VPC API change log

For all version dates

Reservations for bare metal servers. You can now purchase a capacity reservation for a specified bare metal server profile in a specified zone. Reservations provide resources for future deployments and cost savings over the life of the term within the availability zone of your choice.

When creating or updating a reservation, specify the capacity.total and committed_use.term properties to use for this reservation. Optionally specify the committed_use.expiration_policy property to apply when the committed use term expires (default: release). Specify the profile.name and profile.resource_type properties of the profile, and the zone property to use for this reservation. After you confirm the reservation is configured the way you want it, you must activate the reservation. The reservation cannot be deleted until the committed use term expires. To provision a bare metal server using a reservation's capacity, specify the reservation using the reservation_affinity.pool property when creating the bare metal server. You can also update a bare metal server that's been provisioned to associate it with a reservation.

When retrieving a bare metal server, the new reservation_affinity property indicates the reservation affinity policy in effect for the bare metal server. The new health_state property indicates the bare metal server's overall health state, while an accompanying health_reasons property indicates the reason for any unhealthy health states, such as a failed reservation.

For more information, see Provisioning reserved capacity for VPC.

Reservation automatic attachment support. You can now automatically attach a reservation when creating an instance or creating a bare metal server. Additionally, when updating an instance or updating a bare metal server, you can change the reservation_affinity.policy to automatic for the instance or bare metal server to automatically attach to available reserved capacity.

When creating a reservation, you can now specify an affinity_policy of restricted to prevent the policy from being used for automatic attachments. Similarly, while a reservation's status is inactive, you can update a reservation to be restricted.

For more information, see Automatic attachments for reservations.

For version 2024-11-19 or later

Reservation affinity policy default. When using a version query parameter of 2024-11-19 or later, the reservation_affinity.policy defaults to automatic when creating a reservation. Similarly, when using a version query parameter of 2024-11-19 or later, the reservation_affinity.policy defaults to automatic when creating an instance or creating a bare metal server. The behavior remains unchanged when using a version query parameter of 2024-11-18 or earlier.

For all version dates

Private Path network load balancers. You can now create a Private Path network load balancer to enable and manage private connectivity for consumers of a hosted service. When creating a load balancer, you can specify the new is_private_path property value as true to create a Private Path network load balancer.

Load balancer schema enhancements for Private Path network load balancers. The Private Path network load balancer includes a new load balancer profile network-private-path, along with the following new load balancer and load balancer profile properties:

• source_ip_session_persistence_supported indicates whether a load balancer supports source IP session persistence. Source IP session persistence is not supported by Private Path network load balancers.
• availability indicates the availability of a load balancer. Load balancers with subnet availability remain available if at least one of its subnets is in a zone that's available. Load balancers with region availability remain available if at least one zone in the region is available. Private Path network load balancers have region availability. Other load balancers have subnet availability.

The value for load balancer profiles properties route_mode_supported, security_groups_supported, udp_supported, and logging_supported is set to false for Private Path load balancers. Additionally, Private Path load balancers do not support setting or updating the dns property, because Private Path network load balancers are accessed using endpoint gateways where DNS is configured.

Private Path service gateways. You can now create a Private Path service gateway to provide cross-account connectivity to the Private Path network load balancers that front your services. Consumers access your services by targeting their endpoint gateways at your Private Path service gateways. You can also update, publish, unpublish and delete Private Path service gateways. Private Path service gateways also have two child resources:

• Account policies provide per-account access policies that supersede the Private Path service gateway's default access policy. You can create, update, and delete policies to permit, deny, or manually review requests from any account. You can also revoke current and future access for an account. For more information, see About account policies.

• Endpoint gateway bindings are created for each endpoint gateway targeting the Private Path service gateway. The access policy for the endpoint gateway's account is applied to all new endpoint gateway bindings. If an account policy doesn't exist, the Private Path service gateway's default_access_policy is used. If the resulting policy is review, you must explicitly permit or deny the request, and optionally set a new policy for future requests from the account.

Learn about Creating Private Path service gateways, and explore the new API methods.

Load balancer PUT response code change. When replacing load balancer pool members, the response will now return an HTTP status code of 200 on success, instead of 202. This change applies to all API versions.

This release introduces the following updates for accounts that have been granted special approval to preview and use these features. Although usage of these features is restricted, changes to schemas (such as new properties) will be visible to all accounts.

NVIDIA Hopper HGX H100 instance profiles. When creating an instance, a new gx3d-160x1792x8h100 instance profile is available in select zones. This profile provides 8 NVIDIA H100 GPUs that are tuned for AI workloads, such as inferencing, fine tuning, and large-scale training. For details, see Accelerated profile family - Gen 3.

Cluster networks. Cluster networks provide high-bandwidth, low-latency networking for workloads such as AI training and large-scale simulations. You can now create cluster networks using a cluster network profile, which defines the cluster network performance characteristics and capabilities. The H100 cluster network profile is the first cluster network profile being introduced. It provides a specialized network that implements the RoCEv2 protocol to enable remote direct memory access for your workloads that are running on the gx3d-160x1792x8h100 instance profile.

When creating an instance using a supported cluster profile, you can specify the new cluster_network_attachments property to connect the virtual server instance to your cluster network. Alternatively, you can create cluster network attachments on an existing instance that is in a stopping or stopped state. Additionally, when creating an instance template you can specify cluster_network_attachments.

Instance profile schema changes. When retrieving and listing instance profiles, the response includes the following new properties:

• cluster_network_attachment_count specifies the number of cluster network attachments supported for that instance profile.
• supported_cluster_network_profiles indicates the cluster network profiles that are supported for that instance profile.

Learn about cluster networks, cluster network subnets, cluster network interfaces, and explore the new API methods. See also Known issues and limitations for cluster networks for information about Activity Tracker events and setting a cluster network reserved IP's auto_delete property.

For all version dates

File share replication frequency increase. When creating or updating a replication file share, you can now set the replication schedule as often as every 15 minutes by setting the replication_cron_spec property. The previous minimum threshold was 1 hour. For more information, see About file share replication.

For all version dates

Distributing traffic across tunnels of route-based VPN gateway connections. You can now distribute traffic across tunnels with a status of up in a route-based VPN gateway connection. When creating or updating a route-based VPN gateway connection, set the distribute_traffic property to true (default is false). Existing connections will have the distribute_traffic property set to false. The distribute_traffic property is now included in the VPNGatewayConnection schema used in responses, for example when retrieving a VPN gateway connection. For more information, see Distributing traffic for a route-based VPN.

For all version dates

Private Path network load balancers. Accounts that have been granted special approval to preview this feature can now create a Private Path network load balancer to enable and manage private connectivity for consumers of a hosted service. When creating a load balancer, you can specify the new is_private_path property value as true to create a Private Path network load balancer.

Load balancer schema enhancements for Private Path network load balancers. The Private Path network load balancer includes a new load balancer profile network-private-path, along with the following new load balancer and load balancer profile properties:

• source_ip_session_persistence_supported indicates whether a load balancer supports source IP session persistence. Source IP session persistence is not supported by Private Path network load balancers.
• availability indicates the availability of a load balancer. Load balancers with subnet availability remain available if at least one of its subnets is in a zone that's available. Load balancers with region availability remain available if at least one zone in the region is available. Private Path network load balancers have region availability. Other load balancers have subnet availability.

The value for load balancer profiles properties route_mode_supported, security_groups_supported, udp_supported, and logging_supported is set to false for Private Path load balancers. Additionally, Private Path load balancers do not support setting or updating the dns property, because Private Path network load balancers are accessed using endpoint gateways where DNS is configured.

Private Path service gateways. Accounts that have been granted special approval to preview this feature can now create a private path service gateway. Creating, updating, publishing, unpublishing and deleting Private Path service gateways provide cross-account connectivity to the Private Path network load balancers fronting your services. Consumers access your services by targeting their endpoint gateways at your Private Path service gateways. Private Path service gateways also have two child resources:

• Account policies provide per-account access policies that supersede the Private Path service gateway's default access policy. You can create, update, and delete policies to permit, deny, or manually review requests from any account. You can also revoke current and future access for an account. For more information, see About account policies.

• Endpoint gateway bindings are created for each endpoint gateway targeting the Private Path service gateway. The access policy for the endpoint gateway's account is applied to all new endpoint gateway bindings. If an account policy doesn't exist, the Private Path service gateway's default_access_policy is used. If the resulting policy is review, you must explicitly permit or deny the request, and optionally set a new policy for future requests from the account.

Learn about Creating Private Path service gateways, and explore the new API methods.

This feature is now generally available. See the "Private Path network load balancer" announcement on 12 November 2024.

CRNs for VPC routing tables. VPC routing tables now support the crn property as an identifier. As a result, the RoutingTable, RoutingTableReference and RoutingTableIdentity schemas now include a crn property. All operations that use these schemas have been updated. For operations where the response contains a routing table or a reference to a routing table, for example creating a routing table, retrieving a routing table or retrieving a VPC's default routing table, the crn property is now included. When replacing the routing table for a subnet, for example, you can now optionally specify the routing table by its crn property.

Now that all VPC routing tables have a CRN, you can tag routing tables to control access, as well as search for VPC routing tables using tags.

For all version dates

Sharing snapshots across accounts. You can now use cross-account authorization in Identity and Access Management (IAM) to share a snapshot CRN with a target IBM account. Sharing allows that account to create a block storage volume from the shared snapshot. When creating a volume, users who have been authorized within the target account can specify the source_snapshot.crn property with the CRN of the snapshot. When listing volumes or retrieving a volume, the response includes source_snapshot.remote.account if the snapshot is from a different account.

For more information, see Sharing a snapshot with another account and Restoring a volume from a snapshot.

Block storage defined_performance family. For accounts that have been granted special approval to preview this feature, a new defined_performance family is introduced for data and boot volumes. This family initially contains the new sdp profile, which provides similar functionality to the existing custom volume profile. The sdp profile introduces the ability to increase capacity and change IOPS to volumes, even when those volumes are not attached to a virtual server instance. To make use of these capabilities in your automation, refer to Block storage schema enhancements for adjustable capacity and IOPS.

For more information, see About Block Storage for VPC, Block Storage for VPC profiles, Creating Block Storage for VPC volumes, and Viewing available volume profiles.

Block storage schema enhancements for adjustable capacity and IOPS. When listing and retrieving a volume profile, the new adjustable_capacity_states, adjustable_iops_states, boot_capacity, capacity, and iops properties indicate the capacity and IOPS capabilities of the volume profile. While the capabilities of existing profiles are unchanged, accounts with access to the defined_performance profile family can use these properties in automation to robustly use the new capabilities. Similarly, when listing, and retrieving a volume, the new adjustable_capacity_states and adjustable_iops_states properties indicate the adjustable capacity and IOPS capabilities of the volume.

