Bamboozle is an ISO 27001-certified, environmental friendly cloud service provider. The company, which was established in 2015 and is run by its founders, offers premium cloud services with a focus on simplicity, efficiency and price/performance for all kinds of companies.

Find the documentation for our products and services below:

Prerequisites

• Virtual machines are created, as described in Creating virtual machines.

To monitor virtual machine’s CPU, storage, and network usage

Select the VM and open the Monitoring tab.

The default time interval for the charts is twelve hours. To zoom into a particular time interval, select the internal with the mouse; to reset zoom, double-click any chart.

The following performance charts are available:

CPU / RAMCPU and RAM usage by the VM.NetworkIncoming and outgoing network traffic.Storage read/writeAmount of data read and written by the VM.Read/write latencyRead and write latency. Hovering the mouse cursor over a point on the chart, you can also see the average and maximum latency for that moment, as well as the 95 and 99 percentiles.

Averaged values are calculated every five minutes.

As all Linux guests have OpenSSH Server preinstalled by default, you only need to make sure a Linux template has cloud-init installed.

The easiest way to get a Linux template with cloud-init installed is to obtain it from its official repository. You can also create a Linux template from an existing boot volume.

Managing virtual machines

Each virtual machine (VM) is an independent system with an independent set of virtual hardware. Its main features are the following:

• A virtual machine resembles and works like a regular computer. It has its own virtual hardware. Software applications can run in virtual machines without any modifications or adjustment.

• Virtual machine configuration can be changed easily, for example, by adding new virtual disks or memory.

• Although virtual machines share physical hardware resources, they are fully isolated from each other (file system, processes, sysctl variables) and the compute node.

• A virtual machine can run any supported guest operating system.

The following table lists the current virtual machine configuration limits:

You may need to create a template in these cases:

• To rescue a virtual machine

• To create a VM accessible via SSH

You can create volumes from both ISO images and templates.

To make a volume from an image

1. Go to the Images screen, and then click the required image.

Limitations

• A VM is removed along with its disks that have the Delete on termination option enabled during the VM deployment.

Prerequisites

• Virtual machines are created, as described in Creating virtual machines.

To remove one virtual machine

1. Click the ellipsis button next to a VM you want to delete, and then click Delete.

2. Click Delete in the confirmation window.

To remove multiple virtual machines

1. Select the check boxes next to VMs you want to delete.

2. Over the VM list, click Delete.

3. Click Delete in the confirmation window.

o access Flow Object Storage with Mountainduck, please follow these steps:

1. Download (https://mountainduck.io) and install Mountainduck

2. Open CyberDuck and click Open Connection.

3. Specify your the credentials which are provided in our customer portal (https://portal.bamboozle.me):

   • Server: Insert the DNS name of the S3 endpoint (Your location is mentioned in your account in our portal): Location Dubai: dxb.bbzs3.com

   • Access Key ID: Insert the displayed Access Key from our portal.

   • Secret Access Key ID: Insert the displayed Secret Key from our portal.

4. Press the connect button

The Cyber Protection console provides access to additional services or features, such as File Sync & Share or Antivirus and Antimalware protection, Patch management, Device control, and Vulnerability assessment. The type and number of these services and features vary according to your Cyber Protection license.

To check the dashboard with the most important information about your protection, go to Monitoring > Overview.

Depending on your access permissions, you can manage the protection for one or multiple customer tenants or units in a tenant. To switch the hierarchy level, use the drop-down list in the navigation menu. Only the levels to which you have access are shown. To go to the management portal, click Manage.

The Devices section is available in simple and table view. To switch between them, click the corresponding icon in the top right corner.

The simple view shows only a few workloads.

We provide following options to pay your Bills:

• Credit Cards (all major Cards are supported)

• Apple Pay (on supported Apple Devices)

Enterprise Customer can opt to pay via Bank Transfer.

Introduction

Bamboozle Object Storage is an S3-compatible object storage service that lets you store and serve large amounts of data. You can create them in a few seconds and use them immediately with no configuration. Data transfer is automatically secured with HTTPS, and the available storage capacity scales seamlessly.

Object Storage are ideal for storing static, unstructured data like audio, video, and images as well as large amounts of text. Use cases like databases, applications written in server-side languages, and mission-critical applications will work best with local storage (volumes).

How VPN pricing works

he VPN service is charged per Site-to-Site VPN connection. You can run more than one Site-to-Site VPN connection. Charges accrue hourly for as long as the VPN connection exists. Traffic is charged per usage.

A security group is a set of network access rules that control incoming and outgoing traffic to virtual machines assigned to this group. With security group rules, you can specify the type and direction of traffic that is allowed access to a virtual interface port. Traffic that does not satisfy any rule is dropped.

For each project, the default security group is automatically created in the compute cluster. This group allows all traffic on all ports for all protocols and cannot be deleted. When you attach a network interface to a VM, the interface is associated with the default security group, unless you explicitly select a custom security group.

You can assign one or more security groups to both new and existing virtual machines. When you add rules to security groups or remove them, the changes are enforced at runtime.

Limitations

• You can manage only IPv4 security group rules.

Limitations

• You cannot delete a security group if it is assigned to a VM.

To create a security group

1. On the Security groups screen, click Add security group.

2. In the Add security group window, specify a name and description for the group, and then click Add.

By default, the new security group will deny all incoming traffic and allow only outgoing traffic to assigned virtual machines.

To delete a security group

1. On the Security groups screen, click the required security group.

2. On the group right pane, click Delete.

3. Click Delete in the confirmation window.

Limitations

• A volume is removed along with all of its snapshots.

To create a volume

1. On the Volumes screen, click Create volume.
2. In the Create volume window, specify a volume name and size in gigabytes, select a storage policy, and then click Create.

To remove a volume

1. On the Volumes tab, check the status of the volume you want to remove.

2. If the status is "In use", click the volume, and then click Force detach.

3. If the status is "Available", click the volume, and then click Delete.

You can also configure static routes of a router by manually adding entries into its routing table. This can be useful, for example, if you do not need a mutual connection between two virtual networks and want only one virtual network to be accessible from the other.

Consider the following example:

• The virtual machine VM1 is connected to the virtual network private1 (192.168.128.0/24) via the network interface with IP address 192.168.128.10.

• The virtual machine VM2 is connected to the virtual network private2 (192.168.30.0/24) via the network interface with IP address 192.168.30.10.

• The router router1 connects the network private1 to the physical network via the external gateway with the IP address 10.94.129.73.

• The router router2 connects the network private2 to the physical network via the external gateway with the IP address 10.94.129.74.

