Release notes for IBM Cloud VPC

10 April 2025

Private path connectivity from IBM Cloud to on-premises locations (select availability)

Accounts with special approval can now connect a consumer service running in IBM Cloud to an on-premises provider service using an ALB as a member of a Private Path NLB pool. This allows you to target on-premises resources while maintaining a private path across IBM Cloud. For more information, see Using an ALB with a Private Path NLB to host services outside a VPC.

NVIDIA Hopper-1 cluster network profile

The Hopper-1 cluster network profile is now available for IBM Cloud cluster networks. It provides isolated networks for Hopper HGX instances running workloads that require high-bandwidth, low-latency interconnectivity, such as AI training and large-scale simulations. The Hopper-1 network profile supports both H100 and H200 instance profiles. For more information, see NVIDIA Hopper-1 cluster network profile.

8 April 2025

SNI hostname layer-7 rule for application load balancers

A new layer 7 rule for policy matching with application load balancers is now available. The SNI hostname rule allows you to match policy requests when the server provided in the "server name indication" extension during TLS negotiation matches a specified SNI hostname. For more information, refer to Policy-based load balancing.

Policy based layer-4 load balancing for application load balancers

You can now employ layer-4 load balancing policies when using application load balancers. Similar to layer-7 policies, a layer-4 policy is applied with the lowest priority first and only when all of its designated rules are matched. The following actions are supported for layer-4 policies:

• Forward To pool - The request is sent to a specific back-end pool.
• Forward To listener - The request is sent to a specific front-end listener.

For more information, refer to Layer-4 policies.

27 March 2025

Confidential computing with Intel Trusted Domain Extension (TDX) for Virtual Servers for VPC (select availability)

Confidential computing with Intel® Trusted Domain Extension (TDX) for VPC is available only in the Washington DC (us-east) region. Confidential computing with Intel TDX offers confidentiality to virtual machines by providing CPU enhancements that are leveraged by the firmware and hardware to provide confidentiality and integrity. For more information, see Confidential computing for x86 Virtual Servers for VPC. When you create a virtual server instance with a confidential computing profile and Intel Trusted Domain Extension (TDX), you can create that virtual server instance only in the Washington DC (us-east) region. You can’t create a virtual server instance with TDX in any other region, including Dallas (us-south) and Frankfurt (eu-de). For more information, see Confidential computing known issues.

25 March 2025

IBM Cloud Logs private endpoint support for HPVS logging

IBM Cloud Logs private endpoint support is now added for HPVS logging. For more information, see IBM Cloud Logs (ICL).

19 March 2025

Intel Gaudi 3 accelerated virtual server profile now available in Washington DC (us-east) and Frankfurt (eu-de) regions (select availability)

The Intel Gaudi 3 accelerated virtual server profile is now available in the Washington DC (us-east) and Frankfurt (eu-de) regions. The Intel Gaudi 3 profile runs on an Intel Gaudi 3 AI Accelerator that is tuned for AI workloads, including inferencing and fine-tuning. For more information about the gx3d-160x1792x8gaudi3 profile, see GPU profiles and Intel Gaudi 3 instance profiles.

17 March 2025

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-21 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-21, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Updated workload section for Hyper Protect Secure Build

The workload section for Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-21. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC.

13 March 2025

Montreal region now available

The Montreal region is now available for provisioning the 3rd generation of virtual servers and dedicated hosts. You can provision 2nd generation bare metal servers from the balanced family on Cascade Lakes hardware. For more information, see IBM Cloud region and data center locations for resource deployment. Storage services are also available, except for the Cross-regional replication feature for file shares and cross-regional copy feature for block volume snapshots. Block volume snapshots are temporarily routed to Cloud Object Storage in the WDC MZR instead of Montreal to provide proper data protection until a local KMS service is provided in the region. For more information see, Storage known issues.

05 March 2025

Backup pool support for load balancers

You can now manage potential failures in your environment by assigning a failover pool to an existing pool. For more information, refer to Creating an application load balancer in the UI.

4 March 2025

Very High Memory (vx3d) profiles for SAP-HANA now available in Washington DC (select availability)

The Very High Memory (vx3d) profiles for SAP-HANA are now available in Washington DC (us-east) for both x86-64 profiles and x86-64 dedicated host profiles. This region is in addition to the Toronto (ca-tor) region. For more information, see x86-64 Very High Memory profiles and x86-64 dedicated host Very High Memory with instance storage. For more information about the Multizone regions, see Region and data center locations for resource deployment.

26 February 2025

Workload update for Hyper Protect Secure Build

The workload section of the Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-20. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC. Clone the latest Secure-Build-Cli to create a Hyper Protect Secure Build server.

18 February 2025

Storage_generation API property

An informational API property is introduced for Block Storage volume profiles, volumes, and snapshots to help identify which storage generation the volumes and snapshots belong to. When you create a volume, it inherits the generation value from the volume profile that is selected. When you create a snapshot of a block volume, the snapshot inherits the storage_generation from the source_volume. Similarly, when a volume is created from a snapshot, it inherits the storage_generation value from the snapshot. For more information, see Viewing available volume profiles.

Mount Helper utility - new region values

After you install the Mount Helper on your virtual server instance, you must specify the region where you want to use the utility to mount file shares. The accepted values for the region are changed to match the VPC region names. The old values are still accepted on existing instances. For more information, see the IBM Cloud File Share Mount Helper utility.

14 February 2025

Storage optimized profiles are now available in all regions

Storage optimized profiles (ox2) are now available in all regions. For more information on Storage optimized profiles, see x86-64 instance profiles: Storage Optimized.

12 February 2025

GPU H200 profile now available in Washington DC (us-east) and Frankfurt (eu-de) regions (select availability)

The GPU H200 profile is now available in the Washington DC (us-east) and Frankfurt (eu-de) regions. The GPU H200 profile is available on the latest generation GPU-enabled infrastructure for running machine learning (ML) and deep learning (DL) frameworks in support of AI initiatives. When you use the H200 virtual server profile, it runs on an NVIDIA Hopper-based HGX server and is the sole tenant running on the host. For more information about the gx3d-160x1792x8h200 profile, see GPU profiles.

14 January 2025

Confidential computing with Intel Trusted Domain Extension (TDX) for Virtual Servers for VPC (beta)

Confidential computing with Intel® Trusted Domain Extension (TDX) for VPC is available for select customers. Contact IBM Sales if you are interested in being allowlisted and using this offering. Confidential computing with Intel TDX offers confidentiality to virtual machines by providing CPU enhancements that are leveraged by the firmware and hardware to provide confidentiality and integrity. Confidential computing with Intel TDX for VPC is available only in the Washington DC (us-east) region. For more information, see Confidential computing for x86 Virtual Servers for VPC.

17 December 2024

File share snapshots

Snapshots are point-in-time copies of your file share. The file share snapshots can be used to restore individual files, or create other file shares in the same zone with the data that's captured by the snapshot. You can create snapshots manually in the console or from the CLI, and programmatically with the API. You can also schedule the snapshots to be created automatically at regular intervals by using the Backup for VPC service. For more information, see About File Storage for VPC snapshots.

10 December 2024

Cluster networks for VPC (GA)

Cluster Networks for VPC is now generally available. Cluster networks provide high-bandwidth, low-latency networking for workloads such as AI training and large-scale simulations. Review Planning considerations for cluster networks before you create a cluster network. Cluster network profiles define the cluster network performance characteristics and capabilities. Learn more about the H100 cluster network profile, the first cluster network profile being introduced. It provides a specialized network that implements the RoCEv2 protocol to enable remote direct memory access for your workloads that are running on the gx3d-160x1792x8h100 instance profile. For more information, see About cluster networks.

06 December 2024

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-20 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-20, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Base 64 support for rsyslog configuration

The syslog certificates and the key can be given in base64 format. For more information, see Syslog.

Updated workload section for Hyper Protect Secure Build

The workload section for Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-20. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC.

18 November 2024

Reservations for Bare Metal Servers for VPC (GA)

Reservations for Bare Metal Servers for VPC is now generally available. A reservation is a great option if you want guaranteed resources for future deployments and cost savings. You can choose between either a 1 or 3-year contract term for your reservation. For more information about reservations, see About Reservations for VPC.

Automatic attachments for Reservations (GA)

Automatic attachments for Reservations are now generally available. You can use automatic attachments to automatically attachment resources to a reservation. For more information, see Automatic attachments for Reservations.

12 November 2024

Private Path services for VPC

Private Path services are now generally available. Private Path services provide targeted and directional connectivity between VPCs and accounts, allowing only consumers to initiate connections to the provider's service endpoint. Explicit authorization gives providers full control of who can access their services. A Private Path service requires a Private Path network load balancer to deploy a service on IBM Cloud, as well as a Virtual Private Endpoint (VPE) gateway for consumers to connect to the service. To get started, providers can create a Private Path service. For more information, see the Private Path solution guide.

Cluster networks for VPC (select availability)

Cluster Networks for VPC is now selectively available for select customers. Contact IBM Support if you are interested in using this functionality. Cluster networks provide high-bandwidth, low-latency networking for workloads such as AI training and large-scale simulations. You can now create cluster networks using a cluster network profile, which defines the cluster network performance characteristics and capabilities. The H100 cluster network profile is the first cluster network profile being introduced. It provides a specialized network that implements the RoCEv2 protocol to enable remote direct memory access for your workloads that are running on the gx3d-160x1792x8h100 instance profile. For more information, see About cluster networks.

29 October 2024

File share replication enhancement

You can now schedule to replicate your data between your source and replica file shares as often as every 15 minutes. This feature is available in the console, from the CLI, or with the API.

Hyper Protect Secure Build

The workload section of the Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-19. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC. Clone the latest Secure-Build-Cli to create a Hyper Protect Secure Build server.

24 October 2024

Allow SSH and Allow ping are not selected by default when creating a VPC in IBM Cloud console

When you create a virtual private cloud by using IBM Cloud console, the default security group settings for Allow SSH and Allow ping are now not selected by default, ensuring the most secure option by default. During VPC creation, you can select Allow SSH and Allow ping as needed for your VPC configuration. For more information see, Creating a VPC and subnet.

18 October 2024

Deploy a route-based VPN in active/active mode

When creating connections for a route-based VPN, you can now enable the distribution of traffic between the Up tunnels of the VPN gateway connection when a VPC route's next hop is the VPN connection. To accomplish this, you must enable the "distribute traffic" feature when creating or adding a connection to a route-based VPN gateway. For more information, see the Distributing traffic for a route-based VPN use case.

