This article explains how IONOS ensures the security of your data through encryption at rest and secure deletion practices.

Encryption at Rest

IONOS provides block storage encryption to help secure your data at rest. Encryption at rest refers to protecting data stored on physical storage devices. It ensures that data is encrypted when stored on disk and can only be accessed by authorized users with the correct encryption keys.

Encryption protects sensitive information from unauthorized access. It also reduces the risk of data leakage by ensuring that even if data is stolen, it remains encrypted and unusable without the appropriate keys.

IONOS implements encryption at rest for Block Storage at two levels:

• Logical Volume Encryption:

  • All logical block storage volumes created after the feature's availability are automatically encrypted.

  • The encryption method used is AES-XTS 256-bit.

  • Each block storage volume uses a unique encryption key, ensuring that others remain secure even if one volume's security is compromised.

  • These unique encryption keys are securely stored and remain inaccessible even to the root user, adding an extra layer of security.

• Optional Drive-Level Encryption:

  • This additional encryption is applied when the storage backend uses self-encrypting drives (SEDs).

  • Currently, SSD Premium and SSD Standard storage options benefit from this feature.

  • The drives employed by IONOS support AES-XTS 256-bit encryption, which is one of the strongest encryption standards available.

Encryption Key Management

The security of encryption keys is crucial to maintaining the overall security of your data. IONOS implements the following key management practices:

• Key Invisibility: Encryption keys are not visible on the storage server, preventing unauthorized access.

• Infrastructure-Bound Access: Drives and volumes can only be accessed within the IONOS infrastructure. This means that even if a drive was physically removed from the data center, it would remain inaccessible.

• Secure Passphrase Retrieval: The storage server requires a passphrase to access a drive or volume. This passphrase can only be retrieved through a secure process:

  • The request must be authenticated (proving the identity of the requester).

  • The request must be authorized (confirming the requester has the right to access).

  • The request must be encrypted (protecting the passphrase during transmission).

• Data Inaccessibility: The volumes and user data remain completely inaccessible without properly unlocking the drives or volumes using the correct passphrase.

Secure Deletion

Secure deletion ensures that it cannot be restored once data is deleted, even with access to the physical media.

To comprehend the secure deletion process, it's essential to understand the role of logical volume metadata:

• Information Repository: Metadata is a storage location for crucial block device information, including volume names, sizes, encryption methods, unique identifiers (UUIDs), and other relevant details.

• Block Mapping: Metadata functions as a block map, linking the logical volume to the underlying physical volumes (block devices).

When you initiate the deletion of a Block Storage volume, IONOS takes the following steps:

1. The volume is immediately flagged for deletion and inaccessible to all systems and users. The deletion can be deferred for up to 48 hours for security reasons.

2. IONOS guarantees that the metadata of the deleted volume is "zeroed out.":

• All metadata information is securely overwritten with zeros.

• The process effectively destroys the block mapping between the logical and physical volumes.

Without the block mapping provided by the metadata, retrieving user data for the specific volume becomes impossible. The metadata is a required component of the encryption key. Deleting the metadata effectively destroys the encryption key. With the encryption key destroyed, the encrypted user data can no longer be decrypted, even if it were to be recovered by any means.

Block Storage is a type of IT architecture in which data is stored as a file system. It provides endless possibilities for storing large amounts of information. It guarantees the safety of resource planning systems and provides instant access to the required amount of data without delay.

IONOS provides you with several ready-made public images that you can use immediately. You can also use your own images by uploading them via our FTP access. For more information, see Private Images. Your IONOS account supports many types of HDD images as well as ISO images from which you can install an operating system or software directly, using an emulated CD-ROM drive.

Storage types and options

The virtual storage devices you create in the DCD are provisioned and hosted in one of the IONOS physical data centers. Virtual storage devices are used in the same way as physical storage devices and can be configured and managed within the server's operating system.

A virtual storage device is equivalent to an iSCSI block device and behaves exactly like direct-attached storage. IONOS block storage is managed independently of servers. It is therefore easily scalable. You can assign a hard disk image to each storage device via DCD (or API). You can use one of the IONOS images, your own image, or a snapshot created with DCD (or API). You have a choice of hard disk drive (HDD) and solid-state drive (SSD) storage technologies while SSD is available in two different performance classes. For more information about setting up the storage, see Set Up Storage.

Up to 24 storage volumes can be connected to a Dedicated Core Server or a Cloud Cube (while the Cloud Cube already has one virtual storage device attached per default). You can use any mix of volume types if necessary.

IONOS Cloud provides HDD and SSD block storage in a double-redundant setup. Each virtual storage volume is replicated four times and stored on distributed physical devices within the selected data center location.

Availability Zones

Secure your data, enhance reliability, and set up high-availability scenarios by deploying your Dedicated Core Servers and storage devices across multiple Availability Zones.

Assigning different Availability Zones ensures that redundant modules reside on separate physical resources at IONOS. For example, a server or a storage device assigned to Availability Zone 1 resides on a different resource than a server or storage device assigned to Availability Zone 2.

For HDD and SSD Storage, you have the following Availability Zone options:

• Zone 1

• Zone 2

• Zone 3

• A - Auto (default; the system automatically assigns an Availability Zone upon provisioning)

Authentication

The first time you create a storage unit based on a public image, you must select at least one authentication method. Without authentication, the image on the storage unit cannot be provisioned. The authentication methods available depend on the IONOS operating system image you select.

Authentication methods depend on the operating system.

We recommend using both SSH and a password with IONOS Linux images. This will allow you to log in with the Remote Console. It is not possible to provision a storage unit with a Linux image without specifying a password or an SSH key.

Passwords: Provisioning a storage device with a Windows image is not possible without specifying a password. It must be between 8 and 50 characters long and may only consist of numbers (0 - 9) and letters (a-z, A - Z). For IONOS Linux images, you can specify a password along with SSH keys, so that you can also log in without the SSH, such as with the Remote Console. The password is set as the root or administrator password with corresponding permissions.