To be able to access VM2 from VM1, you need to add a static route for router1, specifying the CIDR of private2, that is 192.168.30.0/24, as the destination subnet and the external gateway IP address of router2, that is 10.94.129.74, as the next hop IP address. In this case, when an IP packet for 192.168.30.10 reaches router1, it will be forwarded to router2 and then to VM2.

Prerequisites

• You have a virtual router created, as described in .

To create a static route for a router

1. On the Routers screen, click the router name. Open the Static routes tab, and then click Add on the right pane. If there are no routes to show, click Add static route.

2. In the Add static route window, specify the destination subnet range and mask in CIDR notation and the next hop’s IP address. The next hop’s IP address must belong to one of the networks that the router is connected to.

3. Click Add.

To edit a static route

1. Click the ellipsis icon next to the required static route, and then click Edit.

2. In the Edit static route window, change the desired parameters, and then click Save.

To remove a static route

Click the ellipsis icon next to the static route you want to remove, and then click Delete.

When you create a VM, you select security groups for the VM network interfaces. You can also change assigned security groups later.

Limitations

• You cannot configure security groups if spoofing protection is disabled or IP address management is disabled for the selected network.

Once you create a virtual machine, you can manage its CPU and RAM resources, as well as network interfaces and volumes.

Prerequisites

• Virtual machines are created, as described in .

Prerequisites

• You have a virtual router created, as described in .

Limitations

• You can clone volumes that are not attached to VMs or attached to stopped VMs.

Prerequisites

• Virtual machines are created, as described in .

To manage the power state of a virtual machine

Click the virtual machine or the ellipsis button next to it to see the full list of actions available for the current state.

• To power up a VM, click Run.

Bamboozle Kubernetes is a managed Kubernetes service lets you deploy scalable and secure Kubernetes clusters without the complexities of administrating the control plane. We manage the Kubernetes control plane and the underlying containerized infrastructure.

Clusters are compatible with standard Kubernetes toolchains and integrate natively with our Load Balancers and block storage volumes.

There are no restrictions on the API objects you can create as long as the underlying Kubernetes version supports them. We offer the latest version of Kubernetes as well as earlier patch levels of the latest minor version for special use cases. You can also install popular tools like Helm, metrics-server, and Istio.

Nodes

A volume in Bamboozle Cloud (Public and Private) is a virtual disk drive that can be attached to a virtual machine. The integrity of data in volumes is protected by the redundancy mode specified in the storage policy.

Virtual routers provide L3 services such as routing and Source Network Address Translation (SNAT) between virtual and physical networks, or different virtual networks:

• A virtual router between virtual and physical networks provides access to public networks, such as the Internet, for VMs connected to this virtual network.

• A virtual router between different virtual networks provides network communication for VMs connected to these virtual networks.

A virtual router has two types of ports:

Once you register in our portal an activation link is sent to the email provided in the system. Please follow the steps to activate your account.

• Activate account button. Click the button and set the password for your account. Ensure that your password is at least nine characters long. For more information about the password, refer to .

If your administrator has enabled two-factor authentication, you will be prompted to set it up for your account. For more information about it, refer to .

The console log of a virtual machine can be used for troubleshooting boot issues. The log contains messages only if logging is enabled inside the VM, otherwise the log is empty.

The logging can be turned on by enabling the TTY1 and TTYS0 logging levels in Linux VMs and Emergency Management Services (EMS) console redirection in Windows VMs. You may also enable driver status logging in Windows VMs, to see the list of loaded drivers. This can be useful for troubleshooting a faulty driver or long boot process.

To enable TTY1 and TTYS0 logging in Linux virtual machines

Limitations

• You can only attach and detach non-boot volumes.

Prerequisites

• A volume is created, as described in .

Before you install an agent, you must download its installation file from the service console.

To download an agent while adding a workload to protect

1. In the Cyber Protection console, navigate to Devices > All devices.

2. In the upper right, click Add device.

1. Sign up for an Instance in our Portal

2. Choose your package

3. Click the Activate button and confirm with Yes, activate. Deploying an Object Storage instance takes a few minutes.

Datacenter Certifications

DX1 (Dubai)

5 TB Outbound Traffic included. Per organization-account 5 TB of in and outbound traffic per month is included. Internal traffic is always free.

Usage over the 5TB limit is calculated per GB usage.

After you activate your account, you can access the Cyber Protection service by logging in to the Cyber Protection console or via the management portal.

To log in to the Cyber Protection console

1. Go to the Cyber Protection service login .

2. Type your login, and then click Next.

How Volumes pricing works

The price for Volumes is calculated on the basis of the smallest unit of 1 GB. When creating volumes, the smallest unit is always 10 GB. After that, you can always expand volumes with the smallest unit of 1 GB. Charges accrue hourly for as long as the Volume exists.

You can unbind a stopped VM from the node it is hosted on and release its reserved resources such as CPU and RAM. A shelved VM remains bootable and retains its configuration, including the IP addresses.

Prerequisites

• Virtual machines are created, as described in .

To shelve a virtual machine

1. Click the desired virtual machine.

This section explains how to install and uninstall the guest tools. This functionality is required for creating consistent snapshots of a running VM’s disks.

Limitations

• Guest tools rely on the QEMU guest agent that is installed alongside the tools. The agent service must be running for the tools to work.

Prerequisites

• Virtual machines are created, as described in .

You can forcefully re-initiate a VPN connection by manually restarting it. When you delete a VPN connection, you also delete the IKE and IPsec policies and endpoint groups that were created during the VPN creation.

Prerequisites

• A VPN connection is created, as described in .

To restart a VPN connection

1. On the VPN screen, click a VPN connection to restart.

How a refund works

After you or we initiate a refund, our Payment Processor submits refund requests to your customer’s bank or card issuer. You will see the refund as a credit approximately 5-10 business days later, depending upon the bank. If you do not see the refund in the mentioned time following in your account following can be the reason:

• Refunds issued shortly after the original charge appear in the form of a reversal instead of a refund. In the case of a reversal, the original charge drops off theyour statement, and a separate credit is not issued.

• Refunds can fail if the customer’s bank or card issuer has been unable to process it correctly. The bank returns the refunded amount to us and we add it back to your account balance. This process can take up to 30 days from requesting the refund.

In a case where you do not see your refund in the mentioned timeline and the above points do not apply, we can provide you the Acquirer Reference Number (ARN) corresponding to the refund. An ARN is a unique number assigned to a card transaction as it moves through the payment flow. You can then take the ARN to your bank, which will be able to provide more information about when the refund will be available. ARNs are available under the following conditions:

• They’re only supported for Visa and Mastercard transactions.

• It takes 1-3 business days after initiating the refund to receive the ARN from downstream banking partners.

• An ARN isn’t available in the case of a reversal, since the original charge isn’t processed.

If you have further question please open a support ticket with us.

