Internet on Demand (IO-D)

Internet On-Demand allows customers to extend internet connectivity to their existing sites on the Console Connect platform. Learn more about Internet On-Demand in the Service Specification.

How do I create an IO-D service?

To create an Internet On-Demand service in Console Connect, follow the instructions in our how-to video:

Can I create an IO-D service using a private ASN?

Yes if you don’t have a public ASN.

Can I create an IO-D service using static routes?

Not at the moment. This feature is on our roadmap.

How do I disable or delete an IO-D service?

This feature is not yet available. In the meantime, please contact [email protected] to disable or delete a connection.

Burstable Billing

What is Burstable Billing?

Burstable billing is a method of measuring bandwidth based on peak use. It also allows usage to exceed a specified threshold for brief periods of time without the financial penalty of purchasing a higher committed data rate (CDR). Console Connect currently only offers a 95th Percentile Burstable Billing calculation. To be eligible for Burstable Billing on Internet on Demand, you must order a service with a CDR which is 10% or greater of the total port capacity (i.e. A 1 Gbps Port will require a 100 Mbps CDR)

What is the 95th Percentile?

The 95th percentile is a widely used mathematical calculation to evaluate the regular and sustained use of a network connection.

Bandwidth is measured from the switch or router and recorded in a log file. At the end of the month, the samples are sorted from highest to lowest, and the top 5% (which equal to approximately 36 hours of a 30-day billing cycle) of data is thrown away. The next highest measurement becomes the billable use for the entire month.

Based on this model, the top 36 hours (top 5% of 720 hours) of peak traffic is not taken into account when billed for an entire month. Bandwidth could be used at a higher rate for up to 72 min a day with no financial penalty.

How and when will I be charged?

Burstable Billing is only available for customers who are paying for their Internet on Demand service via Invoice. Charged for the Committed Data Rate will be invoiced on the first day of each month as per usual. Burstable Billing charges will be invoiced monthly in arrears.

IO-D Routing

Customer IP Prefix Policy

Customers with their own IP address ranges are subject to the PCCW Global Customer IP Prefix Policy, which requires that as-set and route objects are created in approved IRR databases for all customer (including downstream) prefixes. The policy also recommends the use of RPKI ROAs.
Read the Customer IP Prefix Policy.

What if I have my own ASN and my prefixes are registered in an IRR?

Once your order is received and provisioned, it may take up to an hour for your prefixes to appear in our systems. This will depend largely on when you registered your route object(s) in the approved IRR database(s). Note that you must advertise a /24 subnet or larger.

What if I have my own ASN and I bought IP address space from PCCW Global?

Adding or updating ASN or AS-SET is only supported by the backend.

To add or update ASN or AS-SET, contact [email protected].

What is a default route?

What you are choosing here is between receiving the full internet routing table, which is approximately 850 thousand routes / prefixes or receiving one route, that is the default route ( Usually if you have a smaller router, and you are buying Internet On-Demand from Console Connect, you will want to leave this option as is, as getting the default route from us will be the easiest option in terms of configuration. If however you are a network engineer and want to set routes, communities and other bgp attributes, you will definitely want to disable this option to get the full internet routing table.

IO-D value-added services

Anti-DDoS Service (ADD)

DDoS (Distributed Denial of Service) attacks have become a great security threat, especially to customers who operate popular websites or do business via the internet.

PCCW Global offers its anti-DDoS service in two packages, On-Demand and Hybrid. In the On-Demand package, we monitor your internet traffic utilization at your CE router for possible DDoS attacks. When a DDoS attack is detected, all traffic destined for the victim Ip will be manually rerouted to an intelligent filtering device. The attack traffic will be filtered out and legitimate traffic sent onwards to your network.

In the Hybrid package, an Intrusion Prevention System (IPS) is provided and installed in your premises. The IPS will monitor all internet traffic for possible DDoS attacks. When a DDoS attack is detected, the IPS will perform auto-mitigation on suspicious traffic. If the traffic volume is so large that the internet link is saturated, the DDoS attack traffic will be routed (upon Customer approval) to our Premium Scrubbing Center for traffic mitigation.

An online Anti-DDoS Customer Portal allows you to view the above processes online.

Note: Anti-DDoS is not available for pure IPv6 connections. For dual-stack connections, Anti-DDoS is available for only the IPv4 portion.

Managed Router Service (MRS)

Many customers prefer to outsource the provisioning and management of their Customer Edge (CE) routers, which connect to the PCCW Global network.

PCCW Global MRS provides different service packages from pure CE router management to a full ‘one stop shop’ service, including CE router rental, maintenance and management for all Internet on Demand customers.

Managed Firewall

From installation, operation, upgrade, and maintenance, to parts and end-of-life/end-of-support process monitoring, PCCW Global’s Managed Firewall Service takes the overhead out of regular configuration and maintenance tasks that can be tedious and time-consuming.

We support offerings from the leading firewall vendor Fortinet. Combined with our Threat Intelligence and Management Service, organisations get a reporting dashboard and firewall configuration system, along with professional services for firewall management, security monitoring and incident reporting.

Looking Glass

A web-based Looking Glass site is available for potential customers who want to examine the PCCW Global IP Network (AS3491) and its performance to and from the internet.

The site is equipped with tools that enable customers to perform “ping” or “traceroute” from:

  • Any AS3491 PoP to another AS3491 PoP.
  • Any AS3491 PoP to any internet destination in the form of an IP address or domain name.

The PCCW Global Looking Glass can be found here.

Speed Test

Speedtest servers are set up in selected PCCW Global PoPs to allow customers to test the download and upload performance of their Internet on Demand connections. Contact us to find out more.

DNS Resolvers

PCCW Global maintains the following distributed name servers for customers to perform domain name resolution.

Note: PCCW Global name servers are deployed by region, not by country, and may not comply with the legal restrictions of individual jurisdictions or countries within a region. For this reason, the most common setup is to use country-based open resolvers like Google’s or Cloudflare’s A more complete listing of open resolvers can be found here.

Asia (IPv4)
Americas (IPv4)
Europe (IPv4):
All regions (IPv6)


Oblivious DNS Over HTTPS

Traditionally, DNS lookups are sent to resolvers in plain text, which can leave end users vulnerable to eavesdropping and person-in-the-middle attacks. DNS-over-HTTPS (DoH), addresses this issue by sending lookups over an encrypted HTTPS connection between the end host (stub resolver) and the recursive resolver. Using DoH improves privacy by preventing your queries being seen by someone lurking on public WiFi or personal information related to your browsing behaviour being gathered and/or sold.
Oblivious DNS over HTTPS (ODoH) is a new proposed standard that separates user IP addresses from queries so that no single entity can see both at the same time, as illustrated below.


Configure your web browser to use DoH using the following instructions:

Microsoft Edge
On the edge://settings/privacy page, select Use secure DNS to specify how to lookup the network address for websites.

Google Chrome
Select Use secure DNS on the chrome://settings/security page.

Follow the instructions provided here.

Here are the answers Mozilla gave to some frequently asked questions about DoH.