Public cloud hosting 101
Use this guide to learn about public cloud hosting in the B.C. government and determine if it’s the right option for your product or service.
What is public cloud hosting
Public cloud hosting lets you rent computer power to process data and run applications. Instead of paying for unused capacity, you only pay for what you use. You access these resources online through a third-party provider, making it a flexible and cost-effective option if your resource needs fluctuate throughout the year.
In the B.C. government, the Office of the Chief Information Officer (OCIO) Public Cloud team manages public cloud hosting. They can help you get started.
Why you should use the public cloud service
The public cloud service gives you faster, easier access to public cloud environments through the B.C. government’s secure landing zones.
Instead of every team managing its own procurement, security and onboarding process, this service offers a clear, supported path to adoption. It includes built-in security guardrails that align with B.C. government standards. This saves you significant time and effort.
The public cloud service provides:
- A centralized, supported environment. Leverage the expertise of public cloud and security specialists who maintain the OCIO-managed landing zones and provide ongoing governance, security scanning and monitoring. Your team will also have access to faster incident response times and one-on-one advisory services through Enterprise Support Services in Amazon Web Services (AWS) and Azure
- Flexibility and rapid scalability. Our public cloud environments are designed to handle unpredictable load demands. This gives you the flexibility to scale your applications without the resource limits of traditional hosting
- Simplified procurement. Avoid the need to procure individual public service provider contracts. Our service can help streamline this process so you can focus on delivering value quickly through your applications
Get access to Enterprise Support
Your team will have access to enterprise-level support in AWS and Azure through the public cloud service. You can troubleshoot issues like application crashes and get expert advice to design your application using the latest best practices.
With Enterprise Support, your team will receive:
- Guaranteed response times and priority incident support
- Access to one-on-one specialist advisory services to guide your implementation
- Access to cloud training resources
Learn more about Enterprise Support and other available support options.
Security
The public cloud service provides secure public cloud environments for ministry teams. Our landing zone guardrails follow OCIO security policies and best practices. This includes the Canadian Centre for Cyber Security standards.
Our cloud security and privacy specialists collaborate with your ministry security teams to help navigate security and compliance requirements for your specific project.
When you use our landing zones, you gain access to OCIO security scans and tools that detect threats and alert the right people when action is needed to protect applications from malicious actors. That includes integrating with the B.C. government single sign-on (SSO) service, which allows you to access public cloud services using your IDIR.
When you onboard through our service, your projects are placed in secure B.C. government landing zones. Our team maintains these zones, monitors security, addresses alerts and conducts ongoing security and privacy assessments (STRA, PIA) to reduce administrative burden.
You’ll still need to complete your own compliance assessments for your unique project. Connect with our security and privacy teams at cloud.securityprivacy@gov.bc.ca to help with resources and related assessments.
Visit the security and privacy section to find detailed steps and resources for your project.
Procurement
We simplify onboarding and automatically provision all the resources you need to work with public cloud service providers. We follow B.C. government procurement processes to procure public cloud services and make them available to you. We also simplify contract administration and billing processes so you can focus on your work.
By using the existing landing zones, your team avoids many of the administrative steps when procuring software or services within the B.C. government.
Service providers
The B.C. government has 2 secure and compliant OCIO-managed hosting environments: AWS and Azure landing zones. Our public cloud services include security measures and tools to protect your applications and data.
Both AWS and Azure landing zones meet the Government of Canada’s Protected B Medium Integrity Medium Availability (PBMM) security category and comply with the Security Control Profile for Cloud-based GC Services. They also meet the B.C. government Protected B security classification.
Service availability
Only cloud service provider services available in the Canada regions can be used in B.C. government landing zones. Services outside this region are restricted. If you need an exception, submit a support ticket with our team.
To find services available in AWS or Azure landing zones, visit their regional product list and select a “Canada” region.
What to consider before hosting on the public cloud
Any B.C. government ministry team can use the OCIO public cloud hosting environments. If your team has less experience, you may require additional support.