15 October 2024

Linux SysRq key now available to troubleshoot Linux virtual server instance

When a Linux virtual server instance becomes unresponsive, you can now use Linux SysRQ key to troubleshoot the virtual server from the serial console. For more information, see How can I use Linux SysRq key to troubleshoot a Linux virtual server instance from the serial console?.

08 October 2024

GPU H100 profile now available in Dallas (us-south) and Frankfurt (eu-de) regions (select availability)

The GPU H100 profile is now available in the Dallas (us-south) and Frankfurt (eu-de) regions, in addition to London (eu-gb), Sydney (au-syd), Toronto (ca-tor), Madrid (eu-es), Washington DC (us-east), Tokyo (jp-tok), and Sao Paulo (br-sao) regions. The GPU H100 profile is available on the latest generation GPU-enabled infrastructure for running machine learning (ML) and deep learning (DL) frameworks in support of AI initiatives. When you use the H100 virtual server profile, it runs on an NVIDIA Hopper-based HGX server and is the sole tenant running on the host. For more information about the gx3d-160x1792x8h100 profile, see GPU profiles.

30 September 2024

Tagging VPC routing tables

VPC routing tables now support a cloud resource name (CRN) as an identifier when creating and updating routing tables. When reassigning the routing table for a subnet, the new routing table for the subnet can now optionally be specified by its CRN.

Now that routing tables have a CRN, VPC routing tables can be tagged, and access to VPC routing tables can be controlled by using tags.

26 September 2024

File Storage for VPC monitoring

You can monitor the read and write throughput, read and write IOPS, number of mount targets, and capacity usage of your share over time in the IBM Cloud console. For more information, see Getting started with monitoring and Monitoring metrics for File Storage for VPC.

25 September 2024

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-19 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-19, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

HPVS supports IBM Cloud Logs

HPVS supports IBM Cloud Logs solution. For more information, see ICL.

IBM log analysis is deprecated

Migrate HPVS instances to IBM Cloud log. For more information on migration, see Steps to migrate for existing customers.

24 September 2024

Block Storage for VPC snapshots for cross-account restore

You can now share a snapshot with another account and allow the other account to create volumes with the snapshot. To do so, you must set up cross-account authorization in Cloud Identity and Access Management, and share the CRN of the snapshot with the other account. The other account's authorized storage administrator can use the CRN to create a volume in the console, from the CLI, with the API, or Terraform. For more information, see Sharing a snapshot with another account in the console and Restoring a volume from a snapshot.

23 September 2024

Backup service integration with Event Notifications

Backup jobs that create or delete backup snapshots run according to the backup plan and the retention policy. You can now set up a connection between the Backup service and Event Notifications and receive notifications to your preferred destinations if a backup job fails. For more information, see Enabling event notifications for Backup for VPC.

20 September 2024

GPU H100 profile now available in Tokyo (jp-tok) and Sao Paulo (br-sao) regions (select availability)

The GPU H100 profile is now available in the Tokyo (jp-tok) and Sao Paulo (br-sao) regions, in addition to London (eu-gb), Sydney (au-syd), Toronto (ca-tor), Madrid (eu-es), and Washington DC (us-east). The GPU H100 profile is now available on the latest generation GPU-enabled infrastructure for running machine learning (ML) and deep learning (DL) frameworks in support of AI initiatives. When you use the H100 virtual server profile, it runs on an NVIDIA Hopper-based HGX server and is the sole tenant running on the host. For more information about the gx3d-160x1792x8h100 profile, see GPU profiles.

Secure boot for Virtual Servers for VPC (GA)

Secure boot is now generally available. Secure boot is a security standard that makes sure that your server starts with trusted software by verifying the digital signatures for all code in the boot process. When a server starts in secure boot mode, the firmware checks the signature of the boot software, including UEFI firmware drivers, EFI applications, and the operating system. If the signatures are valid, the server boots, and the firmware grants control to the operating system. Which means that secure boot helps prevent malicious software from loading when your server starts. For more information, see Secure boot for Virtual Servers for VPC.

18 September 2024

Next generation instance profiles available in Sao Paulo (br-sao) region (GA)

The 3rd generation of IBM Cloud Virtual Servers for VPC are now available in the Sao Paulo (br-sao) region, in addition to the Dallas (us-south), London (eu-gb), Frankfurt (eu-de), Washington DC (us-east), Toronto (ca-tor), Madrid (eu-es), Sydney (au-syd), Tokyo (jp-tok), and Osaka (jp-osa) regions. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

17 September 2024

Very High Memory profiles for SAP-HANA (select availability)

New Very High Memory profiles for SAP-HANA are now available. These profiles are only available in Toronto (ca-tor) region. For more information, see x86-64 Very High Memory profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

11 September 2024

Hyper Protect Secure Build

The workload section for Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-18. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC.

10 September 2024

Zone Maps and Universal Names for Zones

Account specific zone mapping has been introduced in all regions. Zones have an extra name that can serve as a global, cross-account identifier. A zone's universal name is documented per region and can be viewed when you view or retrieve a zone. For more information, see Zone mapping per account.

05 September 2024

Red Hat Enterprise Linux AI BYOL custom images (GA)

The Red Hat Enterprise AI (RHEL AI) operating system can be imported as a bring your own license (BYOL). An RHEL AI qcow2 file is available directly from Red Hat. For more information, see Red Hat Enteprise Linux AI BYOL custom images.

03 September 2024

GPU H100 profile available in select regions (select availability)

The GPU H100 profile is now available on the latest generation GPU-enabled infrastructure for running machine learning (ML) and deep learning (DL) frameworks in support of AI initiatives. The GPU H100 profile is available in the following regions: London (eu-gb), Sydney (au-syd), Toronto (ca-tor), Madrid (eu-es), and Washington DC (us-east). When you use the H100 virtual server profile, it runs on an NVIDIA Hopper-based HGX server and is the sole tenant running on the host. For more information about the gx3d-160x1792x8h100 profile, see GPU profiles.

28 August 2024

Reservations for Bare Metal Servers for VPC (beta)

Reservations for Bare Metal Servers for VPC is now available as a beta feature. A reservation is a great option if you want guaranteed resources for future deployments and cost savings. You can choose between either a 1 or 3-year contract term for your reservation. For more information about reservations, see About Reservations for VPC.

21 August 2024

Select availability for Hyper Protect Virtual Servers for VPC profiles

Instance profiles for the Hyper Protect Virtual Server instances are available in the Dallas (us-south), US East (Washington, DC), Toronto (ca-tor), São Paulo (br-sao), London (eu-gb), Frankfurt (eu-de), Madrid (eu-es), and Tokyo (jp-tok) regions.

15 August 2024

IBM Wazi as a Service available in Frankfurt (eu-de) region

IBM Wazi as a Service (Wazi aaS) is now available in the Frankfurt (eu-de) region in IBM Cloud. For more information, see IBM Wazi as a Service product page.

7 August 2024

UI enhancement: Filter instance profiles by business scenario

When provisioning a virtual server, you can now use the By scenario tab on the Select an instance profile page to narrow the results to include only applicable instance profiles. For example, you can filter profiles by the following business scenarios: SAP; Web Development and Test; HPC; Confidential computing; AI, Deep learning & Machine learning; Visualizations, VDI; and Storage optimized. When a specific filter is selected, the profile results display only the profiles related to the defined business scenario.

5 August 2024

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-18 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-18, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Hyper Protect Virtual Servers image now supports IBM Cloud Log analysis renewed certificate that is signed with Digicert Global Root G2.

22 July 2024

Hyper Protect Secure Build

The workload section for Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-17. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC.

18 July 2024

Reinitialization on Bare Metal Servers for VPC (GA)

With the new Reinitialization action on Bare Metal Servers for VPC, you can reinitialize the bare metal server. This action is not available if the status is Running or if the bare metal server was provisioned with a boot volume. You can only reinitialize a bare metal server that is stopped or failed. When the bare metal server is reinitialized, the contents of the boot disk are wiped and the specified operating system is installed. The server retains the same physical node, interfaces, IP addresses, and resource IDs. Data on secondary drives is preserved. For more information, see Managing Bare Metal Servers for VPC.

08 July 2024

Parameterized redirect for application load balancers

You can now redirect traffic on Uniform Resource Identifier (URI), as well as other customizable parameters, when creating load balancer listener policies using the updated Redirect to URL action. You can redirect traffic to a dynamic URL through the application load balancer. You can also enter a static URL or retain the values from the incoming traffic request by using the default values of the URL parameters. This includes the protocol, port, host, path, and query, which, as a combination, makes the URL dynamic. For more information, refer to Layer 7 load balancing.

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-17 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-17, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

28 June 2024

Hyper Protect Secure Build

The workload section for Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-17. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC.

27 June 2024

Sapphire Rapids (x3 and x3d) x86-64 bare metal server profiles (Select availability)

Sapphire Rapids (x3 and x3d) x86-64 bare metal server profiles are now available in the Dallas (us-south) region. For more information, see x86-64 bare metal server profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

25 June 2024

Sharing file share data between accounts and services

With this new feature, administrators with the correct authorizations can share an NFS file system across multiple accounts. It's useful for customers who manage multiple accounts and need to share data across different VPCs. Customer can also share their File Storage for VPC shares with the IBM watsonX service. For more information, see About File Storage for VPC.

24 June 2024

Update firmware on Bare Metal Servers for VPC (GA)

The new Update firmware action on Bare Metal Servers for VPC is now generally available. You can see if a firmware update is available for your bare metal server and also initiate the update. You can use the UI, CLI, and API to update the firmware. In the UI, this action is only visible if the server is stopped and there is a firmware update available. It is recommended to back up your bare metal server before any firmware update. For more information, see Managing Bare Metal Servers for VPC.

20 June 2024

UI Enhancements to Images for VPC

The Images for VPC UI includes multiple enhancements. When you click any image name, a side panel is displayed for that specific image. From this Details page, you can review both the Details and IDs for the selected image. You can also click Continue to provisioning which takes you to Virtual server for VPC, where you can create a virtual server instance with the selected image.

Images for VPC also now includes the ability to filter the list of images with the following options.

• Region
• Operating system
• Architecture
• Deployment target
• Status

When you select a catalog image on Virtual server for VPC to create a virtual server instance, you are now prompted to Select version and pricing plan. From here, you can select the version and pricing plan for the catalog image, which must be completed first. You can then select to Save the catalog image.

