Reversibility policy for the product Managed Dedicated Cloud - SecNumCloud
Objective
This document is the reversibility policy of the Product Managed Dedicated Cloud - SecNumCloud covering the OVHcloud offer VMware on OVHcloud under SecNumCloud qualification.
This policy aims to implement the general reversibility principles and our compliance with the SWIPO IAAS Code of Conduct for cloud providers.
Features list
Features of the product line fall into three categories:
- Core features for which we guarantee migration capacity.
- OVHcloud implementations that require adaptation to a new migration environment.
- Specific features that cannot be guaranteed for migration as they are related to the OVHcloud environment or involve custom developments.
1. Core features
| Function | Description | Available formats | Migration model | Available documentation |
|---|---|---|---|---|
| Virtualisation | VM management via vSphere, vCenter, vMotion, and support for VMware standard formats | OVA, OVF | Inbound: - Subscription to a Private Cloud SecNumCloud project. - Order the appropriate number of hosts and datastores on the project to get a capacity comparable to that of the original infrastructure. - Migration of VMs, disks, snapshots using a specialized tool (Veeam, API, ...) or manually. - Use of the SecNumCloud zone's VPN Gateway or a custom VPN solution (e.g. NSX or a third-party virtual machine solution) to ensure data encryption when migrating from an external network. - Then enable encryption of VMs and vSAN cluster datastores using the vNKP software component or your own KMS (compatible with the KMIP protocol). - Use of the SPN (Secure Private Network) to connect SecNumCloud services inside a hosting site. - Use of the inter-DC SPN solution to connect your qualified infrastructure hosted in other hosting sites covered by the SecNumCloud qualification at OVHcloud. Outbound: - Planning the target environment capabilities compared to the original environment. Export VMs, disks manually or with specialized tools and reuse any VMware or compatible environment following standard formats. - Encrypted data migration scenario with vNKP: Set up an encrypted link between the OVHcloud hosting site and destination site. Export the vNKP key of the OVHcloud hosting environment. Import the vNKP key into the remote site’s vSphere environment. Cold-migration of data via a manual copy between the two sites, or hot-migration of data (via a failover mechanism) using a compatible third-party tool supported by the two providers. - Customer-specific KMS encrypted data scenario: Set up an encrypted link between the OVHcloud hosting site and destination site. Configure your KMS on the remote site’s vSphere environment. Cold-migration of data via a manual copy between the two sites, or hot-migration of data (via a failover mechanism) using a compatible third-party tool supported by the two providers. | The vSphere SecNumCloud documentation applies as soon as the service is delivered, to secure the connection and provide end-to-end data encryption. After that, the standard vSphere documentation applies: Deploy an OVF Linux, Windows Server and Windows SQL Server; Deploy a virtual machine with vSphere; Create a cluster and activate EVC; Virtual machine encryption interoperability; Back up a vSphere Native Key Provider; vNKP - Enabling virtual machine encryption |
| Virtual network management | Network configuration via NSX, VLAN management, routing, firewall, network security via API or UI | YAML, JSON, scripts | Inbound: definition of networks, VLAN, firewall rules. Outbound: export of network configurations through the available VMware APIs. | Getting started with NSX |
| Dedicated storage (vSAN and/or NFS) | Use of dedicated vSAN and/or NFS datastores, snapshot and clone management. | NA | Inbound: add datastores, restore VMs and snapshots Outbound: export VMs and snapshots to compatible target storage. | Using VMware Hyperconvergence with vSAN |
2. OVHcloud Implementations
| Function | Description | Available formats | Migration model | Available documentation |
|---|---|---|---|---|
| VPN Gateway | An IPsec VPN gateway that connects external networks to the SecNumCloud infrastructure through an encrypted tunnel | N/A | Inbound: subscription and use of the VPN Gateway service included in the qualified scope. Outbound: use of the vRack service included with other OVHcloud services, or take note of the network architecture, replicate it with VLANs and another encrypted tunnel. | Introduction to SecNumCloud Connectivity VPN-SPN concept overview |
| SPN | A private network that connects the resources and services available in the SecNumCloud infrastructure to one or more sites in the SecNumCloud zone. It can also be used to connect other OVHcloud services, or services hosted with a third party via the VPN Gateway. | N/A | Inbound: subscription to and use of the SPN service included in the qualified scope. Outbound: take note of the network architecture and replicate it with the concepts of subnets and routing. | SPN introduction and concepts SPN connector |