For all version dates

Zone universal names. Unique identifiers for IBM Cloud zones are now available in the Geography API methods. When retrieving a zone and listing zones in a region, new properties universal_name and data_center are included in the response. A zone's universal_name is a persistent identifier of the zone, irrespective of the IBM Cloud account's logical zone name mapping. The data_center property denotes the primary physical data center where the logical zone is hosted. This property lets you connect your VPC resources to your resources in IBM Classic data centers. If the data_center property is absent from the response, no physical data center has been assigned.

The response may also include a new zone status property value of unassigned, which indicates that the IBM Cloud account's zone mapping has not yet been assigned. For more information, see the overview Region and data center locations for resource deployment.

For all version dates

Bare metal server reinitialization. You can now reinitialize a bare metal server. To reinitialize a bare metal server, specify the image to provision, one or more SSH public keys, and optionally specify user_data. Upon successful reinitialization, the bare metal server starts automatically and retains the same physical node, interfaces, IP addresses, and resource IDs it had before reinitialization.

To reinitialize a bare metal server, the server status must be stopped, or have failed a previous reinitialization. For more information, see Managing Bare Metal Servers for VPC.

For all version dates

Parameterized redirect target URL for load balancers. The target.url property now supports the variables {protocol}, {port}, {host}, {path}, and {query}, and embedding RFC 6570 level 1 expressions. When creating or updating a policy for a load balancer listener, you can specify a value that contains a combination of these variables for the target.url property. This enables redirecting requests to a dynamic URL through the application load balancer. For more information, see Layer 7 load balancing.

Firmware update for bare metal servers. You can now update firmware for a stopped bare metal server. This request updates server firmware if newer firmware is available and automatically starts the bare metal server after the firmware update is successfully completed. If you don't want the bare metal server to start after the® firmware is updated, set the auto_start property value to false in the request.

When listing and retrieving a bare metal server, the response includes the new firmware property, which in turn has an update property that indicates the type of update available (none, optional, or required). For more information, see Managing Bare Metal Servers for VPC.

For all version dates

Dynamic network bandwidth control for bare metal servers. When provisioning a bare metal server, you can now optionally specify the bandwidth property according to the needs of your workload. You can subsequently update the bandwidth property of an existing bare metal server to support dynamic workload requirements. Bandwidth changes do not require a restart and are effective immediately. For more information, see Creating Bare Metal Servers on VPC.

When retrieving or listing bare metal server profiles, the bandwidth property for new profiles can now return a bandwidth.type of enum, with bandwidth.values providing the supported bandwidth values, and bandwidth.default providing the profile's default bandwidth.

Third generation of bare metal hardware profiles and Trusted Platform Module. For accounts that have been granted special approval to preview this feature, when creating a bare metal server, the default TPM mode and the supported TPM modes will be determined by the profile. All third generation profiles will default to TPM 2.0 and will no longer support disabling TPM. For more information, see Secure boot with Trusted Platform Module (TPM) for bare metal servers and Creating Bare Metal Servers on VPC.

Provisioned bare metal servers are not affected. Existing bare metal server profiles are also not affected. Therefore, TPM remains disabled by default when provisioning servers using previous generations of bare metal server profiles.

For all version dates

Accessor file shares. You can now create a share that accesses data from another share, which may be in another account. Specify the share to access data from, which may also be a replica share, with the new origin_share property.

Before specifying an origin share in another account, ensure that authorizations are established between the origin share account and accessor account. You must also have an appropriate (IAM) role with the is.share.share.allow-remote-account-access action.

When creating or updating a share, specify the new allowed_transit_encryption_modes property (possible values none, user_managed) to limit the transit encryption modes for the share and its associated accessor shares.

When retrieving and listing file shares, the origin_share property will be included in the response when the new accessor_binding_role is accessor (possible values none, accessor, origin).

Each time an accessor share is created, an accessor binding is created on its origin share, allowing all access to the origin share to be tracked and managed. The following new accessor bindings methods are introduced in this release:

• List accessor bindings for an origin share
• Retrieve an origin share accessor binding
• Delete an origin share accessor binding

Revoking an account's access to an origin share requires both removing the accessor account's authorizations and deleting its existing accessor bindings. For more information, see Removing access to a file share from other accounts.

Currently, when creating, updating or retrieving an accessor share, the accessor_bindings and lifecycle_reasons properties may be missing from the response. Additionally, when creating, updating, or retrieving an origin share, the value of the href sub-property of the accessor_bindings property may be incorrect.

For all version dates

Generic operating system images. You can now create a generic operating system image, which is an image containing a specific operating system that is not in the response from listing operating systems. To facilitate creating these images and provisioning servers from them, two new immutable operating system properties, user_data_format and allow_user_image_creation, and one new immutable image property, user_data_format, are provided. The operating system property, user_data_format (possible values cloud_init, esxi_kickstart, ipxe), populates the image property, user_data_format, which specifies how user_data is interpreted and used when creating a virtual server instance or creating a bare metal server. The operating system property, allow_user_image_creation, indicates whether that operating system may be used to create a generic operating system image.

For more information, see Importing and validating custom images into VPC.

Images that are used to create virtual server instances or to create instance templates must have a user_data_format value of cloud_init.

Network bootable bare metal servers. You can now use a specific stock image to create a bare metal server that will network boot an image using iPXE. This stock image must have user_data_format value of ipxe.

For all version dates

Provisioning instances with IBM Cloud billed catalog offering plans. You can now provision a virtual server instance with a billed catalog offering from the IBM Catalog. When creating an instance specify the catalog_offering.version.crn or catalog_offering.offering.crn property as before, and additionally specify the billing plan using the new catalog_offering.plan.crn property. You can still provision an instance without a plan, but if it's a billed plan, you must specify catalog_offering.plan.crn. The same requirements apply when provisioning an instance template for a billed offering. For more information, see Provision an instance from a private catalog image by using the API.

When retrieving an instance that was provisioned with a billed catalog offering, the new catalog_offering.plan.crn property provides the associated billing plan.

Enhancements to volumes and shapshots in support of catalog offering plans. When retrieving a volume that was originally provisioned as a boot volume from an instance with a billed catalog offering, the response now includes both catalog_offering.version.crn and catalog_offering.plan.crn properties. The response includes the same properties when retrieving a snapshot with a source_volume that had those properties.

For all version dates

Virtual network interface protocol state filtering mode. Protocol state filtering monitors each network connection flowing over a virtual network interface (VNI), and drops any packets that are invalid based on the current connection state and protocol. Certain use cases, such as having a virtual server instance function as a network gateway, require selective disabling of this filtering. To accommodate these use cases, if you have the is.virtual-network-interface.virtual-network-interface.manage-protocol-state-filtering-mode IAM action, you can now set non-default values for the protocol_state_filtering_mode property when you are creating or updating a VNI.

The new protocol_state_filtering_mode property is supported for VNI methods and all methods in which a VNI can be created.

This release introduces the following updates for accounts that have been granted special approval to preview these features:

Confidential computing capabilities. On select instance profiles, you can now enable Intel® Software Guard Extensions. When creating or updating an instance, or when creating or updating an instance template, you can specify the new confidential_compute_mode property (disabled or sgx) to use for a virtual server instance. The new confidential_compute_modes instance profile property indicates which profiles will support which modes. If you do not specify the confidential_compute_mode property when creating an instance or instance template, the default confidential compute mode from the profile will be used. For more information, see Confidential computing with Intel Software Guard Extensions (SGX) for Virtual Servers for VPC.

Secure boot capabilities. When creating or updating an instance, or when creating or updating an instance template, you can set the new enable_secure_boot property to true to enable secure boot on the virtual server instance. The new secure_boot_modes instance profile property indicates the secure boot modes supported by the profile. If you do not specify the enable_secure_boot property when creating an instance or instance template, the default secure boot mode from the profile will be used. To use secure boot, the image must support secure boot or the instance will fail to boot. For more information, see Secure boot for Virtual Servers for VPC.

To update the enable_secure_boot and confidential_compute_mode properties, the virtual server instance status must be stopping or stopped.

For version 2022-02-28 or later

Snapshots DELETE response code change. When deleting a snapshot or deleting a filtered collection of snapshots using a version query parameter of 2022-02-28 or later, the response will now return an HTTP response code of 202 upon success, instead of 204. The underlying deletion operations were already asynchronous, and remain unchanged.

To avoid regressions in client functionality, before issuing requests using a version query parameter of 2022-02-28 or later, ensure that any clients deleting snapshot resources will also regard a response code of 202 as success.

A response code of 204 will continue to be returned for API requests using a version query parameter of 2022-02-27 and earlier.

This feature was originally released on 28 February 2022, but an announcement was not included at the time.

For all version dates

Local IP address support for security group rules. You can now specify local IP addresses or address ranges in security group rules. When creating or updating a security group rule, specify the optional local property. The value can be an IP address or a range of IP addresses in CIDR format. If not specified, the default value is cidr_block: 0.0.0.0/0, which means the rule allows traffic to all local IP addresses (or from all local IP addresses, for outbound rules). This default value will be applied to all existing security group rules. For more information, see Applying security group rules to source and destination IP addresses.

For version 2024-04-30 or later

Advanced VPN gateway configuration. Using a version query parameter of 2024-04-30 or later, you can specify peer.fqdn instead of peer.address when creating or updating a VPN gateway connection. You can also now fully control the local and peer IKE identities assigned to a VPN gateway connection by using properties local.ike_identities and peer.ike_identity. If unspecified, the local IKE identities will default to the public IP addresses of the VPN gateway and member's VPN connection tunnel. The peer identity will default to either the peer's address or FQDN, depending on what was specified.

For migration guidance, see Updating to the 2024-04-30 version (VPN gateway connection). See also the known issue about updating the peer.address or peer.fqdn of a VPN connection tunnel.

Migration of VPN gateway connection CIDR paths. Using a version query parameter of 2024-04-30 or later, API paths for listing, removing, checking, or setting a local CIDR, and listing, removing, checking, or setting a peer CIDR are changed. See Updating to the 2024-04-30 version (VPN gateway connection) for guidance on migration.

VPN gateway connection schema change. As of version 2023-04-30, the VPN gateway connection peer_address, peer_cidrs, and local_cidrs properties have been replaced by new peer and local properties. These changes apply to all methods that interact with VPN gateway connections, including creating, retrieving, and updating a VPN gateway connection. See Updating to the 2024-04-30 version (VPN gateway connection) for a full list of affected methods and guidance on migration.

For all version dates

Establish mode for VPN gateway connections. When creating or updating a VPN gateway connection, you can specify the new establish_mode property to control which side of the gateway can initiate the connection by setting the value to bidirectional (default) or peer_only.

For all version dates

Reservations for Virtual Servers for VPC. You can now purchase a capacity reservation for a specified instance profile in a specified zone. Reservations provide resources for future deployments and cost savings over the life of the term within the availability zone of your choice.