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-16 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-16, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Base64 format of the attestationPublicKey

Besides the plain text format of the attestation public key, you can also use its base64 format to encrypt the attestation document during the contract preparation. For more information, see Preparing the attestation.

06 June 2024

Generic operating system custom images with Virtual Server Instances and Bare Metal Servers for VPC (GA)

Generic operating system custom images is now generally available. When you create a server on IBM Cloud® Virtual Private Cloud (VPC) using an x86 profile, you can use an operating system that is not listed in IBM Cloud by specifying a generic operating system custom image. You can create this custom image by specifying one of the new operating systems with properties that indicate it is generic. When you provision a server by using a generic operating system custom image, most operating system-specific provisioning steps aren't performed, such as console setup and automatic registration. You must provide the appropriate user data if you want your generic operating system custom image to perform these steps. For more information, see Generic operating system custom images and Creating a generic operating system custom image.

Network boot of operating systems with Bare Metal Servers for VPC (GA)

Network boot of operating systems is now generally available. When you create a bare metal server on IBM Cloud® Virtual Private Cloud (VPC), you can select to network boot an operating system over the network. The operating system image can be hosted on your own server or on a public server. You can install the booted operating system to a disk or you can run the operating system without a disk. For more information, see Network booting your own operating system with Bare Metal Servers on VPC.

31 May 2024

Update firmware on Bare Metal Servers for VPC (beta)

With the new Update firmware action on Bare Metal Servers for VPC, you can see if a firmware update is available for your bare metal server and also initiate the update. You can use the UI, CLI, and API to update the firmware. In the UI, this action is only visible if the server is stopped and there is a firmware update available. It is recommended to back up your bare metal server before any firmware update. For more information, see Managing Bare Metal Servers for VPC.

Protocol state filtering on virtual network interfaces can be updated

Protocol state filtering works well if the packet forwarding path and the return path are the same, and if the packet forwarding path is never changed. However, the VPC routing table supports two-way ECMP routes. When a two-way ECMP route is configured, the forward path might differ from the return path and protocol state filtering can cause legitimate packets to drop. You can now disable protocol state filtering when intermittent routing issues occur. For more information, see Protocol state filtering mode.

Third-party image billing and metering (GA)

When you select a catalog image, you now have associated billing plans to choose from. Catalog images are billed in one of the following ways.

• Free trial
• Useage-based billing
• BYOL

30 May 2024

Next generation instance profiles available in Tokyo and Osaka regions (select availability)

The 3rd generation of IBM Cloud Virtual Servers for VPC are now available as a select availability offering in the Tokyo (jp-tok) and Osaka (jp-osa) regions, in addition to the Dallas (us-south), London (eu-gb), Frankfurt (eu-de), Washington DC (us-east), Toronto (ca-tor), Madrid (eu-es), and Sydney (au-syd) regions. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

Security group support for secondary IP addresses (GA)

You can now attach both primary and secondary IP addresses to a security group to refine the binding of security groups rules to a particular port IP instead of all IPs belonging to the port. Also, security group rules now support both source and destination on ingress and egress rules. This allows customers with multiple, secondary private IP addresses associated with a single vNIC to have the ability to apply security group rules to source and destination IP addresses, thus enabling finer granularity in security rules. This enhancement provides the capability to secure the primary IP different from the secondary IPs, and also applies to VIP prefixes (custom routes) used with a vNIC with IP spoofing disabled. For more information, see Applying security group rules to source and destination IP addresses.

29 May 2024

Confidential computing with Intel Software Guard Extensions (SGX) for Virtual Servers for VPC (select availability)

Confidential computing with Intel® Software Guard Extensions (SGX) protects your data through hardware-based server security by using isolated memory regions that are known as encrypted enclaves. This hardware-based computation helps protect your data from disclosure or modification. Which means that your sensitive data is encrypted while it is in virtual server instance memory by allowing applications to run in private memory space. To use SGX, you must install the SGX drivers and platform software on SGX-capable worker nodes. Then, design your app to run in an SGX environment. Confidential computing with Intel SGX for VPC is available only in US-South (Dallas) region. For more information, see Confidential computing with Intel Software Guard Extensions (SGX) for Virtual Servers for VPC.

14 May 2024

Next generation instance profiles available in Sydney region (select availability)

The 3rd generation of IBM Cloud Virtual Servers for VPC are now available as a select availability offering in the Sydney (au-syd) region, in addition to the Dallas (us-south), London (eu-gb), Frankfurt (eu-de), Washington DC (us-east), Toronto (ca-tor), and Madrid (eu-es) regions. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

03 May 2024

Advertise routes to transit gateway and direct link for ingress routing integration

VPN for VPC now allows route advertisement so that on-prem CIDR blocks can be advertised to other VPCs without creating address prefixes. For more information, see Configuring route propagation for VPN gateways. For more information about migrating to advertised routes, see VPN for VPC migration to advertise routes.

Client VPN for VPC now allows route advertisement so that on-prem CIDR blocks can be advertised to other VPCs by creating a deliver action instead of a translate action. For more information, see Configuring route propagation for VPN servers. For more information about migrating to advertised routes, see Client VPN for VPC migration to advertise routes.

VPN for VPC: Configurable IKE identity and peer FQDN

When you configure a VPN gateway connection, you can now specify a peer FQDN as the peer gateway address. This allows you to use a dynamic public IP on the peer gateway. The VPN gateway connection also supports configuring the IKE identity with supported types: IPv4 address, FQDN, Hostname, and Key ID. The default local IKE identity value is the public IP address of the active member of the VPN gateway while the default peer IKE identity value is the peer gateway address or FQDN.

You can control which side initiates IKE protocol negotiations and rekeying processes on the VPN gateway connection. By default, the VPN gateway initiates IKE protocol negotiations and rekeying processes while also accepting IKE protocol negotiations or rekeying from the peer gateway. You can disable the VPN gateway from initiating IKE protocol negotiations and rekeying processes, and instead accept only the peer gateway to initiate IKE protocol negotiations and rekeying processes by setting Establish mode to Peer only. This enhancement enables you to connect the peer gateway behind a firewall and avoid conflicts in IKE negotiations. For more information, see Creating a VPN gateway.

Ubuntu 24.04 now available to provision virtual servers

Support for the Ubuntu 24.04 release, codenamed "Noble Numbat", is now available. You can use the ibm-ubuntu-24-04-minimal-amd64-1 stock image to provision virtual server instances. After the virtual server is created, you can also use it as a starting point for a custom image by creating an image from the boot volume of the virtual server.

02 May 2024

GPU l4 and l40S profiles now available in Brazil region (GA)

The l4 and l40S GPU profiles are now available in the São Paulo (br-sao) region. With this additional region, these profiles are now available in all regions. For more information, see GPU x86-64 instance profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

18 April 2024

Third-party image billing and metering (beta)

When you select a catalog image, you now have associated billing plans to choose from. Catalog images are billed in one of the following ways:

• Free trial
• Usage-based billing
• BYOL

09 April 2024

Generic operating system custom images with Virtual Server Instances and Bare Metal Servers for VPC (beta)

When you create a server on IBM Cloud® Virtual Private Cloud (VPC) using an x86 profile, you can use an operating system that is not listed in IBM Cloud by specifying a generic operating system custom image. You can create this custom image by specifying one of the new operating systems with properties that indicate it is generic. When you provision a server by using a generic operating system custom image, most operating system-specific provisioning steps aren't performed, such as console setup and automatic registration. You must provide the appropriate user data if you want your generic operating system custom image to perform these steps. For more information, see Generic operating system custom images and Creating a generic operating system custom image.

Network boot of operating systems with Bare Metal Servers for VPC (beta)

When you create a bare metal server on IBM Cloud® Virtual Private Cloud (VPC), you can select to network boot an operating system over the network. The operating system image can be hosted on your own server or on a public server. You can install the booted operating system to a disk or you can run the operating system without a disk. For more information, see Network booting your own operating system with Bare Metal Servers on VPC.

08 April 2024

Next generation instance profiles available in Madrid region (select availability)

The 3rd generation of IBM Cloud Virtual Servers for VPC are now available as a select availability offering in the Madrid (eu-es) region, in addition to the Dallas (us-south), London (eu-gb), Frankfurt (eu-de), Washington DC (us-east), and Toronto (ca-tor) regions. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

03 April 2024

Next generation instance profiles available in Toronto region (select availability)

The 3rd generation of IBM Cloud Virtual Servers for VPC are now available as a select availability offering in the Toronto (ca-tor) region, in addition to the Washington DC (us-east), Dallas (us-south), London (eu-gb), and Frankfurt (eu-de) regions. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

29 March 2024

Sharing DNS resolution for endpoint gateways across VPCs

When multiple VPCs are connected together using Transit Gateway, Direct Link, or other connectivity options, a VPC in the connected topology can now be enabled as a DNS hub to centralize the DNS resolution for Virtual Private Endpoint (VPE) gateways. For more information, see About DNS sharing for VPE gateways.

28 March 2024

VMware ESXi 7 End of Market for Bare Metal for VPC

VMware ESXi image on Bare Metal Servers for VPC will no longer be available when you provision a bare metal for VPC servers. If looking to deploy a VMware solution in VPC, consider provisioning VMware Cloud Foundation (VCF) through IBM Cloud VMware Solutions. For more information about this solution, see VMware Cloud Foundation overview. For more information on the updated packaging and pricing for VMware® portfolio, see Packaging and pricing for VMware by Broadcom.

Next generation instance profiles available in Washington DC region (select availability)

The 3rd generation of IBM Cloud Virtual Servers for VPC are now available as a select availability offering in the Washington DC (us-east) region, in addition to the Dallas (us-south), London (eu-gb), and Frankfurt (eu-de) regions. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

26 March 2024

Security group support for secondary IP addresses (select availability)

Accounts that are granted special approval to preview this feature can now attach both primary and secondary IP addresses to a security group to refine the binding of security groups rules to a particular port IP instead of all IPs belonging to the port. Also, security group rules now support both source and destination on ingress and egress rules. This allows customers with multiple, secondary private IP addresses associated with a single vNIC to have the ability to apply security group rules to source and destination IP addresses, thus enabling finer granularity in security rules. This enhancement provides the capability to secure the primary IP different from the secondary IPs, and also applies to VIP prefixes (custom routes) used with a vNIC with IP spoofing disabled. For more information, see Applying security group rules to source and destination IP addresses.

