Enterprise Cloud Infrastructure.
Managed for You.

Compute Spec Tiers

All nodes include IPMI/iDRAC out-of-band management. Redundant power supplies (2x 800W+). ECC RAM standard on all tiers.

Network Specifications

Standard: 2x 10GbE bonded (LACP) per node. Optional: 2x 25GbE bonded. Management NIC: 1x 1GbE dedicated to IPMI/iDRAC. Top-of-rack switches: 10/25GbE with VLAN trunking (802.1Q). Uplink to spine: 40GbE or 100GbE.

All inter-node traffic is on a dedicated storage VLAN separate from VM traffic. Zero Trust gateway sits on its own management VLAN.

Workload Sizing Exercise

Matrix IT conducts a structured sizing call covering: total vCPU required (with typical 4:1 overcommit ratio), total RAM (no overcommit recommended), storage IOPS profile (OLTP vs bulk), and peak vs average workload patterns.

Output: a recommended node count and tier, a monthly cost proposal, and a 12-month capacity growth projection.

Hardware Lead Times

Total: typically 3–5 weeks from contract to go-live for hosted model.

Physical Isolation Details

Each customer account is mapped to dedicated physical compute nodes. CloudStack is configured to restrict VM placement to those specific hosts using host tags. Your VMs cannot be scheduled to another customer’s hardware under any circumstances — including live migration.

Multi-Customer Separation

Separate customers run on separate physical nodes. Network separation is enforced at the physical switch layer using separate VLAN ranges per customer. Storage pools are separate LUNs or separate NFS exports. There is no software-only separation boundary between customers.

Pricing Structure

Pricing is per physical node per month. Includes: all hardware costs, CloudStack license (open-source, no fee), Zero Trust gateway, NOC monitoring, hypervisor management, backup snapshots to secondary storage (not Wasabi), and support.

Add-ons priced separately: Wasabi S3 offsite archiving, additional public IP addresses, extended snapshot retention beyond 4 weeks.

Hosted vs BYOH Financial Comparison

Minimum BYOH Hardware Requirements

Supported Hardware Vendors

Dell: PowerEdge R630, R640, R650, R730, R740, R750 and newer. iDRAC 7+ required.

HP/HPE: ProLiant DL360, DL380, DL560 Gen9+. iLO 4+ required.

Lenovo: ThinkSystem SR530, SR630, SR650.

Supermicro: Any 1U/2U with IPMI 2.0, VT-x/AMD-V, and adequate RAM.

Custom builds: Whitebox servers accepted if they meet minimum specs and have IPMI 2.0 out-of-band management.

Hardware Audit Checklist

Before deploying CloudStack, Matrix IT conducts a remote hardware audit covering: BIOS version & settings (VT-x/AMD-V enabled, Secure Boot compatibility), IPMI/iDRAC firmware version, current OS/hypervisor state, RAID controller config, NIC driver compatibility, available disk capacity, and network switch VLAN capability.

Installation Timeline (BYOH)

• Remote hardware audit via IPMI (Day 1, ~2 hours)
• Firmware updates, BIOS config, RAID setup (Day 1–2)
• KVM/VMware/XCP-ng hypervisor install (Day 2–3)
• CloudStack management server deployment (Day 3)
• Zone/Pod/Cluster/VLAN configuration (Day 4)
• Zero Trust gateway + AppGate entitlements (Day 5)
• Customer walkthrough & go-live (Day 5–7)

KVM Installation on Bare Metal

Ubuntu 22.04 LTS server as the hypervisor OS. Packages installed: qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils. KVM kernel module loaded. libvirtd service enabled. CloudStack agent installed alongside.

Kernel version: Ubuntu 22.04 ships with 5.15 HWE kernel — full KVM support, IOMMU for GPU passthrough if required.

Integrating with Existing VMware

If you have existing VMware vSphere, CloudStack can be pointed at your vCenter. Existing VMs remain under vCenter control. CloudStack manages new VM deployments via the vSphere API. Mixed management is stable but requires careful Zone design to avoid conflicts.

Migration path: run CloudStack + vSphere in parallel, migrate VMs gradually to KVM, decommission vSphere licensing once done.

Exit Process

If you choose to leave Tier1cloud: 30-day notice period. Matrix IT exports all VM configurations and data. CloudStack management server is shut down and removed. Hypervisor can be wiped or left in place (your choice). Zero Trust gateway and AppGate entitlements are decommissioned. You retain full ownership and access to your hardware.