When creating or updating a reservation, specify the capacity.total and committed_use.term properties to use for this reservation. Optionally specify the committed_use.expiration_policy property to apply when the committed use term expires (default: release). Specify the profile.name and profile.resource_type properties of the profile, and the zone property to use for this reservation. After you confirm the reservation is configured the way you want it, you must activate the reservation. The reservation cannot be deleted until the committed use term expires. To provision an instance using a reservation's capacity, specify the reservation using the reservation_affinity.pool property when creating the instance. You can also update an instance that's been provisioned to associate it with a reservation.

When retrieving an instance, the new reservation_affinity property indicates the reservation affinity policy in effect for the virtual server instance. The new health_state property indicates the instance's overall health state, while an accompanying health_reasons property indicates the reason for any unhealthy health states, such as a failed reservation.

For more information, see Provisioning reserved capacity for VPC.

Local IP addresses in security group rules. Accounts that have been granted special approval to preview this feature can now specify local IP addresses or address ranges in security group rules. When creating or updating a security group rule, specify the optional local property. The value can be an IP address or a range of IP addresses in CIDR format, where 0.0.0.0/0 means the rule allows traffic to all local IP addresses (or from all local IP addresses, for an outbound rule). The default value is cidr_block: 0.0.0.0/0, which is also used for all existing rules.

For all version dates

Sharing DNS resolution for endpoint gateways across VPCs. When multiple VPCs are connected together using Transit Gateway, Direct Link, or other connectivity options, a VPC in the connected topology can now be enabled as a DNS hub to centralize the DNS resolution for endpoint gateways. When creating or updating a VPC, the dns property includes new configuration options for DNS. Specify the dns.enable_hub property as true to enable the VPC as a DNS hub (default is false). Specify a DNS hub VPC when creating a DNS resolution binding on another VPC to share its DNS resolution with that DNS hub VPC. The dns.resolution_binding_count response property specifies how many other VPCs a VPC is bound to for DNS resolution sharing. For more information, see About DNS sharing for VPE gateways.

Configuring DNS resolvers for a VPC. You can now use the dns.resolver property to configure the DNS resolvers for a VPC. Use a dns.resolver.type of manual to specify the DNS resolvers by IP address. Use a dns.resolver.type of delegated to specify another VPC (typically a DNS hub VPC) whose DNS resolvers will be used. Use a dns.resolver.type of system to restore the system default DNS resolvers. When dns.resolver.type is manual, updating specifying the VPC's dns.resolver.manual_servers requires the If-Match header also be provided with the VPC's current ETag value.

For all version dates

Virtual network interfaces. Accounts that have not requested a feature deferral through IBM Support can use a new feature that expands the support for virtual network interfaces.

Your account is affected by these changes if you have API clients (such as custom automations, auditing scripts, or dashboards) that interact with instances, bare metal servers, network interfaces, or file shares. For more information about what changed, along with guidance on avoiding possible failures due to these changes, see Mitigating behavior changes to virtual network interfaces, instances, bare metal servers, and file shares.

• You can now create instances and bare metal servers with virtual network interfaces attached to new child resources called network attachments. You can specify a primary_network_attachment (instead of a primary_network_interface) and provide either the identity of an already created virtual network interface, or a subnet to create a new virtual network interface for the instance or bare metal server.
• Virtual network interfaces now have lifecycles that are independent of the resources they are attached to. You can update the auto_delete property to false to allow a virtual network interface to persist beyond the lifecycle of its original bare metal server or instance, and be re-attached to another bare metal server or instance.
• Virtual network interfaces now support secondary IP addresses. You can now add and remove reserved IPs to and from a virtual network interface.
• For compatibility with existing clients, instances and bare metal servers with virtual network interfaces now include a read-only representation of their network attachments and virtual network interfaces as old-style network interface child resources. Learn about support for old API clients.
• For instances and bare metal servers with virtual network interfaces, the IAM permissions for options to allow IP spoofing or disable infrastructure NAT are now managed on their attached virtual network interfaces. When creating or updating a virtual network interface, you can set non-default values for the allow_ip_spoofing and enable_infrastructure_nat properties only if you have the is.virtual-network-interface.virtual-network-interface.manage-ip-spoofing and is.virtual-network-interface.virtual-network-interface.manage-infrastructure-nat IAM permissions respectively.
• You can now use flow log collectors to target instance network attachments and virtual network interfaces. There is no support for flow logs for bare metal servers and share mount targets.

Resource suspension for instance groups. The list all instance groups and retrieve an instance group methods now include lifecycle_reasons and lifecycle_state properties. An instance group that violates the IBM Cloud Acceptable Use Policy will have its lifecycle_state property set to suspended. A suspended instance group will not auto scale or self heal, and you cannot enable, update, or delete it.

For all version dates

Reservations for Virtual Servers for VPC. Accounts that have been granted special approval to preview this feature can now purchase a capacity reservation for a specified instance profile in a specified zone. Reservations provide resources for future deployments and cost savings over the life of the term within the availability zone of your choice.

When creating or updating a reservation, specify the capacity.total and committed_use.term properties to use for this reservation. Optionally specify the committed_use.expiration_policy property to apply when the committed use term expires (default: release). Specify the profile.name and profile.resource_type properties of the profile, and the zone property to use for this reservation. After you confirm the reservation is configured the way you want it, you must activate the reservation. The reservation cannot be deleted until the committed use term expires. To provision an instance using a reservation's capacity, specify the reservation using the reservation_affinity.pool property when creating the instance. You can also update an instance that's been provisioned to associate it with a reservation.

When retrieving an instance, the new reservation_affinity property indicates the reservation affinity policy in effect for the virtual server instance. The new health_state property indicates the instance's overall health state, while an accompanying health_reasons property indicates the reason for any unhealthy health states, such as a failed reservation.

For more information, see Provisioning reserved capacity for VPC.

This feature is now generally available. See the 26 March 2024 announcement.

For all version dates

VPC route advertisement to Direct Link and Transit Gateway. When creating or updating a route in a routing table, you can set the new advertise property to true (default is false). For the route to be advertised, the route's routing table must be configured for the source or sources to advertise it to:

• When creating or updating a VPC routing table, you can set the new advertise_routes_to array property to include the value direct_link. Including this value requires that the routing table's route_direct_link_ingress property be set to true. Routes in this routing table with the advertise property set to true will be advertised to Direct Link sources.
• When creating or updating a VPC routing table, you can set the new advertise_routes_to array property to include the value transit_gateway. Including this value requires that the routing table's route_transit_gateway_ingress property be set to true. Routes in this routing table with the advertise property set to true will be advertised to Transit Gateway sources.

When creating a routing table, the default value for the advertise_routes_to property is an empty array. When the advertise_routes_to property is an empty array, the advertise property for routes in the table has no effect.

Virtual network interface expanded support. Accounts that have been granted special approval can preview a new feature that expands the support for virtual network interfaces:

• Instances and bare metal servers can now be created with virtual network interfaces attached to new child resources called network attachments. You can specify a primary_network_attachment (instead of a primary_network_interface) and provide either the identity of an existing virtual network interface, or a subnet to create a new virtual network interface for the instance or bare metal server.
• Virtual network interfaces can now have lifecycles that are independent of the resources they are attached to. When creating a virtual network interface, the auto_delete property is set to false. When automatically creating a new virtual network interface in the context of creating another resource, the auto_delete property for the automatically created virtual network interface defaults to true. You can override it, or you can later update the auto_delete property to false. A virtual network interface with auto_delete set to false persists beyond the lifecycle of its current target resource. After the target resource is deleted, you can re-attach the virtual network interface to another resource, such as to a bare metal server, an instance, or a share mount target.
• Virtual network interfaces now support secondary IP addresses. To add a secondary IP, bind a reserved IP to a virtual network interface. To remove a secondary IP, unbind a reserved IP from from a virtual network interface.
• For compatibility with existing clients, instances and bare metal servers with virtual network interfaces now include a read-only representation of their network attachments and virtual network interfaces as legacy network interface child resources. Learn about support for old API clients.
• For instances and bare metal servers with virtual network interfaces, the IAM permissions for options to allow IP spoofing or disable infrastructure NAT are managed on their attached virtual network interfaces. When creating or updating a virtual network interface, you can set non-default values for the allow_ip_spoofing and enable_infrastructure_nat properties only if you have the is.virtual-network-interface.virtual-network-interface.manage-ip-spoofing and is.virtual-network-interface.virtual-network-interface.manage-infrastructure-nat IAM permissions respectively.
• Flow log collectors can now target instance network attachments and virtual network interfaces. There is currently no support for flow logs for bare metal servers and share mount targets.

For all version dates

Cross-region replication of file shares. When creating a file share, you can now specify a zone in an associated partner region to create a replica file share. For more information about cross-region pairings, see About file share replication. A service-to-service authorization for cross-region replication between the regional file services must be created before creating a replica.

An important difference between setting up in-region and cross-region replication is configuring the encryption for the replica share.

• When the replica is created in another zone of the same region, the encryption type and the encryption key are inherited from the source share and can't be changed.
• When the replica is created in another region, only the encryption type is inherited. Therefore, if the source share has user_managed encryption, you must specify the root key by using the encryption_key property when creating the replica share.

When retrieving a file share, the source_share property now includes a remote sub-property that, if present in the response, indicates that the resource that is associated with this reference is remote and might not be directly retrievable.

Last replication sync information. When retrieving a file share, the response now includes the properties completed_at, started_at, and data_transferred. These properties provide information about the replication process that can be used to monitor the health of the replication. For more information, see Replication sync information.

For all version dates

Multi-volume snapshots and backups. This release introduces a new way to create snapshots. You can now create a snapshot consistency group and specify one or more snapshots that are attached to the same virtual server instance. When you create a consistency group, you are implicitly creating one or more snapshots. Snapshots taken simultaneously are data-consistent with one another, which helps to ensure consistent backups of a group of Block Storage for VPC volumes attached to the same instance. Deleting a snapshot consistency group will delete the snapshots in the group by default. However, you can keep the snapshots and delete the consistency group by specifying the delete_snapshots_on_delete property.

You can also automate the creation of snapshots in consistency groups. When creating a backup policy you can now specify instance as a match_resource_type value that this backup policy will apply to. Resources that have both a matching type and a matching user tag will be subject to the backup policy. You can exclude boot volumes from backup policies by specifying the included_content property. The default behavior includes boot volumes and data volumes.

For more information, see Backup service concepts, Snapshot consistency groups, and explore the backup policy and snapshot consistency group methods.

For version 2023-12-05 or later

When making API requests using a version query parameter of 2023-12-05 or later, the backup policy match_resource_types property has been changed to match_resource_type. This change applies when creating, updating, listing, retrieving, and deleting a backup policy. See Updating to the 2023-12-05 version (backup policies) for guidance on migrating from match_resource_types to match_resource_type.