The password for a user account must be at least 9 characters long. Passwords are also checked for complexity, and fall into one of the following categories:

• Weak

• Medium

• Strong

You cannot save a weak password, even though it might contain 9 characters or more. Passwords that repeat the user name, the login, the user email, or the name of the tenant to which a user account belongs are always considered weak. Most common passwords are also considered weak.

To strengthen a password, add more characters to it. Using different types of characters, such as digits, uppercase and lowercase letters, and special characters, is not mandatory but it results in stronger passwords that are also shorter.

Limitations

• You can delete a compute network only if no VMs are connected to it.

To add a new virtual network

1. On the Networks screen, click Create virtual network.

2. On the Network configuration step, do the following:

   1. Enable or disable IP address management:

To edit parameters of a virtual network

1. On the Networks screen, click the required network.

2. On the network right pane, click the pencil icon next to the network name or IPv4 subnet.

3. Make changes and save them.

To delete a compute network

Click the ellipsis icon next to the required network, and then click Delete. To remove multiple compute networks at once, select them, and then click Delete.

You can add new network interfaces to your virtual machines, edit IP addresses and security groups for the existing interfaces, and remove network interfaces by detaching them.

Limitations

• You cannot manage network interfaces of shelved VMs.

• A VM that is connected to a dual-stack network always receives an IPv6 address, if the IPv6 subnet is in the SLAAC or DHCPv6 stateless mode.

To attach a network interface to a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click Edit in the Network interfaces section.

3. In the Network interfaces window, click Add to attach a network interface.

4. In the Add network interface window, select a compute network to connect to, and then specify MAC address, IPv4 and/or IPv6 addresses, and security groups. By default, MAC and primary IP addresses are assigned automatically. To specify them manually, clear the Assign automatically check boxes, and enter the desired addresses. Optionally, assign additional IP addresses to the network interface in the Secondary IP addresses section. Note that a secondary IPv6 address is not available for an IPv6 subnet that works in the SLAAC or DHCPv6 stateless mode.

   Secondary IP addresses, unlike the primary one, will not be automatically assigned to the network interface inside the virtual machine guest OS. You should assign them manually.

   • If you selected a virtual network with enabled IP address management

5. Click Done to finish editing VM network interfaces and save your changes.

To edit a network interface of a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click Edit in the Network interfaces section.

3. In the Network interfaces window, click the ellipsis button next to the interface you want to edit, and then click Edit.

4. In the Edit network interface window, modify the network interface parameters as follows:

To detach a network interface from a virtual machine

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click Edit in the Network interfaces section.

3. In the Network interfaces window, click the ellipsis button next to the interface you want to detach, and then click Remove.

4. Click Done to finish editing VM network interfaces and save your changes.

Introduction

Bamboozle Object Storage is an S3-compatible object storage service that lets you store and serve large amounts of data. The Bamboozle Object Storage API is inter-operable with the AWS S3 API, meaning you can use existing S3 tools and libraries with Spaces. A common use case is managing Bamboozle Object Storage programmatically with AWS’ S3 SDKs.

Install the SDK

Install the AWS SDK using the package manager for your language of choice.

Obtain Access & Secret Keys

You are able to retrieve the access & secret keys in our customer portal:.

The examples below rely on environment variables to access these keys. Export ACCESS_KEY and SECRET_KEY to your environment (e.g. export ACCESS_KEY=DSJE2334BBZ) to make them available to your code.

SDKs

After you set up and configure an SDK, you can follow the examples below to see how to perform common Bamboozle Object Storage operations in JavaScript, Go, PHP, Python and Ruby.

You can change volume size only by increasing it. Volumes can be extended for both running (online resizing) and stopped (offline resizing) virtual machines. Online volume resizing allows users to avoid downtime and enables scaling VM storage capacity on the fly without service interruption.

Limitations

• You cannot shrink volumes.

• During volume resizing, the file system inside the guest OS is not extended.

• If you revert a volume to a snapshot that was taken before the volume extension, the new volume size will be retained.

Prerequisites

• A volume is created, as described in .

To extend a volume

1. On the Volumes screen, click a volume.

2. Click the pencil icon in the Size field.

3. Enter the desired volume capacity, and then click the tick icon.

After the volume is extended, you will need to re-partition the disk inside the guest OS to allocate the added disk space.

To access Flow Object Storage with Cyberduck, please follow these steps:

1. Download (https://cyberduck.io) and install Cyberduck

2. Open CyberDuck and click Open Connection.

3. Specify your the credentials which are provided in our customer portal (https://portal.bamboozle.me):

   • Server: Insert the DNS name of the S3 endpoint (Your location is mentioned in your account in our portal): Location Dubai: dxb.bbzs3.com

   • Access Key ID: Insert the displayed Access Key from our portal.

   • Secret Access Key ID: Insert the displayed Secret Key from our portal.

4. Press the connect button

Example for DXB:

Which agent do I need?

System requirements for agents

Preparation

Linux packages

Proxy server settings

Installing protection agents

Unattended installation or uninstallation

Registering workloads manually

Autodiscovery of machines

Cyber Protect represents an all-in-one cyber protection solution that integrates backup and recovery, disaster recovery, malware prevention, security controls, remote assistance, monitoring, and reporting.

It protects your entire business and businesses of your customers through layered protection approach, an innovative combination of proactive, active, and reactive data protection technologies:

• Proactive actions, such as vulnerability assessment/patch management, predictive analysis of hard drive health based on machine learning technologies, allow you to prevent any threats to your machines.

• Active actions, such as protection against malware, self-protection, allow you to detect threats.

• Reactive actions, such as backup and recovery (on-premises and cloud), disaster recovery (on-premises and cloud), allow you to respond to any failures.

Cyber Protect provides you with one protection agent, one service console that is easy to manage, and one protection plan that covers all security and data protection aspects.

Key functionality

Cyber Protect provides the following functionality:

• Backup and recovery allows you to back up and recover physical machines, virtual machines, and applications.

• Disaster recovery allows you to protect your local environment from disasters by launching the exact copies of machines in the cloud and switching the workload to the cloud servers.

• Antimalware and web protection provides you with the top multi-layered protection based on four different antimalware technologies inside. You will also be able to manage Microsoft Security Essentials and Windows Defender Antivirus from the service console. The URL filtering functionality allows you to prevent malicious file download and block access to suspicious web resources.

Why Cyber Protection is special

Cyber Protection has the following unique features:

• Backup scanning in non-endpoint environments that ensures malware-free restores. It increases the potential of rootkits and bootkits detection and reduces loads on your machines.

• Safe recovery based on integrated antimalware scanning and malware deletion to prevent recurrence of an infection.