25 March 2024

Reservations for VPC (GA)

Reservations for VPC are now GA (generally available). A reservation is a great option if you want guaranteed resources for future deployments and cost savings. You can choose between either a 1 or 3-year contract term for your reservation. Reservations are available the Dallas (us-south), Washington DC (us-east), São Paulo (br-sao), Toronto (ca-tor), London (eu-gb), Frankfurt (eu-de), Madrid (eu-es), Osaka (jp-osa), Tokyo (jp-tok), and Sydney (au-syd) multizone regions (MZRs). For more information, see About reservations for VPC.

22 March 2024

Private Path Services for VPC (Beta)

Accounts that are granted special approval to preview this feature can now create a Private Path service and Private Path network load balancer.

Private Path services provide private connectivity for IBM Cloud and third-party services. A Private Path service requires a Private Path network load balancer to deploy a service on IBM Cloud and a Virtual Private Endpoint (VPE) gateway for consumers to connect to the service. Traffic stays on the IBM Cloud backbone without traversing the public internet.

For more information, see the Private Path solution guide. If you are interested in getting early access to this beta offering, contact your IBM Support representative.

21 March 2024

UI Enhancement to SSH Keys

The UI process for uploading SSH keys is improved where you Select SSH key input method. Improvements were made to the ability to copy and paste, drag and drop, and the upload buttons. Previously, these three actions were all individually located. These actions are now combined to use the same space within the UI.

15 March 2024

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-15 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-15, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

You can also set the expiry of contract during signature. Contract signature is an optional feature that can be used with the contract. You can choose to sign a contract before it is passed as input. Contracts that are in plain text or encrypted can be signed. Certificate can also be parsed as base64 string. For more information, see Contract Signature

Validation of the contract signature is done by the Hyper Protect Virtual Servers for VPC image. You can validate the certificates that you download for contract encryption and attestation. For more information, see Validating the Certificates

Updated workload section for Hyper Protect Secure Build

The workload section for Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-15. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC.

From April 15, only the latest IBM Hyper Protect Container Runtime image will be available on IBM Cloud GUI. For more information, see Downloading the encryption certificate and extracting the public key

12 March 2024

Virtual Network Interfaces for VPC

A new feature is generally available in the Virtual Private Cloud (VPC) service that expands the support for virtual network interfaces. The following features are available.

• Virtual network interfaces have an independent lifecycle, which means that when you delete a resource to which the virtual network interface is attached, the virtual network interface persists and retains its IP address.
• New instances and bare metal servers can be created with virtual network interfaces attached to new child resources called network attachments.
• Virtual network interfaces support secondary IP addresses.
• For compatibility with existing clients, instances and bare metal servers with virtual network interfaces include a read-only representation of their network attachments and virtual network interfaces as legacy network interface child resources.
• For instances and bare metal servers with virtual network interfaces, the IAM permissions for options to allow IP spoofing or disable infrastructure NAT are managed on their attached virtual network interfaces.
• Flow log collectors can target instance network attachments and virtual network interfaces.

You can choose to defer access to this feature through IBM Support. Users in an account that has deferred access will not be able to create instances or bare metal servers with virtual network interfaces. If you need more time to assess, remediate, and test changes for virtual network interfaces, request deferral for your production accounts while you complete the mitigations using your test accounts.

GPU l4 and l40S profiles now available in US South region

The l4 and l40S GPU profiles are now available Dallas (us-south) region. For the l4 profiles, these regions are in addition to Washington DC (us-east), Toronto (ca-tor), London (eu-gb), Frankfurt (eu-de), Madrid (eu-es), Sydney (au-syd), and Tokyo (jp-tok) regions. For the l40S profiles, this region is in addition to Washington DC (us-east), Toronto (ca-tor), London (eu-gb), Frankfurt (eu-de), Madrid (eu-es), Sydney (au-syd), and Tokyo (jp-tok) regions. For more information, see GPU x86-64 instance profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

11 March 2024

GPU l40S profiles now available in Canada and United Kingdom regions

The l40S GPU profiles are now available in the Toronto (ca-tor) and London (eu-gb) regions. These regions are in addition to Washington DC (us-east), Frankfurt (eu-de), Madrid (eu-es), Sydney (au-syd), and Tokyo (jp-tok) regions. For more information, see GPU x86-64 instance profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

07 March 2024

UI update for Block storage

When you create a Block Storage for VPC volume from the Block storage volumes for VPC list, you can now choose to import data from a snapshot and to apply a backup policy as part of the new Optional configurations section.

06 March 2024

GPU l4 and l40S profiles now available in Washington DC (us-east) region

The l4 and l40S GPU profiles are now available in the Washington DC (us-east) region. For more information, see GPU x86-64 instance profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

29 February 2024

UI navigation change to Auto scale

Previously, Auto scale was found in VPC Infrastructure > Auto scale in the IBM Console navigation. This path is now changed. The new navigation path is VPC Infrastructure > Compute.

27 February 2024

GPU l40S profiles with PCIe now available

New l40S GPU profiles that include NVIDIA's L40S 48GB GPU are now available in the Frankfurt (eu-de), Madrid (eu-es), Sydney (au-syd), and Tokyo (jp-tok) regions. For more information, see GPU x86-64 instance profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

GPU l4 profiles now available

New l4 GPU profiles that include NVIDIA's L4 24GB GPU are now available in the Toronto (ca-tor), London (eu-gb), Frankfurt (eu-de), Madrid (eu-es), Sydney (au-syd), and Tokyo (jp-tok) regions. For more information, see GPU x86-64 instance profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

23 February 2024

London 1 AZ for bare metal servers

The London 1 availability zone (AZ) is now available for Bare Metal Servers for VPC.

20 February 2024

Virtual Network Interfaces for VPC (Select availability)

Accounts that have been granted special approval can preview a new feature in the Virtual Private Cloud (VPC) service that expands the support for virtual network interfaces. The following features are available.

• Virtual network interfaces have an independent lifecycle, which means that when you delete a resource to which the virtual network interface is attached, the virtual network interface persists and retains its IP address.
• New instances and bare metal servers can be created with virtual network interfaces attached to new child resources called network attachments.
• Virtual network interfaces support secondary IP addresses.
• For compatibility with existing clients, instances and bare metal servers with virtual network interfaces include a read-only representation of their network attachments and virtual network interfaces as legacy network interface child resources.
• For instances and bare metal servers with virtual network interfaces, the IAM permissions for options to allow IP spoofing or disable infrastructure NAT are managed on their attached virtual network interfaces.
• Flow log collectors can target instance network attachments and virtual network interfaces.

If you have automation for managing your virtual network interfaces, bare metal servers, and file share mount targets, and you are not interested in expanded support for virtual network interfaces, you'll have the option to opt out when the feature becomes generally available.

Next generation instance profiles available in Frankfurt (eu-de) region (select availability)

The 3rd generation of IBM Cloud Virtual Servers for VPC are now available as a select availability offering in the Frankfurt (eu-de) region, in addition to the Dallas (us-south) and London (eu-gb) regions. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

13 February 2024

Dashboard template IDs

Template IDs and dashboard names for Virtual server for VPC, Flow logs for VPC, and VPC Infrastructure Service Resource Quota Overview are changed.

• VPC service metric definitions dashboard names:
  • VPC VSI Gen 2 Overview is changed to Virtual Server for VPC Overview
  • VPC Flow Logs Overview is changed to Flow Logs for VPC Overview
  • VPC Resource Quota Overview is changed to VPC Infrastructure Service Resource Quota Overview
• VPC virtual server instances metrics definitions:
  • ibm_resource_name is changed to ibm_is_resource_name
• Monitoring flow logs for VPC metrics:
  • ibm_flow_log_collector_instance is changed to ibm_is_flow_log_collector_instance
• VPC Infrastructure Service Resource Quota Overview:
  • ibm_secondary_resource_id is changed to ibm_is_secondary_resource_id
  • ibm_resource_quota_name is changed to ibm_is_resource_quota_name

For more information, see IBM Cloud VPC monitoring dashboards.

07 February 2024

Updated workload section for Hyper Protect Secure Build

The workload section for Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-14. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC.

UI enhancement: New SAP Certified filter when selecting an instance profile

When provisioning a virtual server, you can now use the SAP Certified filter on the Select an instance profile page to narrow the results to include only the available SAP profiles (SAP HANA, SAP NetWeaver, or SAP Business One). When the SAP Certified filter is selected, the profile results display the SAP certification status for the specific SAP enabled profiles.

06 February 2024

New Madrid (eu-es) region for ux2d profiles (GA)

The Ultra High Memory family of profiles are now available in the Madrid (eu-es) region. The addition of this region makes the ux2d profiles available in all regions. For more information, see the Ultra High Memory profile information. For more information about the Multizone regions, see Region and data center locations for resource deployment.

24 January 2024

Next generation instance profiles available in London (eu-gb) region (select availability)

The 3rd generation of IBM Cloud Virtual Servers for VPC are now available as a Select Availability offering in the London (eu-gb) region, in addition to the Dallas (us-south) region. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

16 January 2024

Reservations for VPC (select availability)

You can now provision reservations for VPC. A reservation is a great option if you want guaranteed resources for future deployments and cost savings. You can choose between either a 1 or 3-year contract term for your reservation. Reservations are available in only the Sydney (au-syd) region. For more information, see About reservations for VPC.

11 January 2024

UI enhancement to VPC download button

Previously, when you downloaded a list of resources from a table, you could download only the current page if the resource list length was more than 200 records. With this UI enhancement, you can now download all the pages regardless of length of the resource list.

19 December 2023

Corrected events

The following table shows activity tracker events that have been corrected.

15 December 2023

IBM Wazi as a Service and LinuxONE (s390x processor architecture) dedicated host (select availability)

You can now create dedicated hosts with s390x memory profiles in the Madrid (eu-es) and Dallas (us-south) regions to carve out a single-tenant compute node and create virtual server instances according to your needs. For more information, see s390x dedicated host profiles and Creating dedicated hosts and groups.

VPC route advertisement to Direct Link and Transit Gateway

You can now advertise routes in VPC ingress routing tables to Direct Link, Transit Gateway, or both. For more information, see VPC routing tables and routes.

14 December 2023

Tokyo 2 AZ for bare metal servers

The Tokyo 2 availability zone (AZ) is now available for Bare Metal Servers for VPC.

12 December 2023

File Storage for VPC - Cross-region Replication

Customers who have VPCs in multiple regions in the same geography can now create replicas of their file shares in another zone of a different region. For more information, see About file share replication.