Hardware Refresh Under BYOH

When you purchase new servers to replace aging hardware, Matrix IT provisions them in parallel with the existing cluster. VMs are live-migrated to new hosts. Old hosts are decommissioned from CloudStack. The CloudStack platform continues running throughout — no downtime for guests.

BYOH Hardware in a Third-Party DC

You ship your hardware to the colo facility. Matrix IT coordinates with the colo for rack space, power, and cross-connect. We manage the hardware remotely via IPMI once it’s racked. Same BYOH onboarding process applies. You pay the colo directly for rack space — Matrix IT manages the software platform.

Matrix IT Hardware in Your Chosen Colo

Matrix IT procures and ships hardware to a colo of your choice. You pay Matrix IT a single monthly invoice covering hardware rental + management + colo costs. Best of both worlds: dedicated hardware in a premium DC without any capital expenditure or colo contract management.

Canadian Colo Partners

Cologix: Montreal (MTL1, MTL2), Toronto (TOR1, TOR2), Vancouver. Strong carrier ecosystem, 24/7 hands & feet.

eStruxture: Montreal, Calgary. Modern facilities, excellent power redundancy.

151 Front: Toronto. Premium carrier hotel, extensive cross-connect options.

Rogers Datacentres: Toronto, Brampton. Good for Rogers network customers.

Power Requirements

Standard 1U/2U server: 200–400W. Full 42U rack of servers: 5–15 kW typical. Matrix IT recommends specifying A+B power circuits (dual PDU) for redundancy. Most Canadian colo partners provide 2N or N+1 power at the rack level for an additional fee.

IPMI/iDRAC Remote Access

All colo hardware must have dedicated IPMI/iDRAC/iLO access on a separate management VLAN. This allows Matrix IT engineers to: power cycle servers, access console remotely, monitor hardware health (temperature, fans, PSU), and perform OS reinstalls without visiting the DC. Colo facilities provide IPMI KVM-over-IP switches as a service if hardware doesn’t have native IPMI.

Hands & Feet at the DC

Day-to-day operations require zero physical DC visits thanks to IPMI and Zero Trust management. Physical access is only needed for: hardware failures (failed drive, failed PSU), initial rack & cable, and decommissioning. Most Canadian colo partners offer 24/7 remote hands services for ~$150–$250/hour if same-day physical work is required.

Cross-Connects

A cross-connect is a direct fibre or copper connection within the colo facility between your cage and a carrier’s PoP. Used to connect to: your internet provider, MPLS network, BGP peers, or cloud on-ramps (AWS Direct Connect, Azure ExpressRoute). Matrix IT can procure and manage cross-connects as part of the colo management service.

Zero Trust in Colo Environments

Matrix IT engineers access all colo hardware via Zero Trust tunnels — no site-to-site VPN to the colo is needed. The Zero Trust gateway runs on a VM within the colo cluster. AppGate entitlements grant engineers access to specific servers for specific tasks. All access is logged and auditable.

Service Offerings (VM Sizes)

Resource Quota Management

The CTO account sets global quotas: max vCPUs, max RAM, max number of VMs, max public IPs, and max storage per account/team. Sub-accounts (teams) inherit limits but cannot exceed the parent account’s quota. Quota increase requests are submitted via the CloudStack portal and approved by the CTO account.

VLAN Isolation Deep Dive

Each CloudStack network (team network) is backed by a dedicated 802.1Q VLAN tag. VLANs are automatically provisioned by CloudStack on the virtual switch (Linux bridge or OVS). Traffic from VLAN 100 cannot reach VLAN 200 unless a firewall rule or VPC ACL explicitly permits it. Default: all inter-VLAN traffic is blocked.

Firewall Rules

CloudStack’s virtual router enforces stateful firewall rules. Default policy: all inbound traffic is denied. Outbound (egress) is permitted by default. Teams can add inbound rules for specific ports (e.g., TCP/22 for SSH) scoped to specific source CIDR blocks. Rules are applied at the virtual router level, not the VM level.

Snapshot Retention Policy

Volume Management Operations

Attach: A data volume can be attached to a running VM. The VM sees it as a new block device. No restart required.

Detach: Detach a volume from one VM and attach it to another. Useful for moving data between VMs.

