External CNAME Requirements
Pointing IPs and CNAMEs outside LBL space (in the cloud) can help Berkeley Lab projects make the best use of external resources. However, there are risks associated with making outside systems appear to be within LBL control.
All externally facing CNAMEs and other IP records must be approved and must have short TTLs (30 minutes) to facilitate redirection in the event of a security issue.
1. Approved by LBLnet (LBLnet notifies Cyber Security)
- Points to any LBL domain name (NERSC, es.net, jgi, etc.)
- Points to any UC campus (*.berkeley.edu, *.ucdavis.edu)
- Points to another national laboratory
- Points to the LBNL-controlled hosting environments at ghs.googlehosted.com or wpengine.com
- Requested by an IT Division Service Owner for a pilot or production service approved by management (e.g. Google, Zimride, Status, etc.)
2. Approved by Cyber Security
Anything that does not fall into Category 1.
Cyber Security will work with the requester to determine the appropriate risk and controls per.
If you are the requester, please fill out our "Cloud Hosting Request Form" based on Cloud Services - Cyber Controls.