• Smart protection built on the basis of alarms received from Cyber Protection Operations Center (CPOC). This feature allows you to minimize business process downtime when facing issues like a malware attack, natural disaster, to reduce reaction time, and to avoid data loss.

To enable all features from the remote desktop functionality on macOS workloads, in addition to the full disk access permission, you must grant the following permissions to the Connect Agent:

• Screen Recording - enables screen recording of the macOS workload via NEAR. Until this permission is granted, all remote control connections will be denied.

• Accessibility - enables remote connections in control mode via NEAR

• Microphone - enables sound redirection from the remote macOS workload to the local workload via NEAR. To enable the sound redirection feature, a sound capture driver must be installed on the workload. For more information, see .

• Automation - enables the empty Recycle bin action

After you start the agent on the macOS workload, it will check if the agent has these rights and will ask you to grant the permissions, if needed.

To grant the Screen Recording permission

1. In the Grant required system permissions for Cyber Protect Agent dialog, click Set up system permissions.

2. In the System permissions dialog, click Request Screen Recording permission.

3. Click Open System Preferences.

4. Select Connect Agent.

If the agent does not have the permission when you try to access the workload remotely, it will show the Screen Recording permission request dialog. Only the local user may answer the dialog.

To grant the Accessibility permission

1. In the Grant required system permissions for Cyber Protect Agent dialog, click Set up system permissions.

2. In the System permissions dialog, click Request Accessibility permission.

3. Click Open System Preferences.

4. Click the lock icon in the bottom-left corner of the window so that it changes to an unlocked one. The system will ask you for an administrator password to make changes.

To grant the Microphone permission

1. In the Grant required system permissions for the Connect Agent dialog, click Set up system permissions.

2. In the System permissions dialog, click Request Microphone permission.

3. Click OK.

You must also install a sound capture driver on the macOS workload to let the agent utilize the given permission and redirect the sound of the workload. For more information, see Remote sound redirection.

To grant the Automation permission

1. In the Grant required system permissions for the Connect Agent dialog, click Set up system permissions.

2. In the System permissions dialog, click Request Automation permission.

Prerequisites

• You have a virtual router created, as described in Managing virtual routers.

• The virtual router connects the physical network with virtual networks that you want to be exposed.

• Networks that will be connected via a VPN tunnel must have non-overlapping IP ranges.

• [For Virtuozzo Hybrid Infrastructure 5.4 Update 1 and earlier versions] If a virtual machine has a floating IP address assigned to its private network interface, configure static routes of a virtual router, for the VM traffic to be routed through a VPN tunnel.

To create a VPN connection

1. On the VPN screen, click Create VPN.

2. On the Configure IKE step, specify parameters for the IKE policy that will be used to establish a VPN connection. You can choose to use an existing IKE policy or create a new one. For the new IKE policy, do the following:

   1. Specify a custom name for the IKE policy.

   2. Specify the key lifetime, in seconds, that will define the rekeying interval. The IKE key lifetime must be greater than that of the IPsec key.

When the VPN connection is created, its status will change from "Pending creation" to "Down". The connection will become active once the VPN tunnel is configured by the other VPN party and the IKE authorization is successful.

The IKE and IPsec configuration must match for both communicating parties. Otherwise, the VPN connection between them will not be established.

Virtuozzo Hybrid Infrastructure allows you to upload ISO images and templates that can be used to create VM volumes:

Please note a lot of templates are already installed and ready to be deployed right away. Check first if a OS Image is already available before creating a new one.

• An ISO image is a typical OS distribution that needs to be installed on disk. You can upload an ISO image to the compute cluster.

• A template is a ready boot volume in the QCOW2 format with an installed operating system and applications. Many OS vendors offer templates of their operating systems under the name “cloud images”. You can upload a cloud image from the OS official repository or prepare your own template in the compute cluster.

Prerequisites

• Knowledge of the supported guest operating systems listed in .

With Virtual Private Network (VPN) as a service, users can extend virtual networks across public networks, such as the Internet. To connect two or more remote endpoints, VPNs use virtual connections tunneled through physical networks. To secure VPN communication, the traffic that flows between remote endpoints is encrypted. The VPN implementation uses the Internet Key Exchange (IKE) and IP Security (IPsec) protocols to establish secure VPN connections and is based on the strongSwan IPsec solution.

VPN as a service can be used to establish a Site-to-Site VPN connection between a virtual network configured in Bamboozle Cloud and any other network with a VPN gateway that uses the IPsec and IKE protocols. With VPN as a service, you can connect the following workloads:

• On-premises workloads with workloads hosted in Bamboozle Cloud

• Workloads hosted in other clouds with workloads hosted in Bamboozle Cloud

• Workloads hosted in different Bamboozle Cloud Locations

To better understand how a VPN works, consider the following example:

• In the cluster 1, the virtual machine VM1 is connected to the virtual network privnet1 (192.168.10.0/24) via the network interface with IP address 192.168.10.10. The network privnet1 is exposed to public networks via the router router1 with the external port 10.10.10.5.

• In the cluster 2, the virtual machine VM2 is connected to the virtual network privnet2 (192.168.20.0/24) via the network interface with IP address 192.168.20.20. The network privnet2 is exposed to public networks via the router router2 with the external port 10.10.10.4.

• The VPN tunnel is created between the routers router1 and router2 that serve as VPN gateways, thus allowing mutual connectivity between the networks privnet1 and privnet2.

For key exchange between communicating parties, two IKE versions are available: IKE version 1 (IKEv1) and IKE version 2 (IKEv2). IKEv2 is the latest version of the IKE protocol and it supports connecting multiple remote subnets.

In the example above:

• VPN1 uses the IKEv1 and connects the network network1 with the network3.

• VPN2 uses the IKEv2 and connects the network network2 with the two networks network4 and network5.

Limitations

• Currently, we support only Site-to-Site VPN connections. Point-to-Site VPN connections are not supported.

After a VPN connection is created, you can change its endpoint groups and VPN settings at any time.

Limitations

• You cannot change the virtual router and security policies used to establish a VPN connection.

Prerequisites

• A VPN connection is created, as described in .

To edit a VPN connection

1. On the VPN screen, click a VPN connection to modify.

2. On the connection right pane, click Edit.

3. In the Edit VPN window, configure local and remote endpoints, if required, and then click Next.

4. On the next step, change VPN parameters such as the VPN connection name, peer IP address, and PSK key. If necessary, you can also configure additional settings by selecting Advanced settings and editing the required parameters.

After you update the connection parameters, its status will change to "Down". The connection will re-initiate once the parameters are similarly updated by the other VPN party.

The IKE and IPsec configuration must match for both communicating parties. Otherwise, the VPN connection between them will not be established.

To create multiple VMs with the same boot volume, you can create a template from an existing boot volume and deploy VMs from it.