For all version dates

Network load balancer security group integration. For enhanced security, you can now associate security groups with network load balancers. When creating a load balancer, you can now specify the security_groups property, which associates those security groups with the load balancer. If you do not specify security_groups, the network load balancer will be associated with the VPC's default security group. Before using the default security group, review your default security group rules and, if necessary, edit the rules to accommodate your expected network load balancer traffic.

All existing network load balancers in your account will continue to allow all inbound and outbound traffic. This is indicated by the security_groups property being set to an empty array (no security groups configured).

When creating a network load balancer, you must now have an appropriate Identity and Access Management (IAM) role with the is.security-group.security-group.operate action.

You can update security groups for a network load balancer by adding a network load balancer to or removing a network load balancer from a security group's targets.

You will not be able to remove the only remaining security group from a network load balancer. As a result, if you add a security group to a network load balancer that had no security groups, you will not be able to revert that network load balancer to have no security groups.

Finally, the security group targets property can now refer to a network load balancer, as can the responses for the get security group target and list security group targets methods.

For all version dates

Non-uniform memory access (NUMA) awareness on instances and dedicated hosts. When retrieving and listing an instance, the new numa_count property indicates the number of NUMA nodes on which a virtual server instance is provisioned. This property will be absent from the response if the instance's status is not running. When retrieving and listing a dedicated host, the new numa.count and numa.nodes properties describe the processor topology.

When retrieving and listing an instance profile, the numa_count property indicates the total number of NUMA nodes for an instance with this profile. When the type is dependent, the total number of NUMA nodes for an instance with this profile depends on its configuration and the capacity constraints within the zone. Not all instance profiles have a strict NUMA definition within them.

For more information, see Next generation instance profiles.

Status on instance profiles and dedicated host profiles. When retrieving and listing an instance profile or retrieving and listing a dedicated host profile, a new status property indicates the status of the instance profile or dedicated host profile. A status value of previous indicates an older profile generation that remains provisionable and usable. A status value of current indicates the latest generation of a given profile. For more information, see Next generation instance profiles and Dedicated host profiles.

Viewing DNS resolver information for VPCs. When retrieving a VPC, the new dns.resolver property contains information about the DNS resolvers provided by the system for DHCP clients in the VPC.

This release introduces the following updates for accounts that have been granted special approval to preview these features:

• Sharing DNS resolution for endpoint gateways across VPCs. When multiple VPCs are connected together using Transit Gateway, Direct Link, or other connectivity options, a VPC in the connected topology can now be enabled as a DNS hub to centralize the DNS resolution for endpoint gateways. When creating or updating a VPC, a new dns property includes configuration options for DNS. Specify the dns.enable_hub property as true to enable the VPC as a DNS hub (default is false). Specify a DNS hub VPC when creating a DNS resolution binding on another VPC to share its DNS resolution with that DNS hub VPC. The new dns.resolution_binding_count response property specifies how many other VPCs a VPC is bound to for DNS resolution sharing. For more information, see About DNS sharing for VPE gateways.

• Configuring DNS resolvers for a VPC. You can use the new dns.resolver property to configure the DNS resolvers for a VPC. Use a dns.resolver.type of manual to specify the DNS resolvers by IP address. Use a dns.resolver.type of delegated to specify another VPC (typically a DNS hub VPC) whose DNS resolvers will be used. Use a dns.resolver.type of system to restore the system default DNS resolvers. When dns.resolver.type is manual, updating specifying the VPC's dns.resolver.manual_servers requires the If-Match header also be provided with the VPC's current ETag value.

For all version dates

Diagnosing VPN gateway and VPN server issues. You can now diagnose and resolve issues with your deployed VPN gateways and VPN servers:

• The list all VPN gateways and retrieve a VPN gateway methods now include health_reasons, health_state, members[].health_reasons, and members[].health_state properties. An unhealthy VPN gateway or VPN gateway member now has its health_state property set to degraded or faulted. The health_reasons property includes the reasons for the current VPN gateway or VPN gateway member health state. For more information, see Diagnosing VPN gateway health.

• The list all VPN gateway connections and retrieve a VPN gateway connection methods now include status_reasons and tunnels[].status_reasons properties for a static-route-mode VPN gateway. A VPN gateway connection or tunnel in a down state now includes the reasons for the current VPN gateway connection or tunnel through the status_reasons property. For more information, see Diagnosing VPN gateway connection health.

• The list all VPN servers and retrieve a VPN server methods now include a health_reasons property. An unhealthy VPN server now has its health_state property set to degraded or faulted. The health_reasons property includes the reasons for the current VPN server health state. For more information, see Diagnosing VPN server health.

• The list all VPN server routes and retrieve a VPN server route methods now include health_reasons and health_state properties. An unhealthy VPN server route now has its health_state property set to degraded or faulted. The health_reasons property includes the reasons for the current VPN server route health state. For more information, see Diagnosing VPN server route health.

Resource suspension for VPNs for VPC.

• VPN gateway. The list all VPN gateways and retrieve a VPN gateway methods now include lifecycle_reasons and lifecycle_state properties. The same properties are also included for VPN gateway member child resources. A VPN gateway that violates the IBM Cloud Acceptable Use Policy will have its lifecycle_state property set to suspended, along with the lifecycle_state of its members. A suspended VPN gateway is automatically disabled, causing all connections to be brought down, and you cannot enable, update, or delete it or its connections.

• VPN server. The list all VPN servers and retrieve a VPN server methods now include lifecycle_reasons and lifecycle_state properties. The same properties are also included for the VPN server route child resource. A VPN server that violates the IBM Cloud Acceptable Use Policy will have its lifecycle_state property set to suspended, along with the lifecycle_state of its server routes. A suspended VPN server is automatically disabled, and you cannot enable, update, or delete it or its routes.

For more information, see Resource suspension.

For version 2023-10-10 or later

When listing all VPN gateways and retrieving a VPN gateway using a version query parameter of 2023-10-10 or later, the response will no longer include status and members[].status properties. These properties remain supported for API requests using a version query parameter of 2023-10-09 or earlier. To avoid regressions in client functionality, follow the guidance in Updating to the 2023-10-10 version (VPN) before specifying version 2023-10-10 or later in VPN gateway requests.

For all version dates

Enterprise Backup as a Service. As an enterprise account administrator, you can now create backup policies and plans that apply to resources of all accounts within your enterprise. Specify the enterprise CRN in the scope property when you create a backup policy, and the policy will apply to all resources that have tags that match with the policy across all accounts within your enterprise. For more information, see Scope of the backup policy. As a prerequisite, ensure that authorizations are in place between services and between the enterprise account and the child accounts. For more information, see Establishing service to service authorizations.

For all version dates

File storage for VPC. You can now create NFS-based file shares in a zone in your region. Share file storage over multiple virtual server instances within the same zone across multiple VPCs. Learn about file shares and mount targets, and explore the new API methods.

For all version dates

Image lifecycle management. You can now deprecate or obsolete custom images directly. Alternatively, you can schedule transition at a later date by specifying the deprecation_at or obsolescence_at properties when creating or updating an image. If you need to revert a status change, you can transition deprecated or obsolete images back to available. For more information, see Managing custom images.

deprecated custom images remain usable, while obsolete images cannot be used to provision instances or bare metal servers.

For all version dates

Copying snapshots and backups across regions. You can now specify an existing snapshot in one region to create a copy of the snapshot in another region. When you list all snapshots, you can see the direct snapshot copies in the other regions and you can use them to restore volumes in the other regions. You can create copies in multiple regions, but only one copy of the snapshot can exist in each region. The cross-region snapshot copy contains the same data as the source snapshot, but the cross-region snapshot copy has its own, independent lifecycle and is billed independently. For more information, see Cross-regional snapshots and Cross-regional copy array issue.

You can now create a backup policy that creates backup copies in other regions, in addition to creating a backup snapshot in the current region. Listing all plans for a backup policy or retrieving a backup policy plan shows the copies of the snapshot in other regions. For more information, see Cross-regional backup copies.

Extended SSH key encryption. When creating an SSH key, you can now specify a type property value of ed25519 for the crypto-system used by the key. If type is not specified during key creation, the default value rsa continues to be used. When listing all keys and retrieving a key, the response provides the key type used. For more information, see Getting started with SSH keys. See also Extended SSH key encryption in the VPC Instance Metadata API change log.

For all version dates

Instance group integration with Network Load Balancer for VPC. Network load balancer is now integrated with instance groups to improve pool member scaling. When creating or updating an instance group for auto scaling, you can now also specify a network load balancer pool for the load_balancer_pool property. As before, if load_balancer_pool is set, load_balancer and application_port must also be set. As with application load balancers, the pool must not be used by another instance group in the VPC. When you configure a listener with a range of ports, the instance group's application port is used only for checking the health status of targets. For more information see Creating an instance group for auto scaling.

In the future, load balancer profiles may be introduced that do not support instance groups. To ensure your clients will work reliably in the future, check that the new instance_groups_supported property on the load balancer is true before specifying that load balancer or one of its pools.

For all version dates

VPC routing table authorizations. You can use the new VPC routing table authorizations to allow users to administer VPC routing tables but not allow them to administer the broader VPC. The VPC API methods that operate on routing tables have been updated to check for these new authorizations, instead of the broader VPC authorizations. The VPC Administrator, Editor, Operator, and Viewer IAM access roles have been updated so that users with those roles will function as before. However, custom roles that require access to routing tables must be updated. For more information, see Granting user permissions for VPC resource.

For all version dates

Removal of weak VPN for VPC ciphers. Effective 18 May 2023, the following VPN IKE and IPsec ciphers are removed:

• Authentication algorithms md5 and sha1
• Encryption algorithm triple_des
• Diffie–Hellman groups 2 and 5

As a result, you will no longer be able to create an IKE/IPsec policy or VPN connection that includes a weak cipher on an existing policy or connection.

For all version dates

Exporting custom images. You can now export custom images to an authorized IBM Cloud Object Storage bucket. Specify the target storage_bucket to export the image to. The image will be exported as qcow2 unless you specify another value using the format property. For more information, see Exporting a custom image to IBM Cloud Object Storage, or start using the new export jobs methods.

For all version dates

Resource suspension for bare metal servers. The list all bare metal servers and retrieve a bare metal server methods now provide lifecycle_reasons and lifecycle_state properties. A bare metal server that violates IBM Cloud’s Acceptable Use Policy will now have its lifecycle_state property set to suspended. A suspended bare metal server is automatically powered off and you cannot update, delete, or power it on. For more information, see Viewing bare metal status and lifecycle_state in the API and Resource suspension.

For all version dates

Console type configuration for bare metal server profiles. When you retrieve a bare metal server profile or list all bare metal server profiles, the response now provides a console_types property that denotes the console type configuration for a bare metal server with this profile.