SSH (Secure Shell): To use SSH, you must have an SSH key pair consisting of public and private keys. The private key is installed on the client (the computer you use to access the server), and the public key is installed on the (virtual) instance (the server you wish to access). The IONOS SSH feature requires that you have a valid SSH public/private key pair and that the private key is installed as appropriate for your local operating system.

If you set an invalid or incorrect SSH key, it must be corrected on the side of the virtual machine.

Only contract owners, administrators, and users with valid access rights can view, use, or edit resources in a VDC. These access rights are assigned to groups and are inherited by group members.

Set access rights and ownership

A resource creator, by default, is the owner of the resource and can specify access rights to it. The Security tab of the respective resource displays its ownership details. The following table displays the access rights necessary to access and use a resource:

Set restrictions using 2-factor authentication

In addition to enabling access to a resource, you can also activate the 2-factor authentication for your data centers and snapshots. Only users authorized with the 2-factor authentication can access the data centers and snapshots and unauthorized users cannot view or access the resources, even if they belong to an authorized group.

Depending on their role, users can set access rights at the resource level and via the User Manager.

Manage access rights at the resource level

To manage access rights at the resource level, follow these steps:

1. Log in to the DCD with your username and password.

2. Open the data center:

   • Images: Menu > Resource Manager > Image Manager > Image.

   • Snapshots: Menu > Resource Manager > Image Manager > Snapshot.

   • IP addresses: Menu > Resource Manager > IP Manager.

   • Kubernetes Cluster: Menu > Resource Manager > Kubernetes Manager.

3. Select the required resource in the Resources tab.

4. Select Security > Visible to Groups.

5. From the + Add Group drop-down list, select the required groups to enable access.

6. Select Read to allow users to see and use the resource. However, they cannot modify the respective resource.

7. (Optional) Select further permissions (Edit, Share). You may only share those permissions that you have.

Set access rights via the User Manager

Contract owners and administrators can set the access rights and also limit who else can access a resource by defining its permissions in the User Manager.

To set access rights via the User Manager, follow these steps:

1. Log in to the DCD with your username and password.

2. Go to the Menu > Management > Users & Groups.

3. Select the required resource in the Resources tab.

4. Select the Visible to Groups tab.

5. From the + Add Group list, add the required groups to enable access.

6. (Optional) Select Edit to enable write access or Share to enable resource sharing.

Assigning resources to a group

To assign resources to a group, follow these steps:

1. Log in to the DCD with your username and password.

2. Go to the Menu > Management > Users & Groups.

3. Select the required group in the Groups tab.

4. Select the Resources of Group tab.

5. Select the required resource by clicking on + Grant Access. This enables read access to the selected resource.

6. (Optional) Select Edit to enable write access or Share to enable resource sharing.

For more information about creating and managing the groups, see Manage User Access.

Overview

VirtIO provides an efficient abstraction for hypervisors and a common set of IO virtualization drivers. It was chosen to be the main platform for IO virtualization in KVM. Currently, the following four drivers are available:

• Balloon - The balloon driver affects the memory management of the guest OS.

• VIOSERIAL - The serial driver affects single serial device limitation within KVM.

• NetKVM - The network driver affects Ethernet network adapters.

• VIOSTOR - The block driver affects SCSI-based controllers.

Windows-based systems require VirtIO drivers primarily to recognize the VirtIO (SCSI) controller and network adapter presented by the IONOS KVM-based hypervisor. This can be accomplished in a variety of ways depending on the state of the virtual machine.

IONOS provides pre-configured Windows Server images that already contain the required VirtIO drivers and the optimal network adapter configuration. Additionally, a VirtIO ISO to simplify the driver installation process for Windows 2008 R2, Windows 2012 & Windows 2012 R2 systems is also available. This ISO can be found in the CD-ROM drop-down menu under IONOS Images which can be used for new Windows installations (only required for customer-provided images), as well as Windows images that have been migrated from other environments. Example: via VMDK upload.

Install Windows VirtIO drivers

To install Windows VirtIO drivers, follow these steps:

1. Add a CD-ROM drive.

2. Log in to the DCD with your username and password, and follow these instructions: a. In the Workspace, select the required server. b. In the Inspector pane, select the Storage tab. c. Click CD-ROM to add a CD-ROM drive. d. In the dialog box, enter the following:

   • Choose an IONOS Image with drivers (windows-VirtIO-driver-<version>.iso).

   • Select the Boot from Device checkbox.

   • Confirm your action by clicking Create CD-ROM Drive.

   e. Provision your changes. f. Connect to the server using the Remote Console. The installation menu opens. g. Follow the options provided by the installation menu. h. Remove the CD-ROM drive as soon as the menu asks you to do so, and shut down the VM. i. In the DCD, specify from which storage to boot. j. Restart the server using the DCD. k. Provision your changes. l. Connect to the server again using the Remote Console to make further changes.

3. Set optimal values: For an optimal configuration, apply the following settings:

   • MTU:

     • Internal network interface: 1500 MTU

     • External network interface: 1500 MTU

   • Offloading for Receive (RX) and Transmit (TX):

     • Offload Tx IP checksum: Enabled

     • Offload Tx LSO: Enabled

     • Offload Tx TCP checksum: Enabled

     • Fix IP checksum on LSO: Enabled

     • Hardware checksum: Enabled

4. Disable TCP Offloading/Chimney:

   • Default: netsh int tcp set global chimney=disabled

   • Everything:

   Copy

   rss=disabled
   chimney=disabled
   congestionprovider=none
   netdma=disabled dca=disabled
   ecncapability=disabled
   timestamps=enabled

   • Alternatively, modify the Windows registry:

   Copy

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   "EnableTCPA"=dword:00000000
   "EnableRSS"=dword:00000000
   "EnableTCPChimney"=dword:00000000

