Cage / Cabinet¶
Service ownership
Owner: dc-operations (colo-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11
Dedicated, lockable cages for multi-rack deployments — when you need physical isolation beyond a single locked rack.
What it is¶
A floor-bolted mesh-walled enclosure containing one or more racks (typically 4 / 8 / 16) with a single locked door. Tenant-only access; no other customer staff (Cloud Digit ops staff still have escorted access for facility events).
When to pick a cage¶
- Multi-rack production with strict physical separation
- Regulated FI with audit-mandated isolation
- Customer wants their own under-floor cabling, ground reference, or specialised intra-cage infrastructure
- HSM / payment-card scope where shared-floor walking is a finding
Sizes¶
| Footprint | Racks supported | Floor area |
|---|---|---|
| Small cage | 4 racks | ~10 m² |
| Medium cage | 8 racks | ~20 m² |
| Large cage | 16 racks | ~40 m² |
| Custom | 16+ | Per design |
What's included¶
- Mesh enclosure with single locked door
- Ceiling closure (top mesh)
- Customer-only key/badge
- Optional internal CCTV (your camera, your viewing — ours doesn't see in)
- Cable tray, fibre and copper paths from cage to cross-connect MMR
Pricing¶
Cage-month flat rate by size + per-rack-month + power. 1- and 3-year commitments standard. See Pricing.
Related¶
Operate this service¶
A locked, customer-dedicated cage or cabinet inside a Cloud Digit DC — physical isolation beyond a per-rack lock.
When a cage is required¶
- Compliance mandate for "physical separation" (some bank, gov, defense contracts)
- Customer wants their own security camera / access log feed
- Multi-rack deployment with cross-rack cabling that needs containment
- High-value gear requiring extra physical security
IAM¶
| Role | Can do |
|---|---|
cage.viewer | View cage details, environmentals |
cage.dc-visitor | Physical access (badge-issued, biometric) |
cage.admin | Manage IAM bindings, security configuration |
Cage access is logged per entry with biometric + badge + photo. Available to auditors.
Sizing¶
| Size | Capacity | Use |
|---|---|---|
| Single cabinet | 1 rack equivalent | Small-footprint with cage iso |
| 2-rack cage | 2 racks | Standard |
| 4-rack cage | 4 racks | Larger production |
| 10-rack cage | 10 racks | Major footprint |
| Custom | 10+ racks | Quote-based |
Cage size includes cold-aisle containment, dedicated PDUs, and optional separate UPS feed.
Security features¶
- Mantrap entry (1-person-at-a-time)
- Biometric (palm or fingerprint) at cage door
- Camera feeds (customer-viewable on request)
- Tamper sensors on cage walls (alerts on unauthorized intrusion attempts)
Compliance¶
Cage attestation report quarterly: - Access events - Tamper events (always 0) - Environmental compliance - Cage IAM membership audit
Related¶
Metrics¶
Per cage (in addition to per-rack metrics):
| Metric | Healthy | Alert |
|---|---|---|
colo.cage.access_events_24h | matches scheduled visits | unexpected entries |
colo.cage.tamper_alerts_24h | 0 | > 0 |
colo.cage.power_kw | < contract | > 90% |
colo.cage.upstream_uplinks_state | all up | any down (redundancy) |
Access scheduling¶
bash cd colo cage visit schedule \ --cage cage-acme-bd-dha-1-001 \ --visitor jane@acme.com \ --start "2026-05-15T10:00:00+06:00" \ --duration 4h \ --purpose "quarterly hardware refresh"
Visit requires: - Pre-registration ≥ 24 h in advance - Visitor's cage.dc-visitor role active - KYC verification on file
Day-of: visitor presents at reception, biometric verification, escorted to cage.
Self-managed network¶
Customer-managed networking inside the cage. CD provides: - Uplinks (2× 25GbE or 100GbE LACP) - BGP peering port (for BYOIP) - Cross-connect ports to other CD customers in the same DC
You manage routers/switches inside the cage.
Camera feeds¶
Optional add-on: live + recorded camera feeds inside your cage, viewable via:
bash cd colo cage camera live --cage <id>
Recordings retained 90 days. For audit, request a specific time-range download.
Service requests¶
For inside-cage smart-hands work, file a request with security clearance:
bash cd colo smart-hands request --cage <id> --task "swap PSU on server-04" --priority normal
CD smart-hands enter the cage with customer authorization for each visit.
Related¶
Tamper alert¶
colo.cage.tamper_alerts_24h > 0:
- CD security notified immediately
- Camera footage reviewed
- Customer security contact notified
- Joint investigation; documented in incident report
Most tamper alerts are false positives (cleaning crew bumped the cage). Real ones are very rare in Tier-III DCs.
Biometric not recognized¶
Visitor arrives but biometric fails: - Old enrollment (re-enroll at badge office; takes 10 min) - Finger/palm injury → use backup biometric (palm if fingerprint enrolled, vice versa) - System glitch → manual override by DC security manager with photo ID
Access scheduled but visitor refused entry¶
| Cause | Resolution |
|---|---|
| Visit not in system (typo in name) | Update via admin |
| KYC expired | Re-verify (15 min at badge office) |
| Customer revoked role mid-visit | Customer admin re-issues role |
| Beyond scheduled time window | Reschedule |
Uplink loss¶
Cage has redundant uplinks but lost one: - Customer-side TOR switch port — your repair - CD spine port — CD repair (open ticket) - Cable fault — CD smart-hands replaces
Traffic continues on the surviving leg; bandwidth halved.
Cage at capacity¶
You're growing and the cage is full: - Adjacent cage available? Expand into it (cross-cage cabling) - Move to a larger cage in a different DC row - Switch to multi-cage deployment with cross-connects
CD plans expansion in 4-8 week lead time.
Audit log shows unauthorized access attempt¶
Someone tried to enter the cage and was refused: - Typically a wrong-cage mistake (visitor for cage-A wandered to cage-B) - Sometimes a security probe — investigate seriously
Camera feed unavailable¶
Camera-feed add-on customers occasionally see "feed unavailable": - Customer-portal session expired - Local network blocks WebRTC - Camera offline (rare; CD repairs)
For audit-grade access, request a recording (durable; no portal dependency).