Resize: Expand a volume without VM downtime. The guest OS sees the larger block device and can extend the filesystem.

CloudMonkey CLI Examples

# Install
pip install cloudmonkey

# Configure
cloudmonkey set url http://cs-mgmt:8080/client/api
cloudmonkey set apikey <your-api-key>
cloudmonkey set secretkey <your-secret-key>

# List service offerings
cloudmonkey list serviceofferings

# Deploy a VM
cloudmonkey deploy virtualmachine   --serviceofferingid <id>   --templateid <id>   --zoneid <id>   --networkids <id>   --displayname dev-server-01

# List VMs
cloudmonkey list virtualmachines   --listall false --state Running

Terraform Provider Example

terraform {
  required_providers {
    cloudstack = {
      source  = "cloudstack/cloudstack"
      version = "~> 0.4"
    }
  }
}

provider "cloudstack" {
  api_url    = "http://cs-mgmt:8080/client/api"
  api_key    = var.cs_api_key
  secret_key = var.cs_secret_key
}

resource "cloudstack_instance" "dev_server" {
  name             = "dev-server-01"
  service_offering = "Medium"
  template         = "Ubuntu-2204-LTS"
  zone             = "zone-01"
  network_id       = cloudstack_network.team_a.id
  expunge          = true
}

resource "cloudstack_network" "team_a" {
  name             = "team-alpha-net"
  cidr             = "10.10.100.0/24"
  network_offering = "DefaultIsolatedNetworkOfferingWithSourceNatService"
  zone             = "zone-01"
}

AppGate SDP vs Traditional VPN

Onboarding a New User (AppGate)

• Matrix IT creates user account in AppGate controller
• Entitlements assigned: user → specific VLANs / VM IP ranges
• User receives onboarding email with client download link
• User installs AppGate client (Windows/macOS/Linux)
• User authenticates: SSO or username+password + MFA
• User sees only entitled resources in client — done

MFA Options

TOTP: Time-based OTP (Google Authenticator, Authy, 1Password). Standard recommendation for most users.

Hardware key: FIDO2/WebAuthn (YubiKey, Google Titan). Phishing-resistant. Recommended for privileged access (CTO, Matrix IT engineers).

SAML/SSO: Integrate with Okta, Azure AD, Google Workspace, or any SAML 2.0 IdP. MFA enforced at the IdP level. Best for organisations with existing SSO infrastructure.

Session Policies

Idle timeout: Configurable per user group (default: 30 minutes idle disconnects session). Re-authentication required to reconnect.

Session duration limit: Configurable max session length (e.g., 8 hours). After expiry, user must re-authenticate.

Re-auth triggers: Sensitive resources (e.g., production databases) can require re-authentication even during an active session.

VLAN Isolation Architecture

Each team is assigned a dedicated VLAN ID (e.g., Team A = VLAN 100, Team B = VLAN 200). VMs within a team share a /24 subnet on their VLAN. Traffic between VLANs is blocked at the virtual router (default deny). AppGate micro-tunnels terminate at the team’s VLAN gateway, not the VM directly.

Guest VM Invisibility

Without an AppGate entitlement, a VM’s IP is not reachable from outside its VLAN. The VM does not respond to pings, port scans, or any network probes from outside its VLAN boundary. This is enforced at the virtual router and physical switch layers — not just by firewall rules. There is no way to discover a VM’s IP without valid entitlement.

Audit Log Fields

Compliance Reporting

AppGate logs are exported to the Matrix IT SIEM. Customers can request access reports via the Matrix IT portal. Report filters: by user, by VM/VLAN, by date range, by protocol. Formats: CSV, PDF. Retention: 90 days default, 12 months available for PIPEDA / SOC 2 compliance.

Supported Guest Operating Systems

Patching Schedule Details

Monthly window: Second Tuesday of each month (following Microsoft Patch Tuesday pattern). Maintenance window: 10 PM–2 AM local time. VMs are live-migrated during host patching — guest OS experiences no downtime.

Emergency CVE patches: Critical vulnerabilities (CVSS 9.0+) patched within 24 hours of public disclosure. Customer notification sent before and after.

Live Migration Details

CloudStack live migration uses KVM virsh migrate or VMware vMotion. The VM’s memory state is copied to the destination host while the VM runs. Switchover takes 1–3 seconds. Network connections (TCP) remain open through the migration. Users on Zero Trust sessions experience no interruption.