1. Set correct values for any network adapter automatically by executing the Get-NetAdapter command via PowerShell. The following output is displayed: a. In the Name field, use the output value instead of Ethernet. b. Create a new file from the File > New menu in the PowerShell ISE. c. Copy and paste the following code and remember to update $name ="Ethernet" appropriately:

   Copy

   Clear-Host
   $name ="Ethernet"
   Set-NetAdapterAdvancedProperty-name $name -RegistryKeyword "MTU" -Registryvalue 1500
   Set-NetAdapterAdvancedProperty -name $name -RegistryKeyword "*rss" -Registryvalue 0
   Set-NetAdapterAdvancedProperty -name $name -RegistryKeyword"*TCPChecksumOffloadIPv4" -Registryvalue 0
   Set-NetAdapterAdvancedProperty -name $name -RegistryKeyword "*UDPChecksumOffloadIPv4" -Registryvalue 0
   netsh interface tcp set global chimney=disabled
   netsh interface tcp set global autotuninglevel=normal
   netsh interface tcp set global netdma=disabled
   netsh interface tcp set global dca=disabled
   netsh interface tcp set global ecncapability=disabled
   netsh interface tcp set global timestamps=enabled
   Get-NetAdapterAdvancedProperty
   netsh int tcp show global

   d. Click File > Execute. e. Verify the settings. f. Restart the VM.

6. Activate TCP/IP auto-tuning. It ensures optimal data transfer between the client and the server by monitoring network traffic and automatically adjusting the Receive Window Size. You must permanently activate the option for optimal performance.

• Execute the netsh interface tcp set global autotuninglevel=normal command to activate TCP/IP auto-tuning.

• Execute the netsh interface tcp show global command to check the current setting.

HDD storage

The following performance and configuration limits apply per HDD volume. The performance of HDD storage is static and independent of its volume size.

HDD storage performance

• Read/write speed, sequential: 200 Mb/s at 1 MB block size

• Read/write speed, full random:

  • Regular: 1,100 IOPS at 4 kB block size

  • Burst: 2,500 IOPS at 4 kB block size

HDD storage limits

• Minimum Size per Volume: 1 GB

• Maximum Size per Volume: 4 TB

Larger volumes can be made available on request. For more information, contact IONOS Cloud Support.

SSD storage

SSD storage volumes are available in two performance classes - SSD Premium and SSD Standard. The performance of SSD storage depends on the volume size. Find the respective performance and configuration limits listed below.

SSD storage performance

The performance of SSD storage is directly related to the volume size. To get the full benefits of high-speed SSDs, we recommend that you book SSD storage units of at least 100 GB. You can use smaller volumes for your VDC, but performance will be suboptimal, compared to that of the larger units. When storage units are configured in DCD, expected performance is predicted based on the volume size (Inspector > Settings). For storage volumes of more than 600 GB the performance is capped at the maximum as specified in the documentation above.

Limitations

IONOS is focused on ensuring the uninterrupted and cost-efficient operation of your services. This is why we offer a selection of tested operating systems for immediate use in your virtual cloud instances. To ensure uninterrupted, secure, and stable performance, all operating systems, regardless of their source, should meet the following requirements:

• VirtIO drivers are essential for the operation of virtual network cards.

• The following are the recommended drivers for the operation of virtual storage:

  • VirtIO (maximum performance)

  • IDE (for vStorage, an alternative connection by IDE is available, but it will not deliver the potential performance offered by IONOS).

  • QXL drivers are required to use the Remote Console.

• We guarantee operation for the selected operating system as long as vendor or upstream support is available.

• In general, all current Linux distributions and their derivatives are supported.

• Microsoft Windows Server versions are also supported as long as vendor support is available.

The older an OS version, the greater the risk of performance and stability losses. It is recommended that you always switch to the current versions well before the manufacturer's support for your old version expires. This will greatly improve your operating system's security and functionality.

When operating software appliances, it is recommended that you use the images that have been specially prepared for the KVM hypervisor.

If you are using special software appliances or operating systems that are not listed here, contact IONOS Cloud Support. We would be happy to explore the possibility of using such systems within the IONOS Enterprise Cloud and advise you on the best possible implementation.

IONOS as a leading public cloud service provider recognizes the crucial role of adaptability and security in today's ever-evolving market. Red Hat Enterprise Linux (RHEL) stands out for its robust security features and unwavering reliability, making it ideal for hybrid and multi-cloud environments. With RHEL, seamless workload migration, simplified management, and enhanced visibility pave the way for smooth transitions from development to production across public, private, and hybrid cloud landscapes. This combination of flexibility and reliability empowers our customers to uphold existing skills, standards, and best practices while efficiently deploying applications for your customers both in the cloud and on-premises.

The existing pricing model for RHEL in public cloud settings was initially established in 2011. Since then, cloud adoption has accelerated, and the pricing structure, based on the size of the cloud instance, has remained unchanged. To accommodate the evolution of cloud services and their varying instance sizes, Red Hat has embarked on a modernization journey, transitioning from the dated two-tiered pricing system ("small" and "large") to a more flexible and modular approach.

In response to the expanding array of flexible instance sizes offered by cloud providers, the new RHEL pricing model now scales based on vCPU or Core count, aligning with the prevalent pricing model for cloud Virtual Machines (VMs) and software. This strategic shift aims to better address the diverse requirements of partners and customers operating in the public cloud arena. At the core of this transformation is a commitment to enhancing the user experience and optimizing pricing structures in line with industry trends and customer needs.

This documentation guides you through the changes and ensures a seamless transition. Subsequent topics will delve deeper into the specifics of the subscription model alterations.

What are the details of the subscription model change?

The previous pricing structure featured a two-tiered system that categorized VMs as either "small" or "large" based on the number of cores, or vCPUs, with fixed prices assigned to each category regardless of the VM's actual size. The duration of VM allocation determined subscription fees, as the number of cores or vCPUs did not influence the pricing, resulting in a capped cost for RHEL subscriptions.