Prerequisites

• Linux virtual machines have cloud-Init installed, as described in Preparing Linux templates.

• Windows virtual machines have Cloudbase-Init and OpenSSH Server installed, as described in .

• Logging is enabled inside a virtual machine, as instructed in .

To create a template from a boot volume

1. Power off the VM that the original volume is attached to.

2. Switch to the Volumes screen, click volume’s ellipsis button and select Create image.

3. In the Create image window, enter an image name, and then click Create

The new image will appear on the Images screen.

You can add new volumes to your virtual machines, attach existing volumes, and detach unneeded volumes from virtual machines.

Limitations

• You cannot change, detach, or delete the boot volume.

• You can only attach and detach non-boot volumes.

You can modify security groups by adding and removing rules. Editing rules is not available. If you need to change the existing rule, remove it and recreate with the required parameters.

Prerequisites

• You have a security group created, as described in .

On the Select components screen, define the account under which the services will run by specifying Logon account for the agent service. You can select one of the following:

• Use Service User Accounts (default for the agent service)

  Service User Accounts are Windows system accounts that are used to run services. The advantage of this setting is that the domain security policies do not affect these accounts' user rights. By default, the agent runs under the Local System account.

• Create a new account

  The account name will be Agent User for the agent.

Prerequisites

• You have a network that will interconnect the Kubernetes master and worker nodes. It can be either a shared physical network or a virtual network linked to a physical one via a virtual router. The virtual network needs to have a gateway and a DNS server specified.

To upload an image

1. On the Images screen, click Add image.

2. In the Add image window, do the following:

1. Create a compute volume from the vz-guest-tools-win or vz-guest-tools-lin image, depending on the VM operating system:

   1. On the Images screen, click the vz-guest-tools-win or vz-guest-tools-lin image.

   2. On the image right pane, click Create volume.

You can save the current state of a VM file system or user data by creating a snapshot of a volume. A snapshot of a boot volume may be useful, for example, before updating VM software. If anything goes wrong, you will be able to revert the VM to a working state at any time. A snapshot of a data volume can be used for backing up user data and testing purposes.

Prerequisites

• To create a consistent snapshot of a running VM’s volume, the guest tools must be installed in the VM, as described in . The QEMU guest agent included in the guest tools image automatically quiesces the filesystem during snapshotting.

If you find out that the guest tools are incompatible with some software inside a virtual machine, you can uninstall them by doing the following:

• Inside a Windows VM:

  1. Remove the QEMU device drivers from the device manager.

     Do not remove the VirtIO/SCSI hard disk driver and NetKVM network driver. Without the former, the VM will not boot; without the latter, the VM will lose network connectivity.

If a virtual machine fails to deploy

Review the error message on the VM right pane. One of the possible root causes is that compute nodes lack free RAM or CPU resources to host the VM.

If a virtual machine is in the error state

Examine the VM history in the History tab on the VM right pane. The event log will contain all of the VM management operations performed by users in the user or command-line interface. You can expand each log entry to view operation details by clicking the arrow icon next to it. The details include the operation name, date and time, status, initiator, and request ID.

If a virtual machine is stuck in a failed or transitional state

Reset the VM to its last stable state: active, shut down or shelved:

How Load Balancers pricing works

The Load Balancer service is charged per load balancing service unit. You can run more than one Load Balancer. Charges accrue hourly for as long as the Load Balancer exists.

Included

IP Address. Each Load Balancer comes with a free public IPv4 address.

You can change amount of CPU and RAM resources used by a virtual machine by applying another flavor to it. To be able to resize a running VM, you need to enable CPU and RAM hot plug for it first. You can change the hot plug settings for both new and existing VMs.

A running virtual machine has a resize limit, which defines the maximum number of vCPUs and the maximum amount of RAM you can allocate to the VM. The resize limit on vCPUs is static and equal to 64 for all VMs. The resize limit on RAM, on the contrary, is dynamic and depends on the amount of RAM a running VM is currently using. This limit is updated on a VM startup, and its values are listed in the table below.

For example, you can resize a running VM with a flavor that has 16 GiB to a flavor with 256 GiB in two iterations:

1. Resize the VM to a flavor with 64 GiB.

2. Restart the VM to update the RAM size limit.

3. Resize the VM to a flavor with 256 GiB.

Limitations

• You cannot change the flavor for shelved VMs. To resize such a VM, unshelve it first.

• You cannot decrease the number of CPUs and the amount of RAM for running VMs.

• [For all Linux guests] If a VM has no guest tools installed, new cores may be offline after CPU hot plugging

Prerequisites

• Before changing a flavor, ensure that the node hosting the VM has at least as much free CPU and RAM resources as the new VM size. For example, to resize a VM to the large flavor, the host must have at least 4 vCPUs and 8 GiB of RAM free.

• CPU and RAM hot plug is enabled by the system administrator.

• Before resizing a running VM, ensure that the guest operating system supports CPU and RAM hot plug (refer to ). Note that otherwise the guest operating system may become unstable after a resize. To increase CPU or RAM resources for such a guest operating system, you need to stop the virtual machine first.

To enable or disable CPU and RAM hot plug for a virtual machine

1. On the Virtual machines screen, ensure that the required virtual machine in the "Shut down" state, and then click it.

2. On the Overview tab, click the pencil icon in the CPU and RAM hot plug field.

   If you do not see this field, CPU and RAM hot plug is disabled in your project. To enable it, contact your system administrator.

3. Select or clear the Enable hot plug check box, and then click the tick icon to save the changes.

With CPU and RAM hot plug enabled, you can change the flavor of a running VM.

To change the virtual machine flavor

1. On the Virtual machines screen, click the required virtual machine.

2. On the Overview tab, click the pencil icon in the Flavor field.

3. In the Flavor window, select a new flavor, and then click Done.

Prerequisites

Download the agent that you need on the workload that you plan to protect. See Downloading protection agents.

To install Agent for Windows

1. Ensure that the machine is connected to the Internet.

2. Log on as an administrator and start the installer.

3. [Optional] Click Customize installation settings and make the appropriate changes if you want:

   • To change the components to install (for example, to disable the installation of Cyber Protection Monitor or the Command-Line Tool, or to install the Agent for Antimalware protection and URL filtering).

For Windows workloads protected by agent version 15.0.26986 (released in May 2021) or later, the following components are installed dynamically – that is, only when required by a protection plan:

• Agent for Antimalware protection and URL filtering – required for the operation of the antimalware protection and URL filtering features.

• Agent for Data Loss Prevention – required for the operation of the device control features.

• Acronis Cyber Protection Service - required for the operation of the antimalware protection.