Anti-Affinity Groups

Create an anti-affinity group in CloudStack and add your primary + replica VMs to it. CloudStack ensures these VMs are always scheduled on different physical hosts. If a host fails, only one VM in the anti-affinity group is affected. Critical for: database primary/replica pairs, application server clusters, active/standby setups.

Metrics Collected by NOC

Escalation Path

• Automated alert triggered (threshold breach)
• Automated remediation attempted (restart service, live-migrate VM)
• NOC engineer receives alert if auto-remediation fails (5 minutes)
• NOC engineer investigates and resolves or escalates (P1: 15 min, P2: 1 hour)
• On-call senior engineer paged for P1 unresolved after 30 minutes
• Customer notified with status update and resolution ETA

Full Snapshot Retention Table

Restore Procedure

Submit restore request via Matrix IT portal or support@matrixit.net. Specify: VM name, restore point (time/date or snapshot ID), restore type (full VM or specific volume). Matrix IT engineer restores to a test VM first, customer confirms data integrity, then production restore is completed.

Typical turnaround: 15–30 minutes for recent snapshots, 60–90 minutes for older off-cluster snapshots from Wasabi.

Hardware Management by Matrix IT

Matrix IT manages the following hardware components across all three models (Hosted/BYOH/Colo): BIOS/firmware updates, RAID controller management, NIC firmware, IPMI/iDRAC configuration, temperature and fan monitoring, PSU health monitoring, and physical hardware replacement coordination (for hosted and colo models).

Patching Policy

CloudStack: Major version upgrades tested in staging, applied during quarterly maintenance window. Minor and patch releases applied monthly.

Hypervisor: Security patches monthly. Kernel updates quarterly. Live migration used to apply patches without guest downtime.

Security CVEs: CVSS 9.0+ critical vulnerabilities patched within 24 hours. Customer notified before and after.

Guest OS Patching (Customer Responsibility)

Matrix IT manages the hypervisor and CloudStack layers only. Guest OS patching (apt upgrade, yum update, Windows Update) is the customer’s responsibility. Matrix IT NOC monitors VM ping uptime but does not patch guest OS unless contracted separately as an add-on managed service.

Data Ownership & Portability

All data within customer VMs belongs to the customer. Matrix IT engineers have no access to VM contents by default. For support purposes, read access can be granted temporarily. On exit, customers can: export VM disk images (QCOW2/VMDK), use CloudStack’s built-in volume export, or transfer via SFTP to any destination. No data is retained by Matrix IT after contract termination.

Change Management Process

For infrastructure changes (new VLAN, firewall rule change, storage pool expansion): customer submits request via Matrix IT portal with business justification. Matrix IT reviews impact, provides implementation plan and timeline. Customer approves. Change executed in maintenance window (or immediately for P1/urgent requests). Post-change validation and customer sign-off.

Capacity Planning

Matrix IT provides monthly capacity reports showing: CPU utilisation trends, RAM utilisation trends, storage pool usage and growth rate, snapshot storage consumption, and projected time-to-full at current growth rate. When utilisation exceeds 70% of any resource, Matrix IT proactively recommends expansion options before performance is impacted.

On-Prem to Cloud Migration Checklist

• Inventory all on-prem VMs: CPU, RAM, storage, OS, application
• Identify workload dependencies and migration order
• Hardware model decision (Hosted / BYOH / Colo)
• Network design: VLAN map, firewall rules, public IP requirements
• CloudStack environment built and tested
• VMs migrated in waves (lowest criticality first)
• Zero Trust entitlements set up and tested in parallel with VPN
• VPN decommissioned, on-prem hardware powered off

Week 1: Discovery Detail

Day 1–2: Kickoff call with CTO and IT leads. Review current infrastructure (server list, network diagram, storage). Identify compliance requirements (PIPEDA, SOC 2, etc.).

Day 3–4: Workload profiling. Identify CPU/RAM peaks. Storage IOPS requirements. Network bandwidth. Identify any workloads incompatible with virtualisation.

Day 5: Hardware model recommendation. VLAN and network design proposal. Initial cost estimate. Go/no-go decision for Tier1cloud engagement.