In the new subscription model, while retaining a similar approach, VM size becomes a key factor in determining subscription costs, making the pricing model more modular. Unlike before, the cost of a subscription will no longer be capped. The revamped model introduces a three-tier pricing system that classifies VMs as "small," "medium," or "large," based on the number of cores, or vCPUs. Each category is associated with a price per vCPU or core rather than per VM. This results in a calculation that multiplies the price by the size category and the number of vCPUs or cores, and the duration of VM allocation.

How are the new RHEL subscription fees calculated?

As previously mentioned, Red Hat has introduced a pricing mechanism that adjusts according to the number of vCPUs or cores allocated to a VM. Consequently, the subscription price now directly correlates with the resources utilized. The new three-tier pricing model offers discounts per vCPU or cores for larger instances.

The updated pricing structure brings about two notable outcomes. In particular, subscription fees for smaller instances can decrease as charges are based on consumed resources rather than a fixed rate. On the contrary, pricing now scales without any limitations, potentially leading to significant costs, especially for larger instances.

For detailed insights and cost estimations, the table below represents various configuration examples and cost calculations in Euro (€). Calculations are done on a monthly basis (30 days = 720 hours). Please ensure to confirm pricing details specific to your currency by referencing the updated price list corresponding to your regional IONOS entity.

Which services are affected by the RHEL subscription model change?

IONOS offers RHEL versions 8 and 9 as public images across all locations, with the new subscription structure applying to both versions.

These public images are compatible with IONOS Compute Engine featuring dedicated cores and vCPUs, as well as IONOS Cubes with exposed vCPUs. The updated subscription model is standardized across all types of compute resources, whether dedicated cores or vCPUs, aligning with the pricing outlined in the current price lists.

Additionally, IONOS maintains a Red Hat Update Infrastructure (RHUI) to facilitate update and patch requests for RHEL workloads deployed within the IONOS Public Cloud. The use of the IONOS RHUI service for update management remains complimentary and will continue to be offered without any additional charges.

When does the new RHEL subscription model become effective?

Red Hat has provided a transition window for partners to adjust to the new subscription model. IONOS has opted to implement the transition to the updated subscription model by August 1, 2024. Until July 31, 2024, the existing subscription model and prices will continue to apply to all provisioned workloads.

Which steps do you need to take to address your RHEL workloads?

No action is needed on your part concerning your RHEL workloads. The transition to the new RHEL subscription model is a commercial adjustment, handled seamlessly by IONOS through our billing services.

Your RHEL workloads will operate without disruption. There is no requirement for you or IONOS to make any modifications to your VM settings or infrastructure setup in response to the subscription model change. No alterations to deployment scripts or automation processes are necessary. You can continue to utilize IONOS services for deploying and managing your workloads as usual.

What are the options to manage RHEL subscription costs?

With the removal of cost caps in the new subscription model, factoring in the actual VM size becomes crucial, recommending a deeper dive into infrastructure planning to explore avenues for enhanced cost efficiency.

With the evolving subscription structure where costs may vary based on VM size, we recommend an evaluation of your VM sizing strategy to drive optimal cost-effectiveness. Highlighted by the illustrative calculations in the above table, smaller instances stand to gain advantages from this updated model, offering fairness by accommodating individual sizing requirements and favoring compact deployments.

One strategy to optimize expenses involves distributing workloads across multiple smaller VMs rather than consolidating them into a few large deployments.

While this approach suits many scenarios, it may not align with all workloads. Consider evaluating if instance performance optimization is feasible. For instance, transitioning from a Compute Engine based on vCPUs to one based on Dedicated Cores can offer dedicated power to workloads, potentially leading to reduced number of dedicated cores requirements and subsequently lowering subscription costs.

IONOS provides a variety of operating system block storage images and different versions of it that are ready to be used on any block storage type.

All images get updated frequently to include the latest updates, patches, and security fixes. IONOS will not inform about image updates separately. Once a new patch or update is provided, a new image is built and provided while the previous version is removed from the software catalog. The currently available version number is displayed in the image name that you can retrieve from the image selection within the block storage selection.

For more information about using public images for your Block Storage, see Set Up a Block Storage.

Available operating system images

The following list provides an overview of the operating systems and their corresponding distributions supplied by IONOS.

Open Source Linux

• Alma Linux

• CentOS Linux (deprecation announced for June, 30th 2024)

• Debian Linux

• Rocky Linux

• Ubuntu Linux

Enterprise Linux

• Red Hat Enterprise Linux. For more information, see Red Hat Enterprise Linux.

Microsoft Server

• Microsoft Windows Server

IONOS is a certified partner of Red Hat and is entitled to offer and operate Red Hat Enterprise Linux (RHEL) within the IONOS public cloud.

Compatible versions

Currently, the entitlement is valid for RHEL 8 and RHEL 9 public images that IONOS provides.

Red Hat subscription

Currently, IONOS does not provide any Bring-Your-Own-Subscription (BYOS) option for subscription-based operating systems like Red Hat Enterprise Linux. You still need an IONOS subscription if you want to use your images. IONOS will charge you each time a Virtual Machine (VM) boots from the private RHEL image. For more information about the charges, see Block Storage FAQs.

Please ensure not to subscribe to or unsubscribe from sources of third-party subscription services to avoid duplicate charges for your Red Hat VM deployment. The subscription fee also includes access to the IONOS Red Hat Update Infrastructure (RHUI) instance.

IONOS Red Hat Update Infrastructure (RHUI)

IONOS operates its own instance of a Red Hat Update Infrastructure (RHUI). It is accessible by all public IONOS IP addresses. IONOS public RHEL images are preconfigured to access the IONOS RHUI setup as long as the VM has access to the internet.

With the entitlement, RHUI enables IONOS to provide the following services to end-users with an RHEL deployment:

• Mirror repositories hosted by Red Hat.

• Provide repositories with custom content supplied by IONOS.

• Publish content to VMs running RHEL workloads.