By default, these components are not installed. The respective component is automatically installed if a workload becomes protected by a plan in which any of the following modules is enabled:

• Antivirus & Antimalware protection

• URL filtering

• Device control

Similarly, if no protection plan requires antimalware protection, URL filtering, or device control features anymore, the respective component is automatically uninstalled.

Dynamic installation or uninstallation of components takes up to 10 minutes after you change the protection plan. However, if any of the following operations are running, dynamic installation or uninstallation will start after this operation finishes:

• Backup

• Recovery

• Backup replication

• Virtual machine replication

Prerequisites

Download the agent that you need on the workload that you plan to protect. See Downloading protection agents.

To install Agent for Mac (x64 or ARM64)

1. Ensure that the machine is connected to the Internet.

2. Double-click the installation file (.dmg).

3. Wait while the operating system mounts the installation disk image.

4. Double-click Install.

5. If a proxy server is enabled in your network, click Protection Agent in the menu bar, click Proxy server settings, and then specify the proxy server host name/IP address, port, and credentials.

6. If prompted, provide administrator credentials.

7. Click Continue.

8. Wait until the registration screen appears.

9. Do one of the following:

   • If you log in under a company administrator account, register workloads for your company:

     1. Click Register workload.

10. [If the agent is registered under an account whose tenant is in the Enhanced security mode] Set the encryption password.

11. If your macOS version is Mojave 10.14.x or later, grant full disk access to the protection agent to enable backup operations.

    For instructions, see Grant the 'Full Disk Access' permission to the Cyber Protection agent (64657).

12. To use the remote desktop functionality, grant the required system permissions to the Connect Agent. For more information, see Granting the required system permissions to the Connect Agent.

Two-factor authentication provides extra protection from unauthorized access to your account. When two-factor authentication is set up, you are required to enter your password (the first factor) and a one-time code (the second factor) to log in to the service console. The one-time code is generated by a special application that must be installed on your mobile phone or another device that belongs to you. Even if someone finds out your login and password, they still will not be able to login without access to your second-factor device.

The one-time code to configure two-factor authentication for your account is generated based on the device's current time and the secret provided by the Cyber Protection service as the QR code or alphanumeric code. During the first login, you need to enter this secret to the authentication application.

To set up two-factor authentication for your account

You can and must configure two-factor authentication for your account when two-factor authentication has been enabled by an administrator for your organization. If two-factor authentication has been enabled while you are logged in to the Cyber Protection service console, you will have to configure it when your current session expires.

Prerequisites:

• Two-factor authentication is enabled for your organization.

• You are logged out of the Cyber Protection service console.

1. Choose a second-factor device.

   Most commonly it is a mobile phone, but you can also use a tablet, laptop, or desktop.

2. Ensure that the device time settings are correct and reflect the actual current time, and that the device locks itself after a period of inactivity.

3. Install the authentication application on the device. The recommended applications are Google Authenticator or Microsoft Authenticator.

When logging in the next time, you can select the checkbox Trust this browser.... If you do this, the one-time code will not be required when you log in by using this browser on this machine.

What if...

...I lost the second-factor device?

If you have a trusted browser, you will be able to log in by using this browser. Nevertheless, when you have a new device, repeat steps 1-3 and 6-7 of the above procedure by using the new device and the saved QR code or alphanumeric code.

If you have not saved the code, ask the administrator or service provider to reset the two-factor authentication for your account, and then repeat steps 1-3 and 6-7 of the above procedure by using the new device.

...I want to change the second-factor device?

When logging in, click the Reset two-factor authentication settings link, confirm the operation by entering the one-time code, and then repeat the above procedure by using the new device.

Infrastructure security is the foundation of maintaining secure cloud and server infrastructure. This includes the physical data center security, networking components, and virtualization infrastructure. Bamboozle's infrastructure is continually maintained following internationally recognized security controls. Our infrastructure is monitored 24/7/365 and undergo third-party audits as well targeted testing annually. For physical security, each of our data center colocation providers maintain industry-recognized certifications and our networks are MANRS certified.

Networking

Bamboozle networks are collections of servers connected by wires provided by multiple Internet Service Providers (ISP). We develop, document, and maintain a current baseline for all machines and network device hardware. The following list is an example of controls we maintain for network security:

• Update the baseline configuration for network devices at least annually or when a significant change occurs.

• Use the least privilege method when provisioning infrastructure components. Any unnecessary ports or protocols are disabled. Network scanning is performed to validate that any ports or protocols are in use as defined.

• Use industry standard transport protocols such as TLS between devices and Bamboozle data centers, and within data centers themselves.

• Employ a defense in-depth strategy for boundary protection, including secure segmentation of network environments through several methods including VLAN segmentation, ACL restrictions, and encrypted communications for remote connectivity.

• Define, implement and evaluate processes, procedures, and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.

Servers

Bamboozle servers are hardware connected by a network housed in a data center. Every Bamboozle data center implements controls that ensure physical access to the facilities, backup data, and other system components such as virtual systems and servers is restricted. The following list is an example of controls Bamboozle and its data centers maintain for server security:

• Biometric, proximity card, and/or personal identification number (PIN) reader systems (varies by data center facility) used to restrict data center access to only those individuals provisioned with access; the systems are also used to monitor, log, and notify personnel of physical security alarms.

• Maintain monitoring mechanisms over infrastructure to check server performance, data, traffic, and load capacity.

• Detect and route issues experienced by hosts in real time and employ orchestration tooling that has the ability to regenerate hosts.

Storage

Bamboozle storage is the physical disk on the server that runs your Droplet. These devices are encrypted at rest based on industry standards. Our storage devices have the same physical security protections as our servers. The following list is an example of additional controls Bamboozle maintains for storage security:

• Bamboozle's asset inventory includes serial number tracking for servers, disks, and other assets necessary to provide infrastructure for customers.

• Where full disk encryption is used, logical access is managed by FileVault for MacOS and BitLocker for Windows operating systems; Linux encryption occurs during the operating system build, alternatively the home directory is encrypted.

• In-scope systems are configured to require at least one of the following authentication requirements:

Virtualization

Cloud hosting environments are broken down into two main parts: the virtual servers that apps and websites can be hosted on, and the physical hosts that manage the virtual servers.

Virtualization makes cloud hosting possible: the relationship between host and virtual server provides flexibility and scaling that are not available through other hosting methods. Virtualization allows multiple Bamboozle customers to host their products on the same disk with inherent logical separation. The following list is an example of security measures we maintain for securing your virtualized instance:

• Initial permission definitions, and changes to permissions, associated with logical access roles of production-impacting systems are approved by authorized personnel.

• We maintain device configuration policies on security requirements for the configuration and management of devices connecting to corporate services. The policies also apply to infrastructure and virtual instances.