Network interface configuration for bare metal server profiles. When you retrieve a bare metal server profile or list all bare metal server profiles, the response now provides a network_interface_count property. When the type is range, the new property provides max and min sub-properties that denote the maximum and minimum number of network interfaces that are supported for a bare metal server with the specified profile. The values for max and min include both the primary network interface and secondary network interfaces. When the type is dependent, the network interface count depends on another value that is specified when the server is created. For more information about network interfaces, see Overview of bare metal server network interfaces, and Managing network interfaces for bare metal servers on VPC.

For all version dates

VCPU manufacturer support for instances and dedicated hosts. When provisioning an instance or dedicated host, you can now use the new vcpu_manufacturer property in the instance or dedicated host profile to choose between profiles from different processor manufacturers. You can also view the virtual server instance VCPU configuration through the vcpu sub-property manufacturer. For more information and limitations, see x86-64 instance profiles and Dedicated host profiles.

Network interface configuration for instance profiles. When you retrieve an instance profile or list all instance profiles, the response now provides a network_interface_count property. When the type is range, the new property provides max and min sub-properties that denote the maximum and minimum number of network interfaces that are supported for a virtual server instance with the specified profile. The values for max and min include both the primary network interface and secondary network interfaces. When the type is dependent, the network interface count depends on another value that is specified when the instance is created. For more information about instance profiles and network interface count, see Bandwidth allocation with multiple network interfaces.

Private DNS integration for load balancers. When you create or update a load balancer, you can now bind the IP addresses of your VPC load balancers to your private DNS zone by specifying the new dns.instance and dns.zone properties. When you specify these properties, load balancer IPs will no longer be registered to the publicly resolvable lb.appdomain.cloud domain name. For more information, see IBM Cloud Network Load Balancer for VPC and IBM Cloud Application Load Balancer for VPC.

For all version dates

Instance provision by volume. You can now reuse an existing boot volume to provision a virtual server instance by specifying the existing volume using the id or crn sub-properties of the boot_volume_attachment property. The specified volume must be unattached and must have an operating system with the same architecture as the instance profile. You can use the new volume attachment_state property and expanded operating_system property to determine its eligibility. You can also use the new list volumes filters to list volumes that have specific attachment_state, operating_system, and encryption_type values.

By default, a boot volume created as part of provisioning a virtual server instance will be deleted when the instance is deleted. You can control this by specifying the delete_volume_on_instance_delete property when creating the instance or updating the boot volume attachment. For more information, see Creating virtual server instances.

VPC route priority. You can now control the priority of VPC routes. When you create or update a VPC route, use the new priority property to specify a value between 0 and 4 (default: 2). Smaller values have higher priority. For more information, see Determining route preference.

Modifiable next hop for VPC routes. You can now update the next_hop property of a VPC route. For more information about next hop, see Creating a route.

For all version dates

Idle connection timeout control for application load balancers. You can now control the maximum time a client can be inactive when connected to the server by specifying the idle_connection_timeout property when creating a load balancer, creating a load balancer listener, and updating a load balancer listener. The idle_connection_timeout value defaults to the minimum of 50 seconds, and has a maximum of 2 hours, specified in seconds. For more information, see Creating an application load balancer.

For all version dates

VPC instance metadata new endpoint URL. You can now use the fully qualified domain name (FQDN) api.metadata.cloud.ibm.com for the metadata service endpoint. The FQDN resolves to the link-local IP address 169.254.169.254 without requiring the application of special configurations. For more information, see Endpoint URLs in the VPC Instance Metadata API.

VPC instance metadata communication protocol and hop limit. You can now control the communication protocol and hop limit for IP response packets used by the VPC Instance Metadata service. When you create or update an instance, use the new metadata_service.protocol property to specify either http (default) or https (secure access) communication. In addition, use the new metadata_service.response_hop_limit property to specify a value between 1 (default) and 64. Both of these properties apply only when the metadata service is enabled by setting metadata_service.enabled to true. The default is false. For more information, see Configure metadata settings on an existing instance with the API.

For all version dates

Snapshot clones for fast restore. You can now quickly restore a volume from a snapshot by using a fast restore snapshot clone. You can create a fast restore clone when you create a new snapshot or update an existing snapshot by adding one or more zonal clones for a snapshot in the same region as the snapshot. Later, you can restore a volume, and all of its data, from that fast restore snapshot clone. When you no longer need a zonal snapshot clone, you can delete it. Although the delete operation cannot be reversed, you can create an new, equivalent zonal clone from the snapshot.

When creating or updating a backup policy plan, you can now specify the clone_policy.zones in which backup service will create snapshot clones.

For more information, see Restoring a volume using fast restore or dive into the new API methods.

For all version dates

Bare metal server secure boot. When you create or update a bare metal server, you can now enable secure boot. The default is false (disabled). If enabled, the image must support secure boot or the server will fail to boot. To toggle secure boot, the server must be stopped. For more information, see Bare metal server images.

Bare metal server trusted platform module (TPM) support. When you create or update a bare metal server, you can now set a TPM mode. Specify a mode value (disabled or tpm_2) in the trusted_platform_module property. The default is disabled. To change the TPM mode, the server must be stopped. To determine the supported TPM modes, use the supported_trusted_platform_modes property included in the bare metal server profile. For more information, see Secure boot with Trusted Platform Module (TPM).

For all version dates

Bare metal server DELETE response code change. Bare metal DELETE methods now return an HTTP response code of 202 upon success:

• Delete a network interface
• Disassociate a floating IP from a network interface
• Delete a bare metal server

Unlike previous response code changes, the transition from 204 to 202 applies to all API versions. Therefore, a response code of 204 will not be returned for any API requests for these methods, regardless of the version query parameter value. Future transitions from 204 to 202 will be tied to a dated API version, as described in Upcoming changes.

For all version dates

Backup policy jobs. You can now list all jobs for a backup policy or retrieve a backup policy job. A backup policy job is triggered when a scheduled backup snapshot is being created or deleted. If the create or delete action is successful, the job contains information about the backup snapshot that was created or deleted. If the job ran unsuccessfully, the job contains the reason for the failure. For more information, see Viewing backup jobs.

For all version dates

Health states for block storage volumes. When you list all volumes or retrieve volume details, the responses now include health_state and health_reasons properties. For more information, see Block storage volume health states.

For all version dates

Access management tag support. As described in Authorization in the VPC API reference, you can now use IBM Cloud Identity and Access Management to control access to VPC resources by using access management tags. For details, see Managing IAM access for VPC Infrastructure Services.

Some VPC APIs currently require additional authorizations beyond those defined in the API specification. For more information, see Known issues.

For all version dates

VPC route naming restriction. You can no longer create VPC routes that begin with the prefix ibm- or rename an existing route to have the prefix ibm-. Existing routes that begin with ibm- will not be affected. If you have automation that creates routes using the prefix ibm-, you will need to remove or change the prefix used by your automation for it to succeed.

For all version dates

Public internet ingress routing. You can now route public internet ingress traffic destined to a floating IP to a next-hop IP. When you create a new VPC routing table or update an existing VPC routing table, the new route_internet_ingress property lets you route traffic that originates from the public internet. For more information, see Creating a routing table by using the API and limitations and guidelines for Ingress routes.

For all version dates

Enhanced network interface support for flow logs. Flow logs are now collected for all network interfaces attached to a subnet, even if those network interfaces are in another account. As a result, flow logs for network interfaces associated with IBM Cloud Kubernetes Service (IKS)/Red Hat OpenShift Kubernetes Service (ROKS) worker nodes, load balancers, and VPN gateways are now collected. For example, if you have an existing flow log collector that targets a VPC or subnet that also has attached IKS worker nodes, it will now collect flow logs for traffic flowing through those IKS worker nodes in those VPCs and subnets. For more information, see Flow log limitations.

For all version dates

Sharing images across accounts within an enterprise. You can now use a catalog to share custom images with users in other accounts within the same enterprise. When you create an image, a new catalog_offering property includes a managed sub-property that is set to false by default. When the custom image is imported to a catalog the managed sub-property is set to true, indicating that the image is added to a catalog offering version and is managed from a catalog. Any user who has been authorized to the catalog offering version can provision a virtual server instance with that image by specifying the offering version's CRN as catalog_offering.version.crn. Alternatively, users can specify the offering's CRN as catalog_offering.offering.crn to provision a virtual server instance with the latest image associated with the catalog offering. For more information, see Custom images in a private catalog, the tutorial Onboarding a virtual server image for VPC, and the Import offering method in the Catalog Management API.

The image may not be deleted or used in a different catalog product offering version while it is managed from a catalog. If the catalog is deleted, a 7 day reclamation period will apply that prevents any images managed by the catalog from being deleted or re-used during the reclamation period. For more information, see Deleting a custom image in a private catalog and Using resource reclamations.

Image references may refer to custom images in other accounts. Before using this feature, verify that your clients handle image reference lookup failures gracefully and do not assume inaccessible images have been deleted, even when running with full access to your images. To avoid possible retrieval or use of the wrong image by name, specify the image id, crn, or href instead. For more information, see Using cross-account image references in a private catalog in the API.

Increased network interface limits for virtual server instances. You can now have up to 14 secondary network interfaces on a virtual server instance. The previous limit for secondary network interfaces was 4. The number of interfaces that a virtual server instance supports is dependent on the VCPU count that is included in the instance profile. For more information about the number of interfaces that a virtual server supports, see Bandwidth allocation with multiple network interfaces. To utilize the increased limit for network interfaces, you can create secondary network interfaces by specifying network_interfaces when you create an instance. You also can add secondary network interfaces to an existing instance by creating a network interface on an instance.

For an existing, running instance with 17 or more vCPUs to take advantage of the new network interface limits, it must be stopped and then started again. A reboot action on the running virtual server does not activate the increased network interface limit.

IBM® LinuxONE Bare Metal Servers. Accounts with access to the profiles for s390x bare metal servers can now create LinuxONE Bare Metal Servers. These profiles have a cpu_architecture of s390x and must be used with Red Hat Enterprise Linux for s390x and SUSE Linux Enterprise Server (SLES) for s390x. For more information, see Creating bare metal servers on VPC.

In support of s390x bare metal servers, the following enumerations have been expanded:

• Because s390x local disks are attached through Fiber Channel protocol, a value of fcp has been added to the interface_type enumeration that is returned when you retrieve or list the disks for a bare metal server.

• Because s390x provides TCP/IP connectivity by using HiperSockets, a value of hipersocket has been added to the interface_type enumeration returned when you retrieve or list the network interfaces on an s390x bare metal server. Similarly, when you create an s390x bare metal server, or add a network interface to an existing s390x bare metal server, you must specify an interface_type of hipersocket. For more information, see the IBM HiperSockets Implementation Guide.

s390x bare metal servers have different network bandwidth and maximum network interface limits from x86 bare metal servers.

