VPC API change log
Read the VPC API change log to learn about updates and improvements to the IBM Cloud® Virtual Private Cloud (VPC) API. The change log lists changes that are ordered by the date they were released. Changes to existing API versions are designed to be compatible with existing client applications.
By design, new features with backward-incompatible changes apply only to version dates on and after the feature's release. Changes that apply to older versions of the API are designed to maintain compatibility with existing applications and code. If backward-incompatible changes require non-trivial client code changes to use an API version, the API change log might provide links to instructions, tips, or best practices for updating client code.
Some changes, such as new response properties or new optional request parameters, are considered backward compatible. Other changes, such as new required request parameters, are not considered backward compatible. To avoid disruption from changes to the API, use the following best practices when you call the API:
- Catch and log any 4xx or 5xx HTTP status code, along with the included trace property
- Follow HTTP redirect rules for any 3xx HTTP status code
- Consume only the resources and properties your application needs to function
- Avoid depending on behavior that is not explicitly documented
SDK changes are based on API changes. For more information about the latest changes to the VPC SDKs, see the change logs in the SDK repositories:
Upcoming changes
Deprecated classic_access for VPCs. When creating a VPC, the classic_access property is now deprecated. Instead, use a Transit Gateway to connect VPCs to Classic Infrastructure. In an upcoming release, unless your account has been granted approval, you will no longer be able to create a new VPC with classic_access set to true. To prepare for this change, update your workflows to use Transit Gateways instead of the classic_access property.
InstanceTemplate response schema change. In an upcoming release, future methods of creating instances, and therefore creating instance templates, may not require a primary network interface. To accommodate this, the primary_network_interface property is now optional in the instance template response model.
At this time, all instances, and therefore all instance templates, continue to require that a primary network interface be specified. Therefore, existing instance templates are unaffected. Additionally, new instance templates will continue to include a primary network interface until further notice. However, to ensure your clients will not be affected in the future, verify that they are tolerant of the primary_network_interface property not being included when consuming InstanceTemplate responses.
Instance response schema change. In an upcoming release, volume attachments returned in the boot_volume_attachment and volume_attachments[] properties of an instance will not include the volume sub-property if the volume has not yet been provisioned. Such volumes are currently represented with empty crn, id, and href properties along with an undocumented sentinel value for name.
To prepare for this change, verify that your client checks that the volume property exists for a volume attachment before attempting to access its crn, id, href, or name sub-properties.
Asynchronous DELETE response code change. In an upcoming release, the response code output for asynchronous DELETE operations will change from 204 to 202. A response code of 204 implies the action is completed, which could be misleading for operations that are still processing. A response code of 202 is more appropriate. This behavior change will occur only for an API version date after its release. A response code of 204 will continue to be returned for API versions up to this version date.
The new response code will be rolled out gradually. Each phase of the rollout will be tied to a dated API version. These changes will be announced in future change log updates.
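The following is an added example (not IBM SDK code) of a client written to the best practices at the top of this page and to the upcoming changes above: it logs the trace property of every 4xx/5xx response, follows 3xx redirects with a hop limit, treats both 204 and 202 as success for asynchronous DELETE (which also covers the snapshot DELETE change announced under 21 May 2024), and reads Instance and InstanceTemplate responses without assuming the volume or primary_network_interface sub-properties are present. The transport interface (send(method, url) returning a Response) and the sample responses are constructed for offline use; the error-body shape with a top-level trace and an errors list follows the documented VPC API error format.

```python
"""Defensive handling of IBM Cloud VPC API responses (added example, not IBM SDK code)."""
import json
import logging
from dataclasses import dataclass, field

log = logging.getLogger("vpc-client")


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class VpcApiError(Exception):
    def __init__(self, status, trace, message):
        super().__init__(f"HTTP {status} (trace {trace}): {message}")
        self.status = status
        self.trace = trace


# Asynchronous DELETE currently returns 204; the announced change moves it to 202 for
# later version dates. Accepting both keeps a client correct across the transition.
DELETE_SUCCESS = frozenset({202, 204})


def check_response(resp, expected=frozenset({200, 201})):
    """Raise VpcApiError for any 4xx/5xx, logging the trace needed for a support case."""
    if 400 <= resp.status <= 599:
        trace, message = "unknown", ""
        try:
            err = json.loads(resp.body or b"{}")
            trace = err.get("trace", trace)
            errors = err.get("errors") or []
            if errors:
                message = errors[0].get("message", "")
        except ValueError:
            pass  # body was not JSON; still surface the status code
        log.error("VPC API error status=%d trace=%s message=%s", resp.status, trace, message)
        raise VpcApiError(resp.status, trace, message)
    if resp.status not in expected:
        raise VpcApiError(resp.status, "n/a", "unexpected success status")
    return resp


def get_following_redirects(send, url, max_hops=5):
    """GET url, honouring 3xx Location headers, but never more than max_hops times."""
    for _ in range(max_hops):
        resp = send("GET", url)
        if 300 <= resp.status <= 399 and "Location" in resp.headers:
            url = resp.headers["Location"]
            continue
        return check_response(resp)
    raise RuntimeError(f"more than {max_hops} redirects while fetching {url}")


def attached_volume_ids(instance):
    """IDs of provisioned volumes on an instance. Attachments whose 'volume' sub-property
    is absent, null, or carries an empty id (not yet provisioned) are skipped, not raised on."""
    attachments = []
    boot = instance.get("boot_volume_attachment")
    if boot:
        attachments.append(boot)
    attachments.extend(instance.get("volume_attachments") or [])
    ids = []
    for att in attachments:
        vol = att.get("volume")
        if vol and vol.get("id"):
            ids.append(vol["id"])
    return ids


def template_primary_subnet_id(template):
    """primary_network_interface is optional in InstanceTemplate responses: return the
    subnet id when present, else None, instead of failing with KeyError."""
    pni = template.get("primary_network_interface") or {}
    return (pni.get("subnet") or {}).get("id")


# Constructed sample responses (hostname and payloads are made up for this example).
SAMPLE_RESPONSES = {
    "https://api.example.test/v1/instances?old": Response(
        301, {"Location": "https://api.example.test/v1/instances"}),
    "https://api.example.test/v1/instances": Response(200, {}, b'{"instances": []}'),
    "https://api.example.test/v1/instances/missing": Response(
        404, {}, b'{"errors":[{"code":"not_found","message":"no such instance"}],"trace":"trace-0001"}'),
}


def sample_send(method, url):
    """Offline stand-in for an HTTP client."""
    return SAMPLE_RESPONSES[url]
```

A client built this way survives the announced schema and status-code changes without a code change, and every failure it logs carries the trace value IBM support asks for.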
29 October 2024
For all version dates
File share replication frequency increase. When creating or updating a replication file share, you can now set the replication schedule as often as every 15 minutes by setting the replication_cron_spec property. The previous minimum threshold was 1 hour. For more information, see About file share replication.
15 October 2024
For all version dates
Distributing traffic across tunnels of route-based VPN gateway connections. You can now distribute traffic across tunnels with a status of up in a route-based VPN gateway connection. When creating or updating a route-based VPN gateway connection, set the distribute_traffic property to true (default is false). Existing connections will have the distribute_traffic property set to false. The distribute_traffic property is now included in the VPNGatewayConnection schema used in responses, for example when retrieving a VPN gateway connection.
For more information, see Distributing traffic for a route-based VPN.
1 October 2024
For all version dates
Private Path network load balancers. Accounts that have been granted special approval to preview this feature can now create a Private Path network load balancer to enable and manage private connectivity for consumers of a hosted service. When creating a load balancer, you can specify the new is_private_path property value as true to create a Private Path network load balancer.
Load balancer schema enhancements for Private Path network load balancers. The Private Path network load balancer includes a new load balancer profile network-private-path, along with the following new load balancer and load balancer profile properties:
- source_ip_session_persistence_supported indicates whether a load balancer supports source IP session persistence. Source IP session persistence is not supported by Private Path network load balancers.
- availability indicates the availability of a load balancer. Load balancers with subnet availability remain available if at least one of their subnets is in a zone that's available. Load balancers with region availability remain available if at least one zone in the region is available. Private Path network load balancers have region availability. Other load balancers have subnet availability.
The value for the load balancer profile properties route_mode_supported, security_groups_supported, udp_supported, and logging_supported is set to false for Private Path load balancers. Additionally, Private Path load balancers do not support setting or updating the dns property, because Private Path network load balancers are accessed using endpoint gateways where DNS is configured.
Private Path service gateways. Accounts that have been granted special approval to preview this feature can now create a private path service gateway. Creating, updating, publishing, unpublishing and deleting Private Path service gateways provide cross-account connectivity to the Private Path network load balancers fronting your services. Consumers access your services by targeting their endpoint gateways at your Private Path service gateways. Private Path service gateways also have two child resources:
- Account policies provide per-account access policies that supersede the Private Path service gateway's default access policy. You can create, update, and delete policies to permit, deny, or manually review requests from any account. You can also revoke current and future access for an account. For more information, see About account policies.
- Endpoint gateway bindings are created for each endpoint gateway targeting the Private Path service gateway. The access policy for the endpoint gateway's account is applied to all new endpoint gateway bindings. If an account policy doesn't exist, the Private Path service gateway's default_access_policy is used. If the resulting policy is review, you must explicitly permit or deny the request, and optionally set a new policy for future requests from the account.
Learn about Creating Private Path service gateways, and explore the new API methods.
CRNs for VPC routing tables. VPC routing tables now support the crn property as an identifier. As a result, the RoutingTable, RoutingTableReference and RoutingTableIdentity schemas now include a crn property. All operations that use these schemas have been updated. For operations where the response contains a routing table or a reference to a routing table, for example creating a routing table, retrieving a routing table or retrieving a VPC's default routing table, the crn property is now included.
When replacing the routing table for a subnet, for example, you can now optionally specify the routing table by its crn property.
Now that all VPC routing tables have a CRN, you can tag routing tables to control access, as well as search for VPC routing tables using tags.
24 September 2024
For all version dates
Sharing snapshots across accounts. You can now use cross-account authorization in Identity and Access Management (IAM) to share a snapshot CRN with a target IBM account. Sharing allows that account to create a block storage volume from the shared snapshot. When creating a volume, users who have been authorized within the target account can specify the source_snapshot.crn property with the CRN of the snapshot. When listing volumes or retrieving a volume, the response includes source_snapshot.remote.account if the snapshot is from a different account.
For more information, see Sharing a snapshot with another account and Restoring a volume from a snapshot.
Block storage defined_performance family. For accounts that have been granted special approval to preview this feature, a new defined_performance family is introduced for data and boot volumes. This family initially contains the new sdp profile, which provides similar functionality to the existing custom volume profile. The sdp profile introduces the ability to increase capacity and change IOPS to volumes, even when those volumes are not attached to a virtual server instance. To make use of these capabilities in your automation, refer to Block storage schema enhancements for adjustable capacity and IOPS.
For more information, see About Block Storage for VPC, Block Storage for VPC profiles, Creating Block Storage for VPC volumes, and Viewing available volume profiles.
Block storage schema enhancements for adjustable capacity and IOPS. When listing and retrieving a volume profile, the new adjustable_capacity_states, adjustable_iops_states, boot_capacity, capacity, and iops properties indicate the capacity and IOPS capabilities of the volume profile. While the capabilities of existing profiles are unchanged, accounts with access to the defined_performance profile family can use these properties in automation to robustly use the new capabilities. Similarly, when listing and retrieving a volume, the new adjustable_capacity_states and adjustable_iops_states properties indicate the adjustable capacity and IOPS capabilities of the volume.
10 September 2024
For all version dates
Zone universal names. Unique identifiers for IBM Cloud zones are now available in the Geography API methods. When retrieving a zone and listing zones in a region, new properties universal_name and data_center are included in the response. A zone's universal_name is a persistent identifier of the zone, irrespective of the IBM Cloud account's logical zone name mapping. The data_center property denotes the primary physical data center where the logical zone is hosted. This property lets you connect your VPC resources to your resources in IBM Classic data centers. If the data_center property is absent from the response, no physical data center has been assigned.
The response may also include a new zone status property value of unassigned, which indicates that the IBM Cloud account's zone mapping has not yet been assigned. For more information, see the overview Region and data center locations for resource deployment.
23 July 2024
For all version dates
Bare metal server reinitialization. You can now reinitialize a bare metal server. To reinitialize a bare metal server, specify the image to provision, one or more SSH public keys, and optionally specify user_data. Upon successful reinitialization, the bare metal server starts automatically and retains the same physical node, interfaces, IP addresses, and resource IDs it had before reinitialization.
To reinitialize a bare metal server, the server status must be stopped, or have failed a previous reinitialization. For more information, see Managing Bare Metal Servers for VPC.
9 July 2024
For all version dates
Parameterized redirect target URL for load balancers. The target.url property now supports the variables {protocol}, {port}, {host}, {path}, and {query}, and embedding RFC 6570 level 1 expressions. When creating or updating a policy for a load balancer listener, you can specify a value that contains a combination of these variables for the target.url property. This enables redirecting requests to a dynamic URL through the application load balancer. For more information, see Layer 7 load balancing.
Firmware update for bare metal servers. You can now update firmware for a stopped bare metal server. This request updates server firmware if newer firmware is available and automatically starts the bare metal server after the firmware update is successfully completed. If you don't want the bare metal server to start after the firmware is updated, set the auto_start property value to false in the request.
When listing and retrieving a bare metal server, the response includes the new firmware property, which in turn has an update property that indicates the type of update available (none, optional, or required). For more information, see Managing Bare Metal Servers for VPC.
2 July 2024
For all version dates
Dynamic network bandwidth control for bare metal servers. When provisioning a bare metal server, you can now optionally specify the bandwidth property according to the needs of your workload. You can subsequently update the bandwidth property of an existing bare metal server to support dynamic workload requirements. Bandwidth changes do not require a restart and are effective immediately. For more information, see Creating Bare Metal Servers on VPC.
When retrieving or listing bare metal server profiles, the bandwidth property for new profiles can now return a bandwidth.type of enum, with bandwidth.values providing the supported bandwidth values, and bandwidth.default providing the profile's default bandwidth.
Third generation of bare metal hardware profiles and Trusted Platform Module. For accounts that have been granted special approval to preview this feature, when creating a bare metal server, the default TPM mode and the supported TPM modes will be determined by the profile. All third generation profiles will default to TPM 2.0 and will no longer support disabling TPM. For more information, see Secure boot with Trusted Platform Module (TPM) for bare metal servers and Creating Bare Metal Servers on VPC.
Provisioned bare metal servers are not affected. Existing bare metal server profiles are also not affected. Therefore, TPM remains disabled by default when provisioning servers using previous generations of bare metal server profiles.
25 June 2024
For all version dates
Accessor file shares. You can now create a share that accesses data from another share, which may be in another account. Specify the share to access data from, which may also be a replica share, with the new origin_share property.
Before specifying an origin share in another account, ensure that authorizations are established between the origin share account and accessor account. You must also have an appropriate IAM role with the is.share.share.allow-remote-account-access action.
When creating or updating a share, specify the new allowed_transit_encryption_modes property (possible values none, user_managed) to limit the transit encryption modes for the share and its associated accessor shares.
When retrieving and listing file shares, the origin_share property will be included in the response when the new accessor_binding_role is accessor (possible values none, accessor, origin).
Each time an accessor share is created, an accessor binding is created on its origin share, allowing all access to the origin share to be tracked and managed. The following new accessor bindings methods are introduced in this release:
- List accessor bindings for an origin share
- Retrieve an origin share accessor binding
- Delete an origin share accessor binding
Revoking an account's access to an origin share requires both removing the accessor account's authorizations and deleting its existing accessor bindings. For more information, see Removing access to a file share from other accounts.
Currently, when creating, updating or retrieving an accessor share, the accessor_bindings and lifecycle_reasons properties may be missing from the response. Additionally, when creating, updating, or retrieving an origin share, the value of the href sub-property of the accessor_bindings property may be incorrect.
11 June 2024
For all version dates
Generic operating system images. You can now create a generic operating system image, which is an image containing a specific operating system that is not in the response from listing operating systems. To facilitate creating these images and provisioning servers from them, two new immutable operating system properties, user_data_format and allow_user_image_creation, and one new immutable image property, user_data_format, are provided. The operating system property user_data_format (possible values cloud_init, esxi_kickstart, ipxe) populates the image property user_data_format, which specifies how user_data is interpreted and used when creating a virtual server instance or creating a bare metal server. The operating system property allow_user_image_creation indicates whether that operating system may be used to create a generic operating system image.
For more information, see Importing and validating custom images into VPC.
Images that are used to create virtual server instances or to create instance templates must have a user_data_format value of cloud_init.
Network bootable bare metal servers. You can now use a specific stock image to create a bare metal server that will network boot an image using iPXE. This stock image must have a user_data_format value of ipxe.
4 June 2024
For all version dates
Provisioning instances with IBM Cloud billed catalog offering plans. You can now provision a virtual server instance with a billed catalog offering from the IBM Catalog. When creating an instance, specify the catalog_offering.version.crn or catalog_offering.offering.crn property as before, and additionally specify the billing plan using the new catalog_offering.plan.crn property. You can still provision an instance without a plan, but if it's a billed plan, you must specify catalog_offering.plan.crn. The same requirements apply when provisioning an instance template for a billed offering. For more information, see Provision an instance from a private catalog image by using the API.
When retrieving an instance that was provisioned with a billed catalog offering, the new catalog_offering.plan.crn property provides the associated billing plan.
Enhancements to volumes and snapshots in support of catalog offering plans. When retrieving a volume that was originally provisioned as a boot volume from an instance with a billed catalog offering, the response now includes both catalog_offering.version.crn and catalog_offering.plan.crn properties. The response includes the same properties when retrieving a snapshot with a source_volume that had those properties.
28 May 2024
For all version dates
Virtual network interface protocol state filtering mode. Protocol state filtering monitors each network connection flowing over a virtual network interface (VNI), and drops any packets that are invalid based on the current connection state and protocol. Certain use cases, such as having a virtual server instance function as a network gateway, require selective disabling of this filtering. To accommodate these use cases, if you have the is.virtual-network-interface.virtual-network-interface.manage-protocol-state-filtering-mode IAM action, you can now set non-default values for the protocol_state_filtering_mode property when you are creating or updating a VNI.
The new protocol_state_filtering_mode property is supported for VNI methods and all methods in which a VNI can be created.
This release introduces the following updates for accounts that have been granted special approval to preview these features:
Confidential computing capabilities. On select instance profiles, you can now enable Intel® Software Guard Extensions. When creating or updating an instance, or when creating or updating an instance template, you can specify the new confidential_compute_mode property (disabled or sgx) to use for a virtual server instance. The new confidential_compute_modes instance profile property indicates which profiles will support which modes. If you do not specify the confidential_compute_mode property when creating an instance or instance template, the default confidential compute mode from the profile will be used. For more information, see Confidential computing with Intel Software Guard Extensions (SGX) for Virtual Servers for VPC.
Secure boot capabilities. When creating or updating an instance, or when creating or updating an instance template, you can set the new enable_secure_boot property to true to enable secure boot on the virtual server instance. The new secure_boot_modes instance profile property indicates the secure boot modes supported by the profile. If you do not specify the enable_secure_boot property when creating an instance or instance template, the default secure boot mode from the profile will be used. To use secure boot, the image must support secure boot or the instance will fail to boot. For more information, see Secure boot for Virtual Servers for VPC.
To update the enable_secure_boot and confidential_compute_mode properties, the virtual server instance status must be stopping or stopped.
21 May 2024
For version 2022-02-28 or later
Snapshots DELETE response code change. When deleting a snapshot or deleting a filtered collection of snapshots using a version query parameter of 2022-02-28 or later, the response will now return an HTTP response code of 202 upon success, instead of 204. The underlying deletion operations were already asynchronous, and remain unchanged.
To avoid regressions in client functionality, before issuing requests using a version query parameter of 2022-02-28 or later, ensure that any clients deleting snapshot resources will also regard a response code of 202 as success.
A response code of 204 will continue to be returned for API requests using a version query parameter of 2022-02-27 and earlier.
This feature was originally released on 28 February 2022, but an announcement was not included at the time.
14 May 2024
For all version dates
Local IP address support for security group rules. You can now specify local IP addresses or address ranges in security group rules. When creating or updating a security group rule, specify the optional local property. The value can be an IP address or a range of IP addresses in CIDR format. If not specified, the default value is cidr_block: 0.0.0.0/0, which means the rule allows traffic to all local IP addresses (or from all local IP addresses, for outbound rules). This default value will be applied to all existing security group rules. For more information, see Applying security group rules to source and destination IP addresses.
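To make the effect of the local property concrete, the following added example (not IBM's implementation) evaluates constructed security group rules against a flow, applying the documented default of cidr_block 0.0.0.0/0 when local is omitted. Rule dictionaries use the documented property names (direction, protocol, port_min, port_max, local, remote); handling only address and cidr_block scopes, and the order of checks, are assumptions made for illustration.

```python
"""Evaluating security group rules with local and remote scopes (added example, not IBM code)."""
import ipaddress

ANY_LOCAL = {"cidr_block": "0.0.0.0/0"}


def normalize_rule(rule):
    """Apply the documented default: a rule without 'local' matches every local IP
    (cidr_block 0.0.0.0/0), which is also the value applied to all existing rules."""
    normalized = dict(rule)
    normalized.setdefault("local", ANY_LOCAL)
    normalized.setdefault("remote", ANY_LOCAL)
    return normalized


def scope_network(scope):
    """Translate an address or cidr_block scope into a network for membership tests."""
    if "cidr_block" in scope:
        return ipaddress.ip_network(scope["cidr_block"], strict=False)
    if "address" in scope:
        return ipaddress.ip_network(scope["address"])  # a bare address becomes a /32
    raise ValueError("scopes that reference a security group are not handled in this example")


def rule_matches(rule, direction, local_ip, remote_ip, protocol, port=None):
    """True if one rule permits the described flow."""
    rule = normalize_rule(rule)
    if rule["direction"] != direction:
        return False
    if rule.get("protocol", "all") not in ("all", protocol):
        return False
    if ipaddress.ip_address(local_ip) not in scope_network(rule["local"]):
        return False
    if ipaddress.ip_address(remote_ip) not in scope_network(rule["remote"]):
        return False
    if rule.get("protocol") in ("tcp", "udp") and port is not None:
        if not rule.get("port_min", 1) <= port <= rule.get("port_max", 65535):
            return False
    return True


def is_allowed(rules, direction, local_ip, remote_ip, protocol, port=None):
    """Security groups are allow-lists: any matching rule permits the flow."""
    return any(rule_matches(r, direction, local_ip, remote_ip, protocol, port) for r in rules)


# Constructed sample rules (addresses are made up for this example).
# Only the interface that owns 10.240.0.5 may accept SSH from the VPC range.
SSH_TO_BASTION = {
    "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
    "local": {"address": "10.240.0.5"},
    "remote": {"cidr_block": "10.240.0.0/16"},
}
# A pre-existing rule without 'local': after the change it applies to every local IP.
LEGACY_SSH_RULE = {
    "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
    "remote": {"cidr_block": "10.240.0.0/16"},
}
```

The contrast between the two sample rules is the practical point: a security group shared by several interfaces previously opened a port on all of them, whereas a rule with local set to a single address opens it on one.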
30 April 2024
The 2024-04-30 release includes incompatible changes. To avoid regressions in client functionality, read and follow Updating to the 2024-04-30 version (VPN gateway connection) before specifying version 2024-04-30 or later in any API requests.
For version 2024-04-30 or later
Advanced VPN gateway configuration. Using a version query parameter of 2024-04-30 or later, you can specify peer.fqdn instead of peer.address when creating or updating a VPN gateway connection. You can also now fully control the local and peer IKE identities assigned to a VPN gateway connection by using properties local.ike_identities and peer.ike_identity. If unspecified, the local IKE identities will default to the public IP addresses of the VPN gateway and member's VPN connection tunnel. The peer identity will default to either the peer's address or FQDN, depending on what was specified.
For migration guidance, see Updating to the 2024-04-30 version (VPN gateway connection). See also the known issue about updating the peer.address or peer.fqdn of a VPN connection tunnel.
Migration of VPN gateway connection CIDR paths. Using a version query parameter of 2024-04-30 or later, API paths for listing, removing, checking, or setting a local CIDR, and listing, removing, checking, or setting a peer CIDR are changed. See Updating to the 2024-04-30 version (VPN gateway connection) for guidance on migration.
VPN gateway connection schema change. As of version 2023-04-30, the VPN gateway connection peer_address, peer_cidrs, and local_cidrs properties have been replaced by new peer and local properties. These changes apply to all methods that interact with VPN gateway connections, including creating, retrieving, and updating a VPN gateway connection. See Updating to the 2024-04-30 version (VPN gateway connection) for a full list of affected methods and guidance on migration.
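The added example below (not IBM's SDK or migration tooling) shows the shape of the client-side work the schema change above implies: converting a request body that still uses peer_address, peer_cidrs and local_cidrs into the peer and local form, refusing to send new-schema properties such as peer.fqdn with a version date that predates them, and reading the peer endpoint from a response in either shape. The page names peer, local, peer.address, peer.fqdn, local.ike_identities and peer.ike_identity; that the CIDR lists live at peer.cidrs and local.cidrs is an assumption made here.

```python
"""Migrating VPN gateway connection bodies to the 2024-04-30 schema (added example, not IBM code)."""

NEW_SCHEMA_MIN_VERSION = "2024-04-30"  # version query parameter, YYYY-MM-DD
LEGACY_KEYS = ("peer_address", "peer_cidrs", "local_cidrs")


def migrate_connection_body(old, version):
    """Return a request body valid for the given version query parameter.
    Dates are YYYY-MM-DD strings, so lexical comparison equals date order."""
    if version < NEW_SCHEMA_MIN_VERSION:
        if "peer" in old or "local" in old:
            raise ValueError("peer/local properties require version 2024-04-30 or later")
        return dict(old)  # older version dates keep the legacy shape unchanged
    new = {k: v for k, v in old.items() if k not in LEGACY_KEYS}
    peer = dict(new.get("peer") or {})
    local = dict(new.get("local") or {})
    if "peer_address" in old:
        if "address" in peer or "fqdn" in peer:
            raise ValueError("peer_address conflicts with peer.address/peer.fqdn")
        peer["address"] = old["peer_address"]
    if "peer_cidrs" in old:
        peer["cidrs"] = list(old["peer_cidrs"])  # assumed sub-property name
    if "local_cidrs" in old:
        local["cidrs"] = list(old["local_cidrs"])  # assumed sub-property name
    if "fqdn" in peer and "address" in peer:
        raise ValueError("specify peer.fqdn or peer.address, not both")
    if peer:
        new["peer"] = peer
    if local:
        new["local"] = local
    return new


def peer_endpoint(connection):
    """Read the peer endpoint from a response in either schema as ('fqdn', x) or ('address', x)."""
    peer = connection.get("peer") or {}
    if "fqdn" in peer:
        return ("fqdn", peer["fqdn"])
    if "address" in peer:
        return ("address", peer["address"])
    if "peer_address" in connection:
        return ("address", connection["peer_address"])
    return None


# Constructed legacy request body (addresses and name are made up for this example).
LEGACY_BODY = {
    "name": "to-onprem",
    "peer_address": "203.0.113.10",
    "peer_cidrs": ["192.168.1.0/24"],
    "local_cidrs": ["10.240.0.0/24"],
    "psk": "constructed-placeholder-psk",
}
```

Pinning the version date in one place and deriving the body shape from it, as above, is what lets an automation repository move to 2024-04-30 in a single reviewed change rather than in scattered edits.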
For all version dates
Establish mode for VPN gateway connections. When creating or updating a VPN gateway connection, you can specify the new establish_mode property to control which side of the gateway can initiate the connection by setting the value to bidirectional (default) or peer_only.
26 March 2024
For all version dates
Reservations for Virtual Servers for VPC. You can now purchase a capacity reservation for a specified instance profile in a specified zone. Reservations provide resources for future deployments and cost savings over the life of the term within the availability zone of your choice.
When creating or updating a reservation, specify the capacity.total and committed_use.term properties to use for this reservation. Optionally specify the committed_use.expiration_policy property to apply when the committed use term expires (default: release). Specify the profile.name and profile.resource_type properties of the profile, and the zone property to use for this reservation. After you confirm the reservation is configured the way you want it, you must activate the reservation.
The reservation cannot be deleted until the committed use term expires. To provision an instance using a reservation's capacity, specify the reservation using the reservation_affinity.pool property when creating the instance. You can also update an instance that's been provisioned to associate it with a reservation.
When retrieving an instance, the new reservation_affinity property indicates the reservation affinity policy in effect for the virtual server instance. The new health_state property indicates the instance's overall health state, while an accompanying health_reasons property indicates the reason for any unhealthy health states, such as a failed reservation.
For more information, see Provisioning reserved capacity for VPC.
Local IP addresses in security group rules. Accounts that have been granted special approval to preview this feature can now specify local IP addresses or address ranges in security group rules. When creating or updating a security group rule, specify the optional local property. The value can be an IP address or a range of IP addresses in CIDR format, where 0.0.0.0/0 means the rule allows traffic to all local IP addresses (or from all local IP addresses, for an outbound rule). The default value is cidr_block: 0.0.0.0/0, which is also used for all existing rules.
19 March 2024
For all version dates
Sharing DNS resolution for endpoint gateways across VPCs. When multiple VPCs are connected together using Transit Gateway, Direct Link, or other connectivity options, a VPC in the connected topology can now be enabled as a DNS hub to centralize the DNS resolution for endpoint gateways. When creating or updating a VPC, the dns property includes new configuration options for DNS. Specify the dns.enable_hub property as true to enable the VPC as a DNS hub (default is false). Specify a DNS hub VPC when creating a DNS resolution binding on another VPC to share its DNS resolution with that DNS hub VPC. The dns.resolution_binding_count response property specifies how many other VPCs a VPC is bound to for DNS resolution sharing. For more information, see About DNS sharing for VPE gateways.
Configuring DNS resolvers for a VPC. You can now use the dns.resolver property to configure the DNS resolvers for a VPC. Use a dns.resolver.type of manual to specify the DNS resolvers by IP address. Use a dns.resolver.type of delegated to specify another VPC (typically a DNS hub VPC) whose DNS resolvers will be used. Use a dns.resolver.type of system to restore the system default DNS resolvers. When dns.resolver.type is manual, updating the VPC's dns.resolver.manual_servers property requires that the If-Match header also be provided with the VPC's current ETag value.
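The If-Match requirement above is an optimistic-concurrency control: the resolver list is only replaced if the VPC has not changed since the caller last read it. The added example below (not IBM SDK code) builds the PATCH headers and body from the ETag returned by a prior GET of the VPC, validates each resolver address before it is sent, and treats a precondition failure as a signal to re-read rather than retry. It assumes manual_servers is a list of {"address": ...} objects, and standard HTTP semantics in which an If-Match mismatch is reported as 412 (RFC 9110); both are assumptions made here.

```python
"""Conditional update of a VPC's manual DNS resolvers (added example, not IBM code)."""
import ipaddress


def etag_from_headers(headers):
    """Header names are case-insensitive; accept 'ETag' or 'etag'."""
    for name, value in headers.items():
        if name.lower() == "etag":
            return value
    return None


def build_manual_resolver_patch(vpc_get_headers, server_addresses):
    """Return (headers, body) for a PATCH of the VPC that sets dns.resolver to manual.

    vpc_get_headers are the response headers of the GET that read the VPC; the
    ETag they carry becomes the If-Match value, so the write applies only to the
    state that was inspected."""
    etag = etag_from_headers(vpc_get_headers)
    if not etag:
        raise ValueError("no ETag on the VPC GET response; read the VPC again before updating")
    if not server_addresses:
        raise ValueError("at least one resolver address is required")
    servers = []
    for address in server_addresses:
        ipaddress.ip_address(address)  # raises ValueError on a malformed address
        servers.append({"address": address})  # assumed item shape
    headers = {"If-Match": etag, "Content-Type": "application/json"}
    body = {"dns": {"resolver": {"type": "manual", "manual_servers": servers}}}
    return headers, body


def should_reread_before_retry(patch_status):
    """412 (assumed; standard If-Match semantics) means the VPC changed after the GET:
    read it again, re-check the intended change, and rebuild the patch. Retrying the
    same request without re-reading would silently overwrite the concurrent change."""
    return patch_status == 412


# Constructed sample headers as a GET of the VPC might return them (value is made up).
SAMPLE_GET_HEADERS = {"ETag": 'W/"3f2a-constructed"', "Content-Type": "application/json"}
```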
12 March 2024
For all version dates
Virtual network interfaces. Accounts that have not requested a feature deferral through IBM Support can use a new feature that expands the support for virtual network interfaces.
Your account is affected by these changes if you have API clients (such as custom automations, auditing scripts, or dashboards) that interact with instances, bare metal servers, network interfaces, or file shares. For more information about what changed, along with guidance on avoiding possible failures due to these changes, see Mitigating behavior changes to virtual network interfaces, instances, bare metal servers, and file shares.
- You can now create instances and bare metal servers with virtual network interfaces attached to new child resources called network attachments. You can specify a primary_network_attachment (instead of a primary_network_interface) and provide either the identity of an already created virtual network interface, or a subnet to create a new virtual network interface for the instance or bare metal server.
- Virtual network interfaces now have lifecycles that are independent of the resources they are attached to. You can update the auto_delete property to false to allow a virtual network interface to persist beyond the lifecycle of its original bare metal server or instance, and be re-attached to another bare metal server or instance.
- Virtual network interfaces now support secondary IP addresses. You can now add and remove reserved IPs to and from a virtual network interface.
- For compatibility with existing clients, instances and bare metal servers with virtual network interfaces now include a read-only representation of their network attachments and virtual network interfaces as old-style network interface child resources. Learn about support for old API clients.
- For instances and bare metal servers with virtual network interfaces, the IAM permissions for options to allow IP spoofing or disable infrastructure NAT are now managed on their attached virtual network interfaces. When creating or updating a virtual network interface, you can set non-default values for the allow_ip_spoofing and enable_infrastructure_nat properties only if you have the is.virtual-network-interface.virtual-network-interface.manage-ip-spoofing and is.virtual-network-interface.virtual-network-interface.manage-infrastructure-nat IAM permissions respectively.
- You can now use flow log collectors to target instance network attachments and virtual network interfaces. There is no support for flow logs for bare metal servers and share mount targets.
Resource suspension for instance groups. The list all instance groups and retrieve an instance group methods now include lifecycle_reasons and lifecycle_state properties. An instance group that violates the IBM Cloud Acceptable Use Policy will have its lifecycle_state property set to suspended. A suspended instance group will not auto scale or self heal, and you cannot enable, update, or delete it.
30 January 2024
For all version dates
Reservations for Virtual Servers for VPC. Accounts that have been granted special approval to preview this feature can now purchase a capacity reservation for a specified instance profile in a specified zone. Reservations provide resources for future deployments and cost savings over the life of the term within the availability zone of your choice.
When creating or updating a reservation, specify the capacity.total and committed_use.term properties to use for this reservation. Optionally specify the committed_use.expiration_policy property to apply when the committed use term expires (default: release). Specify the profile.name and profile.resource_type properties of the profile, and the zone property to use for this reservation. After you confirm the reservation is configured the way you want it, you must activate the reservation.
The reservation cannot be deleted until the committed use term expires. To provision an instance using a reservation's capacity, specify the reservation using the reservation_affinity.pool property when creating the instance. You can also update an instance that's been provisioned to associate it with a reservation.
When retrieving an instance, the new reservation_affinity property indicates the reservation affinity policy in effect for the virtual server instance. The new health_state property indicates the instance's overall health state, while an accompanying health_reasons property indicates the reason for any unhealthy health states, such as a failed reservation.
For more information, see Provisioning reserved capacity for VPC.
This feature is now generally available. See the 26 March 2024 announcement.
19 December 2023
For all version dates
VPC route advertisement to Direct Link and Transit Gateway. When creating or updating a route in a routing table, you can set the new advertise property to true (default is false). For the route to be advertised, the route's routing table must be configured for the source or sources to advertise it to:
- When creating or updating a VPC routing table, you can set the new advertise_routes_to array property to include the value direct_link. Including this value requires that the routing table's route_direct_link_ingress property be set to true. Routes in this routing table with the advertise property set to true will be advertised to Direct Link sources.
- When creating or updating a VPC routing table, you can set the new advertise_routes_to array property to include the value transit_gateway. Including this value requires that the routing table's route_transit_gateway_ingress property be set to true. Routes in this routing table with the advertise property set to true will be advertised to Transit Gateway sources.
When creating a routing table, the default value for the advertise_routes_to property is an empty array. When the advertise_routes_to property is an empty array, the advertise property for routes in the table has no effect.
Virtual network interface expanded support. Accounts that have been granted special approval can preview a new feature that expands the support for virtual network interfaces:
- Instances and bare metal servers can now be created with virtual network interfaces attached to new child resources called network attachments. You can specify a primary_network_attachment (instead of a primary_network_interface) and provide either the identity of an existing virtual network interface, or a subnet to create a new virtual network interface for the instance or bare metal server.
- Virtual network interfaces can now have lifecycles that are independent of the resources they are attached to. When creating a virtual network interface, the auto_delete property is set to false. When automatically creating a new virtual network interface in the context of creating another resource, the auto_delete property for the automatically created virtual network interface defaults to true. You can override it, or you can later update the auto_delete property to false. A virtual network interface with auto_delete set to false persists beyond the lifecycle of its current target resource. After the target resource is deleted, you can re-attach the virtual network interface to another resource, such as to a bare metal server, an instance, or a share mount target.
- Virtual network interfaces now support secondary IP addresses. To add a secondary IP, bind a reserved IP to a virtual network interface. To remove a secondary IP, unbind a reserved IP from a virtual network interface.
- For compatibility with existing clients, instances and bare metal servers with virtual network interfaces now include a read-only representation of their network attachments and virtual network interfaces as legacy network interface child resources. Learn about support for old API clients.
- For instances and bare metal servers with virtual network interfaces, the IAM permissions for options to allow IP spoofing or disable infrastructure NAT are managed on their attached virtual network interfaces. When creating or updating a virtual network interface, you can set non-default values for the allow_ip_spoofing and enable_infrastructure_nat properties only if you have the is.virtual-network-interface.virtual-network-interface.manage-ip-spoofing and is.virtual-network-interface.virtual-network-interface.manage-infrastructure-nat IAM permissions respectively.
- Flow log collectors can now target instance network attachments and virtual network interfaces. There is currently no support for flow logs for bare metal servers and share mount targets.
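The Python below is an added example that serves both this preview entry and the 12 March 2024 general-availability entry for virtual network interfaces; it is not IBM code or SDK code. It builds an instance request that uses primary_network_attachment instead of primary_network_interface, works out which of the two IAM actions a request needs (only non-default values for allow_ip_spoofing and enable_infrastructure_nat require them), and scans virtual network interface resources for the settings an auditor should see justified, including auto_delete set to false, which lets the interface outlive its target. The IAM action identifiers and property names are from these entries; the request body layout and the property defaults are assumptions to confirm against the API reference for your version date, and all sample data is constructed.

```python
"""Pre-flight and audit helpers for instances that use virtual network
interfaces (VNIs).

Added example, not IBM code. Property names and IAM action identifiers come
from the change log; the POST /v1/instances body layout and the defaults
(spoofing off, infrastructure NAT on) are assumptions; samples are constructed."""

MANAGE_IP_SPOOFING = (
    "is.virtual-network-interface.virtual-network-interface.manage-ip-spoofing")
MANAGE_INFRASTRUCTURE_NAT = (
    "is.virtual-network-interface.virtual-network-interface.manage-infrastructure-nat")

# Assumed API defaults; a value equal to the default needs no extra permission.
DEFAULTS = {"allow_ip_spoofing": False, "enable_infrastructure_nat": True}


def required_iam_actions(vni):
    """IAM actions the caller needs for this VNI prototype or patch body."""
    actions = set()
    for prop, action in (("allow_ip_spoofing", MANAGE_IP_SPOOFING),
                         ("enable_infrastructure_nat", MANAGE_INFRASTRUCTURE_NAT)):
        if vni.get(prop, DEFAULTS[prop]) != DEFAULTS[prop]:
            actions.add(action)
    return actions


def instance_prototype(name, profile, zone, image_id, vpc_id, subnet_id, *,
                       allow_ip_spoofing=False, enable_infrastructure_nat=True,
                       auto_delete=True):
    """POST /v1/instances body using primary_network_attachment (new style)
    rather than primary_network_interface (legacy). A new VNI is created on
    the subnet; auto_delete=True ties its life to the instance."""
    return {
        "name": name,
        "profile": {"name": profile},
        "zone": {"name": zone},
        "image": {"id": image_id},
        "vpc": {"id": vpc_id},
        "primary_network_attachment": {
            "name": f"{name}-eth0",
            "virtual_network_interface": {
                "subnet": {"id": subnet_id},
                "allow_ip_spoofing": allow_ip_spoofing,
                "enable_infrastructure_nat": enable_infrastructure_nat,
                "auto_delete": auto_delete,
            },
        },
    }


def audit_vnis(vnis):
    """Findings for VNI resources (as returned by the list VNIs method)."""
    findings = []
    for vni in vnis:
        if vni.get("allow_ip_spoofing"):
            findings.append((vni["name"], "allow_ip_spoofing"))
        if vni.get("enable_infrastructure_nat") is False:
            findings.append((vni["name"], "infrastructure_nat_disabled"))
        if vni.get("auto_delete") is False:
            # Survives deletion of its target, keeping its IPs and security
            # group membership until someone deletes or re-attaches it.
            findings.append((vni["name"], "persists_after_target_delete"))
    return findings


SAMPLE_VNIS = [  # constructed
    {"name": "web-eth0", "allow_ip_spoofing": False,
     "enable_infrastructure_nat": True, "auto_delete": True},
    {"name": "fw-eth1", "allow_ip_spoofing": True,
     "enable_infrastructure_nat": False, "auto_delete": False},
]

if __name__ == "__main__":
    body = instance_prototype("web-1", "bx2-2x8", "us-south-1",
                              "image-id", "vpc-id", "subnet-id")
    vni = body["primary_network_attachment"]["virtual_network_interface"]
    print(required_iam_actions(vni))
    print(audit_vnis(SAMPLE_VNIS))
```

A firewall or NAT appliance legitimately needs spoofing allowed and infrastructure NAT disabled; the point of the audit is that those two settings, plus an interface that persists after its target is gone, should each be traceable to a known appliance rather than left over from an experiment.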
12 December 2023
For all version dates
Cross-region replication of file shares. When creating a file share, you can now specify a zone in an associated partner region to create a replica file share. For more information about cross-region pairings, see About file share replication. A service-to-service authorization for cross-region replication between the regional file services must be created before creating a replica.
An important difference between setting up in-region and cross-region replication is configuring the encryption for the replica share.
- When the replica is created in another zone of the same region, the encryption type and the encryption key are inherited from the source share and can't be changed.
- When the replica is created in another region, only the encryption type is inherited. Therefore, if the source share has user_managed encryption, you must specify the root key by using the encryption_key property when creating the replica share.
When retrieving a file share, the source_share property now includes a remote sub-property that, if present in the response, indicates that the resource that is associated with this reference is remote and might not be directly retrievable.
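The Python below is an added example, not IBM code, that builds a replica share request while enforcing the encryption rule just described: an in-region replica must not be given a key (it inherits the source key), and a cross-region replica of a user_managed share must be given one. The zone naming convention (region name followed by a numeric suffix), the body layout (source_share and encryption_key referenced by CRN, replication_cron_spec) and the sample share are assumptions and constructed data to check against the API reference.

```python
"""Replica file share request builder that applies the cross-region
encryption rule.

Added example, not IBM code. Zone naming (<region>-<n>), the request body
layout and the sample share are assumptions/constructed data."""


def zone_region(zone_name):
    """'us-south-1' -> 'us-south'; 'eu-de-2' -> 'eu-de'."""
    region, _, index = zone_name.rpartition("-")
    if not region or not index.isdigit():
        raise ValueError(f"unexpected zone name {zone_name!r}")
    return region


def replica_share_prototype(source_share, replica_zone, replication_cron_spec,
                            encryption_key_crn=None):
    """Body for creating a replica of source_share in replica_zone.

    In-region: encryption type and key are inherited, so no key is accepted.
    Cross-region: only the type is inherited, so a user_managed source needs
    an explicit encryption_key; a provider_managed source must not get one."""
    cross_region = (zone_region(replica_zone)
                    != zone_region(source_share["zone"]["name"]))
    body = {
        "name": f"{source_share['name']}-replica",
        "zone": {"name": replica_zone},
        "profile": {"name": source_share["profile"]["name"]},
        "source_share": {"crn": source_share["crn"]},
        "replication_cron_spec": replication_cron_spec,
    }
    if not cross_region:
        if encryption_key_crn is not None:
            raise ValueError("in-region replica inherits the source key; "
                             "do not set encryption_key")
        return body
    if source_share["encryption"] == "user_managed":
        if encryption_key_crn is None:
            raise ValueError("cross-region replica of a user_managed share "
                             "requires encryption_key")
        body["encryption_key"] = {"crn": encryption_key_crn}
    elif encryption_key_crn is not None:
        raise ValueError("provider_managed source: the replica inherits the "
                         "encryption type; encryption_key is not allowed")
    return body


SAMPLE_SOURCE_SHARE = {  # constructed
    "name": "app-data",
    "crn": "crn:v1:bluemix:public:is:us-south-1:a/123::share:share-id",
    "zone": {"name": "us-south-1"},
    "profile": {"name": "dp2"},
    "encryption": "user_managed",
}

if __name__ == "__main__":
    print(replica_share_prototype(SAMPLE_SOURCE_SHARE, "us-south-2", "0 */1 * * *"))
    print(replica_share_prototype(SAMPLE_SOURCE_SHARE, "us-east-1", "0 */1 * * *",
                                  "crn:v1:bluemix:public:kms:us-east:a/123::key:key-id"))
```

The key you pass for the cross-region case must live in a key management instance the target region's file service is authorized to use, which is why the service-to-service authorization mentioned above has to exist before the replica is created.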
Last replication sync information. When retrieving a file share, the response now includes the properties completed_at, started_at, and data_transferred. These properties provide information about the replication process that can be used to monitor the health of the replication. For more information, see Replication sync information.
5 December 2023
For all version dates
Multi-volume snapshots and backups. This release introduces a new way to create snapshots. You can now create a snapshot consistency group and specify one or more snapshots of volumes that are attached to the same virtual server instance. When you create a consistency group, you are implicitly creating one or more snapshots. Snapshots taken simultaneously are data-consistent with one another, which helps to ensure consistent backups of a group of Block Storage for VPC volumes attached to the same instance. Deleting a snapshot consistency group will delete the snapshots in the group by default. However, you can keep the snapshots and delete only the consistency group by setting the delete_snapshots_on_delete property to false.
You can also automate the creation of snapshots in consistency groups. When creating a backup policy you can now specify instance as a match_resource_type value that this backup policy will apply to. Resources that have both a matching type and a matching user tag will be subject to the backup policy. You can exclude boot volumes from backup policies by specifying the included_content property. The default behavior includes boot volumes and data volumes.
For more information, see Backup service concepts, Snapshot consistency groups, and explore the backup policy and snapshot consistency group methods.
For version 2023-12-05 or later
When making API requests using a version query parameter of 2023-12-05 or later, the backup policy match_resource_types property has been changed to match_resource_type. This change applies when creating, updating, listing, retrieving, and deleting a backup policy. See Updating to the 2023-12-05 version (backup policies) for guidance on migrating from match_resource_types to match_resource_type.
24 October 2023
For all version dates
Network load balancer security group integration. For enhanced security, you can now associate security groups with network load balancers. When creating a load balancer, you can now specify the security_groups property, which associates those security groups with the load balancer. If you do not specify security_groups, the network load balancer will be associated with the VPC's default security group. Before using the default security group, review your default security group rules and, if necessary, edit the rules to accommodate your expected network load balancer traffic.
All existing network load balancers in your account will continue to allow all inbound and outbound traffic. This is indicated by the security_groups property being set to an empty array (no security groups configured).
When creating a network load balancer, you must now have an appropriate Identity and Access Management (IAM) role with the is.security-group.security-group.operate action.
You can update security groups for a network load balancer by adding a network load balancer to or removing a network load balancer from a security group's targets.
You will not be able to remove the only remaining security group from a network load balancer. As a result, if you add a security group to a network load balancer that had no security groups, you will not be able to revert that network load balancer to have no security groups.
Finally, the security group targets property can now refer to a network load balancer, as can the responses for the get security group target and list security group targets methods.
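The Python below is an added example, not IBM code, that shows what the empty-array case means in practice: it evaluates whether a network load balancer admits a given flow by unioning the rules of its attached security groups, treats an empty security_groups array as the pre-integration allow-everything behavior, and lists the load balancers still in that state. Rule property names (direction, protocol, port_min, port_max, remote.cidr_block, remote.address) are the VPC API's; rules whose remote is another security group are not resolved here, and the security groups and load balancers are constructed samples.

```python
"""Security group evaluation for network load balancers.

Added example, not IBM code. Rule property names are the VPC API's; rules
whose remote is a security group reference are not resolved here (that needs
the group's member list). All sample data is constructed."""
import ipaddress


def rule_matches(rule, direction, protocol, port, remote_ip):
    """True if one security group rule admits this flow."""
    if rule["direction"] != direction:
        return False
    if rule["protocol"] not in ("all", protocol):
        return False
    if rule["protocol"] in ("tcp", "udp"):
        if not rule.get("port_min", 1) <= port <= rule.get("port_max", 65535):
            return False
    remote = rule.get("remote", {})
    ip = ipaddress.ip_address(remote_ip)
    if "cidr_block" in remote:
        return ip in ipaddress.ip_network(remote["cidr_block"])
    if "address" in remote:
        return ip == ipaddress.ip_address(remote["address"])
    return False  # remote is another security group; not evaluated here


def nlb_allows(lb, groups_by_id, direction, protocol, port, remote_ip):
    """Security groups are allow-lists unioned across the attached groups.
    An NLB whose security_groups is [] predates the integration and
    allows all inbound and outbound traffic."""
    attached = lb.get("security_groups") or []
    if not attached:
        return True
    return any(rule_matches(rule, direction, protocol, port, remote_ip)
               for ref in attached
               for rule in groups_by_id[ref["id"]]["rules"])


def unrestricted_nlbs(lbs):
    """Names of network load balancers running with no security groups."""
    return [lb["name"] for lb in lbs if not lb.get("security_groups")]


SECURITY_GROUPS = {  # constructed
    "sg-web": {"rules": [
        {"direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
         "remote": {"cidr_block": "0.0.0.0/0"}},
        {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
         "remote": {"cidr_block": "10.0.0.0/8"}},
        {"direction": "outbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
    ]},
}
LOAD_BALANCERS = [  # constructed
    {"name": "legacy-nlb", "security_groups": []},
    {"name": "web-nlb", "security_groups": [{"id": "sg-web"}]},
]

if __name__ == "__main__":
    web = LOAD_BALANCERS[1]
    print(nlb_allows(web, SECURITY_GROUPS, "inbound", "tcp", 22, "203.0.113.5"))
    print(unrestricted_nlbs(LOAD_BALANCERS))
```

Security groups are stateful, so return traffic for an admitted inbound connection does not need a matching outbound rule. Because the last group cannot be removed from a load balancer, attaching a group to an unrestricted NLB is a one-way operation; check the group's rules against the listener ports first.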
17 October 2023
For all version dates
Non-uniform memory access (NUMA) awareness on instances and dedicated hosts. When retrieving and listing an instance, the new numa_count property indicates the number of NUMA nodes on which a virtual server instance is provisioned. This property will be absent from the response if the instance's status is not running. When retrieving and listing a dedicated host, the new numa.count and numa.nodes properties describe the processor topology.
When retrieving and listing an instance profile, the numa_count property indicates the total number of NUMA nodes for an instance with this profile. When the type is dependent, the total number of NUMA nodes for an instance with this profile depends on its configuration and the capacity constraints within the zone. Not all instance profiles have a strict NUMA definition within them.
For more information, see Next generation instance profiles.
Status on instance profiles and dedicated host profiles. When retrieving and listing an instance profile or retrieving and listing a dedicated host profile, a new status property indicates the status of the instance profile or dedicated host profile. A status value of previous indicates an older profile generation that remains provisionable and usable. A status value of current indicates the latest generation of a given profile. For more information, see Next generation instance profiles and Dedicated host profiles.
Viewing DNS resolver information for VPCs. When retrieving a VPC, the new dns.resolver property contains information about the DNS resolvers provided by the system for DHCP clients in the VPC.
This release introduces the following updates for accounts that have been granted special approval to preview these features:
- Sharing DNS resolution for endpoint gateways across VPCs. When multiple VPCs are connected together using Transit Gateway, Direct Link, or other connectivity options, a VPC in the connected topology can now be enabled as a DNS hub to centralize the DNS resolution for endpoint gateways. When creating or updating a VPC, a new dns property includes configuration options for DNS. Specify the dns.enable_hub property as true to enable the VPC as a DNS hub (default is false). Specify a DNS hub VPC when creating a DNS resolution binding on another VPC to share its DNS resolution with that DNS hub VPC. The new dns.resolution_binding_count response property specifies how many other VPCs a VPC is bound to for DNS resolution sharing. For more information, see About DNS sharing for VPE gateways.
- Configuring DNS resolvers for a VPC. You can use the new dns.resolver property to configure the DNS resolvers for a VPC. Use a dns.resolver.type of manual to specify the DNS resolvers by IP address. Use a dns.resolver.type of delegated to specify another VPC (typically a DNS hub VPC) whose DNS resolvers will be used. Use a dns.resolver.type of system to restore the system default DNS resolvers. When dns.resolver.type is manual, updating the VPC's dns.resolver.manual_servers requires that the If-Match header also be provided with the VPC's current ETag value.
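The If-Match requirement above is the standard optimistic-concurrency pattern: read the VPC, take the ETag from the response, and send it back with the PATCH so that a concurrent change to the resolver list produces a 412 instead of a silent overwrite. The Python below is an added example, not IBM code; VpcStore is a constructed stand-in for the VPC endpoint that only simulates ETag and If-Match handling for this one property, the manual_servers element shape (an object with an address) is an assumption, and the VPC data is constructed.

```python
"""Read-modify-write of dns.resolver.manual_servers with If-Match.

Added example, not IBM code. VpcStore is a constructed stand-in for
GET/PATCH /v1/vpcs/{id} that only models ETag/If-Match for this property;
the manual_servers element shape is an assumption; data is constructed."""
import copy
import hashlib
import json


class VpcStore:
    def __init__(self, vpc):
        self.vpc = vpc

    def etag(self):
        digest = hashlib.sha256(json.dumps(self.vpc, sort_keys=True).encode()).hexdigest()
        return f'"{digest[:16]}"'

    def get(self):
        return 200, copy.deepcopy(self.vpc), {"ETag": self.etag()}

    def patch(self, body, headers):
        resolver = body.get("dns", {}).get("resolver", {})
        if "manual_servers" in resolver:
            if_match = headers.get("If-Match")
            if if_match is None:
                return 400, None, {}          # header required for this property
            if if_match != self.etag():
                return 412, None, {}          # resource changed since the read
        self.vpc.setdefault("dns", {}).setdefault("resolver", {}).update(resolver)
        return 200, copy.deepcopy(self.vpc), {"ETag": self.etag()}


def set_manual_resolvers(store, addresses, max_attempts=3):
    """GET, then PATCH with the ETag just read; on 412 re-read and retry,
    so a concurrent edit is never clobbered."""
    body = {"dns": {"resolver": {
        "type": "manual",
        "manual_servers": [{"address": a} for a in addresses]}}}
    for _ in range(max_attempts):
        status, _current, headers = store.get()
        if status != 200:
            raise RuntimeError(f"GET failed with {status}")
        status, vpc, _ = store.patch(body, {"If-Match": headers["ETag"]})
        if status == 200:
            return vpc["dns"]["resolver"]
        if status != 412:
            raise RuntimeError(f"PATCH failed with {status}")
    raise RuntimeError("gave up after repeated 412 responses")


def demo_lost_update_prevented():
    """Two clients race: the one holding a stale ETag gets 412 and the
    other client's resolver list survives."""
    store = VpcStore({"id": "vpc-1", "dns": {"resolver": {"type": "system",
                                                          "manual_servers": []}}})
    _, _, stale = store.get()                      # client A reads
    set_manual_resolvers(store, ["10.0.0.53"])     # client B updates first
    status, _, _ = store.patch(                    # client A writes with stale ETag
        {"dns": {"resolver": {"type": "manual",
                              "manual_servers": [{"address": "10.0.0.54"}]}}},
        {"If-Match": stale["ETag"]})
    return status, [s["address"] for s in store.vpc["dns"]["resolver"]["manual_servers"]]


if __name__ == "__main__":
    print(demo_lost_update_prevented())
```

Resolver settings are a tempting target for traffic redirection, so on a 412 the right move is to re-read and re-apply your intended list, and to log who changed it in between rather than retry blindly.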
10 October 2023
For all version dates
Diagnosing VPN gateway and VPN server issues. You can now diagnose and resolve issues with your deployed VPN gateways and VPN servers:
- The list all VPN gateways and retrieve a VPN gateway methods now include health_reasons, health_state, members[].health_reasons, and members[].health_state properties. An unhealthy VPN gateway or VPN gateway member now has its health_state property set to degraded or faulted. The health_reasons property includes the reasons for the current VPN gateway or VPN gateway member health state. For more information, see Diagnosing VPN gateway health.
- The list all VPN gateway connections and retrieve a VPN gateway connection methods now include status_reasons and tunnels[].status_reasons properties for a static-route-mode VPN gateway. A VPN gateway connection or tunnel in a down state now includes the reasons for the current VPN gateway connection or tunnel status through the status_reasons property. For more information, see Diagnosing VPN gateway connection health.
- The list all VPN servers and retrieve a VPN server methods now include a health_reasons property. An unhealthy VPN server now has its health_state property set to degraded or faulted. The health_reasons property includes the reasons for the current VPN server health state. For more information, see Diagnosing VPN server health.
- The list all VPN server routes and retrieve a VPN server route methods now include health_reasons and health_state properties. An unhealthy VPN server route now has its health_state property set to degraded or faulted. The health_reasons property includes the reasons for the current VPN server route health state. For more information, see Diagnosing VPN server route health.
Resource suspension for VPNs for VPC.
- VPN gateway. The list all VPN gateways and retrieve a VPN gateway methods now include lifecycle_reasons and lifecycle_state properties. The same properties are also included for VPN gateway member child resources. A VPN gateway that violates the IBM Cloud Acceptable Use Policy will have its lifecycle_state property set to suspended, along with the lifecycle_state of its members. A suspended VPN gateway is automatically disabled, causing all connections to be brought down, and you cannot enable, update, or delete it or its connections.
- VPN server. The list all VPN servers and retrieve a VPN server methods now include lifecycle_reasons and lifecycle_state properties. The same properties are also included for the VPN server route child resource. A VPN server that violates the IBM Cloud Acceptable Use Policy will have its lifecycle_state property set to suspended, along with the lifecycle_state of its server routes. A suspended VPN server is automatically disabled, and you cannot enable, update, or delete it or its routes.
For more information, see Resource suspension.
For version 2023-10-10 or later
When listing all VPN gateways and retrieving a VPN gateway using a version query parameter of 2023-10-10 or later, the response will no longer include status and members[].status properties. These properties remain supported for API requests using a version query parameter of 2023-10-09 or earlier. To avoid regressions in client functionality, follow the guidance in Updating to the 2023-10-10 version (VPN) before specifying version 2023-10-10 or later in VPN gateway requests.
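Both dated changes in this log so far, the removal of status from VPN gateways at 2023-10-10 and the rename of match_resource_types to match_resource_type for backup policies at 2023-12-05, follow the same mechanism: the version query parameter is a date, and behavior switches at a cutoff. The Python below is an added example, not IBM code or SDK code, that gates on that date for both cases; it builds the backup policy body with whichever property name the requested version expects, and reads gateway health in a way that does not break when the legacy status property disappears. The sample responses are constructed and the shape of a health_reasons element (an object with code and message) is an assumption.

```python
"""Version-date gating for two breaking changes in the VPC API change log.

Added example, not IBM code. Cutoff dates are from the log; sample
responses are constructed; the health_reasons element shape is assumed."""
from datetime import date

BACKUP_MATCH_TYPE_CUTOFF = "2023-12-05"   # match_resource_types -> match_resource_type
VPN_STATUS_REMOVED_CUTOFF = "2023-10-10"  # status / members[].status removed


def version_at_least(version, cutoff):
    """The version query parameter is YYYY-MM-DD; compare as dates, not strings."""
    return date.fromisoformat(version) >= date.fromisoformat(cutoff)


def backup_policy_body(version, name, match_user_tags, resource_type="instance",
                       included_content=None):
    """Create-backup-policy body using the property name the version expects:
    an array before the cutoff, a single string from the cutoff on."""
    body = {"name": name, "match_user_tags": list(match_user_tags)}
    if version_at_least(version, BACKUP_MATCH_TYPE_CUTOFF):
        body["match_resource_type"] = resource_type
    else:
        body["match_resource_types"] = [resource_type]
    if included_content is not None:
        body["included_content"] = list(included_content)
    return body


def vpn_gateway_state(version, gateway):
    """Uniform (state, reason_codes) view of a VPN gateway response.

    A client that keeps reading gateway['status'] fails with KeyError the
    moment it sends version 2023-10-10 or later; read health_state and
    health_reasons instead before bumping the version date."""
    if version_at_least(version, VPN_STATUS_REMOVED_CUTOFF):
        reasons = [r["code"] for r in gateway.get("health_reasons", [])]
        return gateway["health_state"], reasons
    return gateway["status"], []


# Constructed responses for the same gateway under the two version ranges.
OLD_GATEWAY = {"name": "site-a", "status": "available"}
NEW_GATEWAY = {"name": "site-a", "health_state": "degraded",
               "health_reasons": [{"code": "sample_reason",
                                   "message": "constructed sample"}]}

if __name__ == "__main__":
    print(backup_policy_body("2023-12-04", "daily", ["backup:yes"]))
    print(backup_policy_body("2024-03-12", "daily", ["backup:yes"]))
    print(vpn_gateway_state("2023-10-09", OLD_GATEWAY))
    print(vpn_gateway_state("2023-10-10", NEW_GATEWAY))
```

Pin the version date in one place in your client and route every request through that constant; a client that sends different dates on different calls will see the old and the new shape of the same resource in a single run.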
3 October 2023
For all version dates
Enterprise Backup as a Service. As an enterprise account administrator, you can now create backup policies and plans that apply to resources of all accounts within your enterprise. Specify the enterprise CRN in the scope property when you create a backup policy, and the policy will apply to all resources that have tags that match with the policy across all accounts within your enterprise. For more information, see Scope of the backup policy. As a prerequisite, ensure that authorizations are in place between services and between the enterprise account and the child accounts. For more information, see Establishing service to service authorizations.
8 August 2023
For all version dates
File storage for VPC. You can now create NFS-based file shares in a zone in your region. Share file storage over multiple virtual server instances within the same zone across multiple VPCs. Learn about file shares and mount targets, and explore the new API methods.
11 July 2023
For all version dates
Image lifecycle management. You can now deprecate or obsolete custom images directly. Alternatively, you can schedule the transition for a later date by specifying the deprecation_at or obsolescence_at properties when creating or updating an image. If you need to revert a status change, you can transition deprecated or obsolete images back to available. For more information, see Managing custom images.
Custom images with a status of deprecated remain usable, while obsolete images cannot be used to provision instances or bare metal servers.
27 June 2023
For all version dates
Copying snapshots and backups across regions. You can now specify an existing snapshot in one region to create a copy of the snapshot in another region. When you list all snapshots, you can see the direct snapshot copies in the other regions and you can use them to restore volumes in the other regions. You can create copies in multiple regions, but only one copy of the snapshot can exist in each region. The cross-region snapshot copy contains the same data as the source snapshot, but the cross-region snapshot copy has its own, independent lifecycle and is billed independently. For more information, see Cross-regional snapshots and Cross-regional copy array issue.
You can now create a backup policy that creates backup copies in other regions, in addition to creating a backup snapshot in the current region. Listing all plans for a backup policy or retrieving a backup policy plan shows the copies of the snapshot in other regions. For more information, see Cross-regional backup copies.
Extended SSH key encryption. When creating an SSH key, you can now specify a type property value of ed25519 for the crypto-system used by the key. If type is not specified during key creation, the default value rsa continues to be used. When listing all keys and retrieving a key, the response provides the key type used. For more information, see Getting started with SSH keys. See also Extended SSH key encryption in the VPC Instance Metadata API change log.
20 June 2023
For all version dates
Instance group integration with Network Load Balancer for VPC. Network load balancer is now integrated with instance groups to improve pool member scaling. When creating or updating an instance group for auto scaling, you can now also specify a network load balancer pool for the load_balancer_pool property. As before, if load_balancer_pool is set, load_balancer and application_port must also be set. As with application load balancers, the pool must not be used by another instance group in the VPC. When you configure a listener with a range of ports, the instance group's application port is used only for checking the health status of targets. For more information see Creating an instance group for auto scaling.
In the future, load balancer profiles may be introduced that do not support instance groups. To ensure your clients will work reliably in the future, check that the new instance_groups_supported property on the load balancer is true before specifying that load balancer or one of its pools.
13 June 2023
For all version dates
VPC routing table authorizations. You can use the new VPC routing table authorizations to allow users to administer VPC routing tables but not allow them to administer the broader VPC. The VPC API methods that operate on routing tables have been updated to check for these new authorizations, instead of the broader VPC authorizations. The VPC Administrator, Editor, Operator, and Viewer IAM access roles have been updated so that users with those roles will function as before. However, custom roles that require access to routing tables must be updated. For more information, see Granting user permissions for VPC resource.
23 May 2023
For all version dates
Removal of weak VPN for VPC ciphers. Effective 18 May 2023, the following VPN IKE and IPsec ciphers are removed:
- Authentication algorithms md5 and sha1
- Encryption algorithm triple_des
- Diffie–Hellman groups 2 and 5
As a result, you can no longer create an IKE or IPsec policy or a VPN connection that uses one of these ciphers, nor update an existing policy or connection to use one.
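The Python below is an added example, not IBM code, that lints IKE and IPsec policy bodies for the removed values before they are sent, so automation that still carries an old policy definition fails with a clear message instead of an API error. The property names authentication_algorithm, encryption_algorithm, dh_group (IKE) and pfs (IPsec) are the VPC API's; the spelling of the pfs values (group_2, group_5) and the sample policies are assumptions and constructed data.

```python
"""Linter for IKE and IPsec policy bodies against the ciphers removed on
18 May 2023.

Added example, not IBM code. Property names are the VPC API's; the pfs
value spelling and the sample policies are assumed/constructed."""

REMOVED_IKE = {
    "authentication_algorithm": {"md5", "sha1"},
    "encryption_algorithm": {"triple_des"},
    "dh_group": {2, 5},
}
REMOVED_IPSEC = {
    "authentication_algorithm": {"md5", "sha1"},
    "encryption_algorithm": {"triple_des"},
    "pfs": {"group_2", "group_5"},  # assumed spelling of the PFS group values
}


def weak_cipher_findings(policy, kind):
    """(property, value) pairs in policy that the service now rejects."""
    removed = {"ike": REMOVED_IKE, "ipsec": REMOVED_IPSEC}[kind]
    return [(prop, policy[prop]) for prop, bad in removed.items()
            if prop in policy and policy[prop] in bad]


def check_before_submit(policy, kind):
    """Raise instead of sending a create or update the service would refuse.
    Works on PATCH bodies too: an existing policy cannot be moved onto a
    removed cipher either."""
    findings = weak_cipher_findings(policy, kind)
    if findings:
        detail = ", ".join(f"{p}={v!r}" for p, v in findings)
        raise ValueError(f"{kind} policy uses removed ciphers: {detail}")
    return policy


# Constructed sample policies.
LEGACY_IKE = {"name": "old-ike", "authentication_algorithm": "sha1",
              "encryption_algorithm": "triple_des", "dh_group": 2, "ike_version": 2}
MODERN_IKE = {"name": "new-ike", "authentication_algorithm": "sha256",
              "encryption_algorithm": "aes256", "dh_group": 14, "ike_version": 2}
LEGACY_IPSEC = {"name": "old-ipsec", "authentication_algorithm": "sha256",
                "encryption_algorithm": "aes256", "pfs": "group_5"}

if __name__ == "__main__":
    print(weak_cipher_findings(LEGACY_IKE, "ike"))
    print(weak_cipher_findings(LEGACY_IPSEC, "ipsec"))
    check_before_submit(MODERN_IKE, "ike")
```

Run the same check over policies you export from the API, not only over the ones you create: a policy that predates the removal may still reference one of these values and will fail the next time anything tries to update it.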
2 May 2023
For all version dates
Exporting custom images. You can now export custom images to an authorized IBM Cloud Object Storage bucket. Specify the target storage_bucket to export the image to. The image will be exported as qcow2 unless you specify another value using the format property. For more information, see Exporting a custom image to IBM Cloud Object Storage, or start using the new export jobs methods.
18 April 2023
For all version dates
Resource suspension for bare metal servers. The list all bare metal servers and retrieve a bare metal server methods now provide lifecycle_reasons and lifecycle_state properties. A bare metal server that violates IBM Cloud’s Acceptable Use Policy will now have its lifecycle_state property set to suspended. A suspended bare metal server is automatically powered off and you cannot update, delete, or power it on. For more information, see Viewing bare metal status and lifecycle_state in the API and Resource suspension.
11 April 2023
For all version dates
Console type configuration for bare metal server profiles. When you retrieve a bare metal server profile or list all bare metal server profiles, the response now provides a console_types property that denotes the console type configuration for a bare metal server with this profile.
Network interface configuration for bare metal server profiles. When you retrieve a bare metal server profile or list all bare metal server profiles, the response now provides a network_interface_count property. When the type is range, the new property provides max and min sub-properties that denote the maximum and minimum number of network interfaces that are supported for a bare metal server with the specified profile. The values for max and min include both the primary network interface and secondary network interfaces. When the type is dependent, the network interface count depends on another value that is specified when the server is created. For more information about network interfaces, see Overview of bare metal server network interfaces, and Managing network interfaces for bare metal servers on VPC.
28 March 2023
For all version dates
VCPU manufacturer support for instances and dedicated hosts. When provisioning an instance or dedicated host, you can now use the new vcpu_manufacturer property in the instance or dedicated host profile to choose between profiles from different processor manufacturers. You can also view the virtual server instance VCPU configuration through the vcpu sub-property manufacturer. For more information and limitations, see x86-64 instance profiles and Dedicated host profiles.
Network interface configuration for instance profiles. When you retrieve an instance profile or list all instance profiles, the response now provides a network_interface_count property. When the type is range, the new property provides max and min sub-properties that denote the maximum and minimum number of network interfaces that are supported for a virtual server instance with the specified profile. The values for max and min include both the primary network interface and secondary network interfaces. When the type is dependent, the network interface count depends on another value that is specified when the instance is created. For more information about instance profiles and network interface count, see Bandwidth allocation with multiple network interfaces.
Private DNS integration for load balancers. When you create or update a load balancer, you can now bind the IP addresses of your VPC load balancers to your private DNS zone by specifying the new dns.instance and dns.zone properties. When you specify these properties, load balancer IPs will no longer be registered to the publicly resolvable lb.appdomain.cloud domain name. For more information, see IBM Cloud Network Load Balancer for VPC and IBM Cloud Application Load Balancer for VPC.
21 March 2023
For all version dates
Instance provision by volume. You can now reuse an existing boot volume to provision a virtual server instance by specifying the existing volume using the id or crn sub-properties of the boot_volume_attachment property. The specified volume must be unattached and must have an operating system with the same architecture as the instance profile. You can use the new volume attachment_state property and expanded operating_system property to determine its eligibility. You can also use the new list volumes filters to list volumes that have specific attachment_state, operating_system, and encryption_type values.
By default, a boot volume created as part of provisioning a virtual server instance will be deleted when the instance is deleted. You can control this by specifying the delete_volume_on_instance_delete property when creating the instance or updating the boot volume attachment. For more information, see Creating virtual server instances.
VPC route priority. You can now control the priority of VPC routes. When you create or update a VPC route, use the new priority property to specify a value between 0 and 4 (default: 2). Smaller values have higher priority. For more information, see Determining route preference.
Modifiable next hop for VPC routes. You can now update the next_hop property of a VPC route. For more information about next hop, see Creating a route.
7 March 2023
For all version dates
Idle connection timeout control for application load balancers. You can now control the maximum time a client can be inactive when connected to the server by specifying the idle_connection_timeout property when creating a load balancer, creating a load balancer listener, and updating a load balancer listener. The idle_connection_timeout value defaults to the minimum of 50 seconds, and has a maximum of 2 hours, specified in seconds. For more information, see Creating an application load balancer.
14 February 2023
For all version dates
VPC instance metadata new endpoint URL. You can now use the fully qualified domain name (FQDN) api.metadata.cloud.ibm.com for the metadata service endpoint. The FQDN resolves to the link-local IP address 169.254.169.254 without requiring the application of special configurations. For more information, see Endpoint URLs in the VPC Instance Metadata API.
VPC instance metadata communication protocol and hop limit. You can now control the communication protocol and hop limit for IP response packets used by the VPC Instance Metadata service. When you create or update an instance, use the new metadata_service.protocol property to specify either http (default) or https (secure access) communication. In addition, use the new metadata_service.response_hop_limit property to specify a value between 1 (default) and 64. Both of these properties apply only when the metadata service is enabled by setting metadata_service.enabled to true. The default is false. For more information, see Configure metadata settings on an existing instance with the API.
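The hop limit is the setting that matters most here: with a response hop limit of 1, metadata responses cannot cross a routed hop inside the instance, so a container or a workload behind an extra layer-3 hop cannot pull instance identity tokens from the metadata service. The Python below is an added example, not IBM code, that reports the weak settings on instances whose metadata service is enabled and produces the PATCH body that brings an instance to HTTPS with a hop limit of 1. The metadata_service property names and defaults are from the entry above; the PATCH body layout is an assumption to check against the API reference, and the sample instances are constructed.

```python
"""Audit and hardening of the instance metadata service settings.

Added example, not IBM code. Property names and defaults are from the
change log entry; the PATCH body layout is assumed; samples are constructed."""

# Tightest settings that keep the service usable from the guest itself.
HARDENED = {"protocol": "https", "response_hop_limit": 1}
DEFAULTS = {"enabled": False, "protocol": "http", "response_hop_limit": 1}


def effective_metadata_settings(instance):
    """Fill in documented defaults for properties the response omits."""
    settings = dict(DEFAULTS)
    settings.update(instance.get("metadata_service", {}))
    return settings


def metadata_findings(instance):
    """Weak settings on an instance with the metadata service enabled.
    A disabled service exposes nothing, so it yields no findings."""
    s = effective_metadata_settings(instance)
    if not s["enabled"]:
        return []
    findings = []
    if s["protocol"] != "https":
        findings.append("plaintext_http")
    if s["response_hop_limit"] > 1:
        findings.append(f"hop_limit_{s['response_hop_limit']}")
    return findings


def hardening_patch(instance):
    """PATCH /v1/instances/{id} body that moves the instance to HARDENED,
    containing only the properties that actually change; None if nothing
    needs changing (or the service is disabled)."""
    s = effective_metadata_settings(instance)
    if not s["enabled"]:
        return None
    changes = {k: v for k, v in HARDENED.items() if s[k] != v}
    return {"metadata_service": changes} if changes else None


SAMPLE_INSTANCES = [  # constructed
    {"name": "batch-1", "metadata_service": {"enabled": False}},
    {"name": "web-1", "metadata_service": {"enabled": True, "protocol": "http",
                                           "response_hop_limit": 2}},
    {"name": "web-2", "metadata_service": {"enabled": True, "protocol": "https",
                                           "response_hop_limit": 1}},
]

if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        print(inst["name"], metadata_findings(inst), hardening_patch(inst))
```

A hop limit above 1 is occasionally needed when a workload runs in nested virtualization or behind an in-guest router; treat those as documented exceptions rather than the baseline, and keep the service disabled entirely on instances that never need trusted profile tokens.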
7 February 2023
For all version dates
Snapshot clones for fast restore. You can now quickly restore a volume from a snapshot by using a fast restore snapshot clone. You can create a fast restore clone when you create a new snapshot or update an existing snapshot by adding one or more zonal clones for a snapshot in the same region as the snapshot. Later, you can restore a volume, and all of its data, from that fast restore snapshot clone. When you no longer need a zonal snapshot clone, you can delete it. Although the delete operation cannot be reversed, you can create a new, equivalent zonal clone from the snapshot.
When creating or updating a backup policy plan, you can now specify the clone_policy.zones in which the backup service will create snapshot clones.
For more information, see Restoring a volume using fast restore or dive into the new API methods.
31 January 2023
For all version dates
Bare metal server secure boot. When you create or update a bare metal server, you can now enable secure boot. The default is false (disabled). If enabled, the image must support secure boot or the server will fail to boot. To toggle secure boot, the server must be stopped. For more information, see Bare metal server images.
Bare metal server trusted platform module (TPM) support. When you create or update a bare metal server, you can now set a TPM mode. Specify a mode value (disabled or tpm_2) in the trusted_platform_module property. The default is disabled. To change the TPM mode, the server must be stopped. To determine the supported TPM modes, use the supported_trusted_platform_modes property included in the bare metal server profile. For more information, see Secure boot with Trusted Platform Module (TPM).
17 January 2023
For all version dates
Bare metal server DELETE response code change. Bare metal DELETE methods now return an HTTP response code of 202 upon success:
- Delete a network interface
- Disassociate a floating IP from a network interface
- Delete a bare metal server
Unlike previous response code changes, the transition from 204 to 202 applies to all API versions. Therefore, a response code of 204 will not be returned for any API requests for these methods, regardless of the version query parameter value. Future transitions from 204 to 202 will be tied to a dated API version, as described in Upcoming changes.
20 December 2022
For all version dates
Backup policy jobs. You can now list all jobs for a backup policy or retrieve a backup policy job. A backup policy job is triggered when a scheduled backup snapshot is being created or deleted. If the create or delete action is successful, the job contains information about the backup snapshot that was created or deleted. If the job ran unsuccessfully, the job contains the reason for the failure. For more information, see Viewing backup jobs.
13 December 2022
For all version dates
Health states for block storage volumes. When you list all volumes or retrieve volume details, the responses now include health_state and health_reasons properties. For more information, see Block storage volume health states.
15 November 2022
For all version dates
Access management tag support. As described in Authorization in the VPC API reference, you can now use IBM Cloud Identity and Access Management to control access to VPC resources by using access management tags. For details, see Managing IAM access for VPC Infrastructure Services.
Some VPC APIs currently require additional authorizations beyond those defined in the API specification. For more information, see Known issues.
25 October 2022
For all version dates
VPC route naming restriction. You can no longer create VPC routes that begin with the prefix ibm- or rename an existing route to have the prefix ibm-. Existing routes that begin with ibm- will not be affected. If you have automation that creates routes using the prefix ibm-, you will need to remove or change the prefix used by your automation for it to succeed.
11 October 2022
For all version dates
Public internet ingress routing. You can now route public internet ingress traffic destined to a floating IP to a next-hop IP. When you create a new VPC routing table or update an existing VPC routing table, the new route_internet_ingress property lets you route traffic that originates from the public internet. For more information, see Creating a routing table by using the API and limitations and guidelines for Ingress routes.
4 October 2022
For all version dates
Enhanced network interface support for flow logs. Flow logs are now collected for all network interfaces attached to a subnet, even if those network interfaces are in another account. As a result, flow logs for network interfaces associated with IBM Cloud Kubernetes Service (IKS)/Red Hat OpenShift Kubernetes Service (ROKS) worker nodes, load balancers, and VPN gateways are now collected. For example, if you have an existing flow log collector that targets a VPC or subnet that also has attached IKS worker nodes, it will now collect flow logs for traffic flowing through those IKS worker nodes in those VPCs and subnets. For more information, see Flow log limitations.
27 September 2022
For all version dates
Sharing images across accounts within an enterprise. You can now use a catalog to share custom images with users in other accounts within the same enterprise. When you create an image, a new catalog_offering property includes a managed sub-property that is set to false by default. When the custom image is imported to a catalog, the managed sub-property is set to true, indicating that the image is added to a catalog offering version and is managed from a catalog. Any user who has been authorized to the catalog offering version can provision a virtual server instance with that image by specifying the offering version's CRN as catalog_offering.version.crn. Alternatively, users can specify the offering's CRN as catalog_offering.offering.crn to provision a virtual server instance with the latest image associated with the catalog offering. For more information, see Custom images in a private catalog, the tutorial Onboarding a virtual server image for VPC, and the Import offering method in the Catalog Management API.
The image may not be deleted or used in a different catalog product offering version while it is managed from a catalog. If the catalog is deleted, a 7 day reclamation period will apply that prevents any images managed by the catalog from being deleted or re-used during the reclamation period. For more information, see Deleting a custom image in a private catalog and Using resource reclamations.
Image references may refer to custom images in other accounts. Before using this feature, verify that your clients handle image reference lookup failures gracefully and do not assume inaccessible images have been deleted, even when running with full access to your images. To avoid possible retrieval or use of the wrong image by name, specify the image id, crn, or href instead. For more information, see Using cross-account image references in a private catalog in the API.
Increased network interface limits for virtual server instances. You can now have up to 14 secondary network interfaces on a virtual server instance. The previous limit for secondary network interfaces was 4. The number of interfaces that a virtual server instance supports is dependent on the VCPU count that is included in the instance profile. For more information about the number of interfaces that a virtual server supports, see Bandwidth allocation with multiple network interfaces. To utilize the increased limit for network interfaces, you can create secondary network interfaces by specifying network_interfaces when you create an instance. You also can add secondary network interfaces to an existing instance by creating a network interface on an instance.
For an existing, running instance with 17 or more vCPUs to take advantage of the new network interface limits, it must be stopped and then started again. A reboot action on the running virtual server does not activate the increased network interface limit.
IBM® LinuxONE Bare Metal Servers. Accounts with access to the profiles for s390x bare metal servers can now create LinuxONE Bare Metal Servers. These profiles have a cpu_architecture of s390x and must be used with Red Hat Enterprise Linux for s390x and SUSE Linux Enterprise Server (SLES) for s390x. For more information, see Creating bare metal servers on VPC.
In support of s390x bare metal servers, the following enumerations have been expanded:
- Because s390x local disks are attached through the Fibre Channel protocol, a value of fcp has been added to the interface_type enumeration that is returned when you retrieve or list the disks for a bare metal server.
- Because s390x provides TCP/IP connectivity by using HiperSockets, a value of hipersocket has been added to the interface_type enumeration returned when you retrieve or list the network interfaces on an s390x bare metal server. Similarly, when you create an s390x bare metal server, or add a network interface to an existing s390x bare metal server, you must specify an interface_type of hipersocket. For more information, see the IBM HiperSockets Implementation Guide.
s390x bare metal servers have different network bandwidth and maximum network interface limits from x86 bare metal servers.
20 September 2022
For all version dates
Deprecated VPN for VPC ciphers. The following VPN IKE and IPsec ciphers are now deprecated:
- Authentication algorithms md5 and sha1
- Encryption algorithm triple_des
- Diffie–Hellman groups 2 and 5
You have until 13 December 2022 to upgrade to more secure ciphers. After this date, VPN connections using deprecated ciphers will have a status of down (and no longer transfer data) until you upgrade from the weak cipher.
Additional VPN for VPC ciphers. VPN gateways now provide new algorithms to help meet your security and compliance requirements.
IKE policy methods now support the sha384 value for the authentication_algorithm property, the aes192 value for the encryption_algorithm property, and groups 15-18, 20-24, and 31 for the dh_group property.
IPsec policy methods now support sha384 and disabled values for the authentication_algorithm property; aes192, aes128gcm16, aes192gcm16, and aes256gcm16 values for the encryption_algorithm property; and groups 15-18, 20-24, and 31 for the dh_group property.
Specifying IKE and IPsec policies when configuring a VPN connection is optional. If a policy is not specified, one is chosen through auto-negotiation. For more information, see About policy negotiation.
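The deprecation above is the kind of change worth checking for before the cut-off date rather than after connections go down. The following added example (not part of the change log or of IBM's tooling) audits IKE and IPsec policy documents against the deprecated values and the newly supported values listed in this entry; the policy and connection dicts are constructed samples shaped like the API's authentication_algorithm, encryption_algorithm and dh_group properties, and values the change log does not mention are left unchecked.

```python
"""Audit VPN for VPC IKE and IPsec policies for deprecated ciphers.

Added example, not IBM's tooling. The deprecated values and the newly
supported values are those listed in the 20 September 2022 entries; the
policy documents used with it are constructed, shaped like the API's
``authentication_algorithm``, ``encryption_algorithm`` and ``dh_group``
properties. Values the change log does not mention are left unchecked.
"""

# Deprecated as of 20 September 2022; connections still using them are set
# to status "down" after 13 December 2022.
DEPRECATED = {
    "authentication_algorithm": {"md5", "sha1"},
    "encryption_algorithm": {"triple_des"},
    "dh_group": {2, 5},
}

NEW_DH_GROUPS = set(range(15, 19)) | set(range(20, 25)) | {31}

# Values newly accepted per policy type, as listed in the change log.
ADDED = {
    "ike": {
        "authentication_algorithm": {"sha384"},
        "encryption_algorithm": {"aes192"},
        "dh_group": NEW_DH_GROUPS,
    },
    "ipsec": {
        "authentication_algorithm": {"sha384", "disabled"},
        "encryption_algorithm": {"aes192", "aes128gcm16", "aes192gcm16", "aes256gcm16"},
        "dh_group": NEW_DH_GROUPS,
    },
}


def audit_policy(policy: dict, kind: str) -> list:
    """Return findings for one IKE ("ike") or IPsec ("ipsec") policy.

    Each finding is a (severity, property, value, message) tuple, where
    severity is "deprecated" (connection will go down) or "review"
    (configuration worth a second look). An empty list means the policy
    uses none of the deprecated values.
    """
    if kind not in ADDED:
        raise ValueError("kind must be 'ike' or 'ipsec'")
    findings = []
    for prop, weak in DEPRECATED.items():
        value = policy.get(prop)
        if value in weak:
            findings.append(("deprecated", prop, value, "set to 'down' after 13 December 2022"))
    auth = policy.get("authentication_algorithm")
    enc = policy.get("encryption_algorithm", "")
    if auth == "disabled":
        if kind == "ike":
            # The change log lists 'disabled' only for IPsec policies.
            findings.append(("review", "authentication_algorithm", auth, "only documented for IPsec policies"))
        elif not enc.endswith("gcm16"):
            # With authentication disabled, integrity must come from an AEAD cipher
            # mode; the GCM modes listed above are AEAD, plain aes192 is not.
            findings.append(("review", "authentication_algorithm", auth, "disabled without an AEAD (GCM) encryption algorithm"))
    return findings


def documented_alternatives(prop: str, kind: str) -> list:
    """Values the change log newly documents for ``prop`` on a ``kind`` policy."""
    return sorted(ADDED[kind][prop])


def connections_at_risk(connections: list) -> list:
    """Names of VPN connections whose IKE or IPsec policy uses a deprecated cipher.

    ``connections`` is a list of {"name", "ike_policy", "ipsec_policy"} dicts.
    """
    at_risk = []
    for conn in connections:
        findings = audit_policy(conn["ike_policy"], "ike") + audit_policy(conn["ipsec_policy"], "ipsec")
        if any(f[0] == "deprecated" for f in findings):
            at_risk.append(conn["name"])
    return at_risk
```

Running audit_policy over every IKE and IPsec policy returned by the list methods, and connections_at_risk over the connections that reference them, gives the list of tunnels that need a policy change before the deadline; documented_alternatives lists the replacement values this entry adds.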
13 September 2022
For all version dates
Updating subnets for application load balancers. You can now update the subnets attached to an application load balancer by specifying subnets when updating a load balancer.
The specified subnets must be in the same VPC as the load balancer's current subnets. If the update requires moving your load balancer to a different zone, its provisioning_status will change to migrate_pending until the move is complete. For more information, see Updating subnets for Application Load Balancers for VPC.
Verify that any clients retrieving the provisioning_status property will gracefully handle unknown values. For example, a client might bypass the load balancer, log a message, or halt processing and surface an error.
Because the subnets property is an array, the specified value will replace the load balancer's existing array of subnets. To guard against concurrent updates, you must provide the resource's current ETag using the If-Match header. For guidance on the use of ETags, see Concurrent update protection.
For version 2022-09-13 or later
Load balancer DELETE response code change. For requests using a version query parameter of 2022-09-13 or later, all load balancer DELETE methods will return an HTTP response code of 202 upon success:
- Delete a load balancer
- Delete a load balancer listener
- Delete a load balancer listener policy
- Delete a load balancer listener policy rule
- Delete a load balancer pool
- Delete a load balancer pool member
The underlying deletion operations were already asynchronous, and remain unchanged.
To avoid regressions, before issuing requests using a version query parameter of 2022-09-13 or later, ensure that any clients deleting load balancer resources will also regard a response code of 202 as success.
A response code of 204 will continue to be returned for API requests using a version query parameter of 2022-09-12 and earlier.
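Both the load balancer change above and the bare metal server change of 17 January 2023 move DELETE from 204 to 202, one tied to a version date and one not. The following added example (not IBM's SDK code) shows the client-side handling this calls for: treat 202 and 204 alike as success, follow redirects, and keep the trace property from error bodies, as the best practices at the top of this change log recommend. It makes no network calls; the Response type and the host example.invalid are stand-ins constructed for the example.

```python
"""Version-aware handling of VPC DELETE responses.

Added example, not IBM's SDK code. It models the client behaviour the change
log asks for: treat 202 and 204 alike as success for DELETE, follow 3xx
redirects, and record the ``trace`` property from 4xx/5xx error bodies.
No network calls are made; responses are constructed stand-ins.
"""
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Version date from which load balancer DELETE methods return 202 (from the change log).
LB_DELETE_202_VERSION = "2022-09-13"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def with_version(url: str, version: str) -> str:
    """Return ``url`` with the ``version`` query parameter set, replacing any existing one."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query))
    query["version"] = version
    return urlunparse(parts._replace(query=urlencode(query)))


def expected_success_statuses(path: str, version: str) -> set:
    """Success codes a strict client could expect for DELETE on ``path`` under ``version``.

    Only the two transitions described in the change log are encoded: bare
    metal server DELETE methods return 202 for all version dates, and load
    balancer DELETE methods return 202 from version 2022-09-13 on. Other
    resources are assumed to still return 204 (an assumption, not a
    documented fact). ISO dates compare correctly as strings.
    """
    if path.startswith("/bare_metal_servers/"):
        return {202}
    if path.startswith("/load_balancers/"):
        return {202} if version >= LB_DELETE_202_VERSION else {204}
    return {204}


def handle_delete_response(resp: Response) -> tuple:
    """Classify a DELETE response for the caller.

    Returns ("success", status) for 202 or 204 (202 means the deletion was
    accepted and continues asynchronously), ("redirect", location) for 3xx,
    and ("error", trace) for 4xx/5xx, where ``trace`` is the request trace
    id from the error body, or None if the body carried none.
    """
    if resp.status in (202, 204):
        return ("success", resp.status)
    if 300 <= resp.status < 400:
        return ("redirect", resp.headers.get("Location"))
    if resp.status >= 400:
        trace = None
        try:
            trace = json.loads(resp.body or "{}").get("trace")
        except (ValueError, AttributeError):
            pass  # non-JSON or non-object error body: still an error, just without a trace id
        return ("error", trace)
    return ("unexpected", resp.status)
```

The defensive choice is that handle_delete_response accepts 202 and 204 for every resource regardless of version, which is exactly what the entry asks clients to do before they move their version query parameter forward; expected_success_statuses is only there to show where the two documented transitions apply.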
6 September 2022
For all version dates
Improved reserved IP support for bare metal servers. The following methods have been added for convenience and parity with the virtual server instance reserved IP methods:
- List all reserved IPs bound to a network interface for a bare metal server
- Retrieve bound reserved IP for a bare metal server
23 August 2022
For all version dates
Additional user tag support for boot and data volumes. You can now add user tags to boot and data volumes when provisioning a virtual server instance or adding a volume attachment. You can specify the user_tags property when you create an instance, create an instance template, and create a volume attachment.
For more information, see Create and attach a block storage volume when you create a new instance and Working with tags.
16 August 2022
For all version dates
Improved VLAN support for bare metal servers. The restriction limiting a VLAN ID in the allowed_vlans property to a single PCI network interface on a bare metal server has been removed. As a result, you can now move VLAN interfaces between PCI interfaces on the same bare metal server.
26 July 2022
For all version dates
Resource suspension for virtual server instances. The list all instances and retrieve an instance methods now provide lifecycle_reasons and lifecycle_state properties. A virtual server instance that violates IBM Cloud’s Acceptable Use Policy will now have its lifecycle_state property set to suspended. A suspended instance is automatically powered off and you cannot update, delete, or power it on. For more information, see Viewing instance status and lifecycle_state in the API and Resource suspension.
5 July 2022
For all version dates
Client VPN for VPC. Client-to-site connectivity is now available. This feature allows remote devices to securely connect to a VPC using an OpenVPN (or other compatible) software client. For more information about VPN client-to-site connectivity and how it complements the existing VPN site-to-site connectivity, see About client-to-site VPN servers.
- A VPN server allows VPN clients from the internet to connect to a VPC. When creating a VPN server, you can specify a security group to protect the VPN server, and subnets in your VPC in which the VPN server will allocate its reserved IP addresses. For more information, see Creating a VPN server and the new VPN server methods.
- A VPN client represents a client connecting from the internet. You can retrieve the OpenVPN client configuration to use to configure a VPN client for a VPN server. For more information, see Setting up a client VPN environment and connecting to a VPN server and the new VPN client methods.
- A VPN route controls which subnets the VPN client can access and how the traffic from the VPN client reaches these subnets. For more information, see Managing VPN routes and the new VPN server route methods.
Configuring route propagation for VPN gateways and VPN servers. When you create a VPC routing table, you can now control if the routing table accepts routes from a VPN gateway or server by specifying the accept_routes_from property. When you view a route in a VPC routing table, the new origin property shows who created the route (either user or service), and the service routes include a new creator property that references the resource that created the route. Routes with the creator property present cannot be deleted directly. For more information, see Configuring route propagation for VPN gateways and VPN servers.
Concurrent update protection. ETags returned on GET, POST, and PATCH requests represent the modifiable state of the resource. When updating the accept_routes_from property on a routing table, or updating the client_authentication, client_dns_servers, or subnets properties on a VPN server, you must provide the resource's ETag using the If-Match header. For general guidance on the use of ETags, see Concurrent update protection.
28 June 2022
For all version dates
Block storage. You can now create a volume from a snapshot without having to also create and attach it to a virtual server instance. When you create a volume, a new source_snapshot property lets you specify a snapshot which will be used as source data for the new volume. The volume's data is fully restored later, when you attach it to an instance. Volume performance is initially degraded until the volume data is fully restored. For more information, see Restoring an unattached data volume from a snapshot with the API.
Cross-zone member support for network load balancers. You can now create a load balancer pool with members across any zone in the region. You can also use the create pool member and replace pool member methods to update an existing pool with members across any zone in the region. The zone of the network load balancer is still identified by the subnet that you specify when you create a load balancer.
Network load balancers with route_mode enabled do not support cross zone members.
21 June 2022
For all version dates
Backup for VPC. You can now create backup policies to schedule automatic backups of your block storage volumes. Backups are made when a user tag in a block storage volume matches a user tag defined in a backup policy. Backups are created by a schedule defined in a backup plan. Each plan also has a deletion policy for managing backups created by the plan, which you can customize by specifying the deletion_trigger sub-property. At the scheduled interval, a backup snapshot is created of that volume. You can have up to four backup plans per policy. See Backup for VPC.
The backup policy jobs API remains in beta.
29 March 2022
The 2022-03-29 release includes incompatible changes. To avoid regressions in client functionality, be sure to read and follow the 2022-03-29 API migration guide before specifying version 2022-03-29 or later in any API requests.
For version 2022-03-29 or later
Reserved IPs for compute. Using a version query parameter of 2022-03-29 or later, you can now fully control the IP addresses assigned to your network interfaces by specifying a new or existing reserved IP when you create an instance or create a bare metal server.
Migration of network interface IP addresses. In support of reserved IPs, for requests using a version query parameter of 2022-03-29 or later, the network interface primary_ipv4_address string property has been migrated to the primary_ip object property. See Migrating use of IP addresses for guidance on how to migrate to primary_ip.
Removal of security group network interfaces. The methods for associating security groups with network interfaces that were deprecated in API version 2021-02-23 have been removed as of version 2022-03-29. See Migrating use of security group associations for guidance on how to migrate to use security group targets, which allow security groups to be associated with VPC resources beyond network interfaces, such as endpoint gateways and load balancers.
For all version dates
Reserved IP management. You can explicitly Reserve an IP in a subnet ahead of time, and List all reserved IPs on a subnet to see all your VPC resources that are using IP addresses on that subnet, including load balancers and VPN gateways. For more information, see Managing IP addresses.
UDP support for network load balancers. When creating a network load balancer (NLB), you can now set User Datagram Protocol (UDP) as the communications protocol for NLB listeners and pools by specifying udp for the protocol sub-property of the listener and pool properties respectively. (Health checks do not support UDP for monitoring the health of pool members.) For more information, see Configuring UDP for network load balancers.
You must set the same protocol for the load balancer pool and listeners using that pool.
Not all network load balancer offerings will support UDP. Before creating a UDP network load balancer (or updating an existing NLB listener to use UDP), check that the udp_supported property of the load balancer profile is true.
22 March 2022
For all version dates
Concurrent update protection. To prevent multiple clients from unknowingly overwriting each other's updates, select API methods support entity-tags and conditional requests. For details, see Concurrent update protection in the Virtual Private Cloud API.
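This entry, the If-Match requirement for VPN server and routing table updates (5 July 2022), and the whole-array replacement of a load balancer's subnets (13 September 2022) all rest on the same mechanism. The following added example (not IBM's code) models it end to end: a toy ResourceStore stands in for the service, deriving an ETag from the resource's modifiable state and enforcing If-Match on PATCH, and update_with_retry is the client pattern that re-reads and re-derives its change after a rejection. The 412 and 428 status codes are an assumption taken from standard HTTP semantics, not from the change log, and the VPN server document is constructed.

```python
"""Concurrent update protection with ETag and If-Match.

Added example, not IBM's code. ``ResourceStore`` is a toy stand-in for the
service: it derives an ETag from the modifiable state of one resource and
enforces ``If-Match`` on PATCH. ``update_with_retry`` is the client-side
pattern. Status codes follow standard HTTP semantics and are an assumption
about the service: 412 Precondition Failed when the ETag no longer matches,
428 Precondition Required when If-Match is missing on a method that needs it.
"""
import hashlib
import json


class ResourceStore:
    """Single resource with ETag-guarded updates (constructed model, not the VPC service)."""

    def __init__(self, state: dict):
        self.state = dict(state)

    def etag(self) -> str:
        # Quoted strong ETag over a canonical JSON encoding of the modifiable state.
        canonical = json.dumps(self.state, sort_keys=True, separators=(",", ":")).encode()
        return '"%s"' % hashlib.sha256(canonical).hexdigest()[:16]

    def get(self):
        return 200, {"ETag": self.etag()}, dict(self.state)

    def patch(self, if_match, changes: dict):
        if if_match is None:
            return 428, {}, {"errors": [{"code": "precondition_required"}]}
        if if_match != self.etag():
            # Someone else changed the resource since this client read it.
            return 412, {}, {"errors": [{"code": "precondition_failed"}]}
        self.state.update(changes)  # array properties such as subnets are replaced whole
        return 200, {"ETag": self.etag()}, dict(self.state)


def update_with_retry(store: ResourceStore, mutate, max_attempts: int = 3):
    """Read, derive a change from the fresh state, PATCH with If-Match; retry on 412.

    ``mutate(current) -> changes`` builds the PATCH body from the latest
    state, so a retry rebuilds the change on top of whatever was written in
    the meantime instead of replaying a stale body. Returns (status, state).
    """
    status, state = 412, None
    for _ in range(max_attempts):
        _, headers, current = store.get()
        status, _, state = store.patch(headers["ETag"], mutate(current))
        if status != 412:
            break
    return status, state


def lost_update_scenario():
    """Two clients each add a subnet to a VPN server starting from the same read."""
    store = ResourceStore({"name": "vpn-server-1", "subnets": [{"id": "subnet-a"}]})  # constructed
    _, hdr_a, cur_a = store.get()
    _, hdr_b, cur_b = store.get()
    # Client A writes first and succeeds.
    st_a, _, _ = store.patch(hdr_a["ETag"], {"subnets": cur_a["subnets"] + [{"id": "subnet-b"}]})
    # Client B's write carries the stale ETag and is rejected, so A's subnet is not lost.
    st_b, _, _ = store.patch(hdr_b["ETag"], {"subnets": cur_b["subnets"] + [{"id": "subnet-c"}]})
    # Client B re-reads and applies its change on top of A's.
    st_retry, final = update_with_retry(
        store, lambda cur: {"subnets": cur["subnets"] + [{"id": "subnet-c"}]}
    )
    return st_a, st_b, st_retry, [s["id"] for s in final["subnets"]]
```

Without the If-Match check, client B's PATCH would have silently replaced the subnets array with [subnet-a, subnet-c] and dropped A's change; the retry path is what makes array-valued updates safe under concurrency.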
22 February 2022
For all API version dates
Instance availability policies for compute host failures. A new availability_policy property has been added to the create and update instance methods to control the behavior when the instance's underlying compute host experiences a failure. The host_failure sub-property can be used to set the host failure availability_policy of the virtual server instance. The default policy is restart, which relocates the instance to a healthy host and restarts the instance. The policy may be set to stop to have the instance remain stopped if the compute host experiences a failure.
For more information, see Host failure recovery policies.
15 February 2022
For all version dates
Resizable boot volumes. You can now increase the capacity of a boot volume, up to 250 gigabytes (GB). When creating an instance from an image or an instance template, you can specify a larger capacity than the image's minimum_provisioned_size default. Specify capacity in the volume sub-property of the boot_volume_attachment property. You can also increase the size of an existing boot volume by specifying the capacity property when updating the volume.
8 February 2022
For all version dates
Port ranges for public network load balancers. When creating a public network load balancer you can now specify a range of listener ports. When you configure a load balancer with a port range, the port property of the load balancer's pool members will not be used for port translation on incoming traffic. Instead, traffic will arrive at the member on the same port it arrived on at the listener.
Before using this feature on a load balancer, update client applications that integrate with it to check the port_min and port_max properties on the load balancer listener.
If those properties do not have the same value, the client must consider the inclusive range between port_min and port_max as the possible ports on which traffic can arrive at the member. However, if port_min and port_max have the same value, the behavior will be unchanged and traffic will arrive on the port specified by the port property of the load balancer pool member.
1 February 2022
For all version dates
Bare metal servers for VPC. You can now create bare metal servers to host VMware® clusters in IBM Cloud VPC. You can set up VMware management applications and create VMware virtual machines on the bare metal servers. The new bare metal server APIs use a similar structure and employ the same concepts as the existing instance APIs. There is also a parallel but separate set of bare metal server profile APIs with similar conventions to the existing instance profile APIs. After you've learned one concept, it will apply to the other.
For more information, see About Bare Metal Servers for VPC and Bare metal server profiles, or dive into the new API methods.
25 January 2022
For all version dates
Security groups for endpoint gateways. For enhanced security, you can now associate security groups with endpoint gateways. When you create an endpoint gateway, you can now specify the security_groups property, which associates those security groups with the endpoint gateway. If you do not specify security_groups, the endpoint gateway will be associated with the VPC's default security group. Before using the default security group, review your default security group rules and, if necessary, edit the rules to accommodate your endpoint gateway traffic.
Responses that return an endpoint gateway now include the security_groups property. On endpoint gateways created before 25 January 2022, the security_groups property in the response is an empty array ([]), and no security groups are set.
You can update security groups for an endpoint gateway by adding an endpoint gateway to or removing an endpoint gateway from a security group's targets.
You will not be able to remove the only remaining security group from an endpoint gateway. As a result, if you add a security group to an endpoint gateway which had no security groups, you will not be able to revert the endpoint gateway to have no security groups.
Finally, the security group targets property can now refer to an endpoint gateway, as can the responses for the get security group target and list security group target methods.
Snapshots for VPC. A captured_at property has been added to each snapshot, indicating the date and time when the snapshot was captured from the volume. The captured_at timestamp value is a close approximation to the actual snapshot time, typically within a few seconds. The actual snapshot capture is between the created_at and captured_at timestamps. (The created_at property indicates when the snapshot creation process was initiated.)
If captured_at is absent from the response, the snapshot's data has not yet been captured. Additionally, the property may be absent for snapshots created before 1 January 2022.
23 November 2021
For all version dates
Snapshots for VPC. Restrictions have been removed for deleting snapshots. You can now delete any snapshot in the chain of snapshots. If the snapshot is actively being used to restore a volume, the snapshot will remain in deleting until the restore completes. The deletable property, which indicated whether a snapshot could be deleted, has been deprecated.
19 October 2021
For all version dates
GPU instances. Updated instance and instance profile methods now include details about GPUs attached to the instance. New profiles provide support for GPUs. These GPUs provide accelerated computing to help you run workloads with more powerful compute capabilities.
The list all instances method returns a new gpu property with additional sub-properties: count, manufacturer, model, and memory.
The retrieve an instance profile method returns new properties: gpu_count, gpu_manufacturer, gpu_model, and gpu_memory. For more information, see Managing GPUs.
28 September 2021
For all version dates
Route mode for VNF support for network load balancers. Network load balancers now support a new "route mode" enabling virtual network functions (VNFs) as back-end targets. A route_mode property has been added to the load balancer resource to indicate if the load balancer is in route mode. A route_mode_supported property has been added to the load balancer profile resource to indicate if the profile supports route mode. Presently, only network load balancer profiles support route mode.
The Create load balancer and Create load balancer listener methods now accept properties port_min and port_max.
You can request a load balancer listener for a single port by setting either the port property, or by setting the port_min and port_max properties to the same value. All load balancer listener responses now include port_min and port_max properties, with port_min matching the value of the existing port property.
When creating load balancers with route mode enabled, you must specify the listener's port_min value as 1, the port_max value as 65535, and omit the port property. Other port range values are not currently supported, as noted in Known issues.
For more information, see Creating a route mode Network Load Balancer for VPC.
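The listener port rules in this entry and in the 8 February 2022 entry on port ranges determine which ports a pool member must actually be listening on, which matters when security group and ACL rules for the members are written. The following added example (not IBM's code) implements those rules: port versus port_min/port_max on a listener, the member-port consequence of a range, and the fixed 1-65535 listener that route mode requires. The listener, profile and load balancer dicts are constructed samples shaped like the API properties named in the text.

```python
"""Listener port ranges and route mode checks for network load balancers.

Added example, not IBM's code. It implements the rules stated in the
8 February 2022 and 28 September 2021 entries: a listener is defined by
``port`` or by ``port_min``/``port_max``; when the range is wider than one
port, traffic reaches the pool member on the listener port rather than the
member's ``port``; and a route mode load balancer needs a listener with
``port_min`` 1, ``port_max`` 65535 and no ``port``. The listener, profile
and load balancer documents used with it are constructed.
"""

ROUTE_MODE_RANGE = (1, 65535)


def listener_range(listener: dict) -> tuple:
    """Return the inclusive (port_min, port_max) a listener accepts.

    Responses always carry port_min/port_max; requests may give only ``port``,
    which is treated as a one-port range.
    """
    if "port_min" in listener or "port_max" in listener:
        lo, hi = listener["port_min"], listener["port_max"]
    elif "port" in listener:
        lo = hi = listener["port"]
    else:
        raise ValueError("listener needs port or port_min and port_max")
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("invalid listener port range %d-%d" % (lo, hi))
    return lo, hi


def member_ports(listener: dict, member: dict) -> range:
    """Ports on which ``member`` can receive traffic from ``listener``.

    Single-port listener: traffic is translated to the member's ``port``.
    Port range: no translation; traffic arrives on the same port it hit the
    listener on, so the member must listen on the whole range.
    """
    lo, hi = listener_range(listener)
    if lo == hi:
        return range(member["port"], member["port"] + 1)
    return range(lo, hi + 1)


def validate_route_mode(load_balancer: dict, profile: dict, listeners: list) -> list:
    """Return problems with a route mode configuration; an empty list means none found.

    ``load_balancer`` carries ``route_mode``; ``profile`` is the load balancer
    profile resource carrying ``route_mode_supported``.
    """
    if not load_balancer.get("route_mode"):
        return []
    errors = []
    if not profile.get("route_mode_supported"):
        errors.append("profile %s does not support route mode" % profile.get("name", "?"))
    for ls in listeners:
        name = ls.get("name", "?")
        if "port" in ls:
            errors.append("listener %s: omit port when route mode is enabled" % name)
        try:
            lo, hi = listener_range(ls)
        except ValueError as exc:
            errors.append("listener %s: %s" % (name, exc))
            continue
        if (lo, hi) != ROUTE_MODE_RANGE:
            errors.append(
                "listener %s: route mode requires port_min 1 and port_max 65535, got %d-%d"
                % (name, lo, hi)
            )
    return errors
```

member_ports is the function to feed into whatever generates the members' inbound rules: a ranged listener means the member-side rule must cover the full range, not the single member port that older integrations assumed.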
7 September 2021
For all version dates
Instance bandwidth. New properties have been added to the create and update instance methods to allow adjustment to the amount of total bandwidth (in megabits per second) allocated exclusively to attached volumes. The range of acceptable volume bandwidth values depends on the selected instance profile. A new total_volume_bandwidth property, added to each instance profile, provides the range of possible values, and the default value used when creating an instance. An increase in total_volume_bandwidth will result in a corresponding decrease to total_network_bandwidth.
The volume bandwidth allocated to your existing instances will be unaffected unless:
- The instance's total_volume_bandwidth is lowered
- The total bandwidth requested by the instance's attached volumes exceeds the amount already requested by its attached volumes
For more information about this feature, see Bandwidth allocation for instance profiles.
31 August 2021
For all version dates
Block storage volumes:
- Adjustable IOPS. To manage the performance of your data volumes attached to running virtual server instances, use the update volume method to specify a different tiered profile value, or a different iops value within the custom IOPS tier. For more information, see Adjusting IOPS for block storage volumes.
- Expandable volumes. You can now expand a secondary volume attached to a running virtual server instance. Use the capacity property in the update volume method to request a new volume capacity, up to 16 TB (depending on the volume's profile). While the volume's capacity is being updated, the volume will remain available for use, but will have a status value of updating. For more information, see Expanding block storage volume capacity.
If you expand an existing data volume, be aware that existing applications will be exposed to the new updating value. To avoid disruption, first check that your applications are written to gracefully handle unexpected status values.
24 August 2021
For all version dates
Application load balancers. Use the HTTPS redirect feature to redirect traffic from an HTTP load balancer listener to an HTTPS listener.
An HTTPS redirect can be configured on either load balancer listeners or load balancer policies, or both. An HTTPS redirect is configured on the listener using the new https_redirect property, and will be used if none of the listener policy's rules match (or if it has no rules). An HTTPS redirect is configured on a load balancer policy using the new policy action value of https_redirect, and will be used only when all of the policy's rules match.
If you configure an HTTPS redirect on a listener policy, be aware that existing applications will be exposed to the new https_redirect value. To avoid disruption, check that your applications are written to gracefully handle unexpected action values first.
Additional API restrictions are enforced after an HTTPS redirect is configured:
- You will not be able to update the protocol and accept_proxy_protocol properties of the HTTP and HTTPS listeners. Instead, delete the listener and create a new listener with the new property values.
- You will not be able to delete an HTTPS listener until the HTTP listener referring to it is deleted.
17 August 2021
For all version dates
Larger size boot volumes for custom images. You can import custom images with a boot disk size from 10 GB to 250 GB, which will become the image's minimum_provisioned_size after import. When you specify the image as part of creating an instance, the boot volume capacity is set to the image's minimum_provisioned_size. For details, see Planning custom images.
Placement groups. Placement groups for IBM Cloud® Virtual Private Cloud are logical groupings of virtual server instances that can be configured to reduce the risk of correlated failures inherent in your physical environment, such as networking issues, power loss, or hardware failure. Define a placement group strategy for high-availability workloads, such as for host or power spread. For more information, see About placement groups or dive into the new API methods.
10 August 2021
For all version dates
LinuxONE (s390x processor architecture). You can now create virtual server instances on LinuxONE in IBM Cloud® using new virtual server instance profiles. Instances provisioned with these profiles will have a VCPU architecture of s390x and interoperate with other VPC storage and networking features such as block storage volumes, floating IPs, and security groups. For more information, see x86 instance profiles, and Service limitations.
29 June 2021
For all version dates
Keys. Pagination has been added to the List all keys method. Pagination will not occur until your account includes more than 50 keys in a region, but we recommend that you update your existing client applications in preparation. Contact IBM support if you need assistance.
15 June 2021
For all version dates
Load balancer pools. New cookie-based values have been added to the session_persistence enumeration returned by the load balancers pool methods. If you create or update pools with these new values to enforce session persistence, client applications will expose cookie values in all requests. For details, see Cookie-based session persistence.
8 June 2021
For version 2021-06-08 or later
Load balancers. For requests using a version query parameter of 2021-06-08 or later, you can now use pagination when listing all load balancers in the region. Requests using a version query parameter of 2021-06-07 or earlier remain unpaginated, but may time out if you have many load balancers.
If you expect to use many load balancers at once, migrate your applications to the paginated API to improve responsiveness and reliability. Contact IBM support if you need help migrating your existing client applications.
25 May 2021
For all version dates
Image from volume. On a POST /images request, you can now specify source_volume with an instance boot volume identity. Specifying the encryption_key property in that request encrypts the image with a root key of your choosing. For details, see Creating an image from a volume.
18 May 2021
For all version dates
Snapshots for VPC. Use the new regional snapshot service to create point-in-time copies of your block storage boot or data volumes. Select a snapshot during instance provisioning and restore a new, fully-provisioned boot volume to start the instance. You can also create and attach a data volume from a snapshot within a running virtual server instance. Learn about creating and using snapshots and explore the new API methods.
6 May 2021
For all version dates
Scheduled scaling. Use scheduled scaling for VPC to schedule actions that automatically add or remove instance group capacity, based on daily, intermittent, or seasonal demand. You can create multiple scheduled actions that scale capacity monthly, weekly, daily, hourly, or even every set number of minutes. Explore the instance group managers methods and the new manager actions methods.
30 March 2021
For all version dates
Instance storage. New instance profiles can now optionally include a set of solid state disks. These instance storage disks provide temporary storage to improve the performance of cloud-native workloads that need scratch space, large data caches, or data replicated across availability zones.
The following API methods have been added:
- List all disks on an instance (`GET /instances/{instance_id}/disks`)
- Retrieve an instance disk (`GET /instances/{instance_id}/disks/{id}`)
- Update an instance disk (`PATCH /instances/{instance_id}/disks/{id}`)
- List all disks on a dedicated host (`GET /dedicated_hosts/{dedicated_host_id}/disks`)
- Retrieve a dedicated host disk (`GET /dedicated_hosts/{dedicated_host_id}/disks/{id}`)
- Update a dedicated host disk (`PATCH /dedicated_hosts/{dedicated_host_id}/disks/{id}`)
API methods that return instance and dedicated host profiles now include a `disks` property with information about the storage capability (where present) of resources provisioned with those profiles.
API methods that return instances and dedicated hosts now include a `disks` property with information about the disks configured for those resources.
For more information, see About instance storage.
Virtual server instance console. You can now access your instances by connecting to a VNC or serial console. Learn about Accessing virtual server instances by using VNC or serial consoles, and explore the new instance console API methods:
- Create a console access token for an instance (`POST /instances/{instance_id}/console_access_token`)
- Retrieve the console WebSocket for an instance (`GET /instances/{instance_id}/console`)
Instance resize. You can now resize an instance by providing the `profile` property in the API method `PATCH /instances/{id}` (Update an instance). For more information, see Resizing a virtual server instance.
23 March 2021
For all version dates
New parameter-based rule types for an application load balancer. When creating a load balancer listener policy rule, the `type` property may now be set to `query` or `body` to perform additional forms of layer 7 load balancing:
- `query`: Write layer 7 rules that use the query string to route traffic to a specific target. For a `query` type rule, `field` and `value` must be percent-encoded, the same as the query string in the URL.
- `body`: If the body of the `POST` request uses form encoding (UTF-8), you can create layer 7 rules to route traffic based on a parameter name and value in the body. The `Content-Type` header of the request is ignored.
If you use these new rule types, be aware that existing client applications will be exposed to those new values in the existing properties. To avoid disruption, check that client applications are written to gracefully handle unexpected values for these properties before using these new rule types for an application load balancer.
19 March 2021
For all version dates
Bring your own license. You can now bring your own license (BYOL) for custom images that you create and import to IBM Cloud VPC. When you import a custom image, you can choose from new `byol` Red Hat Enterprise Linux (RHEL) and Windows operating systems.
A new `dedicated_host_only` property has been added to operating system resources. Any instance with a boot volume created from an image with `operating_system.dedicated_host_only` set to `true` must be placed on a dedicated host (or into a dedicated host group). Because Windows BYOL images have `dedicated_host_only` set to `true`, they must be placed on a dedicated host (or into a dedicated host group). There are no such restrictions on placing instances that use RHEL BYOL images.
Every operation that returns an `OperatingSystem` resource now includes a `dedicated_host_only` property.
9 March 2021
For all version dates
Additional VPN for VPC IKEv2 encryption/hash/Diffie-Hellman (DH) group support. For enhanced security, VPN for VPC now supports SHA2-512 (a Secure Hash Algorithm) for authentication and DH group 19 (a 256-bit elliptic-curve group) for key agreement.
If you use these new algorithms, be aware that existing client applications will be exposed to those new values in the existing `authentication_algorithm` and `dh_group` properties. To avoid disruption, check that client applications are written to gracefully handle unexpected values for these properties before using these new algorithms.
The following VPN for VPC methods have been updated:
- In IKE policies, the `authentication_algorithm` property now includes a `sha512` value, and the `dh_group` property includes a `19` value.
- In IPsec policies, the `authentication_algorithm` property now includes a `sha512` value, and the `pfs` property includes a `group_19` value.
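An audit of IKE and IPsec policies that does what the paragraph above asks of clients, as an added example (not IBM code): it flags weak `authentication_algorithm`, `dh_group` and `pfs` settings, and reports any value it has never seen as "unknown" instead of failing. The strong and weak sets express this client's own policy, not an IBM list; the `name` property and the sample policies are assumptions and constructed data.

```python
"""Audit VPN for VPC IKE and IPsec policy objects for weak settings while
tolerating enumeration values this client has never seen.

Added example, not IBM code. Sample policies are constructed, not API output;
the "sha3_256" and 21 values in the sample are hypothetical, there only to show
how an unrecognised value is reported.
"""

# Values known to this client. Anything else is "unknown": a review item,
# never a crash, so a server-side addition like sha512 / 19 / group_19 cannot
# break the audit.
STRONG_AUTH = {"sha256", "sha384", "sha512"}
WEAK_AUTH = {"md5", "sha1"}
STRONG_DH = {14, 19}            # 2048-bit MODP, 256-bit ECP
WEAK_DH = {2, 5}                # 1024-bit and 1536-bit MODP
STRONG_PFS = {"group_14", "group_19"}
WEAK_PFS = {"disabled", "group_2", "group_5"}


def classify(value, strong, weak):
    """'ok', 'weak', or 'unknown' for one enumeration value."""
    if value in strong:
        return "ok"
    if value in weak:
        return "weak"
    return "unknown"


def audit_ike_policy(policy):
    """(policy name, property, value, verdict) tuples for one IKE policy."""
    name = policy.get("name", policy.get("id", "?"))
    auth = policy.get("authentication_algorithm")
    dh = policy.get("dh_group")
    return [
        (name, "authentication_algorithm", auth, classify(auth, STRONG_AUTH, WEAK_AUTH)),
        (name, "dh_group", dh, classify(dh, STRONG_DH, WEAK_DH)),
    ]


def audit_ipsec_policy(policy):
    """Same for an IPsec policy, where forward secrecy is the "pfs" property."""
    name = policy.get("name", policy.get("id", "?"))
    auth = policy.get("authentication_algorithm")
    pfs = policy.get("pfs")
    return [
        (name, "authentication_algorithm", auth, classify(auth, STRONG_AUTH, WEAK_AUTH)),
        (name, "pfs", pfs, classify(pfs, STRONG_PFS, WEAK_PFS)),
    ]


def audit(ike_policies, ipsec_policies):
    """Everything that needs attention: weak settings plus values to review."""
    findings = []
    for p in ike_policies:
        findings += [f for f in audit_ike_policy(p) if f[3] != "ok"]
    for p in ipsec_policies:
        findings += [f for f in audit_ipsec_policy(p) if f[3] != "ok"]
    return findings


# Constructed samples shaped like GET /ike_policies and GET /ipsec_policies items.
SAMPLE_IKE = [
    {"name": "legacy-ike", "authentication_algorithm": "sha1", "dh_group": 2},
    {"name": "modern-ike", "authentication_algorithm": "sha512", "dh_group": 19},
    {"name": "future-ike", "authentication_algorithm": "sha3_256", "dh_group": 21},
]
SAMPLE_IPSEC = [
    {"name": "legacy-ipsec", "authentication_algorithm": "md5", "pfs": "group_5"},
    {"name": "modern-ipsec", "authentication_algorithm": "sha256", "pfs": "group_19"},
]

if __name__ == "__main__":
    for name, prop, value, verdict in audit(SAMPLE_IKE, SAMPLE_IPSEC):
        print("%-13s %-24s %-10s %s" % (name, prop, value, verdict))
```

Run against real output by replacing the samples with the `ike_policies` and `ipsec_policies` collections; "unknown" findings are the cue to update the known sets, which is the graceful handling the change log asks for.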
New VPN gateway property. Each element of the existing VPN gateway `members` array now includes a `private_ip` property, which provides the IP address assigned to that VPN gateway member.
23 February 2021
For all version dates
Application load balancer security group integration. For enhanced security, application load balancers can now be associated with security groups. You can specify one or more security groups when you create the application load balancer, and associate security groups with your existing application load balancers. If you omit security groups during load balancer creation, the default security group for the VPC is used.
If you plan to use default security groups for new application load balancers, review your default security group rules. If necessary, edit the rules to accommodate your expected application load balancer traffic.
The following load balancer methods have been updated:
- Create a load balancer (`POST /load_balancers`) can now accept a list of security groups
- Get load balancer details (`GET /load_balancers/{id}`) now returns references to the security groups to which a load balancer is attached
New security group methods have been added for managing security group targets:
- Attach a security group to a target network interface or load balancer (`PUT /security_groups/{security_group_id}/targets/{id}`)
- List targets attached to a security group (`GET /security_groups/{security_group_id}/targets`)
- Retrieve a target in a security group (`GET /security_groups/{security_group_id}/targets/{id}`)
- Delete targets from a security group (`DELETE /security_groups/{security_group_id}/targets/{id}`)
Use the security group target methods to manage security group attachments to both load balancers and network interfaces. The original methods specific to network interfaces are now deprecated:
- `GET /security_groups/{security_group_id}/network_interfaces`
- `DELETE /security_groups/{security_group_id}/network_interfaces/{id}`
- `GET /security_groups/{security_group_id}/network_interfaces/{id}`
- `PUT /security_groups/{security_group_id}/network_interfaces/{id}`
For more information, see Integrating an IBM Cloud Application Load Balancer for VPC with security groups.
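The review of default security group rules that the entry above recommends, as an added example (not IBM code). It assumes a rule shape the change log does not spell out: `direction` (`inbound`/`outbound`), `protocol` (`all`/`tcp`/`udp`/`icmp`), optional `port_min`/`port_max`, and a `remote` that is a `cidr_block`, an `address`, or a reference to another security group. The sample group is constructed.

```python
"""Flag inbound security group rules that expose more than a load balancer's
listeners need, before letting a new application load balancer inherit the
VPC's default security group.

Added example, not IBM code. The rule shape is assumed (see lead-in) and the
sample group is constructed.
"""
import ipaddress


def is_public_remote(remote):
    """True for an address or CIDR outside private space, or for the whole
    address space; a reference to another security group is never public."""
    if "cidr_block" in remote:
        net = ipaddress.ip_network(remote["cidr_block"], strict=False)
        # 0.0.0.0/0 spans private ranges too, so prefixlen must be checked first.
        return net.prefixlen == 0 or not net.is_private
    if "address" in remote:
        return not ipaddress.ip_address(remote["address"]).is_private
    return False


def rule_ports(rule):
    """(port_min, port_max) for the rule; 'all' and 'icmp' cover every port."""
    if rule.get("protocol") in ("all", "icmp"):
        return (1, 65535)
    return (rule.get("port_min", 1), rule.get("port_max", 65535))


def overbroad_inbound_rules(security_group, listener_ports):
    """Inbound rules from public remotes that allow anything beyond the
    TCP listener ports the load balancer actually serves."""
    expected = set(listener_ports)
    flagged = []
    for rule in security_group.get("rules", []):
        if rule.get("direction") != "inbound":
            continue
        if not is_public_remote(rule.get("remote", {})):
            continue
        lo, hi = rule_ports(rule)
        allowed = set(range(lo, hi + 1))
        if rule.get("protocol") != "tcp" or not allowed <= expected:
            flagged.append(rule)
    return flagged


# Constructed default security group with one rule that should not be there.
SAMPLE_DEFAULT_SG = {
    "id": "sg-1", "name": "default-sg",
    "rules": [
        # Stock default: anything from members of the same group.
        {"id": "r1", "direction": "inbound", "protocol": "all", "remote": {"id": "sg-1"}},
        # Stock default: all outbound.
        {"id": "r2", "direction": "outbound", "protocol": "all",
         "remote": {"cidr_block": "0.0.0.0/0"}},
        # Someone opened SSH to the world for an unrelated instance.
        {"id": "r3", "direction": "inbound", "protocol": "tcp", "port_min": 22,
         "port_max": 22, "remote": {"cidr_block": "0.0.0.0/0"}},
        # The rule the load balancer needs.
        {"id": "r4", "direction": "inbound", "protocol": "tcp", "port_min": 443,
         "port_max": 443, "remote": {"cidr_block": "0.0.0.0/0"}},
        # Private range: not public, so not this check's concern.
        {"id": "r5", "direction": "inbound", "protocol": "tcp", "port_min": 8080,
         "port_max": 8080, "remote": {"cidr_block": "10.0.0.0/8"}},
    ],
}

if __name__ == "__main__":
    for rule in overbroad_inbound_rules(SAMPLE_DEFAULT_SG, [443]):
        print("review rule %s: %s %s-%s from %s" % (
            rule["id"], rule["protocol"], rule.get("port_min"),
            rule.get("port_max"), rule["remote"]))
```

Feed it the `rules` from `GET /security_groups/{id}` for the VPC's default group and the listener ports you intend to create; a non-empty result means either specify purpose-built security groups on `POST /load_balancers` or tighten the default group first.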
Bring Your Own IP (BYOIP) support for VPC. VPC address prefixes are no longer restricted to RFC 1918 addresses. A VPC that both uses non-RFC 1918 addresses and has public connectivity (floating IPs or public gateways) must now be configured with a custom route whose `action` is the new `delegate_vpc` value. Specify this action for destination CIDRs that are non-RFC 1918 and outside the VPC, such as destinations reachable through IBM Cloud® Direct Link, IBM Cloud Transit Gateway, or VPC classic access.
The `delegate_vpc` action is not required if a VPC uses only RFC 1918 addresses or has no public connectivity.
The following API methods have been updated:
- The `delegate_vpc` action appears in the requests and responses for `/vpcs/{vpc_id}/routing_tables/{routing_table_id}/routes`.
- Reserved IP ranges are documented for `POST /vpcs/{vpc_id}/address_prefixes`, which creates an address prefix.
27 January 2021
For all version dates
Checksum (SHA256) for imported images. When you import a custom image to IBM Cloud VPC, you can now view the checksum that was generated for the image during the import operation. By generating a checksum for the image locally, and checking that the checksums match, you can verify the integrity of the imported image. For more information, see Importing and validating custom images into VPC.
The `sha256` checksum is available in the `file` details returned by the API method `GET /images/{id}`. See Retrieve an image.
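The verification described above, as an added example (not IBM code): hash the local image file in chunks and compare it with the service-side value. It assumes the checksum is found at `image["file"]["checksums"]["sha256"]` as hex, which the change log does not state, and the image bytes and responses used by `demo()` are constructed so the code runs offline.

```python
"""Verify a custom image file against the SHA-256 computed during import.

Added example, not IBM code. Assumed response shape:
image["file"]["checksums"]["sha256"] as a hex string. demo() builds a
temporary file and fake GET /images/{id} responses instead of calling the API.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time; image files do not belong in memory


def sha256_of_file(path):
    """Streaming SHA-256 of a file, as a lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, image):
    """True if the local file matches the service-side checksum, False if not.

    Returns None when the response carries no checksum yet (for example while
    the image is still being imported) so callers cannot mistake "not checked"
    for "verified".
    """
    remote = (image.get("file") or {}).get("checksums", {}).get("sha256")
    if not remote:
        return None
    return hmac.compare_digest(sha256_of_file(path).lower(), remote.lower())


def demo():
    """Constructed image bytes plus three fake image responses."""
    data = os.urandom(3 * CHUNK + 123)  # several chunks, not block aligned
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        good = {"id": "img-1", "status": "available",
                "file": {"checksums": {"sha256": hashlib.sha256(data).hexdigest()}}}
        tampered = {"id": "img-1", "status": "available",
                    "file": {"checksums": {"sha256": hashlib.sha256(data + b"x").hexdigest()}}}
        pending = {"id": "img-1", "status": "pending", "file": {}}
        return (verify_image(path, good),
                verify_image(path, tampered),
                verify_image(path, pending))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

In a real pipeline, record the local digest before upload, fetch the image after its status leaves `pending`, and refuse to provision from it unless `verify_image` returns `True`; treat `None` as "wait and retry", never as success.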
19 January 2021
For all version dates
The quantity of memory for virtual server instance profiles is now provisioned in gibibytes (GiB), instead of gigabytes (GB). For example, creating a new `bx2-4x16` virtual server instance provisions the instance with 16 GiB (17,179,869,184 bytes), instead of 16 GB (16,000,000,000 bytes). Virtual server instances that have already been provisioned are not affected.
For version 2021-01-19 or later
For requests using a `version` query parameter of `2021-01-19` or later, memory for virtual server instances is now expressed in gibibytes (GiB), instead of gigabytes (GB). For example, the `memory` property returned from `GET /instances/{id}` now reports in GiB (truncated to a whole number).
16 December 2020
For all version dates
Customer-managed encryption for block storage volumes and encrypted custom images. When you disable or delete a customer root key (CRK) that is encrypting your block storage or custom image resources, the API reports a `status` of `unusable` for these resources, along with the reason code `encryption_key_deleted` or `encryption_key_disabled`.
The `unusable` status appears in the following API methods:
- List all volumes (`GET /volumes`)
- Retrieve a specific volume (`GET /volumes/{id}`)
- List all images (`GET /images`)
- Retrieve the specified image (`GET /images/{id}`)
For more information about key states and resource statuses, see User actions that impact root key states and resource status.
Dedicated hosts are now supported in the VPC API. Learn more about using dedicated hosts and explore the new API methods.
20 November 2020
For all version dates
Datapath log forwarding with IBM Log Analysis is now available for IBM Cloud Application Load Balancer for VPC. Data and health check logs are valuable for debugging, analysis, and maintenance purposes. With the datapath logging feature enabled, your load balancer forwards these logs to your account's IBM Log Analysis dashboard.
View the `logging` property in the following API methods:
- List all load balancers (`GET /load_balancers`)
- Retrieve a load balancer (`GET /load_balancers/{id}`)
For more information, see Datapath log forwarding with IBM Log Analysis.
19 November 2020
For all version dates
Support for ingress routing is included as part of routing tables, which were released on 30 October 2020. Use ingress routing to control the policy for packets that are coming in to your VPC or one of its zones. The policy can vary, depending on the type of source and the destination IP address range.
Routing tables in the VPC API are the same for both egress and ingress routing, with the following additional properties that you can specify for ingress routing:
- `route_direct_link_ingress`
- `route_transit_gateway_ingress`
- `route_vpc_zone_ingress`
For more information, see About routing tables and routes.
13 November 2020
For version 2020-11-13 or later
Static-route-based VPN gateways are now available for requests using a `version` query parameter of `2020-11-13` or later. For a static-route-based VPN gateway, virtual tunnel interfaces are created. Any traffic that is routed to these interfaces with user-defined routes is encrypted. For more information, see About VPN gateways.
30 October 2020
For all version dates
- Custom routing tables are now supported in the VPC API. This feature controls where network traffic is directed on a per-subnet basis. Explore new API methods for routing tables and routes. This feature subsumes the VPC routing API, which remains supported but is deprecated and might be removed in a future API release.
- Virtual private endpoint gateways. Use virtual private endpoint gateways to connect to supported IBM Cloud services from your VPC network by using IP addresses of your choice, allocated from a subnet within your VPC. For more information, see About virtual private endpoint gateways.
- VPC network interfaces. IP anti-spoofing checks were already enforced for enhanced security. However, certain use cases, such as having a virtual server instance act as a network gateway, require selectively disabling these checks. To accommodate these use cases, if you have the `is.instance.instance.ip-spoofing` IAM action, you can now enable the `allow_ip_spoofing` property when you create a network interface, or toggle the property when you update an existing network interface. See also About IP spoofing checks.
- Proxy protocol for application load balancers for VPC. When you configure a load balancer pool to use proxy protocol, the pool passes information about the client to a back-end pool member when a connection is opened. You can also configure a load balancer listener to accept proxy protocol information. This is useful when the client is itself a proxy (connected to, in turn, by the actual client) that supports the proxy protocol; the client information can then be obtained and passed on to any pools that themselves have proxy protocol enabled. For more information, see Enabling proxy protocol.
5 October 2020
For all version dates
Encrypted images. Use the VPC API to create your own image, encrypt it with your own key, and import it, encrypted, into IBM Cloud. After you import the image, use it like any other image. If you use the image to provision an instance, its boot volume is encrypted using the image's root encryption key or another root encryption key of your choosing.
Dive into the APIs to import an encrypted image and provision an instance from that encrypted image. See also Creating an encrypted custom image.
31 August 2020
For all version dates
Network load balancers. You can now use the load balancers API to distribute traffic among multiple server instances within the same region of your VPC. To learn how to create and manage a network load balancer, see About IBM Cloud Network Load Balancer for VPC.
The load balancers API is shared between IBM Cloud application load balancers and network load balancers.
25 August 2020
For all version dates
This API release supports the following changes:
- Create an instance group of a fixed size and use it as a stand-alone feature
- Use the instance group manager to manage the instance group, which can associate an auto scale policy with that group
For more information, see Creating an instance group for auto scaling.
The following new methods are available for instance groups:
- `GET` and `POST` for `/instance_groups`
- `DELETE`, `GET`, and `PATCH` for `/instance_groups/{id}`
- `DELETE` for `/instance_groups/{instance_group_id}/load_balancer`
- `GET` and `POST` for `/instance_groups/{instance_group_id}/managers`
- `DELETE`, `GET`, and `PATCH` for `/instance_groups/{instance_group_id}/managers/{id}`
- `GET` and `POST` for `/instance_groups/{instance_group_id}/managers/{instance_group_manager_id}/policies`
- `DELETE`, `GET`, and `PATCH` for `/instance_groups/{instance_group_id}/managers/{instance_group_manager_id}/policies/{id}`
- `GET` for `/instance_groups/{instance_group_id}/memberships`
- `DELETE`, `GET`, and `PATCH` for `/instance_groups/{instance_group_id}/memberships/{id}`
You can also use the new instance template feature independently of auto scale. For example, create a template, and then create instances from that template, without creating an instance group.
The following new endpoints are now available for instances:
- `GET` and `POST` for `/instance/templates`
- `GET`, `PATCH`, and `DELETE` for `/instance/templates/{id}`
`POST /instances` now supports a `source_template` property.
23 July 2020
For all version dates
The flow log collectors API is now generally available.
22 July 2020
For all version dates
This API release supports the following enhancements for customer-managed encryption for block storage boot and data volumes:
- `POST /instances`: create an instance and a new volume, encrypted with your customer root key (CRK). CRKs are imported to IBM Cloud or created in a key management service.
- `POST /volumes`: create an unattached data volume, encrypted with your CRK.
12 May 2020
For all version dates
Configure load balancer pool resources and their health monitors to use the HTTPS protocol. This enhancement enables end-to-end SSL encryption with HTTPS listeners, along with HTTPS health checks for increased availability. See the load balancers API.
1 May 2020
For all version dates
This API release supports the following changes:
- Flow log collectors API is available as beta
- `GET /security_groups` now supports `vpc.crn` and `vpc.name` filters
17 April 2020
For all version dates
IBM Cloud interprets volume capacity units in gibibytes, but the API documentation used gigabytes. This issue is now resolved in the documentation.
10 April 2020
For all version dates
Usage recommendations are provided for the following load balancer properties:
- `protocol` property for load balancer pools
- `type` property for load balancer pool health monitors
The guidance notes that new values for these properties might be added in the future, and unexpected values are handled gracefully. See the load balancers API.
6 February 2020
For all version dates
Support is temporarily suspended for creating instances from an existing boot volume. This feature was available through the API only, with no CLI or UI support. In the interim, you must specify the `image` property when you call `POST /instances`.
You can still create instances that reference existing data volumes.
3 December 2019
For all version dates
Device IDs are now shown when you retrieve an instance's volume attachments.
26 November 2019
For all version dates
This API release supports the following changes:
- Network access control list (ACL) methods
- Instance filtering by VPC
21 November 2019
For all version dates
A VPC’s cloud service endpoint source IPs now appear in output. Learn about cloud service endpoint source addresses and how DNS resolves shared cloud service endpoints.
5 November 2019
For all version dates
This API release supports the following changes:
- Load balancers API is available as beta
- VPN gateways are available as beta
- Pagination is now supported for instances
- Classic access to VPCs (also known as classic peering) is supported