Select an RHEL image

An RHEL image supplied by IONOS can be selected and configured like any other Linux-based public image. You can define the root password and specify SSH keys during provisioning. For more information about how to use RHEL images for your Block Storage, see Set Up a Block Storage.

Access internet

You can access the internet using one of the following options when the VM contains a network interface:

• that is connected to a public LAN. The network interface has a public IP address. If you have a firewall configured, you may need to allow access to the subscription endpoint and service port.

• that is connected to a private LAN which is capable of accessing a Managed NAT Gateway. The NAT Gateway must be configured to access the public internet endpoint of the subscription service.

• that is connected to a private LAN containing other VMs that could act as a proxy to the public internet. Connectivity must be configured manually via the routing settings within the VM.

Access information for the IONOS RHUI service

This section is in creation and IONOS apologizes for any inconvenience this may cause. Please contact the IONOS Cloud Support for any information.

You can migrate your images into the IONOS cloud infrastructure by uploading them via the FTP. For more information, see Block Storage FAQs. Your IONOS account supports many types of block storage images as well as ISO images, using an emulated CD-Rom drive, from which you can install an operating system or software directly.

Image types

The following image types are supported; hence, you can upload any of these:

FTP access endpoints

The list below contains the FTP access endpoints for corresponding locations:

Alternatively, you can also find the FTP addresses on the DCD. To retrieve the details, log in to the DCD with your credentials, and click:

• Menu > Help (Question Mark icon) > FTP Image Upload

• Menu > Management > Images & Snapshots > FTP Upload Image

License

Currently, IONOS does not support the Bring-Your-Own-License (BYOL) option for license or subscription based operating systems like Microsoft Windows Server or Red Hat Enterprise Linux. If you want to use one of these two options for private images, IONOS will still grant you the license and charge you when a virtual machine boots from the private image.

Private image authentication

Private images inherit the same authentication defined during their creation. Therefore, the option to set an administrator password or apply an SSH key is not displayed when using a private image.

You can create snapshots from provisioned block storage volumes only. It includes the authentication you specified during the creation of the snapshot. IONOS does not modify snapshots at any time. If you want to change the authentication configurations, we recommend doing it before reusing the snapshot on a new block storage device.

Upload an image via the FTP

IONOS offers you FTP access to each data center location so you can upload your own images. Access to images is location-specific, meaning if you have uploaded an image from location A, it can be accessed only from that specific location. You can also set access rights to only allow authorized users to access and use them. Only images and snapshots to which you have access are displayed.

To upload an image, follow these steps:

1. Log in to the DCD with your username and password.

2. Go to either of the following:

   • Menu > Help (Question Mark icon) > FTP Image Upload.

   • Menu > Management > Images & Snapshots > FTP Upload Image.

1. Set up a connection from your computer to the IONOS FTP server. You can use an FTP client such as FileZilla or tools from your operating system to establish a connection. Enter the following details:

   • Protocol: Select FTP - File Transfer Protocol from the drop-down list.

   • Host: Paste the appropriate FTP server address to the corresponding IONOS data center location. For example, ftp-txl.ionos.com for Berlin.

   • Encryption: Select Require explicit FTP over TLS to establish a connection. Upon selecting this option, the FTP client connects securely to the data center location using port 21, which is the default.

   • Port: By default, the client-to-server connection is established over port 21 for the specified encryption.

   • User: Enter your IONOS username to establish a secure client-to-server connection.

   • Password: Enter your IONOS password to authenticate your credentials in order to establish a client-to-server connection.

2. Upload the image.

3. The image is changed to a RAW format after upload. As a result, dynamic HDD images are always used at their maximum size. A dynamic image, for example, whose file size is 3 GB but which comes from a 50 GB hard disk, will be a 50 GB image again after conversion to the IONOS format. The conversion process generally takes a few minutes based on the size of your image.

Alternatively, you can also use the IonosCTL CLI to upload images directly from the command line to the FTP server using the FTP over TLS (FTPS) setting. Note that the option can be used only if 2-Factor Authentication is disabled for your IONOS account.

Establish an FTP connection to upload images via the Windows Explorer

In Windows 10, you can upload an image, without additional software. To establish an FTP connection, follow these steps:

1. Open Windows Explorer.

2. Select Add a network location from the context menu.

3. Enter the IONOS FTP address as the location of the website. Example: ftps://ftps-fkb.ionos.com. An image is only available at the location where it was uploaded.

4. Select Log on anonymously in the next dialog box that appears.

5. Enter a name for the connection in the following dialog box. The name will later be visible in Windows Explorer. Example: upload_fkb.

6. Click Finish to confirm your action.

Upload your image through the established FTP connection

1. Open the FTP access on your local computer.

2. In the login dialog box, enter the credentials of your IONOS account.

3. Copy the image from your local computer and paste it to a folder in the data center. The image type must be, either HDD or iso.

Access and manage a private image

After completing the upload and conversion process, you can manage your uploaded images via the DCD.

To access and manage your images, follow these steps:

1. Log in to the DCD with your username and password.

2. Go to the Menu > Management > Images & Snapshots.

3. Modify the following details, if necessary:

   • Name: Rename the image, if required.

   • Live Vertical Scaling: Enable this option if your image supports live vertical scaling, so that the Virtual Machine (VM) boots from this image.

   • License Type: Specify the license type of the image that will be propagated to the VM when booting from this image.

Delete a private image

You can delete your private image if you no longer need it, thus saving resources.

To delete an image, follow these steps:

1. Log in to the DCD with your username and password.

2. Go to the Menu > Management > Images & Snapshots.

3. Open the Image tab and select the private image you would like to delete.

4. Click Delete.

5. In the dialog that appears, confirm your action by entering your password and clicking OK.

Overview

Snapshots are images generated from any block storage that have already been provisioned. You can use snapshots on any block storage type, regardless of the storage type from which the snapshot was created.

You can also use snapshots for other storages. This feature is useful, for example, if you want to quickly roll out multiple Virtual Machines (VMs) with the same or similar configuration or when you need a recovery point.

