Managed Services in VMs

This is the general service definition for services offered and delivered by VSHN, based on virtual machines running Linux, managed by Puppet. VSHN manages servers and services running on these VMs in any cloud or on-premises virtualization environments as long as the requirements defined in this document are met.

Included Services and Features

Configuration Management

All VSHN managed services, including the operating system and its core components, are configured, enforced and versioned by the VSHN Configuration Management, which is based on Puppet Server. This notably includes the following aspects of the server (operating system):

  • Basic server configuration using current best practices

  • Hardening by configuration incl. continuous improvements

  • SSHd configuration

  • IPtables (local firewall)

  • NTP (timezone and time sync)

  • DNS resolvers

  • Enforcement of package repositories

  • Semi-automated weekly package updates (see Maintenance)

  • Puppet agent to use our Puppet Server infrastructure

  • Security-related configuration changes (0-day mitigation)

  • Users and Groups

    • SSH keys

    • SSH access (who is allowed to log in via SSH)

    • sudo restrictions

    • dotfiles per user

  • Backup of all system-relevant files (see Backup)

  • VSHN Central Monitoring of relevant (defined by VSHN) aspects of the system (see Monitoring)

Maintenance

To ensure secure and stable systems, VSHN performs weekly updates for all system packages and software. The regular maintenance window may be skipped or rescheduled due to external circumstances, such as conflicting public holidays. During maintenance windows, service downtimes may occur. The customer can choose from different maintenance windows. As part of the service, we only perform automated updates for minor releases of the software. Major updates have to be requested by the customer via a change request.

In addition to regular maintenance, VSHN also announces emergency maintenance windows to address severe vulnerabilities.

The maintenance process and possible maintenance windows are described in the VSHN Knowledge Base.

Backup

As the server itself, including all managed services, can be recreated from our Configuration Management, we only back up folders where we expect customer data to be placed. The backup concept is currently based on burp with VSHN pre- and post-backup tools to ensure consistent backups of services.

  • The folders we back up are visible to the customer in our portal control.vshn.net Server Management.
    Should the customer need files backed up anywhere else on the server, the customer needs to inform VSHN and request that the files be added to the backup.

  • All data is encrypted on the client and the encrypted data is then sent to the backup server

  • The data transport between the client and server is done over a TLS-encrypted connection

Further backup and restore documentation is available in the VSHN Knowledge Base.

Backup schedule & retention

The backup runs daily. A fixed start time, multiple backup runs per day and shorter intervals are available as options.

By default, we have the following retention policy. Keep the last:

  • daily backups for 7 days

  • weekly backups for 4 weeks

This guarantees that 7 backups in a row are kept, plus 4 on multiples of 7. The backup schedule & retention configuration is visible in the VSHN Configuration Management.

Backup location

In the default configuration, Managed Servers including all Managed Services are configured to back up to an off-site backup target, which is automatically selected by VSHN and can change at any time. By default, backup targets are in state-of-the-art Swiss data centers. Custom locations are available on request. 100 GB Backup Storage per customer is included.

Monitoring

All Managed Servers are automatically (see Configuration Management) part of the VSHN Central Monitoring system. Systems are monitored and metrics are collected 24/7. Depending on the Service Level Agreement (SLA) options, VSHN reacts to monitoring alerts 24/7 or at least during VSHN business hours. The list of monitored aspects of the Managed Server and Managed Services and the methods used are constantly changing to improve observability and proactive operations. Currently, the list notably includes:

  • Disk space and I/O performance metrics

  • CPU utilization and Linux load

  • Memory and swap space usage

  • Network utilization and out-of-memory killer

  • Reachability (server connected to our monitoring)

  • Puppet agent is running periodically and applying the catalog correctly

  • System time sync (NTP)

  • DNS resolving

  • Mount Point health

  • Mail sending queue

  • Maintenance aspects (reboot required, pending package updates, package pre-download)

  • Backup (running in the configured interval, error handling of last backup run)

  • Service-specific checks for all services running on the Managed Service
    By default, each Service is checked to be up and running. Service-specific monitoring is defined in individual service product definitions.

Setup

The base setup of all VSHN Managed Services is included in the monthly recurring fees during the minimum contract term and not billed separately. Any additional effort caused by the cloud provider or on-premises installations (e.g. no automated installation via API available, manual OS installation required, difficulties with network and firewalls, etc.) and any customization of the service will be invoiced.

  • If VSHN has access to the cloud provider console or API, VSHN creates new systems as needed (as ordered or within the project scope).

  • If VSHN has no access to create systems, the customer creates the systems according to the specs defined by VSHN. The customer gives root access to VSHN for initial configuration management takeover.

Support

VSHN Managed Services include the use of the VSHN Support organization which is available according to the chosen Service Level Agreement (SLA) options.

Incident Handling

  • Resolution of incidents not caused by the customer or a 3rd party is included and not billed

  • Resolution of incidents caused by the customer or a 3rd party (e.g. cloud provider) is not included and usually billed

Support Requests

  • Occasional support questions regarding the Managed Service (up to 15 min effort each) are included and not billed

  • Occasional support requests regarding small (<15 min effort each) and isolated changes (low risk, well-known or documented process) are included and not billed. This notably includes the following:

    • Adding and removing SSH/system users

    • Change of maintenance windows

    • Adjustment of monitoring thresholds

    • Change of local firewall rules, DNS resolvers, NTP servers and similar system options

  • All other support requests are not included and are usually fully billed

VSHN assesses what low-risk, well-known or occasional means, should this be necessary. We favor a fair-play approach here.

Change requests

Changes are assessed by our Service Desk and/or the Customer Service Manager, and the customer is informed of the estimated effort first. Changes are usually fully billed unless explicitly stated otherwise.

Pricing

VSHN Managed Services are billed as a monthly recurring fee as described in the Sales Order. There is no one-time cost for the base setup (for exceptions, see Setup).

The monthly fees do not include cloud provider resources (compute, traffic, backup, storage or similar).