08 December 2023

GPU A100 profiles with PCIe now available

Two additional a100 GPU profiles that include NVIDIA's A100 PCIe GPU are now available in the Washington DC (us-east), Tokyo (jp-tok), and London (eu-gb) regions. For more information, see GPU x86-64 instance profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

05 December 2023

Snapshot consistency groups and consistency group backups

You can now create a snapshot consistency group to capture snapshots of multiple block storage volumes that are attached to a virtual server instance. You can include or exclude the boot volume. Instance storage is not included. You can later use the individual snapshots in the consistency group to restore multiple volumes of a virtual server instance. You can automate the creation and retention of consistency group snapshots with the Backup service. For more information, see Snapshot consistency groups and About Backup for VPC.

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-14 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-14, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

01 December 2023

Reserved Capacity for VPC (Beta)

You can now reserve capacity for VPC. Reserved capacity is a great option if you want guaranteed resources for future deployments and cost savings. You can choose between either a 1 or 3-year contract term for your reserved capacity. For more information, see About Reserved Capacity for VPC.

16 November 2023

Client VPN for VPC: Automate the client certificate authentication process for private certificates

As a VPN server administrator, you were required to download the client profile, manually insert the private certificate into the client profile, and, finally, distribute it to users. Now, when a private certificate is used for client authentication, you can download the client profile with the merged private certificate and key for all or selected private certificates. There is also no need for the VPN client user to modify their client profile manually. For more information, see Setting up a client VPN environment and connecting to a VPN server.

Encryption in transit is now available in Madrid (eu-es) region

Encryption in transit for File Storage for VPC is now available in the Madrid (eu-es) region in IBM Cloud. For more information, see Encryption in transit.

15 November 2023

GPU A100 profile available on Intel Ice Lake hardware in Washington DC (us-east) region (select availability)

The GPU a100 profile is now availableon the Intel®'s quad processor Xeon® Gold 6342 Ice Lake with 96 cores that are running at a base speed of 2.8 GHz and an all-core turbo frequency of 3.5 GHz. The Ice Lake processor is available only in the Washington DC (us-east) region. For more information, see the GPU profile family documentation.

13 November 2023

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-13 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-13, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

You can attach multiple volumes when you bring up the virtual server instance. For more information, see The workload - volumes subsection, and The env - volumes subsection.

Updated workload section for Hyper Protect Secure Build

The workload section for Hyper Protect Secure Build is updated based on the IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-13. For more information, see Configuring and using Hyper Protect Secure Build in Hyper Protect Virtual Servers for VPC.

10 November 2023

IBM Wazi as a Service available in Dallas (us-south) region

IBM Wazi as a Service (Wazi aaS) is now available in the Dallas (us-south) region in IBM Cloud. For more information, see IBM Wazi as a Service product page.

Dallas (us-south) region is now available for IBM Cloud Hyper Protect Virtual Server for IBM Cloud® Virtual Private Cloud

You can create IBM Cloud Hyper Protect Virtual Server for IBM Cloud VPC instances on LinuxONE (s390x processor architecture) in the Dallas (us-south) region, in addition to Tokyo (jp-tok), São Paulo (br-sao), Madrid (eu-es), Toronto (ca-tor), London (eu-gb), and Washington DC (us-east) regions. To create IBM Cloud Hyper Protect Virtual Server for IBM Cloud VPC instances on LinuxONE (s390x processor architecture), see Creating virtual server instances, and IBM Hyper Protect Container Runtime image. A valid contract is required for creating an instance. For more information, see About the contract.

Dallas (us-south) region is now available for LinuxONE (s390x processor architecture)

You can now create virtual server instances on LinuxONE (s390x processor architecture) in IBM Cloud in the Dallas (us-south) region, in addition to Tokyo (jp-tok), São Paulo (br-sao), Madrid (eu-es), Toronto (ca-tor), London (eu-gb), and Washington DC (us-east) regions. For more information about available LinuxONE (s390x processor architecture) profiles, see s390x instance profiles. To create instances on LinuxONE (s390x processor architecture), see Creating virtual server instances by using the UI.

UI enhancement: architecture and image selection when provisioning

When you create resources such as virtual server instances, bare metal servers, and instance templates, the image selection option is now available in an enhanced side panel when you click Change image. For virtual server instances and instance templates, you can select from stock images, custom images, catalog images, snapshots, and existing volumes. For bare metal servers, you can select from stock images and custom images. Additionally, architecture selection is now included on the image side panel.

24 October 2023

Security group integration for network load balancers

For enhanced security, network load balancers can now be associated with security groups. You can associate one or more security groups with a new network load balancer when creating it, as well as associate security groups with your existing network load balancers. For more information, see Integrating an IBM Cloud Network Load Balancer for VPC with security groups.

Very High Memory profiles available in all regions (GA)

The Very High Memory family of profiles are now available in the Madrid (eu-es) region. This makes the vx2d profiles available in all regions. For more information about the Very High Memory profile family, see Very High Memory. For more information about the Multizone regions, see Region and data center locations for resource deployment.

12 October 2023

VPNs for VPC: Diagnose unhealthy VPN gateways and servers

When you see an existing VPN gateway or server in a degraded or faulted state, you can now diagnose the issue. You are presented with reasons for the state and actions to resolve the issue. For more information, see Diagnosing VPN gateway health, Diagnosing VPN gateway connection health, and Diagnosing VPN server health.

Next generation instance profiles available in Dallas (us-south) region (select availability)

The 3rd generation of IBM Cloud Virtual Servers for VPC are available as a Select Availability offering in the Dallas (us-south) region. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles. In the Balanced family, see the bx3d profiles tab. In the Compute family, see the cx3d profiles tab. In the Memory family, see the mx3d profiles tab. 3rd generation dedicated host profiles are also available. For more information, see bx3d, cx3d, and mx3d profiles in x86-64 dedicated host profiles. For more information about the Multizone regions, see Region and data center locations for resource deployment.

UI enhancements

The following enhancements were made to the VPC UI.

• General fixes and updates
• VPN status reason and suspended status
• VPN Route Advertisement

02 October 2023

New regions for ux2d profiles

The Ultra High Memory family of profiles are now available in the São Paulo (br-sao), Tokyo (jp-tok), Osaka (jp-osa), and Sydney (au-syd) regions. For more information, see the Ultra High Memory profile information. For more information about the Multizone regions, Region and data center locations for resource deployment.

29 September 2023

Backup as a Service Enterprise enablement

As an enterprise account administrator, you can view and manage the backup policies and plans for the subaccounts for compliance reporting and billing from one place. Enterprise account users can see all backup policies and associated jobs. They can also see the reference of the backup snapshot that is created in the subaccount. Subaccounts can create and manage their backups as before. For more information, see About Backup for VPC.

22 September 2023

IBM Wazi as a Service available in Madrid (eu-es) region

IBM Wazi as a Service (Wazi aaS) is now available in the Madrid (eu-es) region in IBM Cloud. For more information, see IBM Wazi as a Service product page.

21 September 2023

IBM Cloud Hyper Protect Virtual Server for IBM Cloud® Virtual Private Cloud

You can now create IBM Cloud Hyper Protect Virtual Server for IBM Cloud VPC instances on LinuxONE (s390x processor architecture) in the Madrid (eu-es) region, in addition to São Paulo (br-sao), Toronto (ca-tor), Tokyo (jp-tok), and Washington DC (us-east) regions. To create IBM Cloud Hyper Protect Virtual Server for IBM Cloud VPC instances on LinuxONE (s390x processor architecture), see Creating virtual server instances, and IBM Hyper Protect Container Runtime image. A valid contract is required for creating an instance. For more information, see About the contract.

LinuxONE (s390x processor architecture)

You can now create virtual server instances on LinuxONE (s390x processor architecture) in IBM Cloud in the Madrid (eu-es) region, in addition to Tokyo (jp-tok), São Paulo (br-sao), Toronto (ca-tor), and London (eu-gb) regions. For more information about available LinuxONE (s390x processor architecture) profiles, see s390x instance profiles. To create instances on LinuxONE (s390x processor architecture), see Creating virtual server instances by using the UI.

05 September 2023

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-12 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-12, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

You can now roll or rotate the seeds that are used in the contract to improve the security posture or if the seed is compromised. For more information, see The workload - volumes subsection, and The env - volumes subsection.

Ultra High Memory profiles are now available in the London (eu-gb) region

The Ultra High Memory profile family (ux2d) is now available in the United Kingdome (London) region. For more information about this profile family, see Ultra High Memory. For more information about the Multizone regions, see Region and data center locations for resource deployment.

31 August 2023

Bare metal network hardware

Bare metal servers now use upgraded network cards. For network workloads that leverage very high packets per second for smaller packets, you can update your drivers to the latest available Pensando device drivers. For more information, see Special considerations for bare metal network performance upgrade and AMD Pensando Support.

File Storage for Bare metal servers for VPC

File Storage for VPC is now supported by Bare Metal Servers for VPC. Users can leverage file storage as an addition or alternative to local NVMe drives. About File Storage for VPC.

25 August 2023

Next generation instance profiles (Beta)

The 3rd generation of IBM Cloud Virtual Servers for VPC are available as a beta offering to select customers. This new generation features virtual server profile families hosted exclusively on 4th Generation Intel® Xeon® Scalable processors to provide the most powerful and performant general-purpose profiles available. For more information, see Next generation instance profiles and the bx3d and mx3d profiles in the Balanced and Memory profile families.

22 August 2023

VPC Status History

You can now customize notification settings for your VPC dashboard. When status history is enabled, your notification history is retained to help you find old error messages or track down when the creation or deletion of a resource occurred. To enable Status History, make sure that your browser alllows local storage access. For more information, see Enabling local storage in your browser.

15 August 2023

Metadata Instance identity certificates

You can now use the instance identity access token and a Certificate Signing Request (CSR) to create an instance identity certificate with the Metadata API. For more information, see Generating an instance identity certificate by using an instance identity access token. Instance identity certificates can be used when the traffic between an authorized client and the mounted file share is encrypted in transit.

08 August 2023

File Storage for VPC (GA)

NFS-based file shares for a zone within a region are now generally available. You can create and share file storage over multiple virtual service instances within the same zone across multiple VPCs. For more information about this service, see About File Storage for VPC.

14 July 2023

Very High Memory (vx2d) profile family now available in all regions (GA)

The vx2d profile is now available in the São Paulo (br-sao) region. Adding this region makes this profile family available in all regions. For more information about the Very High Memory profile family, see Very High Memory. For more information about the Multizone regions, see Region and data center locations for resource deployment.