Choose a B.C. government landing zone if you want to:
- Build and deploy a new web or mobile application
- Migrate an existing cloud native application to the public cloud
- Store, manage and analyze data
- Set up backup and data recovery
- Track analytics
- Use Artificial Intelligence (AI) models available in the Azure and AWS ecosystem
Skills and training
Your team should be familiar with your chosen public cloud provider or be ready to learn.
During your onboarding, we provide:
- Training on how to work with the B.C. government-imposed guardrails within public cloud landing zones
- Documentation and resources
- Sample applications that you can leverage in your projects
- External training resources
Application requirements
If you’re planning to build or host an application in the public cloud, you must be able to show that your proposed application is suitable to run in a public cloud environment.
Your application is considered suitable if:
- You plan to build it using cloud-native architecture and technology stacks
- You have endorsement from your ministry’s Information Management Branch (IMB), including the architecture team, to host your application in the public cloud
- You have approval from your Ministry Information Security Officer (MISO) to host your application in the public cloud
In alignment with our Digital Code of Practice and the principles of Open Government, code should be stored in the open bcgov GitHub organization by default whenever possible.
Your security responsibilities
To protect sensitive information and support responsible cloud usage, you must:
- Visit our security and privacy section to learn more about landing zone guardrails, security and privacy assessments and the security tools available
- Contact your privacy and security advisors (often including your Ministry Privacy Officer (MPO) and Ministry Information Security Officer (MISO)) to assess your data and application. You may require a new or updated Security Threat and Risk Assessment (STRA), a Privacy Impact Assessment (PIA) or other assessment
Data sensitivity levels
You can host data up to and including Protected B data in the public cloud. Protected C data cannot be hosted in the public cloud. Storing sensitive personal information may be subject to additional restrictions or require additional assessments, so always reach out to your MPO when including personal information.
B.C. government guardrails
We apply security guardrails to public cloud service providers to help teams meet the Canadian Centre for Cyber Security (CCCS) guidelines. These guardrails support Protected B, Medium Integrity, Medium Availability (PBMM) standards, which are the baseline requirements set by the Government of Canada for Protected B compliance.
We provide access to nearly the full catalog of services from cloud service providers. These guardrails help ensure that services are used in alignment with B.C. government security and privacy requirements.
While these guardrails protect your workloads and applications, security and compliance follow a shared responsibility model. Our team maintains compliance, privacy and security at the landing zone level, while your team is responsible for securing your specific application use case.
Some unique cases may require exemptions. You can find more guidance on handling these situations in our AWS and Azure technical documentation.
Support and community
We offer different support options for your team. These include support for administrative and operational needs, onboarding and billing processes. We also provide guidelines to request help from your cloud service provider’s Enterprise Support.
The OCIO is developing the Multi-Cloud Connectivity Service that will let B.C. ministry teams create a direct, secure and low-latency connection between B.C. government data centres and the public cloud. This service will roll out in phases to ministry teams through fiscal year 2025/26.
Once the service becomes available, we’ll share more information at our public cloud community updates.
Limitations
Consider these limitations before using a B.C. government landing zone:
- Network access. Currently there is limited connection between B.C. government data centres and the OCIO public cloud landing zones. As a result, hosting hybrid applications with components hosted in the public cloud and in the B.C. government’s on-premises data centres requires additional research and requirements gathering with your architecture advisors
- Service availability. In compliance with the B.C. government’s security and privacy standards, you can only access services within the B.C. government landing zone that are available in the cloud service provider’s Canada regions
Costs and billing
Find out how much it will cost to host your application in the public cloud.
Estimate your costs
Public cloud costs depend on the services used. Use the AWS Pricing Calculator or Azure Pricing Calculator to estimate expenses.