For all version dates

Deprecated VPN for VPC ciphers. The following VPN IKE and IPsec ciphers are now deprecated:

• Authentication algorithms md5 and sha1
• Encryption algorithm triple_des
• Diffie–Hellman groups 2 and 5

You have until 13 December 2022 to upgrade to more secure ciphers. After this date, VPN connections using deprecated ciphers will have a status of down (and no longer transfer data) until you upgrade from the weak cipher.

Additional VPN for VPC ciphers. VPN gateways now provide new algorithms to help meet your security and compliance requirements.

IKE policy methods now support the sha384 value for the authentication_algorithm property, aes192 value for the encryption_algorithm property, and groups 15-18, 20-24, and 31 for the dh_group property.

IPsec policy methods now support sha384 and disabled values for the authentication_algorithm property, aes192, aes128gcm16, aes192gcm16, and aes256gcm16 values for the encryption_algorithm property, and groups 15-18, 20-24, and 31 for the dh_group property.

Specifying IKE and IPsec policies when configuring a VPN connection is optional. If a policy is not specified, one is chosen through auto-negotiation. For more information, see About policy negotiation.

For all version dates

Updating subnets for application load balancers. You can now update the subnets attached to an application load balancer by specifying subnets when updating a load balancer. The specified subnets must be in the same VPC as the load balancer's current subnets. If the update requires moving your load balancer to a different zone, its provisioning_status will change to migrate_pending until the move is complete. For more information, see Updating subnets for Application Load Balancers for VPC.

Verify that any clients retrieving the provisioning_status property will gracefully handle unknown values. For example, a client might bypass the load balancer, log a message, or halt processing and surface an error.

Because the subnets property is an array, the specified value will replace the load balancer's existing array of subnets. To guard against concurrent updates, you must provide the resource's current ETag using the If-Match header. For guidance on the use of ETags, see Concurrent update protection.

For version 2022-09-13 or later

Load balancer DELETE response code change. For requests using a version query parameter of 2022-09-13 or later, all load balancer DELETE methods will return an HTTP response code of 202 upon success:

• Delete a load balancer
• Delete a load balancer listener
• Delete a load balancer listener policy
• Delete a load balancer listener policy rule
• Delete a load balancer pool
• Delete a load balancer pool member

The underlying deletion operations were already asynchronous, and remain unchanged.

To avoid regressions, before issuing requests using a version query parameter of 2022-09-13 or later, ensure that any clients deleting load balancer resources will also regard a response code of 202 as success.

A response code of 204 will continue to be returned for API requests using a version query parameter of 2022-09-12 and earlier.

For all version dates

Improved reserved IP support for bare metal servers. The following methods have been added for convenience and parity with the virtual server instance reserved IP methods:

• List all reserved IPs bound to a network interface for a bare metal server
• Retrieve bound reserved IP for a bare metal server

For all version dates

Additional user tag support for boot and data volumes. You can now add user tags to boot and data volumes when provisioning a virtual server instance or adding a volume attachment. You can specify the user_tags property when you create an instance, create an instance template, and create a volume attachment. For more information, see Create and attach a block storage volume when you create a new instance and Working with tags.

For all version dates

Improved VLAN support for bare metal servers. The restriction limiting a VLAN ID in the allowed_vlans property to a single PCI network interface on a bare metal server has been removed. As a result, you can now move VLAN interfaces between PCI interfaces on the same bare metal server.

For all version dates

Resource suspension for virtual server instances. The list all instances and retrieve an instance methods now provide lifecycle_reasons and lifecycle_state properties. A virtual server instance that violates IBM Cloud’s Acceptable Use Policy will now have its lifecycle_state property set to suspended. A suspended instance is automatically powered off and you cannot update, delete, or power it on. For more information, see Viewing instance status and lifecycle_state in the API and Resource suspension.

For all version dates

Client VPN for VPC. Client-to-site connectivity is now available. This feature allows remote devices to securely connect to a VPC using an OpenVPN (or other compatible) software client. For more information about VPN client-to-site connectivity and how it complements the existing VPN site-to-site connectivity, see About client-to-site VPN servers.

• A VPN server allows VPN clients from the internet to connect to a VPC. When creating a VPN server, you can specify a security group to protect the VPN server, and subnets in your VPC in which the VPN server will allocate its reserved IP addresses. For more information, see Creating a VPN server and the new VPN server methods.
• A VPN client represents a client connecting from the internet. You can retrieve the OpenVPN client configuration to use to configure a VPN client for a VPN server. For more information, see Setting up a client VPN environment and connecting to a VPN server and the new VPN client methods.
• A VPN route controls which subnets the VPN client can access and how the traffic from the VPN client reaches these subnets. For more information, see Managing VPN routes and the new VPN server route methods.

Configuring route propagation for VPN gateways and VPN servers. When you create a VPC routing table, you can now control if the routing table accepts routes from a VPN gateway or server by specifying the accept_routes_from property. When you view a route in a VPC routing table, the new origin property shows who created the route (either user or service), and the service routes include a new creator property that references the resource that created the route. Routes with the creator property present cannot be deleted directly. For more information, see Configuring route propagation for VPN gateways and VPN servers.

Concurrent update protection. ETags returned on GET, POST, and PATCH requests represent the modifiable state of the resource. When updating the accept_routes_from property on a routing table, or updating the client_authentication, client_dns_servers, or subnets properties on a VPN server, you must provide the resource's ETag using the If-Match header. For general guidance on the use of ETags, see Concurrent update protection.

For all version dates

Block storage. You can now create a volume from a snapshot without having to also create and attach it to a virtual server instance. When you create a volume, a new source_snapshot property lets you specify a snapshot which will be used as source data for the new volume. The volume's data is fully restored later, when you attach it to an instance. Volume performance is initially degraded until the volume data is fully restored. For more information, see Restoring an unattached data volume from a snapshot with the API.

Cross-zone member support for network load balancers. You can now create a load balancer pool with members across any zone in the region. You can also use the create pool member and replace pool member methods to update an existing pool with members across any zone in the region. The zone of the network load balancer is still identified by the subnet that you specify when you create a load balancer.

Network load balancers with route_mode enabled do not support cross zone members.

For all version dates

Backup for VPC. You can now create backup policies to schedule automatic backups of your block storage volumes. Backups are made when a user tag in a block storage volume matches a user tag defined in a backup policy. Backups are created by a schedule defined in a backup plan. Each plan also has a deletion policy for managing backups created by the plan, which you can customize by specifying the deletion_trigger sub-property. At the scheduled interval, a backup snapshot is created of that volume. You can have up to four backup plans per policy. See Backup for VPC.

The backup policy jobs API remains in beta.

For version 2022-03-29 or later

Reserved IPs for compute. Using a version query parameter of 2022-03-29 or later, you can now fully control the IP addresses assigned to your network interfaces by specifying a new or existing reserved IP when you create an instance or create a bare metal server.

Migration of network interface IP addresses. In support of reserved IPs, for requests using a version query parameter of 2022-03-29 or later, the network interface primary_ipv4_address string property has been migrated to the primary_ip object property. See Migrating use of IP addresses for guidance on how to migrate to primary_ip.

Removal of security group network interfaces. The methods for associating security groups with network interfaces that were deprecated in API version 2021-02-23 have been removed as of version 2022-03-29. See Migrating use of security group associations for guidance on how to migrate to use security group targets, which allow security groups to be associated with VPC resources beyond network interfaces, such as endpoint gateways and load balancers.

For all version dates

Reserved IP management. You can explicitly Reserve an IP in a subnet ahead of time, and List all reserved IPs on a subnet to see all your VPC resources that are using IP addresses on that subnet, including load balancers and VPN gateways. For more information, see Managing IP addresses.

UDP support for network load balancers. When creating a network load balancer (NLB), you can now set User Datagram Protocol (UDP) as the communications protocol for NLB listeners and pools by specifying udp for the protocol sub-property of the listener and pool properties respectively. (Health checks do not support UDP for monitoring the health of pool members.) For more information, see Configuring UDP for network load balancers.

You must set the same protocol for the load balancer pool and listeners using that pool.

Not all network load balancer offerings will support UDP. Before creating a UDP network load balancer (or updating an existing NLB listener to use UDP), check that the udp_supported property of the load balancer profile is true.

For all version dates

Concurrent update protection. To prevent multiple clients from unknowingly overwriting each other's updates, select API methods support entity-tags and conditional requests. For details, see Concurrent update protection in the Virtual Private Cloud API.

For all API version dates

Instance availability policies for compute host failures. A new availability_policy property has been added to the create and update instance methods to control the behavior when the instance's underlying compute host experiences a failure. The host_failure sub-property can be used to set the host failure availability_policy of the virtual server instance. The default policy is restart, which relocates the instance to a healthy host and restarts the instance. The policy may be set to stop to have the instance remain stopped if the compute host experiences a failure.

For more information, see Host failure recovery policies.

For all version dates

Resizable boot volumes. You can now increase the capacity of a boot volume, up to 250 gigabytes (GB). When creating an instance from an image or an instance template, you can specify a larger capacity than the image's minimum_provisioned_size default. Specify capacity in the volume sub-property of the boot_volume_attachment property. You can also increase the size of an existing boot volume by specifying the capacity property when updating the volume.

For all version dates

Port ranges for public network load balancers. When creating a public network load balancer you can now specify a range of listener ports. When you configure a load balancer with a port range, the port property of the load balancer's pool members will not be used for port translation on incoming traffic. Instead, traffic will arrive at the member on the same port it arrived on at the listener.

Before using this feature on a load balancer, update client applications that integrate with it to check the port_min and port_max properties on the load balancer listener. If those properties do not have the same value, the client must consider the inclusive range between port_min and port_max as the possible ports on which traffic can arrive at the member. However, if port_min and port_max have the same value, the behavior will be unchanged and traffic will arrive on the port specified by the port property of the load balancer pool member.

For all version dates

Bare metal servers for VPC. You can now create bare metal servers to host VMware® clusters in IBM Cloud VPC. You can set up VMware management applications and create VMware virtual machines on the bare metal servers. The new bare metal server APIs use a similar structure and employ the same concepts as the existing instance APIs. There is also a parallel but separate set of bare metal server profile APIs with similar conventions to the existing instance profile APIs. After you've learned one concept, it will apply to the other.

For more information, see About Bare Metal Servers for VPC and Bare metal server profiles, or dive into the new API methods.

For all version dates

Security groups for endpoint gateways. For enhanced security, you can now associate security groups with endpoint gateways. When you create an endpoint gateway, you can now specify the security_groups property, which associates those security groups with the endpoint gateway. If you do not specify security_groups, the endpoint gateway will be associated with the VPC's default security group. Before using the default security group, review your default security group rules and, if necessary, edit the rules to accommodate your endpoint gateway traffic.

Responses that return an endpoint gateway now include the security_groups property. On endpoint gateways created before 25 January 2022, the security_groups property in the response is an empty array ([]), and no security groups are set.