11 July 2023

Image lifecycle management for custom images (GA)

This image lifecycle management feature is now generally available. You can use the UI, CLI, and API to manage the lifecycle of your custom images with the following three statuses. You can move the image back and forth through all the statuses. You can also schedule status changes to manage the entire lifecycle of the image. For more information, see Custom image lifecycle in Getting started with custom images.

• available: The image can be used to create an instance.
• deprecated: The image can be used to create an instance. Using the deprecated status can discourage use of the image before the status changes to obsolete.
• obsolete: The image can't be used to create an instance.

27 June 2023

Snapshots for VPC Cross Regional Copy GA

Customers can now create a copy of a snapshot in a different region, and later use that copy to restore a volume in the new region. This feature can be beneficial in disaster recovery scenarios when the customer needs to start their virtual server instance and data volumes in a different region. Customers can also use the remote copy to create storage volumes in a new region and expand their VPC in new locations. For more information, see Cross Regional Snapshot copies.

Backup for VPC Cross Regional Copy (GA)

Customers can now save a copy of their backup in a different region. Customers can copy the backup snapshot to another region manually or add the copy option to their backup policy plans. Customers can manage and use the cross-regional copy in the target region independently from the parent volume or the original backup. For more information, see Cross Regional backup copies.

22 June 2023

New Ed25519 SSH key type is available

The Ed25519 SSH key type is a new, supported SSH key type and can be used as an alternative to the RSA SSH key type. The Ed25519 SSH key can be used with Linux operating systems, but is not supported for Windows or VMware images. For more information, see Getting started with SSH keys and Managing SSH Keys.

Madrid multi zone region (MZR)

A new MZR is available for VPC and Classic infrastructures. Classic Virtual Servers will not be available in the Madrid MZR. The Madrid (eu-es) region supports only dedicated host profiles with instance storage. For more information, see Region and data center locations for resource deployment, Setting up access to classic infrastructure, and Dedicated host profiles.

20 June 2023

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-11 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-11, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Support for customer-managed keys through integration with Hyper Protect Crypto Services

• Without the feature, the data volume that you attach to your instance is encrypted automatically with a LUKS passphrase generated by using the two seeds from the workload - volumes and env - volumes sections of the contract. Starting from the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-11, Hyper Protect Virtual Servers support integration with the key management service (KMS) Hyper Protect Crypto Services. You can enable the integration by providing KMS configurations in the contract. Your Hyper Protect Virtual Server instance calls Hyper Protect Crypto Services to generate a random value as the third seed and wrap it with your root key. The wrapped seed is stored in the metadata partition of your data volume. The LUKS passphrase is generated by using three seeds - the seed in the metadata partition (unwrapped first) and the two seeds from the contract. For more information about how the integration works and detailed instructions, see Securing your data.

Deploying multiple containers

• In the workload section of the contract, you can define the workload via Pod descriptors. Each pod can contain one or more container definitions. Previously, only one container described by docker compose was supported. For more information about using Pod descriptors, see the play subsection. Container images described by Pod descriptors can be validated by RedHat Simple Signing.

Changes to the attestation document

• In the attestation document se-checksums.txt, user-data.decrypted is removed, and Machine Type/Plant/Serial (the information required to identify the host machine) is added. For more information, see Attestation.

Instance group integration with network load balancers (GA)

Network Load Balancer for VPC is now integrated with instance groups to improve pool member scaling. When you create or update an instance group for auto scaling, you can now specify the Network Load Balancer pool for the instance group to manage. For more information see Creating an instance group for auto scaling.

Access control modes and granular authorization for File Storage for VPC file shares (beta)

For users with accounts that have access to file shares, you can now specify an access control mode to either restrict mounting a file share to a specific virtual server instance in the VPC or allow VPC-wide file share mounting. File share mount targets that were created before 20-June-2023 have a default of VPC-wide file share mounting. File shares that are created after that date can specify security group access control mode to restrict access to a specific instance. For this option, file shares must be based on the dp2 profile. From the UI, CLI, or API, you set the access control mode when you create or update file shares, and can see the setting when you list file shares and in the file share details. When you create a mount target for a file share with security group access mode, you can specify a virtual network interface to be created and attached to the mount target with a security group. For the virtual network interface, you can specify an existing reserved IP, or specify a subnet and allow the system to assign an IP address. When the mount target is attached and the share is mounted, the virtual network interface performs security group policy check to ensure only authorized virtual server instances can communicate with the share. For more information, see Mount targets for file shares.

Data encryption in transit for file shares (beta)

For users with accounts that have access to file shares, you can enable secure end-to-end encryption of your data when using security group based access control on file shares and mount targets with virtual network interfaces. The traffic between the authorized virtual server and the file share can optionally be IPsec encapsulated by the client. By using an Internet Security Protocol (IPsec), you can establish an encrypted mount connection between the virtual server instance and a file share with the dp2 profile. The IBM Cloud® file service provides a mount helper utility to automate the complex tasks of configuring and maintaining the connection. For more information, see Encryption in transit - Securing mount connections between file share and host.

Virtual network interface (beta)

Virtual network interfaces are now available in a beta release for use with file share mount targets. For more information see About virtual network interfaces.

16 June 2023

VPC routing table authorizations

You can use the new VPC routing table authorizations to allow users to administer VPC routing tables but not allow them to administer the broader VPC. Routing table operations were updated to check for these new authorizations, instead of the broader VPC authorizations. The VPC Administrator, Editor, Operator, and Viewer IAM access roles were updated so that users with those roles function as before. However, custom roles that require access to routing tables must be updated. For more information, see Managing IAM access for VPC Infrastructure Services.

15 June 2023

New regions available for Ultra High Memory profiles:

Ultra High Memory (ux2d) profiles are now available in the Washington DC (us-east), Toronto (ca-tor), and Frankfurt (eu-de) regions. For more information, see the Ultra High Memory profiles documentation. For more information about the Multizone regions, see Region and data center locations for resource deployment.

08 June 2023

New stock images for bare metal servers

The following stock images are now available for bare metal servers:

• CentOS 7.x is now supported as an image when you provision a bare metal server.
• CentOS Stream 9.x is now supported as an image when you provision a bare metal server. For more information, see Bare metal server images.

01 June 2023

UI Enhancement to the List view

You can now export table data with the current table column format. The supported export formats are CSV and Microsoft Excel.

30 May 2023

File Storage for VPC file share activity tracker event name changes (beta)

For users with accounts that have access to file shares, when making API requests using a version query parameter of 2023-05-30 or later, the shares targets property was changed to mount_targets. This change affects file share Activity Tracker events. Events generated when creating, listing, retrieving, deleting, and updating mount targets for a file share are now is.share.mount-target.create, is.share.mount-target.list,is.share.mount-target.read, is.share.mount-target.delete, and is.share.mount-target.update. Events for is.share.target.create, is.share.target.list, is.share.target.read, is.share.target.delete, and is.share.target.update are deprecated and will be removed in a future API release per the VPC beta API versioning policy.

19 May 2023

Removal of weak VPN for VPC ciphers

Effective 18 May 2023, the following VPN IKE and IPsec ciphers are now removed:

• Authentication algorithms md5 and sha1
• Encryption algorithm triple_des
• Diffie–Hellman groups 2 and 5

After this date, you cannot create an IKE/IPsec policy or connection that includes a weak cipher, but you can still upgrade weak cipher suites on an existing policy or connection. Starting 10 July 2023, any existing connections with customized IKE or IPsec policies that contain weak ciphers will be disabled, and any connections with auto IKE or IPsec policies that were created before September 20, 2022 will be forced to upgrade to the enhanced auto-negotiation policy.

11 May 2023

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-10

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-10, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

9 May 2023

New -a100 GPU profile is available (select availability)

There is a new profile available for customers with special approval to preview this service that is for provisioning instances based on NVIDIA's A100 Amperere GPU attached to a single virtual server instance. The gx2-80x1280x8a100 profile supports artificial intelligence and machine language frameworks and includes instance storage. Only Redhat and Ubuntu are supported for this profile. This profile is currently only available in the Washington DC (us-east) region. For more information, see GPU profiles. To request access to this profile, you must open a support case.

6 April 2023

Image lifecycle management for custom images (beta)

For customers with special access to this feature, you can use the UI, CLI, and API to manage the lifecycle of your custom images with the following three statuses. You can move the image back and forth through all the statuses. You can also schedule status changes to manage the entire lifecycle of the image. For more information, see Custom image lifecycle in Getting started with custom images.

• available: The image can be used to create an instance.
• deprecated: The image can be used to create an instance. Using the deprecated status can discourage use of the image before the status changes to obsolete.
• obsolete: The image can't be used to create an instance.

4 April 2023

File Storage for VPC high-performance profile (beta)

For customers with special access to this feature, you can now create file shares by using the dp2 high-performance profile. This profile provides higher IOPS and greater capacity than earlier profiles. You can also modify existing file shares to use this profile. For more information, see the file share profiles overview.

31 March 2023

New network latency dashboard to view latency between zones in a multi-zone region (MZR)

Not only can you view inter-region latency metrics, but you can now view inter-AZ metrics between all regions and availability zones (AZs) to help you plan the optimal selection for your cloud deployment. To view performance metrics, see the Network latency dashboards.

29 March 2023

VCPU manufacturer support for instances and dedicated hosts (select availability)

For accounts authorized to preview this functionality, you can now choose between profiles from different processor manufacturers when you provision an instance or dedicated host in the Toronto (ca-tor) region. For more information, see x86-64 instance profiles, Dedicated host profiles.

28 March 2023

Private DNS zones for network load balancers

You can now use IBM Cloud Application and Network Load Balancers for VPC to bind DNS zones from IBM Cloud DNS Services, which you can use to move all DNS resolutions into private networks. Private DNS zones are resolvable only on IBM Cloud, and only from explicitly permitted networks in an account or with cross account access. For more information, see Integrating a load balancer with IBM Cloud DNS Services.

Enhancements to viewing profiles - number of supported network interfaces

In IBM Cloud console, when you click View all profiles on the Create virtual server instance page, the Bandwidth column values include a tooltip. The tooltip now includes the number of network interfaces that can be attached for the profile. A similar feature is now available in the API when you list instance profiles. For more information, see Network interface configuration for instance profiles.