AWS costs
- Hosting a project set in the AWS landing zone costs about $50 USD per account, per month
- A project set can include 1 to 4 accounts. A project set with 4 accounts will cost about $200 USD per month
- This baseline cost only covers account operations and does not include additional cloud services or resources
- A 6% overhead charge applies to all ministry applications in the landing zone
Azure costs
- The Azure landing zone does not have a baseline cost to run project sets
- A 6% overhead charge applies to all ministry applications in the landing zone
Overhead charge details
The 6% overhead charge covers the costs of operating the landing zones:
- AWS. Covers B.C.’s use of the Government of Canada Brokering Agreement for accessing AWS services
- Azure. Covers the OCIO’s cost of operating the Azure landing zone
The overhead charge cost doesn’t appear in the pricing calculators from AWS or Azure.
Enterprise Support costs
Enterprise Support is billed at 10% of your quarterly cloud spend. This applies to all cloud landing zone clients and is proportional to your usage of the platform.
Paying your bill
We handle billing for all teams using OCIO-managed cloud services in AWS and Azure.
You have access to an online dashboard where you can track your application’s costs in real time. It is your responsibility to monitor costs and adjust your usage up or down based on your needs and budget.
We also provide you with:
- Weekly reports. Every week, we email you a consumption report outlining your cloud usage and associated costs
- Quarterly invoices. Every 3 months, we send an invoice via Journal Voucher (JV) covering your cloud usage and the 6% overhead charge
Budget alerts
When you submit a provisioning request, you can set budget alerts for your application. We’ll notify you by email when your project spend reaches 50%, 80%, and 100% of the projected budget.
Billing dashboards
To help you monitor your cloud usage and costs, we provide access to billing dashboards for AWS and Azure. These dashboards allow you to track usage, generate billing reports and analyse cost trends in real time.
You can use them to view your usage, build billing and usage reports, and view trends:
- AWS QuickSight billing dashboard. To access it you must be assigned billing viewer permissions in the project set
- Azure Cost Management Dashboard. To access it you must be assigned “Cost Management Reader” role/permissions for a project in the Azure Portal
If you have questions about public cloud hosting costs and billing, or if you believe there is an error in an invoice, submit a support ticket.
Product team requirements
Funding
Your team must have a budget to support applications and data throughout their lifecycle in the public cloud. This budget must be confirmed during onboarding.
Team roles
A well-functioning product team should include:
- Product Owner (PO)
- DevOps Lead or Technical Lead (TL)
- Developers
Product Owner
You must be able to identify a permanent government employee on your team to be the Product Owner (PO) for the applications and data you host in the public cloud.
The PO is:
- Responsible for your public cloud products throughout their entire lifetime in the public cloud
- Accountable for ensuring that the team keeps your product code, libraries and supporting tools functional, current and secure. This includes responding to any changes in the public cloud service that may affect the performance of your applications or data
DevOps Lead or Technical Lead
You should have at least one person on your team with DevOps skills when you start working in the public cloud. The DevOps or Technical Lead (TL) is responsible for ensuring that your application is designed for resiliency and high availability and has monitoring and alerting functionality.
Developers
Most product teams need at least one developer to effectively make use of public cloud services. You should also consider your team’s level of expertise working with different public cloud service providers. For example, developers with prior experience working in AWS will be much more comfortable working in the B.C. government AWS landing zone than developers with no AWS experience.
Account closure and project set deletion
Only a Product Owner (PO) or Technical Lead (TL) can request to close an account and delete a project set.
How to delete your project
- Log in to the Platform Product Registry as the PO or TL
- Select the “Public Cloud Products” section tab
- Choose the project set you want to delete
- Click the delete icon in the top right corner. A warning message will appear. Enter the license plate and PO’s email address
- Review the important information and confirm deletion
What to expect
It’s important to consider the following:
- Processing time. The deletion process may take up to 5 business days
- Post closure period. After deletion, the account enters post-closure status for 90 days, as per the cloud service provider policy
- Ongoing charges. During this 90-day period, you may still receive weekly billing emails and incur charges
- Final invoice. After 90 days, you’ll no longer get weekly notifications, but you can expect a final quarterly bill for any closed project sets within that quarter
- Monthly deletion limits. Some cloud service providers limit the number of projects we can close each month. If the quota is exceeded for the current month, your deletion request may be queued until the next month, and charges will continue during that time
You can follow up about the status of your project deletion and account closure request by submitting a support ticket.