Pointing IPs and CNAMEs outside LBL space (in the cloud) can help Berkeley Lab projects make the best use of external resources. However, there are risks associated with making outside systems appear to be within LBL control.


All externally facing CNAMEs and other IP records must be approved and must have short TTLs (30 minutes / 1800 seconds) to facilitate redirection in the event of a security issue.

Category 1:
  1. Points to any LBL domain name (,, etc)
  2. Points to any UC campus (,, etc)
  3. Points to another national laboratory (e.g., etc)
  4. Requested by an IT Division Service Owner for a pilot or production service approved by management (e.g. Cloudflare, Sectigo, etc)
  5. Points to the LBL controlled hosting environments at ghs.googlehosted.com [1],, or

    Note: The LBL controlled hosting environments at contains these subdomains as of August 2020: als, ameriflux, berkeleylab, biosciences, biosciences2, climatemulti, csarea2, eesa2, ehsd, esd, etalbl, intranet4lbnl, jbei, jgi, lbldedicated, lblcs, lblabf, lbldedicated, lbldir, lbldir2, lblensci, lblfluxnet, lblfoundry, lblinternal, lbleta, lbleta2, lblinternal, lblmain, lblopenid, lblops, lblops2, lblops3, lblops4, lblsci, lblsci2, lblstatic, lblvhosts, lblwww2, msdiv, physci, physci2, tough, uho, wwwdev

[1] The domain is different from and is considered Category 2.

Category 2:
Approved by Cyber Security

Anything that does not fall into Category 1.

Cloudflare is required for Category 2 web servers. Cyber Security will work with the requester to determine the appropriate risk and additional. 

If you are the requester, please fill out our "Cloud Hosting Request Form" based on Cloud Services - Cyber Controls.
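The TTL and category rules above can be checked mechanically against zone data. The following audit sketch is an added example, not Berkeley Lab tooling: every domain in it except ghs.googlehosted.com is a constructed placeholder, the sample records are constructed, and it covers CNAME records only. It assumes records whose target stays inside the lab's own zone are out of scope.

```python
MAX_TTL = 1800  # 30 minutes, the limit stated in the policy

INTERNAL_ZONE = "lab.example"  # assumption: placeholder for the lab's own zone
CAT1_SUFFIXES = ("campus.example", "otherlab.example")  # assumption: placeholders
CAT1_EXACT = {"ghs.googlehosted.com"}  # hosting target named on the page

SAMPLE_ZONE = """\
; constructed sample records: name TTL class type target
docs.lab.example.  1800  IN CNAME ghs.googlehosted.com.
shop.lab.example.  86400 IN CNAME store.vendor.example.
wiki.lab.example.  3600  IN CNAME www.campus.example.
app.lab.example.   300   IN CNAME ghs.googlehosted.com.cdn.example.
www.lab.example.   86400 IN CNAME web1.lab.example.
"""

def norm(name):
    return name.rstrip(".").lower()

def in_domain(host, domain):
    # Match on a label boundary so "notcampus.example" != "campus.example".
    return host == domain or host.endswith("." + domain)

def classify(target):
    """Return 1 for an allowlisted (Category 1) target, otherwise 2."""
    t = norm(target)
    # The hosting target is matched exactly: a similar-looking name, or one
    # that merely starts with the allowlisted string, stays Category 2.
    if t in CAT1_EXACT or any(in_domain(t, s) for s in CAT1_SUFFIXES):
        return 1
    return 2

def audit(zone_text):
    """Classify each externally pointing CNAME and check its TTL."""
    findings = []
    for line in zone_text.splitlines():
        parts = line.split(";", 1)[0].split()  # drop comments, tokenize
        if len(parts) != 5 or parts[3].upper() != "CNAME":
            continue
        name, ttl, _cls, _type, target = parts
        if in_domain(norm(target), INTERNAL_ZONE):
            continue  # target stays inside the zone: out of scope here
        findings.append({"name": norm(name), "category": classify(target),
                         "ttl_ok": int(ttl) <= MAX_TTL})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ZONE):
        note = "ok" if f["ttl_ok"] else "TTL exceeds %d s" % MAX_TTL
        print("%-18s Category %d  %s" % (f["name"], f["category"], note))
```

A Category 2 result means the record needs Cyber Security approval under the policy; a failed TTL check applies regardless of category.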

