Manage approved locations for machine groups

This topic provides information about the approved locations for machine groups in CloudLink Center.

It is sometimes necessary to limit data access by location. Data sovereignty regulations might mandate that machines containing specific data only reside and run in specific locations or data centers.

CloudLink can validate that a machine is running in an approved VMware vCenter, Microsoft Azure subscription, Microsoft Azure Stack subscription, or Amazon Web Services location. Each approved location is given a unique name, which allows it to be reused across machine groups. For example, you can create an approved location named “US Datacenter” and select it as an approved location for several machine groups. An approved location is built from one or more specific locations at a cloud provider. For example, the VMware vCenter provider allows data centers, clusters, ESXi hosts, or vCenter folders to be specified as an approved location.

When a machine starts up, its location is checked against a list of approved locations for its machine group. If a machine group has no assigned approved locations, then no check is performed. A machine is allowed to start if it belongs to an approved location for its machine group and all key release policies are met. For more information, see CloudLink key release policies.

If a machine starts up and it is not located in an approved location for the machine group, CloudLink Center can automatically power off the machine after a specified duration, or leave the machine powered on.

The location of a machine is periodically checked while it is running to ensure that it has not been moved. A machine is powered off if its location has changed and it is no longer running in an approved location. Machines may also be powered off if you change the approved locations in CloudLink Center. This shutdown limits data exposure in an unapproved location. Every power-off request is recorded as a security event that includes how long the machine may have been running in the unapproved location.

Approved locations are also checked when a machine registers with CloudLink Center. Registration is unsuccessful if the location of a machine is not approved for use within the machine group.
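The decision logic described above (named approved locations shared across machine groups, the "no approved locations means no check" default, the start-up, periodic and registration checks, and the security event that records how long a machine may have run in an unapproved location) is modelled in the following Python. This is an added illustration, not CloudLink code: the page does not show CloudLink Center's API, data model or provider location formats, so every class, field, function name and sample location below is an assumption, and the vCenter clusters are constructed for the demo.

```python
"""Model of approved-location checks for machine groups (added example).

Not CloudLink code: all names, fields and sample locations are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Location:
    """One provider-specific place a machine can run, e.g. a vCenter cluster."""
    provider: str  # assumed values: "vcenter", "azure", "azure_stack", "aws"
    kind: str      # assumed values: "datacenter", "cluster", "host", "folder", ...
    value: str


@dataclass
class ApprovedLocation:
    name: str                 # unique name, so one entry serves many machine groups
    members: List[Location]


@dataclass
class MachineGroup:
    name: str
    approved_locations: List[str] = field(default_factory=list)  # approved-location names
    power_off_after_s: Optional[float] = 300.0  # None: leave an unapproved start powered on


@dataclass
class Machine:
    name: str
    group: str
    placement: List[Location]   # where the machine is observed to run (assumed input)
    key_policies_met: bool = True
    powered_on: bool = False
    started_at: Optional[float] = None
    last_approved_at: Optional[float] = None


@dataclass(frozen=True)
class SecurityEvent:
    machine: str
    action: str
    unapproved_seconds: float   # how long the machine may have run in an unapproved location


Catalog = Dict[str, ApprovedLocation]


def in_approved_location(m: Machine, group: MachineGroup, catalog: Catalog) -> bool:
    """No approved locations assigned to the group means no check is performed;
    otherwise any placement attribute must match a member of a named approved location."""
    if not group.approved_locations:
        return True
    allowed = {loc for name in group.approved_locations for loc in catalog[name].members}
    return any(p in allowed for p in m.placement)


def register(m: Machine, group: MachineGroup, catalog: Catalog) -> bool:
    """Registration fails when the machine is not in an approved location for its group."""
    return in_approved_location(m, group, catalog)


def start(m: Machine, group: MachineGroup, catalog: Catalog, now: float) -> str:
    """Start-up decision: 'denied' (key release policy unmet), 'running',
    'grace' (unapproved, power-off pending) or 'left_on' (unapproved, tolerated)."""
    if not m.key_policies_met:
        return "denied"
    m.powered_on, m.started_at, m.last_approved_at = True, now, None
    if in_approved_location(m, group, catalog):
        m.last_approved_at = now
        return "running"
    return "grace" if group.power_off_after_s is not None else "left_on"


def monitor(m: Machine, group: MachineGroup, catalog: Catalog, now: float) -> Optional[SecurityEvent]:
    """Periodic check. Powers off (and records an event) when a running machine has left
    its approved locations, including when the group's approved list changed, or when an
    unapproved start has exceeded the group's power-off duration."""
    if not m.powered_on:
        return None
    if in_approved_location(m, group, catalog):
        m.last_approved_at = now
        return None
    since = m.last_approved_at if m.last_approved_at is not None else m.started_at
    unapproved_for = now - since
    moved_while_running = m.last_approved_at is not None
    grace = group.power_off_after_s
    if moved_while_running or (grace is not None and unapproved_for >= grace):
        m.powered_on = False
        return SecurityEvent(m.name, "power_off", unapproved_for)
    return None


# Constructed sample data: two vCenter clusters, only one of them approved for the group.
US_CLUSTER = Location("vcenter", "cluster", "dc-us-east/cluster-a")
EU_CLUSTER = Location("vcenter", "cluster", "dc-eu-west/cluster-b")
CATALOG: Catalog = {"US Datacenter": ApprovedLocation("US Datacenter", [US_CLUSTER])}
PCI_GROUP = MachineGroup("pci", ["US Datacenter"])

if __name__ == "__main__":
    vm = Machine("db01", "pci", [US_CLUSTER])
    print(register(vm, PCI_GROUP, CATALOG), start(vm, PCI_GROUP, CATALOG, now=0.0))
    vm.placement = [EU_CLUSTER]            # migrated to an unapproved cluster
    print(monitor(vm, PCI_GROUP, CATALOG, now=600.0))
```

The recorded duration is measured from the last time the machine was observed in an approved location (or from start-up, if it was never approved), which is why the check interval bounds how long data can sit in an unapproved location before the event fires; a group with an empty approved list is never checked, so an accidentally empty list silently disables the control.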