You can create snapshots from provisioned Hard Disk Drive (HDD) and Solid-State Drive (SSD) storages, regardless of the underlying storage type (HDD or SSD). After creation, a snapshot utilizes the complete HDD storage space assigned to your IONOS account. Therefore, ensure that you have enough HDD quotas available before you create a snapshot.

A snapshot covers the entire capacity of the block storage device. It will also contain the volume part with no data written to it. For example, if you have a block storage with a volume of 100GiB containing 10GiB of data written to it and the remaining volume is empty, the snapshot will still be for the entire 100GiB volume. Consequently, a new block storage volume must at least be the same size as the snapshot. If the new block storage volume is large, you may need to extend the partition manually after booting the VMs and mounting the respective volume to the VM.

Snapshots are not incremental. Each snapshot is a separate instance representing the state of the source block storage device during the snapshot creation.

Snapshots can be shared with groups so that the users in that specific group can receive access to the snapshot. However, snapshots are limited to use only at the data center location where they were originally created. They can be utilized in several Virtual Data Centers (VDCs) as long as they operate at the exact data center location as the snapshot creation.

Snapshots have no usage quota and can be used as often as you want. Furthermore, snapshots do not have a retention period; hence, they are not deleted automatically.

Prerequisite

Only contract administrators, owners, and users with the Create Snapshot permission can create a snapshot. Ensure that you have the necessary permission and sufficient memory available.

Snapshot authentication

You can create snapshots from provisioned block storage volumes only. It includes the authentication you specified during the creation of the snapshot. IONOS does not modify snapshots at any time. If you want to change the authentication configurations, we recommend doing it before reusing the snapshot on a new block storage device.

Create a Snapshot

You can create snapshots from any provisioned block storage, regardless of the underlying storage type. After creation, a snapshot utilizes the complete HDD storage space assigned to your IONOS account. Therefore, ensure that you have enough HDD quotas available before you create a snapshot.

The VM can be switched on or off when creating a snapshot. If you want to ensure that data that is still in the RAM of the VM is included in the snapshot, it is recommended that you synchronize the data (with sync under Linux) or shut down the guest operating system (with shutdown -h now under Linux) before creating the snapshot.

To create a snapshot, follow these steps:

1. Open the required data center.

2. (Optional) Shut down the server. Creating a snapshot while the server is running takes longer.

3. Open the context menu of the storage element and select Create Snapshot.

4. (Optional) Change the name and the description of the snapshot.

5. Click Create Snapshot to start the process.

Delete a Snapshot

If you no longer need a snapshot and want to save your resources, you can delete it. You cannot restore a snapshot after it is deleted.

To delete a snapshot, follow these steps:

1. Log in to the DCD with your username and password.

2. Go to Menu > Management > Images & Snapshots.

3. Open the Snapshots tab and select the snapshot you would like to delete.

4. Click Delete.

5. In the dialog that appears, confirm your action by entering your password and clicking OK.

Which virtualization technology does IONOS use?

IONOS systems are built on Kernel-based Virtual Machine (KVM) hypervisor and libvirt virtualization management. We have adapted both of these components to our requirements and optimized them for the delivery of diverse cloud services, with a special focus on security and guest isolation.

Which images can I import?

Some software images are only designed for certain virtualization systems. Without VirtlO drivers, VM will not work properly with the hypervisor. You can set the storage bus type to IDE temporarily to install the VirtlO drivers.

How do I install VirtIO drivers for Windows?

For a Windows VM to work properly with our hypervisor, VirtI/O drivers are required.

• Install Windows using the original IDE driver

  You can now install the VirtIO drivers from the ISO provided by IONOS.

• Add a CD-ROM drive to your server

• Select the windows-virtio-driver.iso ISO

• Boot from the selected ISO to start the automatic installation tool

  You can now switch to VirtIO.

For more information, see Install Windows VirtIO drivers.

Can I run a virtualization platform on a Dedicated Core Server?

Our hypervisor informs the guest operating system that it is located in a virtualized environment. Some virtualized systems do not support virtualized environments and cannot be executed on an IONOS Dedicated Core Server. We generally do not recommend using your virtualization technology in virtual hosts.

How do I upload my images with FTP?

You can upload your images to the FTP server in your region. The available regions are:

The DCD also lists the FTP addresses on the following pages:

• Menu > Help (Question Mark icon) > FTP Image Upload.

• Menu > Management > Images & Snapshots > FTP Upload Image. For more information, see Private Images.

Why I cannot select the images I uploaded?

Your own images are only available in the region where you uploaded them. Accordingly, only images located in the same region as the virtual data center are available for selection in a virtual data center. For example, if you upload an image to the FTP server in Frankfurt, you can only use that image in a virtual data center in Frankfurt.

Can I use an encrypted connection for FTP uploads?

We strongly recommend that you select FTPS (File Transfer Protocol with Transport Layer Security) as the transfer protocol. This can easily be done using "FileZilla", for example. Simple FTP works as well, but your access data is transmitted in plain text.

Why are image files in the FTP account 0 bytes in size?

After a file has been uploaded to the FTP server, it is protected from deletion, converted, and then made available as an image. When this process is finished, the file size is reduced to 0 bytes to save space but left on the FTP server. This is to prevent a file with the same name from being uploaded again and interfering with the processing of existing images. If an image is no longer needed, contact IONOS Cloud Suppport.

How do I delete snapshots?

Snapshots that you no longer need can be deleted in the Image Manager.

For more information, see Delete a snapshot.

Which images support Live Vertical Scaling (LVS)?

Live Vertical Scaling is supported by all our images. Please note that the Windows OS only allows CPU core scaling.

Can I connect one storage device to multiple servers?

It is not possible to connect multiple servers to one storage device, but you can connect multiple servers in a network without performance loss.

Which image types are supported?