Zone / Pod / Cluster Hierarchy

Zone: Represents a data centre or availability zone. All storage, networking, and compute in a Zone are independent. Multiple Zones can be federated.

Pod: A layer-2 network domain within a Zone (e.g., a row of racks). Pods have their own IP address space.

Cluster: A group of homogeneous hypervisor hosts within a Pod. Live migration is possible within a Cluster. A Cluster must run only one hypervisor type (KVM, VMware, or XCP-ng).

Host: Individual physical server running the hypervisor. The unit of compute in CloudStack.

Failure Isolation at Each Layer

KVM Hypervisor Details

Matrix IT installs Ubuntu 22.04 LTS as the base OS for KVM hosts. Kernel: 5.15 HWE with full KVM/QEMU support. libvirt: 8.x for VM lifecycle management. CloudStack KVM agent: installed alongside, communicates with management server.

Performance characteristics: near-native CPU performance (hardware virtualisation), NVMe storage passed through with minimal overhead, 10GbE network with virtio-net drivers. Recommended for most workloads.

VMware vSphere Integration

CloudStack integrates with VMware vSphere 6.7 and 7.x via vCenter API. CloudStack manages VM lifecycle through vCenter — no CloudStack agent installed on ESXi hosts. Existing VMs managed by vCenter continue running normally.

Recommended migration path: run KVM cluster in parallel, migrate VMs to KVM with cloudstack-migrate tooling, decommission VMware licensing once complete.

VPC Architecture in CloudStack

A CloudStack VPC provides an isolated virtual network with multiple tiers (subnets). Example 3-tier app: Web tier (10.10.1.0/24), App tier (10.10.2.0/24), DB tier (10.10.3.0/24). ACL rules control traffic between tiers (e.g., web can reach app, app can reach DB, DB cannot reach web).

VPC also supports site-to-site IPSec VPN back to on-premise. Useful during migration phase.

CloudStack Virtual Router

The Virtual Router is a small Linux-based VM automatically deployed by CloudStack for each network/VPC. It provides: DHCP server, DNS resolver, NAT (SNAT), port-forwarding, stateful firewall, and load balancer (HAProxy). No customer configuration required — CloudStack manages it entirely.

Deploy VM via REST API

GET /client/api
  ?command=deployVirtualMachine
  &serviceofferingid=<svc-id>
  &templateid=<tmpl-id>
  &zoneid=<zone-id>
  &networkids=<net-id>
  &displayname=dev-server-01
  &apiKey=<key>
  &signature=<hmac-sha1>

Response:
{
  "deployvirtualmachineresponse": {
    "id": "12345",
    "jobid": "abcdef"
  }
}

Terraform CloudStack Example

resource "cloudstack_network" "team_a" {
  name             = "team-alpha"
  cidr             = "10.10.100.0/24"
  network_offering = "DefaultIsolatedNetworkOfferingWithSourceNatService"
  zone             = data.cloudstack_zone.primary.name
}

resource "cloudstack_instance" "web_server" {
  count            = 3
  name             = "web-${count.index + 1}"
  service_offering = "Medium"
  template         = "Ubuntu-2204"
  zone             = data.cloudstack_zone.primary.name
  network_id       = cloudstack_network.team_a.id
  expunge          = true
}

VM Launch Wizard Steps

• Click “Add Instance” in CloudStack dashboard
• Select Zone (data centre region)
• Select Template (Ubuntu 22.04, RHEL 9, Windows, etc.)
• Select Service Offering (Small, Medium, Large, Custom)
• Select Network (your team VLAN or create new)
• Set display name and optional user data / SSH key
• Click “Launch VM” — provisioning begins immediately
• VM appears as “Running” in dashboard within 2–4 minutes

CloudStack Dashboard

The dashboard shows: all VMs and their state (Running/Stopped/Error), IP addresses (private and public NAT if assigned), console access button, CPU/RAM allocation summary, storage volume list, network (VLAN) overview, and snapshot history.

Quick actions from dashboard: start/stop/restart VM, take snapshot, attach/detach volume, open VNC console, view console log.

Standard Template Catalogue

Creating a Custom Template

1. Deploy a VM and configure it as your golden image. 2. Stop the VM. 3. In CloudStack dashboard: select the VM → Actions → “Create Template from Volume”. 4. Give it a name and description. 5. Template appears in your account’s template library. Only visible to users in your account. Deploy new VMs from it just like a standard template.

