiple IT infrastructures including, but not limited to, on-premise equipment, public clouds, and private clouds.

Compatible Platforms

Cloud Application Manager can be utilized with the following platforms, which are collectively referred to as Compatible Cloud Platforms:

  • Lumen Private Cloud on VMware Cloud Foundation
  • Lumen Private Cloud for VMware Cloud
  • Lumen Public Cloud
  • Lumen Dedicated Cloud Computing
  • Lumen Dynamic Enterprise Computing III
  • Physical Server (as defined herein)
  • Amazon Web Services
  • Amazon Web Services GovCloud
  • CloudStack
  • Dimension Data
  • Google Cloud
  • Microsoft Azure
  • OpenStack Cloud
  • Rackspace Cloud
  • SoftLayer
  • vCloud Air and vCloud Director
  • VMware vCenter
  • Azure VMware Solution (AVS)

Instances of or accounts on the above identified platforms are represented as Provider Accounts in Cloud Application Manager. In some cases, an individual Provider Account can include more than one instance of the same platform. For example, a single Compute Instance Provider Account can contain multiple physical servers.

Product Features

The Cloud Application Manager base features are described in the section below.

Customer Access

Customers can integrate their existing authentication systems using the following protocols:

  • Authentication
  • GitHub Authentication
  • SAML
  • LDAP
  • User ID and Password

Cloud Application Manager users can access the entire functionality via API as well as the user interface at cam.ctl.io. Users can create a permanent or a short-term authentication token that can be used to perform API calls.

Application Lifecycle Management

Application Lifecycle Management (ALM) provides an orchestration environment for users to deploy and manage multiple hybrid IT environments. This feature allows infrastructure and applications to be modeled once in Cloud Application Manager and then deployed multiple times to any of the Compatible Cloud Platform environments. Users can choose to model applications in a cloud-agnostic fashion or use one of the Compatible Cloud Platform’s native modeling templates (e.g. AWS CloudFormation Template, Azure Resource Manager). Once applications are deployed, users can manage the lifecycle of the application, auto-scale the infrastructure, update/patch applications without downtime and replicate them across environments.

Application Lifecycle Management also has a Continuous Integration and Continuous Deployment (CI/CD) plugin that can be configured to invoke policies in Cloud Application Manager and update applications and infrastructure residing in the underlying Compatible Cloud Platform on every code release.

Auto-Discovery

The auto-discovery feature, available only for instances running on AWS, Azure, Google, and Lumen Public Cloud infrastructures, provides visibility into resources that were already running before the platform was configured. Once a platform is configured, Cloud Application Manager discovers all of the virtual machine instances in that environment and lists them for the user. At that time, a virtual machine instance can be selected and imported. Users register an existing instance so that its lifecycle can be managed within the Cloud Application Manager environment.

Additional features include:

  • Allows users to use single sign-on to access public cloud provider’s management console
  • Create a hierarchy of organization, cost centers and workspaces to organize resources to represent various internal environments, teams and departments
  • Allows users to model applications using the ALM framework for configuration management and reusability and build cloud agnostic applications
  • Allows users to leverage the cloud provider orchestration templates to deploy provider native services
  • Identity and access management allows the sharing of workspaces, applications and cloud infrastructure across the customer’s organization
  • Flexibility to deploy applications on supported cloud infrastructures to meet business demands and organizational preferences

Value Added Reseller Program

Customers can set up new Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP) accounts or shift existing AWS or Azure accounts to Lumen Cloud Application Manager. There are three distinct options:

  1. Buy a new AWS, Azure, or Google account directly from Lumen (“Greenfield”)
  2. Migrate existing AWS or Azure accounts to Lumen for consolidated billing and support (designating Platform Advisory Support or Managed Services Anywhere) (“Brownfield”)
  3. Buy an AWS, Azure, or Google account directly from the provider to be used with Platform Advisory Support or Managed Services Anywhere (“BYOC”)

Authorized Brownfield or Greenfield resale requires additional terms and conditions.

All AWS, Azure, and Google accounts are required to be fully hardened per the Lumen guidelines (see Permissions and Hardening Policy section).

Cloud Optimization & Analytics

The Cloud Optimization & Analytics feature provides for hundreds of automated best practices evaluated against AWS and Azure environments. Examples of checks include:

  • Cost Savings
  • Security Utilization
  • Potential Monthly Savings, Idle Resources and Unused Resources
  • Change Monitoring Reports that list all changes performed by Managed Cloud Provider account
  • IAM Admin User Reports

Lumen provides cost optimization, spend analytics, chargeback and best practice recommendations for BYOC and approved public cloud providers.

Cloud Optimization & Analytics is not available with Google Cloud Platform.

Technical Account Management (“TAM”)

Technical Account Managers support, by way of example, inquiries regarding Application Lifecycle Management, Cloud Optimization & Analytics, AWS, Azure, and Google services.

The Technical Account Manager role is provided through the Lumen Advanced Managed Services program. All Cloud Application Manager subscriptions require Customer enrollment in Advanced Managed Services, pursuant to separate terms and conditions, with a minimum TAM subscription of four hours per month.

A description of the TAM role and associated activities is available in the AMS Service Description.

Lumen-led Cloud Support

Lumen-led Cloud Support is a required support service applicable to Value Added Reseller accounts utilizing the new Cloud Application Manager price plan. This service provides 24x7 multi-cloud technical support for those cloud platforms, escalations to those cloud service providers as necessary, and customer user support for the Cloud Application Manager platform. It also includes use of ALM orchestration capabilities without separate fees. Lumen-led Cloud Support does not include technical support for customer workloads orchestrated through Cloud Application Manager running on these cloud platforms.

Legacy Platform Advisory Support

Legacy Platform Advisory Support refers to the base service level required for Value Added Reseller accounts governed by prior price plans for Cloud Application Manager Provider Accounts that do not have the Managed Services Anywhere service level activated. This base service level provides tier 1 and tier 2 support for AWS and AWS clouds resold through Lumen, escalations to those cloud service providers, and Cloud Optimization & Analytics service for them. It also includes customer user support for the Cloud Application Manager platform and use of ALM orchestration capabilities without separate fees.

For clarity, all technology within the environment is treated as advisory only; Lumen does not perform or execute any tasks on behalf of the Customer. Platform Advisory Support does not include hands-on change, incident management and proactive remediation based on alerting. If escalations are needed, Lumen can engage directly with AWS and Microsoft for more support guidance.

Permissions and Hardening

All third-party public cloud accounts resold through Lumen are required to be configured with the security and permissions identified below.

All Physical Servers that are identified for Managed Services Anywhere are required to be configured with the security and permissions needed to provide management services.

Remote administration categorizes connections into two families, tenant and admin. Tenant connections are those that originate from a management appliance. Admin connections are for those intending to gain access to a tenant’s environment.

Firewall - Currently three rules are enforced:

  1. Admins are allowed to send any traffic to tenants
  2. Tenants are not allowed to send any traffic to one another
  3. Tenants are only allowed to send traffic to admins if it is related to an existing connection initiated from an admin connection.
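The three rules above expressed as a stateful nftables ruleset, as an added example that is not Lumen's own configuration. The table name, set names and address ranges (documentation prefixes) are assumptions, as is the default-drop policy for traffic the three rules do not mention.

```nftables
# Added example: admin/tenant separation on a forwarding gateway.
# All names and prefixes below are placeholders, not values from the guide.
table inet remote_admin {
    set admin_net {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }        # assumed admin address pool
    }

    set tenant_net {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }     # assumed tenant appliance pool
    }

    chain forward {
        # Assumption: anything not explicitly allowed is dropped.
        type filter hook forward priority 0; policy drop;

        ct state invalid drop

        # Rule 2: tenants may never talk to one another, in any state.
        ip saddr @tenant_net ip daddr @tenant_net drop

        # Rule 3: tenant -> admin only as part of a tracked connection.
        # A tenant cannot create such an entry itself, because its own
        # "new" packets towards admins never match an accept rule.
        ip saddr @tenant_net ip daddr @admin_net ct state established,related accept

        # Rule 1: admins may send any traffic to tenants.
        ip saddr @admin_net ip daddr @tenant_net accept
    }
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`.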

Authentication

  1. Admin connections can be authenticated in various ways, from PSK, MSCHAPv2, RADIUS, or any other strongSwan-supported authentication backend.
  2. Tenant connections are authenticated by 4096-bit RSA certificate-based authentication.
    • Root account access is required for all accounts within the Lumen Value Added Reseller program within Cloud Application Manager (includes both Brownfield and Greenfield accounts).
    • For BYOC accounts and access to billing, Customers retain their own root account access and Lumen is set up with an IAM admin-only policy.

Operational Access for AWS and Azure Brownfield Scenarios

In order to complete migration of existing accounts to Lumen, Customer must give access to Lumen’s Global Operations Support personnel on their existing subscription(s) and designate Lumen the “owner role” so that resources can be transferred. This is a meta-data change and causes no downtime and does not affect connectivity. This meta-data change allows the Global Operations Support staff to review configurations within the account but does not permit adding, changing, or deleting resources. All support inquiries or tickets for accounts with Managed Services Anywhere must be opened via Lumen Global Operations Support and not directly with the underlying provider if the underlying provider is not Lumen. Lumen will take action designed to ensure permission and all policies and roles (collectively, “IAM Policies”) are enabled continuously or until the end of the applicable service term. Upon expiration or termination of the underlying agreement for services and migration to a successor account, Customer will continue to retain access to IAM Policies. Customer is responsible for ensuring that Lumen is removed as an administrator of the account(s) and that all root access rights have been disabled when the account is migrated.

AWS Account Security Configurations

Fully hardened, Customer AWS accounts created within or migrated into Lumen’s Value Added Reseller program must comply with the security best practices and operational access designated by AWS. When accounts are created or on-boarded, Lumen must initially be given programmatic access to accounts to enable the AWS designated security-related configuration and to permit appropriately permissioned Lumen employee access to the activities described in the operational access section above. All credentials provided by the Customer (if part of the Value Added Reseller program) will be encrypted by Lumen. The following steps will be taken during the set up or technical enablement of an account:

  • Confirm or set up events and logs storage for security event monitoring
  • Create IAM policies and roles for Lumen Global Operations Support
  • Create IAM policies and roles for Application Lifecycle Management, Watcher monitoring and Optimization & Analytics
  • Confirm or set up password policy
  • Confirm or enable root-account Multi-Factor Authentication access
  • Set up Account Controls
  • Enable audits of these configurations

Metrics and account information related to security events will be stored within the customer account and will be retained for the duration of the applicable service term.

For all Brownfield and Greenfield accounts, Lumen complies with the provider’s requirements to restrict the cost and spend information and other accounting/billing information in the applicable portal account. Instead, this account and billing information is available within Cloud Application Manager and is provided at no additional cost through Cloud Application Manager’s Cloud Optimization and Analytics module.

Optional Services

Managed Services Anywhere

Lumen Managed Services Anywhere is a key support feature of Cloud Application Manager, available for purchase for Customers who want additional support or assistance with agile application configuration, deployment, patching, monitoring, troubleshooting, and optimization across a variety of hybrid IT environments.

See the Managed Services Anywhere Service Guide for more information.

Limitations and Exclusions

Cloud Application Manager is currently not available for public sector entities (e.g. federal, state, local or education) requiring FISMA or any other higher-level security or regulatory requirements.

Not all Cloud Application Manager services and features are available in certain countries or regions. A Lumen representative should be contacted for a detailed list of geographic, sector, and feature availability.

Definitions

Brownfield: Migrating a customer’s existing 3rd party cloud provider account to Lumen for consolidated billing and support (and designating Platform Advisory Support or Managed Services Anywhere) is known as a “Brownfield” account.

Buy-Your-Own-Cloud or BYOC: Buy an AWS, Azure, or Google account directly from the provider or another 3rd party (not Lumen) to be used with Platform Advisory Support and Managed Services Anywhere is known as “Buy-Your-Own-Cloud” or “BYOC”.

Greenfield: The creation of a new third-party cloud provider account via Lumen for consolidated billing is known as a “Greenfield” account.

Physical Servers: Bare metal servers running a single operating system located in a customer premise, colocation environment, or a Lumen managed hosting facility.