• Customer environments are isolated using numerous mechanisms, technologies, policies, processes, and architectural elements. Customer tenants and Virtual Machine deployments are kept logically separated. Customer data may be encrypted in-transit and at-rest through configurable and standards-based providers using a variety of protocols.

Prerequisites

• You have a guest OS source prepared, as described in .

• One or more compute networks are created by using the instructions in

Prerequisites

• Virtual machines are created, as described in .

• To be able to connect via SSH, the virtual machine must have cloud-init and OpenSSH installed.

If a VM experiences boot problems, you can send it to the rescue mode to access its boot volume. When a VM in the “Active” state is sent to the rescue mode, it is shut down softly first. Once the VM is in the rescue mode, you can connect to it via SSH or via the console. Its previous boot disk is now attached as a secondary one. You can mount the disk and repair it.

Limitations

• The rescue mode can use ISO images for booting both Linux and Windows virtual machines and QCOW2 images (templates) for booting Linux VMs.

• You can send a VM to the rescue mode only if its current status is “Active” or “Shut down”.

Windows guests have neither Cloudbase-Init nor OpenSSH Server preinstalled by default. You need to install and configure them manually.

To install Cloudbase-Init and OpenSSH Server inside a Windows virtual machine

1. Log in to a Windows VM.

2. Create a new administrator account that will be used for SSH connections and log in with it.

3. To install and configure OpenSSH Server:

   1. Run Windows PowerShell with administrator privileges and set the execution policy to unrestricted to be able to run scripts:

   2. Download OpenSSH Server (for example, from the ), extract the archive into the C:\Program Files directory, and then install it by running:

4. Download Cloudbase-Init from , and then install it by following the procedure from the Installation section at .

   1. The password for the user specified during the Cloudbase-Init installation will be reset on the next VM startup. If this user does not exist, a new user account will be created. You will be able to log in with this account by using the key authentication method or you can set a new password with a customization script. If there are multiple Windows users at the image preparation time, the passwords for other users will not be changed.

   2. When the Cloudbase-Init installation is complete, do not select the option to run Sysprep before clicking Finish. Otherwise, you will not be able to modify cloudbase-init.conf.

5. Run Windows PowerShell with administrator privileges and open the file C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf:

   Add metadata_services and plugins on two lines:

   Make sure to remove all backslashes in the lines above.

   Save the changes.

Prerequisites

• Download the agent that you need on the machine that you plan to protect. See Downloading protection agents.

• To install Agent for Linux, you need at least 2 GB of free disk space.

To install Agent for Linux

1. Ensure that the machine is connected to the Internet.

2. As the root user, navigate to directory with the installation file, make the file executable, and then run it.

   If a proxy server is enabled in your network, when running the installation file, specify the server host name/IP address and port in the following format: --http-proxy-host=ADDRESS --http-proxy-port=PORT --http-proxy-login=LOGIN --http-proxy-password=PASSWORD.

   If you want to change the default method of registering the machine in the Cyber Protection service, run the installation file with one of the following parameters:

3. Select the check boxes for the agents that you want to install. The following agents are available:

   • Agent for Linux

   • Agent for Virtuozzo

   • Agent for Oracle
4. If you kept the default registration method in step 2, proceed to the next step. Otherwise, enter the user name and password for the Cyber Protection service, or wait until the machine will be registered by using the token.

5. Do one of the following:

   • If you log in under a company administrator account, register workloads for your company:

     1. Click Register workload.

6. [If the agent is registered under an account whose tenant is in the Enhanced security mode] Set the encryption password.

7. If the UEFI Secure Boot is enabled on the machine, you are informed that you need to restart the system after the installation. Be sure to remember what password (the one of the root user or "acronis") should be used.

   The installation generates a new key that is used for signing the kernel modules. You must enroll this new key to the Machine Owner Key (MOK) list by restarting the machine. Without enrolling the new key, your agent will not be operational. If you enable the UEFI Secure Boot after the agent is installed, you need to reinstall the agent.

8. After the installation completes, do one of the following:

   • Click Restart, if you were prompted to restart the system in the previous step.

     During the system restart, opt for MOK (Machine Owner Key) management, choose Enroll MOK, and then enroll the key by using the password recommended in the previous step.

   • Otherwise, click Exit.

Troubleshooting information is provided in the file: /usr/lib/Acronis/BackupAndRecovery/HOWTO.INSTALL

Step 1

Choose an agent, depending on what you are going to back up. For more information on the possible choices, refer to Which agent do I need?

Step 2

Ensure that there is enough free space on your hard drive to install an agent. For detailed information about the required space, refer to .

Step 3

Download the setup program. To find the download links, click All devices > Add.

The Add devices page provides web installers for each agent that is installed in Windows. A web installer is a small executable file that downloads the main setup program from the Internet and saves it as a temporary file. This file is deleted immediately after the installation.

If you want to store the setup programs locally, download a package containing all agents for installation in Windows by using the link at the bottom of the Add devices page. Both 32-bit and 64-bit packages are available. These packages enable you to customize the list of components to install. These packages also enable unattended installation, for example, via Group Policy. This advanced scenario is described in Deploying agents through Group Policy.

To download the setup program for Agent for Microsoft 365, click the account icon in the top-right corner, and then click Downloads > Agent for Microsoft 365.

Installation in Linux and macOS is performed from ordinary setup programs.

All setup programs require an Internet connection to register the machine in the Cyber Protection service. If there is no Internet connection, the installation will fail.

Step 4

Cyber Protect features require Microsoft Visual C++ 2017 Redistributable. Please ensure that it is already installed on your machine or install it before installing the agent. After the installation of Microsoft Visual C++, a restart may be required. You can find the Microsoft Visual C++ Redistributable package here .

Step 5

Verify that your firewalls and other components of your network security system (such as a proxy sever) allow outbound connections through the following TCP ports.

• Ports 443 and 8443

  These ports are used for accessing the service console, registering the agents, downloading the certificates, user authorization, and downloading files from the cloud storage.

• Ports in the range 7770 – 7800

  The agents use these ports to communicate with the management server.

• Ports 44445 and 55556

If a proxy server is enabled in your network, refer to Proxy server settings to understand whether you need to configure these settings on each machine that runs a protection agent.

The minimum Internet connection speed required for managing an agent from the cloud is 1 Mbit/s (not to be confused with the data transfer rate acceptable for backing up to the cloud). Consider this if you use a low-bandwidth connection technology such as ADSL.

TCP ports required for backup and replication of VMware virtual machines

• Port 443

  Agent for VMware (both Windows and Virtual Appliance) connects to this port on the ESXi host/vCenter server to perform VM management operations, such as create, update, and delete VMs on vSphere during backup, recovery, and VM replication operations.

