Hierarchy of Cloud Integration Needs
At the most basic level, the foundation service provides you with an account or project in one of the 3 public cloud providers with integration to the campus. With this account, you’re free to use the provider services with limited exceptions. You also are responsible for maintaining appropriate security and operational controls for the applications you place in that account.
- Purchasing: Standard Contracts will be established with the 3 major cloud providers (and perhaps others later) that provide for support and some level of discounting based on the overall University usage.
- Billing: Research Computing will make sure your bill gets charged to your speedtype and that you have access to the billing information in order to analyze the costs of your public cloud infrastructure.
- Login/Authentication: You will be able to use Identikey to log in to the cloud console and command line tools. To the extent possible you will be able to manage your own access groups through Grouper.
- Networking: Research Computing will establish VPN or other network links that allow public cloud resources to be treated as though they were behind the border firewall and to access on-campus resources.
- Security Controls: Basic security policies will be implemented in the account to assist you in complying with University security policy. These provide an initial starting point for implementing security controls. If you choose to disable or alter this initial setup, you will be responsible for implementing the control in another way.
We expect to provide these baselines across a few different dimensions (these are just examples) - at this point this is a bit of a straw man and we expect this to be refined as we progress in building out this service.
| Public Cloud | Data Classification/Type | Networking Configuration |
|---|---|---|
| AWS | Public | Cloud Only |
| Azure | High Impact | Campus Only |
| GCP | Public | Hybrid (Internet facing,but with backend access to campus behind the border firewall) |
Requesting Service
New AWS Accounts: Requests for new accounts can be submitted to rc-help@colorado.edu
At this time OIT is not providing Azure subscriptions or GCP projects but those are on the roadmap and we will update as we're able.
Steps in the New account process
- Establish an estimated spend and period of use (often 1 year) - this can be done based on a project budget or based on an initial architecture - Cloud Broker team can help with this estimate as needed
- Vendor quote obtained based on estimate
- PO request submitted
- Account created and foundational baseline deployed
- Handoff of administrative logins to the account to the customer (includes admin rights to a Grouper access group for adding others as needed)
- PO created and associated with the account
- Scheduled Cost summary emails created for the customer
Decommission AWS Account - Requests to decommision accounts can be submitted to rc-help@colorado.edu