You can update security groups for an endpoint gateway by adding an endpoint gateway to or removing an endpoint gateway from a security group's targets.

You will not be able to remove the only remaining security group from an endpoint gateway. As a result, if you add a security group to an endpoint gateway which had no security groups, you will not be able to revert the endpoint gateway to have no security groups.

Finally, the security group targets property can now refer to an endpoint gateway, as can the responses for the get security group target and list security group target methods.

Snapshots for VPC. A captured_at property has been added to each snapshot, indicating the date and time when the snapshot was captured from the volume. The captured_at timestamp value is a close approximation to the actual snapshot time, typically within a few seconds. The actual snapshot capture is between the created_at and captured_at timestamps. (The created_at property indicates when the snapshot creation process was initiated.)

If captured_at is absent from the response, the snapshot's data has not yet been captured. Additionally, the property may be absent for snapshots created before 1 January 2022.

For all version dates

Snapshots for VPC. Restrictions have been removed for deleting snapshots. You can now delete any snapshot in the chain of snapshots. If the snapshot is actively being used to restore a volume, the snapshot will remain in deleting until the restore completes. The deletable property, which indicated whether a snapshot could be deleted, has been deprecated.

For all version dates

GPU instances. Updated instance and instance profile methods now include details about GPUs attached to the instance. New profiles provide support for GPUs. These GPUs provide accelerated computing to help you run workloads with more powerful compute capabilities.

The list all instances method returns a new gpu property with additional sub-properties: count, manufacturer, model, and memory. The retrieve an instance profile method returns new properties: gpu_count, gpu_manufacturer, gpu_model, and gpu_memory. For more information, see Managing GPUs.

For all version dates

Route mode for VNF support for network load balancers. Network load balancers now support a new "route mode" enabling virtual network functions (VNFs) as back-end targets. A route_mode property has been added to the load balancer resource to indicate if the load balancer is in route mode. A route_mode_supported property has been added to the load balancer profile resource to indicate if the profile supports route mode. Presently, only network load balancer profiles support route mode.

The Create load balancer and Create load balancer listener methods now accept properties port_min and port_max. You can request a load balancer listener for a single port by setting either the port property, or by setting the port_min and port_max properties to the same value. All load balancer listener responses now include port_min and port_max properties, with port_min matching the value of the existing port property.

When creating load balancers with route mode enabled, you must specify the listener's port_min value as 1, the port_max value as 65535, and omit the port property. Other port range values are not currently supported, as noted in Known issues.

For more information, see Creating a route mode Network Load Balancer for VPC.

For all version dates

Instance bandwidth. New properties have been added to the create and update instance methods to allow adjustment to the amount of total bandwidth (in megabits per second) allocated exclusively to attached volumes. The range of acceptable volume bandwidth values depends on the selected instance profile. A new total_volume_bandwidth property, added to each instance profile, provides the range of possible values, and the default value used when creating an instance. An increase in total_volume_bandwidth will result in a corresponding decrease to total_network_bandwidth.

The volume bandwidth allocated to your existing instances will be unaffected unless:

• The instance's total_volume_bandwidth is lowered
• The total bandwidth requested by the instance's attached volumes exceeds the amount already requested by its attached volumes

For more information about this feature, see Bandwidth allocation for instance profiles.

For all version dates

Block storage volumes:

• Adjustable IOPS. To manage the performance the your data volumes attached to running virtual server instances, use the update volume method to specify a different tiered profile value, or a different iops value within the custom IOPS tier. For more information, see Adjusting IOPS for block storage volumes.

• Expandable volumes. You can now expand a secondary volume attached to a running virtual server instance. Use the capacity property in the update volume method to request a new volume capacity, up to 16 TB (depending on the volume's profile). While the volume's capacity is being updated, the volume will remain available for use, but will have a status value of updating. For more information, see Expanding block storage volume capacity.

  If you expand an existing data volume, be aware that existing applications will be exposed to the new updating value. To avoid disruption, first check that your applications are written to gracefully handle unexpected status values.

For all version dates

Application load balancers. Use the HTTPS redirect feature to redirect traffic from an HTTP load balancer listener to an HTTPS listener.

An HTTPS redirect can be configured on either load balancer listeners or load balancer policies, or both. An HTTPS redirect is configured on the listener using the new https_redirect property, and will be used if none of the listener policy's rules match (or if it has no rules). An HTTPS redirect is configured on a load balancer policy using the new policy action value of https_redirect, and will be used only when all of the policy's rules match.

If you configure an HTTPS redirect on a listener policy, be aware that existing applications will be exposed to the new https_redirect value. To avoid disruption, check that your applications are written to gracefully handle unexpected action values first.

Additional API restrictions are enforced after an HTTPS redirect is configured:

• You will not be able to update the protocol and accept_proxy_protocol properties of the HTTP and HTTPS listeners. Instead, delete the listener and create a new listener with the new property values.
• You will not be able to delete an HTTPS listener until the HTTP listener referring to it is deleted.

For all version dates

Larger size boot volumes for custom images. You can import custom images with a boot disk size from 10 GB to 250 GB, which will become the image's minimum_provisioned_size after import. When you specify the image as part of creating an instance, the boot volume capacity is set to the image's minimum_provisioned_size. For details, see Planning custom images.

Placement groups. Placement groups for IBM Cloud® Virtual Private Cloud are logical groupings of virtual server instances that can be configured to reduce the risk of correlated failures inherent in your physical environment, such as networking issues, power loss, or hardware failure. Define a placement group strategy for high-availability workloads, such as for host or power spread. For more information, see About placement groups or dive into the new API methods.

For all version dates

LinuxONE (s390x processor architecture). You can now create virtual server instances on LinuxONE in IBM Cloud® using new virtual server instance profiles. Instances provisioned with these profiles will have a VCPU architecture of s390x and interoperate with other VPC storage and networking features such as block storage volumes, floating IPs, and security groups. For more information, see x86 instance profiles, and Service limitations.

For all version dates

Keys. Pagination has been added to the List all keys method. Pagination will not occur until your account includes more than 50 keys in a region, but we recommend that you update your existing client applications in preparation. Contact IBM support if you need assistance.

For all version dates

Load balancer pools. New cookie-based values have been added to the session_persistence enumeration returned by the load balancers pool methods. If you create or update pools with these new values to enforce session persistence, client applications will expose cookie values in all requests. For details, see Cookie-based session persistence.

For version 2021-06-08 or later

Load balancers. For requests using a version query parameter of 2021-06-08 or later, you can now use pagination when listing all load balancers in the region. Requests using a version query parameter of 2021-06-07 or earlier remain unpaginated, but may time out if you have many load balancers.

If you expect to use many load balancers at once, migrate your applications to the paginated API to improve responsiveness and reliability. Contact IBM support if you need help migrating your existing client applications.

For all version dates

Image from volume. On a POST /images request, you can now specify source_volume with an instance boot volume identity. Specifying the encryption_key property in that request encrypts the image with a root key of your choosing. For details, see Creating an image from a volume.

For all version dates

Snapshots for VPC. Use the new regional snapshot service to create point-in-time copies of your block storage boot or data volumes. Select a snapshot during instance provisioning and restore a new, fully-provisioned boot volume to start the instance. You can also create and attach a data volume from a snapshot within a running virtual server instance. Learn about creating and using snapshots and explore the new API methods.

For all version dates

Scheduled scaling. Use scheduled scaling for VPC to schedule actions that automatically add or remove instance group capacity, based on daily, intermittent, or seasonal demand. You can create multiple scheduled actions that scale capacity monthly, weekly, daily, hourly, or even every set number of minutes. Explore the instance group managers methods and the new manager actions methods.

For all version dates

Instance storage. New instance profiles can now optionally include a set of solid state disks. These instance storage disks provide temporary storage to improve the performance of cloud-native workloads that need scratch space, large data caches, or data replicated across availability zones.

The following API methods have been added:

• List all disks on an instance (GET /instances/{instance_id}/disks)
• Retrieve an instance disk (GET /instances/{instance_id}/disks/{id})
• Update an instance disk (PATCH /instances/{instance_id}/disks/{id})
• List all disks on a dedicated host (GET /dedicated_hosts/{dedicated_host_id}/disks)
• Retrieve a dedicated host disk (GET /dedicated_hosts/{dedicated_host_id}/disks/{id})
• Update a dedicated host disk (PATCH /dedicated_hosts/{dedicated_host_id}/disks/{id})

API methods that return instance and dedicated host profiles now include a disks property with information about the storage capability (where present) of resources provisioned with those profiles.

API methods that return instances and dedicated hosts now include a disks property with information about the disks configured for those resources.

For more information, see About instance storage.

Virtual server instance console. You can now access your instances by connecting to a VNC or serial console. Learn about Accessing virtual server instances by using VNC or serial consoles, and explore the new instance console API methods:

• Create a console access token for an instance (POST /instances/{instance_id}/console_access_token)
• Retrieve the console WebSocket for an instance (GET /instances/{instance_id}/console)

Instance resize. You can now resize an instance by providing the profile property in the API method PATCH /instances/{id} (Update an instance). For more information, see Resizing a virtual server instance.

For all version dates

New parameter-based rule types for an application load balancer. When creating a load balancer listener policy rule, the field property may now be set to query or body to perform additional forms of layer 7 load balancing:

• query - Write layer 7 rules that use the query string to route traffic to a specific target. For a query type rule, field and value must be percent-encoded, same as the query string in the URL.
• body - If the body of the POST request uses form encoding (UTF-8), then you can create layer 7 rules to route traffic based on the parameter name and value in the body. The Content-Type in the request is ignored.

If you use these new rule types, be aware that existing client applications will be exposed to those new values in the existing properties. To avoid disruption, check that client applications are written to gracefully handle unexpected values for these properties before using these new rule types for an application load balancer.

For all version dates

Bring your own license. You can now bring your own license (BYOL) for custom images that you create and import to IBM Cloud VPC. When you import a custom image, you can choose from new byol Red Hat Enterprise Linux (RHEL) and Windows operating systems.

A new dedicated_host_only property has been added to operating system resources. Any instance with a boot volume created from an image with operating_system.dedicated_host_only set to true must be placed on a dedicated host (or into a dedicated host group). Because Windows BYOL images have dedicated_host_only set to true, they must be placed on a dedicated host (or into a dedicated host group). There are no restrictions on placing instances using RHEL BYOL images.

Every operation that returns an OperatingSystem resource now includes a dedicated_host_only property.

For all version dates

Additional VPN for VPC IKEv2 encryption/hash/Diffie Hellman (DH) group support. For enhanced security, VPN for VPC now supports SHA2-512 (a Secure Hash Algorithm) and DH group 19 (a 256-bit elliptic curve algorithm) to generate a symmetric key.

If you use these new algorithms, be aware that existing client applications will be exposed to those new values in the existing authentication_algorithm and dh_group properties. To avoid disruption, check that client applications are written to gracefully handle unexpected values for these properties before using these new algorithms.