23 March 2023

New network latency dashboard

Provides visibility into network latency between all regions to help you plan the optimal selection for your cloud deployment and plan for scenarios, such as data residency and performance. This dashboard provides the average network round-trip latency (round-trip time or RTT) for all pairs of regions in IBM Cloud over a 30-day period.

You can view and monitor performance in the following IBM Cloud regions: Dallas (us-south), Toronto (ca-tor), Washington DC (us-east), Frankfurt (eu-de), London (eu-gb), Osaka (jp-osa), Sydney (au-syd), Tokyo (jp-tok), and São Paulo (br-sao).

To view performance metrics, see the Network latency dashboard.

21 March 2023

Instance provision by volume

You can now reuse an existing boot volume to provision a virtual server instance. The specified volume must be unattached, be in the same zone as the instance profile, and must have an operating system with the same architecture as the instance profile. By default, a boot volume that was created as part of provisioning a virtual server instance is deleted when the instance is deleted. You can control this behavior when you create or update an instance. For more information, see Creating virtual server instances, and Managing virtual server instances.

Designating VPC route priority

When multiple VPC routes exist for a destination, you can now control the priority of these routes (from 0 to 4). New and existing routes, which are created without a priority value, are automatically set to the default priority (2). Smaller values have higher priority. For more information, see Determining route preference.

The route priority is considered on identical destinations only.

Modifying the next hop for VPC routes

You can now update the next-hop of a VPC route. For more information, see Creating a route.

20 March 2023

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-9 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-9, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Two partitions in new data volume

• For new Hyper Protect Virtual Servers instances, the data volume is partitioned into two parts. The first partition (100Mib) is reserved for internal metadata; the second partition remains as the data volume for workload. Only new volumes are partitioned, and you can't use the partitioned volume with an older version of the HPCR image. Provisioning with an existing encrypted volume also works. The difference is that the existing volume does not get partitioned, and you can also go back to an older image with this volume.

Support for using a dynamic registry reference

• There exist use cases in which the registry is not known when the workload section is pre-encrypted, for example, when the workload provider wants to allow the deployer to use a registry mirror or a private container registry. In such a case, it's possible to dynamically override the registry and the pull credentials - which is a coordinated effort between the workload provider and the deployer. For more information, see Using a dynamic registry reference.

16 March 2023

Client-to-site VPN server private certificate support

VPN servers now support the use of Secrets Manager private certificates. Private certificates are SSL/TLS certificates that you can sign, issue, and manage in the Secrets Manager service. For VPN server considerations, see Using a private certificate. For Secrets Manager information, see Creating a private certificate.

10 March 2023

Client-server timeout for application load balancers

You can now configure the client and server timeout parameters for IBM Cloud Application Load Balancer for VPC by using the UI, CLI, and API. The maximum timeout period for each listener is 2 hours, and the minimum is 50 seconds. If you need a timeout amount greater than 2 hours, open a support case with IBM Support. For more information about setting the client and server timeout period, refer to Creating an application load balancer. This functionality is only available for application load balancers.

14 February 2023

VPC instance metadata communication protocol and hop limit

You can now control the communication protocol and hop limit for IP response packets that are used by the VPC Instance Metadata service. When you provision or update an instance, use the new Secure access setting to specify either http (default) or https (secure access) communication. In addition, use the new Hop limit setting to specify a value between 1 (default) and 64. Both of these settings apply only when the metadata service is enabled. For more information, see Configure metadata settings by using the UI.

Hyper Protect Secure Build

You can now use Hyper Protect Secure Build to securely build an Open Container Initiative (OCI) image in Hyper Protect Virtual Servers for VPC. You can push the image to DockerHub or IBM Cloud Container Registry (ICR). Later, you can pull the image from the registry to provision it in another Hyper Protect Virtual Servers for VPC instance. You can also pull SLES BaseContainerImages (BCI) from the SUSE registry, and use the images to provision Hyper Protect Virtual Servers for VPC instances.

9 February 2023

Export custom images (Beta)

For accounts that are authorized to preview this feature, you can now export custom images to IBM Cloud Object Storage. For more information, see Exporting a custom image to IBM Cloud Object Storage (Beta).

7 February 2023

Block Storage fast restore snapshots

You can now restore a fully provisioned volume with all its data from a snapshot by using a fast restore snapshot clone. You can use fast restor to restore a volume more quickly than restoring from a regular snapshot. To create the clone, you specify a zone or zones in the same region as the source snapshot. The clone is used to automatically restore a volume with all of its data in the zone where the clone exists. For more information, see Restoring a volume by using fast restore.

Extra security for VPC snapshots (closed beta)

For customers with special access to this security beta feature, data isolation is provided to store snapshots created from your dedicated hosts. With data isolation extra security, your data is encrypted at rest with a unique key and access to your data is protected by a private firewall.

3 February 2023

Images for VPC UI Updates

Previously, the path to custom images was VPC Infrastructure > Compute > Custom Images. The new path is VPC Infrastructure > Compute > Images. The new page is Images for VPC and now has a tab for each type of image:

• Custom images
• Stock images
• Catalog images

31 January 2023

Secure boot with Trusted Plaform Module (TPM) (select availability)

Secure boot makes sure that your server starts with trusted software by verifying the signatures for all code in the boot process. Trusted Platform Module (TPM) provides hardware-based security functions. With supporting software, TPM helps maintain platform integrity and generates cryptographic keys. For more information, see Secure boot with Trusted Platform Module (TPM).

30 January 2023

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-8 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-8, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Using Hyper Protect Virtual Servers for VPC in a private network

• You can use your Hyper Protect Virtual Servers for VPC instance in private-only network configurations, in which the VPC doesn't have a public gateway, and the virtual server instance doesn't have a floating IP. You can connect to private endpoints of other services, including container registry and IBM Log Analysis. The prerequisite is that you need a DNS server that is attached to your virtual server instance. You don't need to do any extra configurations.

Security enhancement to disk encryption verification

• To address Denial-of-Service attacks, the requests to verify disk encryption status are throttled at three per five minutes.

27 January 2023

Context-based restrictions

Context-based restrictions are now available for IBM Cloud VPC resources. With context-based restrictions, account owners and administrators can define and enforce network access policies. For more information, see Protecting Virtual Private Cloud (VPC) Infrastructure Services with context-based restrictions.

17 January 2023

Application Load Balancer and VPN for VPC

As a reminder, end of support for IBM Cloud Certificate Manager was 31 December 2022. Remaining instances of Certificate Manager were deleted. If any user-provided Ingress secrets are stored in Certificate Manager, they are no longer valid.

End of support (EOS) for deprecated VPN for VPC IKE and IPsec ciphers

On 20 September 2022, the following VPN IKE and IPsec ciphers were deprecated:

• Authentication algorithms md5 and sha1
• Encryption algorithm triple_des
• Diffie–Hellman groups 2 and 5

Effective today, these ciphers are no longer supported in the UI and EOS for use with the CLI and API is forthcoming. If you didn't upgrade to more secure ciphers, do so now.

20 December 2022

Instance provision by volume (Beta)

By default, when a virtual server instance is deleted attached boot volumes are deleted. You can disable this behavior, causing the boot volume to instead be detached when the virtual server instance is deleted. You can then attach the boot volume to a new virtual server instance. For more information, see Creating virtual server instances, Creating VPC resources with CLI and API, and Managing virtual server instances.

Backup for VPC

The backup policy jobs feature, previously released as a Beta, is now generally available. You can now view all backup policy jobs or details of a single job from the UI, CLI, or API. A backup policy job is triggered when a scheduled backup snapshot is being created or deleted. If the create or delete action is successful, the job contains information about the backup snapshot that was created or deleted. If the job ran unsuccessfully, the job contains the reason for the failure. For more information, see Viewing backup jobs.

17 December 2022

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-7 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-7, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Certificate revocation list

• Starting from ibm-hyper-protect-container-runtime-1-0-s390x-7-encrypt.crt and ibm-hyper-protect-container-runtime-1-0-s390x-7-attestation.crt, the certificates contain Certificate Revocation List (CRL) Distribution Points. You can use the CRL to verify that your certificates are valid (not revoked). For more information, see Certificate revocation list.

15 December 2022

Bare metal servers now support custom images

You can now create custom images to use on your bare metal servers. For more information, see Custom image considerations and Bare metal server considerations.

13 December 2022

Volume creation from a Block Storage snapshot

You can now use the UI and CLI, in addition to the VPC API, to create a stand-alone Block Storage volume from a snapshot. Stand-alone data volumes can be attached to a virtual server instance at any time. You can select a snapshot of a boot volume and use it to boot a new virtual server instance. For more information, see Restore a stand-alone data volume from a snapshot.

Block Storage volume health states

You can now view the health state of a Block Storage volume from the UI, CLI, and API. Health indicated whether a volume is performing as expected or degraded. You can view health status and reasons from the list of volumes and volume details, and when you create and updating volumes. For more information, see Block Storage volume health states.

14 November 2022

IBM Hyper Protect Container Runtime image ibm-hyper-protect-container-runtime-1-0-s390x-6 updates

For the IBM Hyper Protect Container Runtime image version ibm-hyper-protect-container-runtime-1-0-s390x-6, new certificates are available.

• Attestation certificate
• Encryption certificate
• Intermediate certificate

Logging for Hyper Protect Virtual Servers for VPC

• Apart from IBM Log Analysis, you can now configure logging with a generic syslog backend. For more information, see Logging for Hyper Protect Virtual Servers for VPC.

Security claims on disks encryption

• Both the root disk and data disks in the Hyper Protect Virtual Servers for VPC instance are configured with Linux Unified Key Setup (LUKS) Encryption. You can verify the encryption status by checking related messages in the log. For more information, see Verifying disk encryption status.

11 November 2022

Access management tags to manage VPC resources

You can now use access management tags to control access to VPC resources, such as virtual server instances and Block Storage volumes. See the Access management tags section in Managing IAM access for VPC Infrastructure Services. For more information about using access management tags, see the following IAM resources:

• Controlling access to resources by using tags UI tutorial
• Working with tags
• Granting users access to tag resources and service IDs

8 November 2022

Backup policy jobs

You can now list all jobs for a backup policy and retrieve backup policy job details from the UI, CLI, or API. Backup policy job information includes the backup plan used to create the backup snapshot, the backup job type, job status, source volume, target snapshot, and additional information. For more information, see Viewing backup jobs.