IONOS Cloud allows the customer to upload their own images to the infrastructure via upload servers. This procedure is to be completed individually for each data center location. IONOS Cloud optionally offers transmission with secure transport (TLS). The uploading of HDD and CD-ROM/DVD-ROM images is supported. Specifically, the uploading of images in the following formats is supported:

CD-ROM / DVD-ROM:

• *.iso ISO 9660 image file

HDD Images:

• *.vmdk vmware HDD images

• *.vhd, *.vhdx HyperV HDD images

• *.cow, *.qcow, *.qcow2 Qemu HDD images

• *.raw binary HDD image

• *.vpc VirtualPC HDD image

• *.vdi VirtualBox HDD image

How do I change the Availability Zone of a storage device?

Once a storage device is provisioned, it is not possible to change its Availability Zone. You could, however, create a snapshot and then use it to provision a storage device with a new Availability Zone.

For more information, see Availability Zones.

Does IONOS support RHEL images? What are the charges?

Yes, IONOS is authorized to provide and operate Red Hat Enterprise Linux within the IONOS public cloud infrastructure.

As this is a paid Linux distribution, IONOS charges a certain fee for the usage of IONOS RHEL images. The following table lists the charges.

With IONOS Cloud Block Storage, you can quickly provision Dedicated Core Servers, vCPU Servers, Cloud Cubes, and other Infrastructure-as-a-Service IaaS offerings. Refer to our user guides and FAQs to support your hosting needs.

Block Storage also supports images and snapshots. Images are further classified into public and private images. IONOS contains a collection of different types of public images that can be instantly used or you can also upload your private images via the File Transfer Protocol (FTP). You can also create snapshots of provisioned block storages and in turn, use them for storage purposes.

Product Overview

Get an overview of Block Storage, supported storage types, and images and snapshots.

Recommended How-Tos

Get started with Block Storage via the DCD.

Developer Tools

Get started with Block Storage via the tools.

Frequently Asked Questions

Overview

Cloud-init is a software package that automates the initialization of servers during system boot. When you deploy a new Linux server from an image, cloud-init gives you the option to set default user data.

User data must be written in shell scripts or cloud-config directives using YAML syntax. You can modify IONOS cloud-init's behavior via user-data. You can pass the user data in various formats to the IONOS cloud-init at launch time. Typically, this happens as a template, a parameter in the CLI, etc. This method is highly compatible across platforms and fully secure.

Compatibility: This service is supported on all public IONOS Cloud Linux distributions. You may submit user data through the DCD or via Cloud API. Existing cloud-init configurations from other providers are compatible with IONOS Cloud.

Limitations: Cloud-init is available on all public Linux images supplied by IONOS Cloud. If you wish to use your own Linux image, please make sure that it is cloud-init supported first. Otherwise, there is no guarantee that the package will function as intended. Windows images are currently out of scope; adding them may be considered at a later stage.

Provisioning: Cloud-init can only be set at initial provisioning. It cannot be applied to instances that have already been provisioned. Settings cannot be changed once provisioned.

Laptops: When using a laptop, scroll down the properties panel of the block storage volume that you want to create and configure, as additional fields are not immediately visible on a small screen. Clout-Init may only become visible when an supported image has been selected.

Supported user data formats

The following table demonstrates the use of cloud-config and user-data scripts. However, the cloud-init package supports a variety of formats.

Configuring user data via the DCD

1. Log in to the DCD with your username and password.

2. In the Workspace, create a new virtual instance and attach any storage device to it.

3. Select the storage device and from the Inspector pane associate an Image with it.

   • To associate a private image, select Own Images from the drop-down list.

   • To associate a public image, select IONOS Images from the drop-down list. Once you choose an image, additional fields will appear in the Inspector pane.

1. Enter a Password. It is required for Remote Console access. You may change it later.

2. (Optional) Upload a new SSH key or use an existing file. SSH Keys can also be injected as user data utilizing cloud-init.

3. (Optional) Add a specific key to the Ad-hoc SSH Key field.

4. Select No configuration for Cloud-Init user data and the Cloud-Init User Data window appears.

5. Enter your User Data either using a bash script or a cloud-config file with a YAML syntax. For sample scripts, see Use shell scripts, Use cloud-config directives, and Configure user data via API.

1. To complete setup, return to the Inspector pane and click Provision Changes.

Use shell scripts

Using shell scripts is an easy way to bootstrap a server. The code creates, installs, and configures our CentOS web server in the following example. It also rewrites the default index.html file.

#!/bin/bash
# Use this for your user data (script from top to bottom)
# install httpd (Linux 2 version)
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html

To test if the cloud-init bootstrapped your VM successfully, you can open the corresponding IP address in your browser. You will be greeted with a “Hello World” message from your web server.

Use cloud-config directives

You can also bootstrap cloud-init images using cloud-config directives. The cloud-init website outlines all the supported modules and provides examples of basic directives.

Example 1: Create a swap partition

The following script is an example of how to create a swap partition with second block storage using a YAML script:

#cloud-config
fs_setup:
  - label: mylabel
    device: /dev/vda
    filesystem: ext4
  - label: swap
    device: /dev/vdb
    filesystem: swap
mounts:
- [ /dev/vda, /, ext4, defaults, 0, 0 ]
- [ /dev/vdb, none, swap, sw, 0, 0 ]

Example 2: Resize the file system

The following script is an example of how to resize your file system according to the chosen size of the block storage. It will also create a user with an SSH key using a cloud-config YAML script:

#cloud-config
resize_rootfs: True
users:
  - name: pb-user
    gecos: Demo User
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
    ssh_import_id: None
    lock_passwd: true
    ssh_authorized_keys:
      - ssh-rsa AAAA...

Output log files

The cloud-init output log file (/var/log/cloud-init-output.log) captures console output. Depending on the default configuration for logging, a second log file exists within /var/log/cloud-init.log. This provides a comprehensive record based on the user data.

Configure user data via API

The cloud API offers increased convenience if you want to automate the provisioning and configuration of cloud instances. Enter the following details:

• Name: Enter the userData.