The following VPN for VPC methods have been updated:

• In IKE policies, the authentication_algorithm property now includes a sha512 value, and the dh_group property includes a 19 value.
• In IPsec policies, the authentication_algorithm property now includes a sha512 value, and the pfs property includes a group_19 value.

New VPN gateway property. Each element of the existing VPN gateway members array now includes a private_ip property, which provides the IP address assigned to that VPN gateway member.

For all version dates

Application load balancer security group integration. For enhanced security, application load balancers can now be associated with security groups. You can specify one or more security groups when you create the application load balancer, and associate security groups with your existing application load balancers. If you omit security groups during load balancer creation, the default security group for the VPC is used.

If you plan to use default security groups for new application load balancers, review your default security group rules. If necessary, edit the rules to accommodate your expected application load balancer traffic.

The following load balancer methods have been updated:

• Create a load balancer (POST /load_balancers) can now accept a list of security groups
• Get load balancer details (GET /load_balancers/{id}) now returns references to the security groups to which a load balancer is attached

New security group methods have been added for managing security group targets:

• Attach a security group to a target network interface or load balancer (PUT /security_groups/{security_group_id}/targets/{id})
• List targets attached to a security group (GET /security_groups/{security_group_id}/targets)
• Retrieve a target in a security group (GET /security_groups/{security_group_id}/targets/{id})
• Delete targets from a security group (DELETE /security_groups/{security_group_id}/targets/{id})

Use the security group target methods to manage security group attachments to both load balancers and network interfaces. The original methods specific to network interfaces are now deprecated:

• GET /security_groups/{security_group_id}/network_interfaces
• DELETE /security_groups/{security_group_id}/network_interfaces/{id}
• GET /security_groups/{security_group_id}/network_interfaces/{id}
• PUT /security_groups/{security_group_id}/network_interfaces/{id}

For more information, see Integrating an IBM Cloud Application Load Balancer for VPC with security groups.

Bring Your Own IP (BYOIP) support for VPC. VPC address prefixes are no longer restricted to RFC-1918 addresses. You must now configure VPCs that use both non-RFC-1918 addresses and have public connectivity (floating IPs or public gateways) using a custom route that contains the new delegate_vpc property. You must specify this property for destination CIDRs that are non-RFC-1918 compliant and outside of the VPC, such as for destinations that are reachable through IBM Cloud® Direct Link, IBM Cloud Transit Gateway, or VPC classic access.

The delegate_vpc property is not required if a VPC uses only RFC-1918 addresses or has no public connectivity.

The following API methods have been updated:

• View the delegate_vpc property in the requests and responses for /vpcs/{vpc_id}/routing_tables/{routing_table_id}/routes.
• View reserved IP ranges in POST /vpcs/{vpc_id}/address_prefixes, which creates an address pool prefix.

For all version dates

Checksum (SHA256) for imported images. When you import a custom image to IBM Cloud VPC, you can now view the checksum that was generated for the image during the import operation. By generating a checksum for the image locally, and checking that the checksums match, you can verify the integrity of the imported image. For more information, see Importing and validating custom images into VPC.

The sha256 checksum is available in the file details in API method GET /images/{id}. See Retrieve an image.

For all version dates

The quantity of memory for virtual server instance profiles is now provisioned in gibibytes (GiB), instead of gigabytes (GB). For example, creating a new bx2-4x16 virtual server instance provisions the instance with 16 GiB (17,179,869,184 bytes), instead of 16 GB (16,000,000,000 bytes). Virtual server instances that have already been provisioned are not affected.

For version 2021-01-19 or later

For requests using a version query parameter of 2021-01-19 or later, memory for virtual server instances is now expressed in gibibytes (GiB), instead of gigabytes (GB). For example, the memory property returned from GET /instances/{id} now reports in GiB (truncated to a whole number).

For all version dates

Customer-managed encryption for block storage volumes and encrypted custom images. When you disable or delete a customer root key (CRK) that is encrypting your block storage or custom image resources, the API displays a status of unusable for these resources, along with the reason codes encryption_key_deleted or encryption_key_disabled.

The unusable status appears in the following API methods:

• List all volumes (GET /volumes)
• Retrieve a specific volume (GET /volumes/{id})
• List all images (GET /images)
• Retrieve the specified image (GET /images/{id})

For more information about key states and resource statuses, see User actions that impact root key states and resource status.

Dedicated hosts are now supported in the VPC API. Learn more about using dedicated hosts and explore the new API methods.

For all version dates

Datapath log forwarding with IBM Log Analysis is now available for IBM Cloud Application Load Balancer for VPC. Data and health check logs are valuable for debugging, analysis, and maintenance purposes. With the datapath logging feature enabled, your load balancer forwards these logs to your account's IBM Log Analysis dashboard.

View the logging property in the following API methods:

• List all load balancers (GET /load_balancers)
• Retrieve a load balancer (GET /load_balancers/{id})

For more information, see Datapath log forwarding with IBM Log Analysis.

For all version dates

Support for ingress routing is included as part of routing tables, which were released on 30 October 2020. Use ingress routing to control the policy for packets that are coming in to your VPC or one of its zones. The policy can vary, depending on the type of source and the destination IP address range.

Routing tables for the VPC API are the same for both egress and ingress routing, with the following additional properties that you can specify for ingress routing:

• route_direct_link_ingress
• route_transit_gateway_ingress
• route_transit_gateway_ingress

For more information, see About routing tables and routes.

For version 2020-11-13 or later

Static-route-based VPN gateways are now available for requests using a version query parameter of 2020-11-13 or later. For a static-route-based VPN gateway, virtual tunnel interfaces are created. Any traffic that is routed to these interfaces with user-defined routes is encrypted. For more information, see About VPN gateways.

For all version dates

• Custom routing tables are now supported in the VPC API. This feature controls where network traffic is directed on a per-subnet basis. Explore new API methods for routing tables and routes. This feature subsumes the VPC routing API, which remains supported but is deprecated and might be removed in a future API release.

• Virtual private endpoint gateways. Use virtual private endpoint gateways to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choice, which is allocated from a subnet within your VPC. For more information, see About virtual private endpoint gateways.

• VPC network interfaces. IP anti-spoofing checks had already been provided for enhanced security. However, certain use cases, such as having a virtual server instance act as a network gateway, require selective disabling of these checks. To accommodate these use cases, if you have the is.instance.instance.ip-spoofing IAM action, you can now enable the allow_ip_spoofing property when you create a network interface. Alternatively, toggle the property when you update an existing network interface. See also About IP spoofing checks.

• Proxy protocol for application load balancers for VPC. When you configure a load balancer pool to use proxy protocol, the pool will pass information about the client to a back-end pool member when a connection is opened.

  You can also configure a load balancer listener to accept proxy protocol information. This feature is useful when the client is, itself, a proxy (which, in turn, was connected to by the actual client) that supports the proxy protocol. This allows client information to be obtained and passed on to any pools that, themselves, have the proxy protocol enabled.

  For more information, see Enabling proxy protocol.

For all version dates

Encrypted images. Use the VPC API to create your own image, encrypt it with your own key, and import it, encrypted, into IBM Cloud. After you import the image, use it like any other image. If you use the image to provision an instance, its boot volume is encrypted using the image's root encryption key or another root encryption key of your choosing.

Dive into the APIs to import an encrypted image and provision an instance from that encrypted image. See also Creating an encrypted custom image.

For all version dates

Network load balancers. You can now use the load balancers API to distribute traffic among multiple server instances within the same region of your VPC. To learn how to create and manage a network load balancer, see About IBM Cloud Network Load Balancer for VPC.

The network load balancers API is shared between IBM Cloud application load balancers and network load balancers.

For all version dates

This API release supports the following changes:

• Create an instance group of a fixed size and use it as a stand-alone feature
• Use the instance group manager to manage the instance group, which can associate an auto scale policy with that group

For more information, see Creating an instance group for auto scaling.

The following new methods are available for instance groups:

• GET and POST for /instance_groups
• DELETE, GET, and PATCH for /instance_groups/{id}
• DELETE for /instance_groups/{instance_group_id}/load_balancer
• GET and POST for /instance_groups/{instance_group_id}/managers
• DELETE, GET, and PATCH for /instance_groups/{instance_group_id}/managers/{id}
• GET and POST for /instance_groups/{instance_group_id}/managers/{instance_group_manager_id}/policies
• DELETE, GET, and PATCH for /instance_groups/{instance_group_id}/managers/{instance_group_manager_id}/policies/{id}
• GET for /instance_groups/{instance_group_id}/memberships
• DELETE, GET, and PATCH for instance_groups/{instance_group_id}/memberships/{id}

You can also use the new instance template feature independently of auto scale. For example, create a template, and then create instances from that template, without creating an instance group.

The following new endpoints are now available for instances:

• GET and POST for /instance/templates
• GET, PATCH, and DELETE for /instance/templates/{id}

POST /instances now supports a source_template.

For all version dates

The flow log collectors API is now generally available.

For all version dates

This API release supports the following enhancements for customer-managed encryption for block storage boot and data volumes:

• POST /instances -- Create an instance and new volume, encrypted, using your customer root key (CRK). CRKs are imported to IBM Cloud or created in a key management service.
• POST /volumes -- Create an unattached data volume, encrypted, using your CRK.

For all version dates

Configure load balancer pool resources and their health monitors to use the HTTPS protocol. This enhancement enables end-to-end SSL encryption with HTTPS listeners, along with HTTPS health checks for increased availability. See the load balancers API.

For all version dates

This API release supports the following changes:

• Flow log collectors API is available as beta
• GET /security_groups now supports vpc.crn and vpc.name filters

For all version dates

IBM Cloud interprets volume capacity units in gibibytes, but the API documentation used gigabytes. This issue is now resolved in the documentation.

For all version dates

Usage recommendations are provided for the following load balancer properties:

• protocol property for load balancer pools
• type property for load balancer pool health monitors

The guidance notes that new values for these properties might be added in the future, and unexpected values are handled gracefully. See the load balancers API.

For all version dates

Support is temporarily suspended for creating instances from an existing boot volume. This feature was available through the API only, with no CLI or UI support. In the interim, you must specify the image property when you call POST /instances.

You can still create instances that reference existing data volumes.

For all version dates

Device IDs are now shown when you retrieve an instance's volume attachments.

For all version dates

This API release supports the following changes:

• Network access control list (ACL) methods
• Instance filtering by VPC

For all version dates

A VPC’s cloud service endpoint source IPs now appear in output. Learn about cloud service endpoint source addresses and how DNS resolves shared cloud service endpoints.

For all version dates

This API release supports the following changes:

• Load balancers API is available as beta
• VPN gateways are available as beta
• Pagination is now supported for instances
• Classic access to VPCs (also known as classic peering) is supported