31 October 2022

Terraform is now available for sharing images across an enterprise account

You can now share or publish custom images by using Terraform to other accounts within your enterprise by using a private catalog. If you select a catalog image that belongs to a different account, review Using cross-account image references in a private catalog in Terraform for additional considerations and limitations. To create a private catalog, see the tutorial Onboarding a virtual server image with Terraform. To create an instance from a catalog image using Terraform, see Creating virtual server instances by using Terraform.

21 October 2022

Context-based restrictions (limited availability)

For accounts authorized to preview this functionality, account owners and administrators are now able to define and enforce network access policies for IBM Cloud VPC resources. For more information and for specific VPC Infrastructure services that are supported for context-based restrictions, see Protecting Virtual Private Cloud (VPC) Infrastructure Services with context-based restrictions (limited availability).

19 October 2022

Windows BYOL for multi-tenant hosts

You can now bring your own license for Windows operating systems with a custom image to provision virtual server instances on multi-tenant hosts. Previously Windows BYOL was limited to dedicated hosts. For more information, see Bring your Own License and Getting started with custom images.

23 September 2022

IBM Wazi as a Service

IBM Wazi as a Service (Wazi aaS) is now generally available in IBM Cloud in Tokyo (jp-tok), São Paulo (br-sao), Toronto (ca-tor), London (eu-gb), and Washington DC (us-east) regions. For more information, see IBM Wazi as a Service product page.

• For the latest updates of z/OS dev and test stock images, see Change log for z/OS stock images.
• For instructions on creating z/OS virtual server instances, see Creating virtual server instances.

Network interfaces for virtual servers

You can now add up to 15 network interfaces to virtual server instances. The number of interfaces that a virtual server supports depends on the vCPU count that is in the instance profile. Profiles that include 17 - 48 vCPUs now support up to 10 network interfaces. Profiles that include 49 or more vCPUs now support up to 15 network interfaces. For existing virtual servers with 17 or more vCPUs to take advantage of the new network interface limits, a running virtual server instance must be stopped and restarted. For more information about multiple network interfaces, see Managing network interfaces.

22 September 2022

Sharing images across an enterprise account

You can now share or publish custom images to other accounts within your enterprise by using a private catalog. A private catalog provides a way for you to manage access to products for multiple accounts. You can use any existing x86 virtual server custom image with a private catalog, with the exception of an encrypted image. For more information, see Getting started with Catalog Images on VPC and the tutorial Onboarding a virtual server image for VPC. Custom images can't be deleted while being managed from a catalog and can only be managed from one catalog product offering version at a time. Deleting the catalog does not free its managed resources for a 7-day reclamation period. For more information, see Deleting a custom image in a private catalog and Using resource reclamations. If you plan to share images with other accounts, users in those accounts should be aware of considerations related to cross-account references to those images. For more information, see Using cross-account image references in a private catalog. Custom images can also be published to the IBM Cloud catalog and to other (non-enterprise) accounts. This process requires onboarding to the IBM Cloud Partner Center.

Deprecated VPN for VPC ciphers

The following VPN for VPC IKE and IPsec ciphers are now deprecated:

• Authentication algorithms md5 and sha1
• Encryption algorithm triple_des
• Diffie–Hellman groups 2 and 5

You have until 13 December 2022 to upgrade to more secure ciphers. After this date, VPN connections using deprecated ciphers show a status of down (and no longer transfer data) until you upgrade from the weak cipher.

Additional VPN for VPC ciphers

VPN gateways now provide new algorithms to help meet your security and compliance requirements.

• IKE policy now supports the sha384 value for authentication, aes192 for encryption, and 15, 16, 17, 18, 20, 21, 22, 23, 24, and 31 values for Diffie–Hellman groups.

• IPsec policy now supports sha384 and disabled values for authentication, aes192, aes128gcm16, aes192gcm16, and aes256gcm16 values for encryption, and group_15, group_16, group_17, group_18, group_20, group_21, group_22, group_23, group_24, and group_31 Diffie–Hellman groups.

Specifying IKE and IPsec policies when configuring a VPN connection is optional. If a policy is not selected, one is chosen through auto-negotiation. For more information, see About policy negotiation.

20 September 2022

Updating subnets for existing application load balancers

You can now add or remove subnets for existing ALBs by using the UI, API, or CLI. ETag support was added for load balancer resources, as it is required for any resource that allows arrays to be updated. For more information, see to Updating subnets for existing application load balancers.

For more information about using ETags, see Concurrent update protection.

12 September 2022

New stock images for VPC

The following stock images are now available for x86-64 virtual server instances:

• The Windows Server 2019 Standard Edition with SQL Server 2019 Web Edition bundle is now supported as an image when you provision a IBM Cloud VPC server. If you select this stock image when you provision a virtual server instance, the software that is part of that bundle is also included in your instance.
• SUSE Linux Enterprise Server is now supported as an operating system stock image when you provision an x86-64 virtual server. For more information, see x86-64 virtual server images.

31 August 2022

Configuration governance

New VPC config rules for the Image service and Virtual Servers are now available with the Security and Compliance Center. For more information, see the Security and regulation compliance section of Understanding your responsibilities when using Virtual Private Cloud.

30 August 2022

IBM Cloud Hyper Protect Virtual Server for IBM Cloud® Virtual Private Cloud

You can now create IBM Cloud Hyper Protect Virtual Server for IBM Cloud VPC instances on LinuxONE (s390x processor architecture) in the London (eu-gb) region, in addition to São Paulo (br-sao), Toronto (ca-tor), Tokyo (jp-tok), and Washington DC (us-east) regions. To create IBM Cloud Hyper Protect Virtual Server for IBM Cloud VPC instances on LinuxONE (s390x processor architecture), see Creating virtual server instances, and IBM Hyper Protect Container Runtime image. A valid contract is required for creating an instance. For more information, see About the contract.

23 August 2022

Additional user tag support for boot and data volumes

You can now add user tags to boot and data volumes when provisioning a virtual server instance or creating an instance template. You can add tags to the boot volume by editing it during instance provisioning. You can also add user tags for any data volumes you create and attach. If you import from a snapshot, any tags defined for the snapshot will be applied to the new volume. For more information, see Create and attach a Block Storage volume when you create a new instance. For more information about user tags, see Working with tags.

17 August 2022

New stock image for bare metal servers

Debian 11 is now supported as an image when you provision a bare metal server.

15 August 2022

Health check metrics for application load balancer pools

Two new health check metrics have now been added to IBM Cloud Monitoring for application load balancers, specifically for pools:

• A metric for reporting the total number of members in a pool.
• A second metric for reporting the total number of healthy (or active) members in a pool.

: For more information about these new metrics or the IBM Cloud Monitoring service, refer to Monitoring Application Load Balancer for VPC metrics.

09 August 2022

VPC Instance Metadata service

A restriction was removed from the instance metadata service in which you had to stop and restart the virtual server instance to fully enable the metadata service. You can now create instances with the metadata service disabled and then enable the service for the instance to start using it immediately.

08 August 2022

Virtual servers for VPC

You can now use the UI, CLI, and API to specify user tags for volume resources when you create an instance. You can add user tags to the instance's boot volume by editing the boot volume. You can also add user tags when attaching a data volume to the instance. For more information, see Adding user tags to Block Storage volumes.

Snapshot and Backup for VPC

The quota of snapshots and backup snapshots you can create per volume has been increased to 750.

01 August 2022

Sharing images across an enterprise account (beta)

You can now share or publish custom images to other accounts within your enterprise by using a private catalog. A private catalog provides a way for you to manage access to products for multiple accounts. You can use any existing x86 virtual server custom image with a private catalog, with the exception of an encrypted image. For more information, see Getting started with Catalog Images on VPC.

30 June 2022

IBM Wazi as a Service (s390x processor architecture)

You can now create virtual server instances of IBM z/OS with IBM Wazi as a Service (Wazi aaS) image on IBM Z (s390x processor architecture) in IBM Cloud in the Tokyo (jp-tok), São Paulo (br-sao), Toronto (ca-tor), and London (eu-gb) regions. The option to select the Wazi aaS z/OS dev and test image is offered as an IBM Cloud allow-listed service. For more information, see IBM Wazi as a Service product page.

File Storage for VPC

You can now access a customer root key (CRK) from one account, and then use that key to encrypt file shares you create in another account. When you create the file share, you specify the CRN of a root key from the account that contains the key. For more information, see Creating file shares with customer-managed encryption.

24 June 2022

New stock image for bare metal servers

Ubuntu (20.04 and 18.04) is now supported as an image when you provision a bare metal server.

21 June 2022

Backup for VPC (GA)

You can now create automated backup snapshots of your Block Storage volumes. If your original volume is compromised, you can restore it from a backup snapshot. You create a backup policy to control which source volumes are selected for backup by matching user tags in the volume with tags that are defined in the policy. Each policy contains up to four backup plans, which define how often backup snapshots are taken (daily, weekly, monthly, or more frequently by using a cron-spec) and retained (by date or by count). You can also view backup jobs, which show status of backup snapshots that are being created or deleted. For more information about this service, see Backup for VPC.

10 June 2022

Block Storage for VPC

You can use the volumes API to restore an unattached data volume from a snapshot. Restoring from a snapshot creates a new, fully provisioned volume. The data volume that was created from the snapshot is fully hydrated (data is restored) when you later attach it to an instance. For more information, see Restoring a volume from a snapshot.

01 June 2022

File Storage for VPC

For accounts authorized to preview this service, you can increase or decrease file share IOPS to meet your performance needs. Adjust IOPS within an IOPS tier profile or a custom profile. Or, adjust IOPS between profiles, for example, from a 3 IOPS/GB tiered profile to a custom profile. Adjusting IOPS within a profile or between profiles depends on the file share size. For more information, see Adjusting file share IOPS.

27 May 2022

Secrets Manager for application load balancers

Application load balancers now support IBM Secrets Manager. With Secrets Manager, you can create, lease, and centrally manage secrets that are used in IBM Cloud® services or your custom-built applications.

As a reminder, end of support for IBM Cloud Certificate Manager was 31 December 2022. Remaining instances of Certificate Manager have been deleted. If you have any user-provided Ingress secrets stored in Certificate Manager, they are no longer valid.

17 May 2022

File Storage for VPC

For accounts authorized to preview this service, you can configure replication for new and existing file shares. Replication creates a read-only copy of your file share data in a different zone. You can fail over to the replica share if the source share becomes damaged or compromised. For more information, see About file share replication.

You can now add user tags from the UI, CLI, or API when you create a new file share or update file shares. For more information, see Adding user tags.