| SPN Inter-DC | An encrypted link between two sites hosting the SecNumCloud infrastructure, enabling SPNs to be connected. | N/A | Inbound: subscription to and use of the Inter-DC SPN service included in the qualified scope. Outbound: configuration of IP routing between two sites hosting the SecNumCloud infrastructure outside of OVHcloud. | SPN InterDC option |
| Monitoring and supervision | VMware standard monitoring solution via vROps | Many formats supported by the platform (e.g. JSON, Syslog, etc.) | Inbound: vROps is included by default with every VMware Private Cloud. Adaptation of Cloud dashboards and monitoring agents. Outbound: installation and configuration of vROps in a vSphere environment. Export metrics/logs and reconfigure the new environment. | First connection on vROps |
| Managed Veeam backup | Backup as a service solution for VMs | VBK, VIB, VBM | Inbound: enable a Veeam backup option in the OVHcloud Control Panel. The import of external backups isn't possible. Outbound: customers can export their primary data (excluding backed-up data) and configure a backup solution of their choice at the destination site. | Enable and use Veeam Managed Backup; Move2Cloud - Migrating VMware Workloads to OVHcloud SecNumCloud with Veeam Replication |
| Zerto | Business continuity and disaster recovery platform. | N/A | Inbound: activation of the option in the OVHcloud Control Panel or directly in the provided Zerto Replication Interface. Outbound: export Zerto VPG settings and import those settings in the new environment. | Setting up Zerto Virtual Replication for your DRP; Migrate VMware workloads to OVHcloud SecNumCloud Hosted Private Cloud with Zerto; Exporting Zerto VPG settings |
3. Specific features
| Function | Description | Available formats | Migration model | Available documentation |
|---|---|---|---|---|
| Anti-DDoS | Anti-DDoS is a set of equipment and means put in place to absorb denial-of-service attacks. It includes traffic analysis, “vacuuming” to a specialized network, and mitigation, powered by VAC technology developed by OVHcloud. | N/A | Inbound: The anti-DDoS system is a component of our infrastructure, enabled by default. No action is required. It is only enabled on public IPs and does not cover links to the OVHcloud Connect service. Outbound: Order and configure an anti-DDoS protection with the new hosting provider. | OVHcloud anti-DDoS Protection |
| OVHcloud Connect | A connectivity service, via points of presence (POPs), that connects a company network hosted outside (Tier site) to an infrastructure service provided by OVHcloud, through a private network and without passing through internet access. | N/A | Inbound: Once the service has been delivered, and after you have received the service key, configure it via the interface available in the OVHcloud Control Panel. Outbound: Use the network connection ports provided and OVHcloud POP or POP Provider to reproduce a new network architecture | OVHcloud Connect direct commissioning OVHcloud Connect Provider implementation |
| Advanced security for SDDC | Set of features enhancing security, such as the implementation of Zero Trust Security, MFA, IDS for vSphere access... | N/A | Inbound: These features are available by default on SecNumCloud-qualified infrastructure. Outbound: Order and configure the appropriate security features with the new provider. | SDDC Advanced Security Pack |
List of architectures
The product is based on a dedicated SecNumCloud-qualified VMware Software-Defined Data Center (SDDC) architecture, including vSphere, vCenter, NSX (SDN), vSAN (distributed storage), vROps (monitoring), and advanced security options (encryption, MFA, zero trust). Resources (compute, storage, network) are physically and logically isolated, with fine-grained rights management (IAM), multi-site support (SPN Inter-DC), and integration of private network services (SPN, VPN Gateway). The architecture is deployed in data centres based in France.
Partner Services
The OVHcloud partners concerned are listed in the OVHcloud partners directory under the "Data center expansion and Migration" keywords.
OVHcloud also has a dedicated service: OVHcloud Professional Services.
Cost and fees
No specific cancellation fees apply: deleting the service will stop the billing immediately. Migration features (VM export, disks, configuration) are included at no extra cost. The costs are related to the resource usage and options subscribed to (hosts, storage, VPN Gateway, etc.) during the commitment period.
Data retention after contract termination
After termination or deletion of the service, OVHcloud permanently deletes all data, VMs, snapshots and configurations by securely deleting the storage media. This deletion will be subject to 21 calendar days’ notice. It is imperative to export all necessary data before permanent deletion, as no post-removal recovery will be possible.