• Port 902

  Agent for VMware (both Windows and Virtual Appliance) connects to this port on the ESXi host to establish NFC connections to read/write data on VM disks during backup, recovery, and VM replication operations.

Ports required by the Downloader component

The Downloader component is responsible for delivering updates to a computer and distributing them to other Downloader instances. It can run in agent mode which turns its computer into Downloader agent. The Downloader agent downloads updates from the internet and serves as the source of updates distribution to other computers. The Downloader requires the following ports to operate.

• Port 6888

  Used by the BitTorrent protocol for torrent peer-to-peer updates.

• Port 6771

  Used as the local peer discovery port. Also takes part in peer-to-peer updates.

• Port 18018

  Used for communication between updaters working in different modes: Updater and UpdaterAgent.

Step 6

On the machine where you plan to install the protection agent, verify that the following local ports are not in use by other processes.

• 127.0.0.1:9999

• 127.0.0.1:43234

• 127.0.0.1:9850

The Active Protection service is listening at TCP port 6110. Verify that it is not in use by another process.

Changing the ports used by the protection agent

Some of the ports required by the protection agent might be in use by other applications in your environment. To avoid conflicts, you can change the default ports used by the protection agent by modifying the following files.

• In Linux: /opt/Acronis/etc/aakore.yaml

• In Windows: \ProgramData\Acronis\Agent\etc\aakore.yaml

What is Bamboozle's commitment to my data?

We want to make the Internet a safer place for everyone to live, work, and prosper. We believe in holding ourselves accountable to maintaining the trust of our customers and only collecting the data necessary to serve our customers.

What data do you collect about me?

We collect self-reported data, which is data you voluntarily provide so we can provide our service. Self-reported data includes account data such as email address, provided name, and billing information. This also includes customer-provided user preferences and the information in support tickets.

We also receive data from third parties about you and collect data when you interact with our service. Depending on how you use our products and services, interaction data may include things like internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, clickstream data, landing page, and referring URL.

More information about data we collect can be found in our .

How does DO protect my payment card information?

If you use a credit or debit card as your payment method, we process your payments through a third party payment processor, which stores and maintains your complete payment information on our behalf. We do not store your complete payment card number ourselves.

How do you use the data you collect?

Different data has different uses. We believe our covers a lot of the details for specific data types but to summarize, we use the data we collect to provide you with the best experience possible. We use data to improve our product and market new products we think you will enjoy. We believe that all data use should provide you with value and we are committed everyday to balancing our data collection practices with your privacy in mind.

What access does Bamboozle have to the data I store?

Employees do not have access to the content of your Virtual or Dedicated Servers unless you give us permission for support, we are required to access them as part of an active abuse or fraud investigation or where access is necessary to comply with a valid legal process.

How can I show Bamboozle’s commitment to trust to my customers?

Please share the link to our Security Information with your customers. We are working on building out more assets in this space to actually prove our commitment to protecting your trust. We believe that being transparent about how we secure Bamboozle and your data is more valuable than third-party compliance certifications. However, we understand that at times auditors and third parties are interested in these certifications.

We have a dedicated Certifications Report page for these types of requests. If you have any specific questions that are not answered, please contact your account manager.

What specific privacy regulations does Bamboozle comply with?

We believe in the right to privacy for all of our customers. However, we do provide specific disclosures regarding how we comply with . For any specific questions, please reach out to .

How does Bamboozle help me secure my infrastructure network?

We love a free and open internet at Bamboozle, and we also accept that means the internet can be a bit of a mixed bag. Hanging a server onto the internet with a public-facing IP means within seconds, bots, brute-forcers, and stressors may happen.

We suggest these resources to help protect your server:

• Add SSH keys when you create new Virtual Server or Dedicated Server or add SSH keys to existing VMs or Servers..

• Add a firewall

• Have multiple VMs that only need to talk to each other? Use our Virtual Private Networks.

How does Bamboozle share the responsibility of securing my data?

For our Infrastructure as a Service products, we secure the system and the network your service runs on, inclusive of the management control plane.

If you are someone who uses our PaaS products, we extend our responsibility for security of those platforms further up-stack. Secure configurations, access, and patching are all part of the as-a-Service model for these products.

We’ll regularly communicate with you on major security mitigations throughout our fleet, such as those for processor class vulnerabilities.

What is my responsibility when it comes to securing my infrastructure on Bamboozle?

The data you store is always yours to own and secure. We provide guidance and a handful of technologies on our platform for you to secure your instances. As we release new security functionality, we’ll update you in the Trust & Security section of our blog.

How does Bamboozle secure the management “backend” network and virtualization environment?

Tight role-based access, two-factor authentication, secure network zones and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader “zero-trust” model for access to resources within our environment.

Will Bamboozle take down my infrastructure without warning?

Although there are many reasons that we may need to alter or disable portions of our infrastructure, such as to maintain the integrity of our systems in an emergency, we do not typically take down customers’ infrastructure without warning under normal circumstances. However, our customers are sometimes targeted by malicious actors in ways outside of our control. For all our well-intended customers and community members whose VMs or Servers might have been compromised and started doing illegal or harmful things on the internet, you may have your network interface shut down until you’re ready to recover and address the issue. In these cases, we’ll send you an email immediately upon shutting off the network interface and walk you through recovery. We always recommend employing best practices to secure your services, and more resources on this topic can be found in the Trust & Security section of our blog.

The dark side of the internet does exist, and there are those looking to harm others or defraud companies like us. It is a tricky balance to maintain and everyday we strive to keep the Internet a safer place for everyone.

How do I responsibly share a vulnerability?

We strive to create a safe, resilient environment where our customers and community can innovate with confidence. While we do a lot of things to make sure our environment is safe, we can make mistakes. When we do, we want you to let us know!

If you have discovered a vulnerability, please report it! We partner with HackerOne to run a public vulnerability disclosure program. We will not take legal action against nor ask law enforcement to investigate researchers who reach out and work with us in good faith, including:

• Sharing the full details of the issue with us

• Making a good faith effort to avoid violating our customers’ (or our) privacy, destroying data, and interrupting or degrading our services

How does Bamboozle secure the data centers?

Bamboozle is committed to working with third-party data center providers that maintain industry-leading access control, including video surveillance, security, access lists, and exit procedures. We regularly audit our data centers to meet our regulatory requirements and validate proper implementation of our security requirements.

Only the x64 architecture is supported.

Windows

Besides basic Amazon S3 operations like GET, PUT, COPY, DELETE, the Bamboozle Object Storage implementation of the Amazon S3 protocol supports the following features:

• Multipart upload

• Access control lists (ACLs)

• Versioning

How Compute pricing works

Compute pricing is based on the underlying required and optional Compute-related resources.