• Type: Enter the type in the form of a string.

• Description: The cloud-init configuration for the volume as base64 encoded string. The property is immutable and is only allowed to be set on a new volume creation. It is mandatory to provide either public image or imageAliasthat has cloud-init compatibility in conjunction with this property.

Cloud-init is configured on the volume resource for cloud API V6 or later versions. For more information, see CLOUD API (6.0).

Curl example

The following script is an example of how to configure userData using curl:

curl --include \
     --request POST \
     --user '<user:password>' \
     --header "Content-Type: application/json" \
     --data-binary '{
         "properties": {
             "name": "Server-01",
             "ram": 2048,
             "cores": 1,
             "availabilityZone": "ZONE_1",
             "cpuFamily": "INTEL_SKYLAKE"
         },
         "entities": {
             "volumes": {
                 "items": [ {
                    "properties": {
                      "size": 10,
                      "type": "HDD",
                      "name": "Server-01_HDD",
                      "image": "bf4d1400-b48d-11eb-b9b3-d2869b2d44d9",
                      "imagePassword": "<pAsSW0rD>",
                      "sshKeys": ["<ssh_key>"],
                      "userData": "I2Nsb3VkLWNvbmZpZwoKcGFja2FnZXM6CiAgLSBodHRwZAogIC0gZmlyZXdhbGxkCgpydW5jbWQ6CiAgLSAvYmluL3N5c3RlbWN0bCBlbmFibGUgaHR0cGQKICAtIC9iaW4vc3lzdGVtY3RsIHN0YXJ0IGh0dHBkCiAgLSAvYmluL2ZpcmV3YWxsLW9mZmxpbmUtY21kIC0tYWRkLXBvcnQ9ODAvdGNwCiAgLSAvYmluL3N5c3RlbWN0bCBlbmFibGUgZmlyZXdhbGxkCiAgLSAvYmluL3N5c3RlbWN0bCBzdGFydCBmaXJld2FsbGQKICAtIGxvYWRrZXlzIGRlCgp3cml0ZV9maWxlczoKLSBjb250ZW50OiB8CiAgICA8IURPQ1RZUEUgaHRtbD4KICAgIDxodG1sPgogICAgICA8aGVhZD4KICAgICAgPC9oZWFkPgogICAgICA8Ym9keT4KICAgICAgICA8cD5XZWxjb21lIHRvIHlvdXIgbmV3IHdlYiBzZXJ2ZXIuPC9wPgogICAgICA8L2JvZHk+CiAgICA8L2h0bWw+CiAgcGF0aDogL3Zhci93d3cvaHRtbC9pbmRleC5odG1sCgpmaW5hbF9tZXNzYWdlOiAiVGhlIHN5c3RlbSBpcyBmaW5hbGx5IHVwLCBhZnRlciAkVVBUSU1FIHNlY29uZHMiCg=="
                    }
                 } ]
             },
             "nics": {
                 "items": [ {
                    "properties": {
                      "name": "NIC001",
                      "dhcp": true,
                      "lan": 1
                      }
                    } ]
             }
        }
        }' \
 https://api.ionos.com/cloudapi/v6/datacenters/<datacenter_id>/servers

Data is stored in blocks of equal sizes in the IONOS cloud known as Block Storage. It provides endless possibilities to store large amounts of data. It ensures the safety of resource planning systems and offers prompt and instant access to the necessary quantity of data.

Prerequisites

Make sure you have the appropriate privileges. Only contract owners, administrators, or users with the Create Data Center privilege can set up a Virtual Data Center (VDC). Other user types have read-only access and cannot provision changes.

Recommended How-Tos

IONOS offers a wide range of readily available public images that you can use instantly. In addition, you can also use your private images by uploading them into the IONOS Cloud infrastructure via the File Transfer Protocol (FTP). Your IONOS account supports numerous block storage and ISO image types using an emulated CD-ROM drive, from which you can install an operating system or software directly.

Furthermore, you can create snapshots of provisioned block storage. Each snapshot is a separate instance, representing the state of the source block storage device while capturing the snapshot.

For Linux images, IONOS supports Cloud-Init to automate software package installations and instance configurations.

Recommended How-Tos

Get started with images and snapshots via the DCD.

Storage space is added to your by using storage elements in your . Storage name, availability zone, size, OS image, and boot options are configurable for each element.

Add Storage to a Server or a Cube

1. Drag a storage element ( or ) from the Palette onto a Server or a Cube in the Workspace to connect them together. The highlighted VM will expand with a storage section.

2. Click the Unnamed HDD Storage to highlight the storage section. You can now see new options in the Inspector on the right.

Configure Storage

1. Enter a name that is unique within your VDC.

Authentication

1. Set the root or administrator password for your server according to the guidelines. This is recommended for both operating system types

3. Copy and paste the public part of your SSH key into this field.

4. Select the storage volume from which the server is to boot by clicking on BOOT or Make Boot Device.

Alternative Mode

• When adding a storage element using the Inspector, select the appropriate check box in the Add Storage dialog box. If you wish to boot from the network, set this on the server: Server in the Workspace > Inspector > Storage.

• (Optional) Add and configure further storage elements.

• (Optional) Make further changes to your data center.

• Provision your changes.

Add a CD-ROM drive

To assign an image and specify a boot device, you need to add and configure a storage element.

• Click on CD-ROM to add a CD-ROM drive so that you can use ISO images to install and configure an operating system from scratch.

• Set up a network by connecting the server to other elements, such as an internet access element or other servers through their NICs.

• Provision your changes.

Delete Storage

When you no longer need snapshots or images, you should remove them from your cloud infrastructure to avoid unnecessary costs. For backup purposes, you can create a snapshot before deleting it.

1. In the Workspace, select the storage device you wish to delete.

2. Open the context menu of the element and select Delete.

3. (Optional) Select the element and press the DEL key.

4. Provision your changes.