
10-07-2003, 03:46 PM
|
|
Newbie
|
|
Join Date: Sep 2003
Posts: 23
|
|
I'm looking at getting a Windows 2000 colo in order to run a remote backup service but am not a techie and don't really know what I should be looking for in a colo host.
What information do I need to get from them and what questions should I be asking before selecting a host?
Thanks in anticipation,
RB
|

10-07-2003, 03:53 PM
|
|
Web Hosting Master
|
|
Join Date: May 2003
Location: Port Arthur, Texas
Posts: 1,650
|
|
You need to ask the DC about:
a) Bandwidth carriers
b) Price [duh]
c) Cross-connect options [if not BGP]
d) SLA
e) UPS
f) Backup power
g) Any other contingency planning
h) Remote hands options
i) Facility security [entry systems, visitation requirements]
j) Visitation options [30 minutes notice, 24/7, 24/7/365, etc]
k) Network connection [100 Base-T, Gigabit, etc]
l) Connection type [switch port, most-likely]
m) Firewall options [unless you plan to do it yourself]
n) How they handle bandwidth if you get DDoS'd, root'd, etc.
o) Number of IP addresses
p) How they handle providing additional IP addresses
You need to come prepared with:
a) Size of the machine
b) Expected bandwidth requirements
c) Bandwidth type [burstable, incremental (capped), or transfer]
d) Power requirements
EDIT: Added more.
__________________
Become an ISP; a great value-added service for any web host.
http://www.vispprovider.com
|

10-07-2003, 03:58 PM
|
|
Newbie
|
|
Join Date: Sep 2003
Posts: 23
|
|
Wow, 7 minutes for a detailed response. Pretty impressive!
That's very helpful Justin but could I ask what sort of answers I should be expecting to these questions? Also, what's the difference between the different types of bandwidth?
Thanks,
RB
|

10-07-2003, 06:53 PM
|
|
Web Hosting Master
|
|
Join Date: May 2003
Location: Port Arthur, Texas
Posts: 1,650
|
|
Depending on the DC, they will offer;
Burstable: You can burst the pipe up-to XXX Mbps, and they will bill you on the 95th percentage.
Incremental/Capped: You purchase XXX Mbps of dedicated bandwidth.
Transfer: You are billed $X.XX per GB transferred, usually during a calendar month.
ANSWERS:
There are not really any "correct" answers, so I will give you my opinion here ... do not take these responses as fact or as required for a colo/DC operation.
a) Bandwidth carriers
Too many to list ... look out for Cogent though; very unreliable.
b) Price [duh]
c) Cross-connect options [if not BGP]
Typically, a BGP connection is better as it is a multi-home of various carriers, where the AS is done in-house. This way, one carrier can go down, and you are still online.
d) SLA
99.9% or better is generally acceptable.
e) UPS
Depends greatly on the colo. Some DC's provide facility-wide UPS, some will provide it to you for a price, some will require you to bring your own. This depends on your preference. Personally, I would rather run on facility UPS. Then you don't have to worry about battery replacements, etc.
f) Backup power
Diesel generator, or propane generator, etc. They're all the same in my book. Some people will argue over propane being better, etc ... if the damn thing keeps the lights on when it goes out; it's doing its job.
g) Any other contingency planning
Fire suppression [CO2?], etc. Think about it this way ... if you were running multiple servers in your basement, what would you watch out for? Flood? Fire? Theft? [see security].
h) Remote hands options
If your machine is non-bootable, how is the DC going to handle your predicament? Free? Free for X hours? $XX.XX per hour? Drive by yourself and fix it? (just kidding on the last one)
i) Facility security [entry systems, visitation requirements]
You can never go wrong with a secure facility. Every building is different and the security analysis varies too far to really give you a good list of what to look for ... bars on external windows, magnetic locks, biometric hand scanners, keycard access, rectal ... errr ... I mean optical scanners, and so on.
j) Visitation options [30 minutes notice, 24/7, 24/7/365, etc]
24/7/365 access is usually the best, if the DC is local to you. If not, this doesn't apply to you. Locality of the DC only applies if you need to frequently visit the machine on-site. If not, distance doesn't matter, and any good DC staff will be able to help you from afar [see remote hands].
k) Network connection [100 Base-T, Gigabit, etc]
100 Base-T or better network infrastructure. 10 Base-T isn't bad, but most DC's will have 100+.
l) Connection type [switch port, most-likely]
Switch port, unless you intend on buying space for your own networking equipment. Doesn't really apply to your situation, unless you want a hop with your name on it.
m) Firewall options [unless you plan to do it yourself]
Depends on you. Personally, I would firewall myself ... I'm a Unix guy, so I don't know what your options are on Windows. We run ipfw, iptables, and Fireboxes in our DC [note: none are Windows-based.  ]
n) How they handle bandwidth if you get DDoS'd, root'd, etc.
This really applies to 95th percentile billing. If your machine gets DDoS'd, or turned into a Zombie, are you going to get billed for it?
For DDoS, you should expect to hear no.
For Zombie, it depends. If you didn't properly secure your machine, this is not the DC's problem, and you will be billed ... depends on your colo though.
o) Number of IP addresses
However many you need, so long as they are justified [see next answer].
p) How they handle providing additional IP addresses
If you can justify them, you should be able to get as many as you need. Be wary of providers that want you to pay for IP's ... I don't think there are that many left out there, although.
Now, when I say this; I don't mean for IP assignment. If you need the DC staff to add the IP to your server configuration, then you may or may not get billed for it.
.... And I'm done typing. 
|
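The burstable and transfer billing models described in the post above, worked through as an added example (not part of the original post). It assumes 5-minute samples of the billed direction, a 30-day month and a nearest-rank percentile, none of which the thread states; the prices and traffic figures are constructed.

```python
# Added illustration: burstable (95th percentile) vs. per-GB transfer billing.
# Assumptions (not from the thread): 5-minute samples, 30-day month,
# nearest-rank percentile, and constructed prices and traffic figures.

SAMPLE_SECONDS = 300


def percentile_95(samples_mbps):
    """Billable rate: sort the samples, ignore the top 5%, bill the highest remaining."""
    if not samples_mbps:
        raise ValueError("no samples")
    ordered = sorted(samples_mbps)
    rank = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n) in integer arithmetic
    return ordered[rank - 1]


def transferred_gb(samples_mbps):
    """Data moved in decimal GB, treating each sample as the mean rate over its interval."""
    megabits = sum(samples_mbps) * SAMPLE_SECONDS
    return megabits / 8 / 1000


def month_of_samples(baseline_mbps, flood_mbps=0, flood_minutes=0, days=30):
    """Constructed month: a flat baseline plus one contiguous flood."""
    total = days * 24 * 3600 // SAMPLE_SECONDS
    flood_n = min(total, flood_minutes * 60 // SAMPLE_SECONDS)
    return [flood_mbps] * flood_n + [baseline_mbps] * (total - flood_n)


def bill(samples, usd_per_mbps, usd_per_gb):
    """Return what the same month costs under each billing model."""
    p95 = percentile_95(samples)
    gb = transferred_gb(samples)
    return {
        "p95_mbps": p95,
        "burstable_usd": round(p95 * usd_per_mbps, 2),
        "transfer_gb": round(gb, 1),
        "transfer_usd": round(gb * usd_per_gb, 2),
    }


if __name__ == "__main__":
    # Constructed scenarios: a 2 Mbps backup server hit by a 90 Mbps flood.
    scenarios = [
        ("quiet month", 0),
        ("24 h flood", 24 * 60),
        ("36 h flood", 36 * 60),
        ("36 h 5 min flood", 36 * 60 + 5),
        ("48 h flood", 48 * 60),
    ]
    for label, minutes in scenarios:
        samples = month_of_samples(2, flood_mbps=90, flood_minutes=minutes)
        print(f"{label:>18}: {bill(samples, usd_per_mbps=50, usd_per_gb=1)}")
```

Under these assumptions a flood has to outlast 5% of the month's samples (36 hours) before it moves the 95th percentile, while per-GB transfer billing charges for every sample of it.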

10-08-2003, 04:06 AM
|
|
Newbie
|
|
Join Date: Sep 2003
Posts: 23
|
|
Thanks Justin, that's brilliant. Ever considered publishing it as a Colo 101?
I'm certainly in a better position now to start approaching hosts. I should have mentioned that I'm actually looking in New Zealand, not in the US, so there aren't quite as many to choose from. Have looked at a few and can't get over the difference in costs, from approx US$50 a month including 5GB traffic to almost $500 a month!
RB
|

10-08-2003, 06:01 AM
|
|
Web Hosting Master
|
|
Join Date: Sep 2002
Posts: 3,892
|
|
let me contribute my perspective on this (aka voice of reason =).
Quote:
Originally posted by webworkz
ANSWERS:
There are not really any "correct" answers, so I will give you my opinion here ... do not take these responses as fact or as required for a colo/DC operation.
a) Bandwidth carriers
Too many to list ... look out for Cogent though; very unreliable.
|
cogent, unlike a lot of other carriers, has a next generation network with a whole bunch of sexy kit running it (cisco has a large stake in cogent). their problem is not reliability per se, but rather horrible peering and roundabout routing (so they can get your traffic to a peering point that will take it). there are a lot of providers that are equally bad, even though they charge more.
please note that this applies to carrier dcs or providers that offer bandwidth+colo space packages in carrier neutral facilities.
Quote:
c) Cross-connect options [if not BGP]
Typically, a BGP connection is better as it is a multi-home of various carriers, where the AS is done in-house. This way, one carrier can go down, and you are still online.
|
if you are a small client, you want your bgp to be managed for you. thus going with a tier 2 provider that does that well is a good choice generally. see internap, mzima etc.
Quote:
d) SLA
99.9% or better is generally acceptable.
|
SLAs are pointless - you lose much more money than they would ever compensate you with in case of downtime. what you care about is redundancy (redundant routers, diverse fiber paths yadda yadda ) and a *proven track record* of uptime.
Quote:
e) UPS
Depends greatly on the colo. Some DC's provide facility-wide UPS, some will provide it to you for a price, some will require you to bring your own. This depends on your preference. Personally, I would rather run on facility UPS. Then you don't have to worry about battery replacements, etc.
|
a facility that does not offer UPS for space smaller than a private cage is not worthy of your attention, imho.
Quote:
f) Backup power
Diesel generator, or propane generator, etc. They're all the same in my book. Some people will argue over propane being better, etc ... if the damn thing keeps the lights on when it goes out; it's doing its job.
|
make sure that they actually control the generators. if they do not, make sure that those that do care about power uptime. see ezzi for an example of this.
Quote:
j) Visitation options [30 minutes notice, 24/7, 24/7/365, etc]
24/7/365 access is usually the best, if the DC is local to you. If not, this doesn't apply to you. Locality of the DC only applies if you need to frequently visit the machine on-site. If not, distance doesn't matter, and any good DC staff will be able to help you from afar [see remote hands].
|
imho, unless you have a very very responsive provider, you want the facility to be local.
Quote:
k) Network connection [100 Base-T, Gigabit, etc]
100 Base-T or better network infrastructure. 10 Base-T isn't bad, but most DC's will have 100+.
|
again, applies to carrier dcs only. if they cant give you an FE handoff, dont touch them.
Quote:
l) Connection type [switch port, most-likely]
Switch port, unless you intend on buying space for your own networking equipment. Doesn't really apply to your situation, unless you want a hop with your name on it.
|
doesnt matter. you are going to get a port on a device they use for customer aggregation anyway, unless you get fiber to your m20 of course =]
Quote:
m) Firewall options [unless you plan to do it yourself]
Depends on you. Personally, I would firewall myself ... I'm a Unix guy, so I don't know what your options are on Windows. We run ipfw, iptables, and Fireboxes in our DC [note: none are Windows-based. ]
|
dcs usually wont provide custom config'ed firewalls. smaller providers may. i would only care that they are able to filter ddos/malicious traffic upstream for you.
Quote:
n) How they handle bandwidth if you get DDoS'd, root'd, etc.
This really applies to 95th percentile billing. If your machine gets DDoS'd, or turned into a Zombie, are you going to get billed for it?
For DDoS, you should expect to hear no.
For Zombie, it depends. If you didn't properly secure your machine, this is not the DC's problem, and you will be billed ... depends on your colo though.
|
strongly disagree. if you get ddosed, its your fault. the provider doesnt have to pay for it, unless they can handle sinking the traffic. compromised machine - completely your fault. your machine generating or attracting traffic - pay for it. (disclaimer: we do colo, so i am biased =). any breaks they give you on that are at their discretion and not to be expected or demanded of them.
Quote:
p) How they handle providing additional IP addresses
If you can justify them, you should be able to get as many as you need. Be wary of providers that want you to pay for IP's ... I don't think there are that many left out there, although.
|
ip management takes up resources. you have to pay ARIN for allocations. there is a good reason companies charge for this. if you dont pay for this upfront, you will pay for it in hidden costs. with that said, if you need a boatload of ips, go with a place that doesnt charge (duh)
paul
|

10-08-2003, 06:16 AM
|
|
Newbie
|
|
Join Date: Sep 2003
Posts: 23
|
|
Thanks Paul. Interesting to get a colo host's perspective.
I follow most of what you say but what is an FE handoff? What can I do to prevent / minimise the effect of being ddosed?
RB
|

10-08-2003, 10:52 AM
|
|
Junior Guru
|
|
Join Date: Oct 2002
Posts: 231
|
|
A FE handoff, shortform for Fast Ethernet 100 Base-T handoff.
|

10-08-2003, 02:17 PM
|
|
Web Hosting Master
|
|
Join Date: Sep 2002
Posts: 3,892
|
|
Quote:
Originally posted by remotebackup
Thanks Paul. Interesting to get a colo host's perspective.
I follow most of what you say but what is an FE handoff? What can I do to prevent / minimise the effect of being ddosed?
RB
|
you cant prevent it, there will always be nasty people with too much time on their hands out there. a good way to minimize your exposure is not to run high risk services such as irc, shell hosting and hosting of highly controversial materials. beyond that, it is usually a bad idea to get into squabbles on irc, dare a script kiddie to 'hax0r' you or pronounce 'i 0wn teh net' in a script kiddie forum. in short: dont tick stupid people off, dont do business with high risk demographics and dont host the kkk.
paul
|

10-08-2003, 04:33 PM
|
|
Web Hosting Master
|
|
Join Date: May 2003
Location: Port Arthur, Texas
Posts: 1,650
|
|
Now for the good ol' agree vs. disagree game.
Just a note to anyone reading this, DC = Data Center.
Quote:
|
Originally posted by rusko
|
Quote:
cogent, unlike a lot of other carriers, has a next generation network with a whole bunch of sexy kit running it (cisco has a large stake in cogent). their problem is not reliability per se, but rather horrible peering and roundabout routing (so they can get your traffic to a peering point that will take it). there are a lot of providers that are equally bad, even though they charge more.
please note that this applies to carrier dcs or providers that offer bandwidth+colo space packages in carrier neutral facilities.
|
Disagree. I've seen Cogent lines that go down several hours per week. They have a reliability issue as well as their horrible routing and peering.
Quote:
|
if you are a small client, you want your bgp to be managed for you. thus going with a tier 2 provider that does that well is a good choice generally. see internap, mzima etc.
|
Agreed.
Quote:
|
SLAs are pointless - you lose much more money than they would ever compensate you with in case of downtime. what you care about is redundancy (redundant routers, diverse fiber paths yadda yadda ) and a *proven track record* of uptime.
|
Disagree. SLA's are only useful to get a written record of service level agreement on the books. If the DC fails to meet the SLA, or its required ramifications, you have an easy way to get out of your contract if you feel the need to do so.
In other words; SLA's guarantee the customer the ability to haul-ass if the DC does not meet their expectations. Other than that, yes; it's useless.
Quote:
|
a facility that does not offer UPS for space smaller than a private cage is not worthy of your attention, imho.
|
Agreed. Facility-wide UPS is required. I was stating all possibilities to him. Then, he can decide what his requirements are.
Quote:
|
make sure that they actually control the generators. if they do not, make sure that those that do care about power uptime. see ezzi for an example of this.
|
Haha... agreed. "Well, the reason your server is still down is because our guys aren't back from the rental place. For what? Oh, they went there to pickup the generators."
Quote:
|
imho, unless you have a very very responsive provider, you want the facility to be local.
|
Agreed, but most [reputable] colo providers are extremely responsive. ALWAYS make sure you are buying from the DC. I don't have anything against resellers [yes, I do].
Think of it this way.
Your server has a problem ---> You call reseller and explain problem ---> Reseller calls DC and asks them to check ---> DC calls back reseller ---> Reseller calls you back
Or...
Your server has a problem ---> You call DC ---> DC checks problem and lets you know what's going on.
Which one looks better? Sorry resellers, but unless you can be on-site, you're useless during any sort of non-bootable scenario.
Quote:
|
again, applies to carrier dcs only. if they cant give you an FE handoff, dont touch them.
|
Agreed. There's nothing to disagree with here.
Quote:
|
doesnt matter. you are going to get a port on a device they use for customer aggregation anyway, unless you get fiber to your m20 of course =]
|
Don't really disagree/agree with this one. Some colo's like to have their own router to give their name on a hop, etc... this question is mostly for cosmetic reasons.
Quote:
|
dcs usually wont provide custom config'ed firewalls. smaller providers may. i would only care that they are able to filter ddos/malicious traffic upstream for you.
|
Agree, but it doesn't hurt to ask; especially if you don't know how to run your own firewall. [By the way; iptables all the way.  ]
Quote:
|
strongly disagree. if you get ddosed, its your fault. the provider doesnt have to pay for it, unless they can handle sinking the traffic. compromised machine - completely your fault. your machine generating or attracting traffic - pay for it. (disclaimer: we do colo, so i am biased =). any breaks they give you on that are at their discretion and not to be expected or demanded of them.
|
I call your strongly disagree, and I will strongly disagree right back, kind of. DDoS does depend on the service, but keep in mind that there are many cases where the customer has done nothing wrong.
We've had dedicated server customers get DDoS'd because they ran .il web sites. I'm not billing a customer just because someone in Pakistan doesn't like the fact that he is hosting domains with the Israeli extension.
Now, if you're running IRC, shell, etc. ... that is a very different story. The original poster is only using the machine as a backup server. If it gets DDoS'd [unless he talked trash in #wannabe-hackers], it's probably not his fault.
Quote:
|
ip management takes up resources. you have to pay ARIN for allocations. there is a good reason companies charge for this. if you dont pay for this upfront, you will pay for it in hidden costs. with that said, if you need a boatload of ips, go with a place that doesnt charge (duh)
|
I agree and disagree with this. It's the provider's choice of billing, so I really can't dispute it either way.
|

10-08-2003, 04:38 PM
|
|
Web Hosting Master
|
|
Join Date: May 2003
Location: Port Arthur, Texas
Posts: 1,650
|
|
Quote:
Originally posted by remotebackup
Thanks Justin, that's brilliant. Ever considered publishing it as a Colo 101?
|
Nah. It has horrible formatting, several incorrect spellings, and some of the most horrible grammar I have ever seen. 
|

10-08-2003, 05:03 PM
|
|
Newbie
|
|
Join Date: Sep 2003
Posts: 23
|
|
Thanks guys, this is really useful. There's still a few things I don't fully understand, like BGP, FE handoffs and firewalls. If the host can't provide a firewall I wouldn't have a clue how to configure one. I take it that software firewalls aren't an option? Hadn't thought of buying the hardware from the DC. Does it make a difference that I wouldn't be dealing with the DC directly but through a smaller provider that has rackspace in the DC? (Is this a Tier 2 provider?)
Despite not fully understanding all the ins and outs, I've put together a list of questions to send to potential providers. Does this list make sense or is it obvious that I'm a novice and don't know what I'm talking about? Please feel free to amend and add anything I've left off. I'm not too bothered about IP addresses as I only need one.
Thanks,
RB
1. What is your network connection? e.g., 10 Base-T, 100 Base-T. Do you provide a FE handoff?
2. Any limitations on traffic - National/International/Outbound/Inbound? [This probably only applies to New Zealand]
3. What bandwidth do you provide? Is it burstable, incremental (capped), or transfer?
4. What bandwidth carriers and cross connections do you use and what redundancy is provided?
5. Do you have an SLA? What is your SLA uptime and actual uptime?
6. What redundancy do you offer, e.g., redundant routers, diverse fibre paths, etc?
7. Does the data centre provide facility wide UPS? If not, what UPS protection do you provide?
8. Does the data centre have backup power generators?
9. What other protection does the data centre have, e.g., fire, flood, earthquake, etc.
10. What security does the data centre provide?
11. Do you provide remote switched power supply? If not do you charge for reboots and how long does it take?
12. Do you provide hardware firewalls? Do you filter ddos/malicious traffic upstream? If not, do I get charged for excess traffic?
13. What access do I have to the server? If supervised, do you charge?
14. Do you provide server brackets and network cable?
15. What is the server setup cost?
16. Can you provide onsite/offsite backup or daily/weekly tape rotation? What are the costs?
17. Do you provide server monitoring?
18. Do you provide server stats?
19. Does the data centre have a web site?
20. Can you provide the server hardware?
|

10-08-2003, 06:18 PM
|
|
Web Hosting Master
|
|
Join Date: May 2003
Location: Port Arthur, Texas
Posts: 1,650
|
|
That list looks good, with the following exceptions:
Don't ask about FE handoffs though. This refers to the actual network connection. Just make sure it is 100 Base-T.
As for providing the server hardware; unless they also sell hardware, they may think you simply want a dedicated. If they sell [note: not rent] hardware, this is fine. Otherwise, buy your hardware elsewhere, from a reputable supplier.
As for BGP, it's a lot to explain, so I would suggest a google search. A good link, although extremely "high-brow" as far as terminology;
http://www.cisco.com/univercd/cc/td/...to_doc/bgp.htm
Here's a good article, actually called "Introduction to Border Gateway Protocol"...
http://www.academ.com/nanog/feb1997/BGPTutorial/
As for firewall, a software-based one will work fine for you. Your best bet would be to pay someone to configure it on your machine, if you are unfamiliar with how to run a firewall. Again, I know jack-sh** about Windows, so I can't be of assistance here. Perhaps a post in the "Technical and Security Forum" regarding the best Windows software-based firewalls is in order? 
|

10-08-2003, 06:37 PM
|
|
Newbie
|
|
Join Date: Sep 2003
Posts: 23
|
|
Thanks Justin, have removed the reference to FE handoff.
Thought you suggested earlier buying the hardware from the DC to cut out the reseller in the event of hardware problems? I guess if they don't do hardware sales then I would have no option but to buy elsewhere.
I'm happy enough to set up a software firewall like ZoneAlarm as I've been using this quite happily for a couple of years. I just didn't think it would offer enough protection against a ddos or malicious attack.
Thanks again,
RB
|

10-08-2003, 07:12 PM
|
|
Web Hosting Master
|
|
Join Date: May 2003
Location: Port Arthur, Texas
Posts: 1,650
|
|
Quote:
Originally posted by remotebackup
Thanks Justin, have removed the reference to FE handoff.
Thought you suggested earlier buying the hardware from the DC to cut out the reseller in the event of hardware problems? I guess if they don't do hardware sales then I would have no option but to buy elsewhere.
I'm happy enough to set up a software firewall like ZoneAlarm as I've been using this quite happily for a couple of years. I just didn't think it would offer enough protection against a ddos or malicious attack.
Thanks again,
RB
|
I suggested you buy your colo space directly from the data center, rather than from a reseller.
As for ZoneAlarm; the firewall is only going to handle port blocking [filtering]. It can't help you in the event of a DDoS, as that data has already made it all the way to your machine. 
|