Automatic ZT Entitlement Flow

• User deploys VM in CloudStack portal
• VM assigned to team VLAN (e.g., VLAN 100, 10.10.100.x)
• CloudStack webhook notifies AppGate controller of new VM
• AppGate creates entitlement: team members → new VM IP
• AppGate pushes entitlement update to all team members’ clients
• Team members can SSH to new VM immediately via ZT tunnel

Browser-Based VNC Console

The CloudStack portal includes an embedded VNC console. Click “Console” on any VM and a VNC session opens in your browser via WebSocket. The VNC traffic is proxied through the CloudStack management server — no direct VNC port exposed to the internet. Works for: initial OS setup, emergency recovery, debugging boot issues, accessing VMs that don’t have SSH enabled yet.

Team VLAN Architecture

Each team gets a dedicated /24 subnet on its own VLAN. Example: Team Alpha = VLAN 100, 10.10.100.0/24. Team Beta = VLAN 200, 10.10.200.0/24. All VMs deployed to Team Alpha’s network land in 10.10.100.x. The virtual router for each VLAN provides DHCP and DNS. AppGate entitlements grant access to the entire /24 or specific IPs within it.

Quota Management Details

The CTO account in CloudStack sets resource limits for each sub-account (team): maximum VMs, maximum vCPUs, maximum RAM, maximum primary storage (GB), maximum secondary storage, maximum public IP addresses.

When a team hits their quota, the portal shows a “quota exceeded” error on deploy. Team lead submits quota increase request. CTO approves in the portal. Increase takes effect immediately.

IOPS Tiers

Thin vs Thick Provisioning

Thin: Space is allocated on-demand as data is written. A 100 GB thin volume uses only the space actually written. Allows over-provisioning (e.g., 200 GB of thin volumes on a 150 GB pool). Risk: pool can fill if all thin volumes are written to simultaneously. CloudStack alerts at 80% pool usage.

Thick: All space is pre-allocated immediately. No over-provisioning. Predictable performance. Recommended for production databases and latency-sensitive workloads.

Template Storage in CloudStack

VM templates are stored on secondary storage (NFS export) in each Zone. When a new Zone is added, templates are replicated from the primary secondary store. When a VM is deployed, CloudStack copies the template to the primary storage pool of the target host (if not already cached), then creates the VM disk as a copy-on-write clone of the template. Fast and storage-efficient.

Snapshot Storage Details

Snapshots are stored on secondary storage (NFS). Each snapshot is a point-in-time copy of a VM’s disk. Recent snapshots (hourly, daily) remain on-cluster for fast restore. Weekly and monthly snapshots are exported to Wasabi S3 for offsite durability. S3 objects are encrypted at rest with AES-256. Transfer to S3 is encrypted via TLS.

Wasabi S3 Pricing

Wasabi charges ~$8.99 USD / TB / month (approximately $12–13 CAD/TB/month at current exchange). No egress fees. No API fees. Minimum storage: 1 TB, 30-day minimum retention. Wasabi’s Canadian region (ca-central-1) stores all data in Canada. 11 nines (99.999999999%) durability.

For comparison: AWS S3 Standard = $23 USD/TB/month + $90 USD/TB egress. Wasabi is ~60% cheaper with no egress costs.

S3 Compatibility Details

Wasabi implements the AWS S3 API. Compatible clients include: AWS CLI (aws s3 --endpoint-url https://s3.ca-central-1.wasabisys.com), rclone, Cyberduck, Duplicati, Veeam, and any S3-compatible backup software. Applications using the AWS SDK for S3 require only a change to the endpoint URL.

Online Volume Resize

In CloudStack portal: select the volume → Resize Volume → enter new size (must be larger) → confirm. The block device expands immediately. On Linux guests: sudo growpart /dev/vdb 1 && sudo resize2fs /dev/vdb1 (ext4) or sudo xfs_growfs /mountpoint (XFS). On Windows: Disk Management → Extend Volume. No VM restart required.

Shared (Multi-Attach) Volumes

Available for read-write-many use cases with clustered file systems (GlusterFS, OCFS2, GFS2). A shared volume can be attached to multiple VMs simultaneously. Each VM sees the same block device. The application or cluster filesystem is responsible for coordinating writes to prevent corruption. Contact Matrix IT to provision a shared storage pool for multi-attach volumes.