What kinds of isolation can Enclave provide?

Multitenancy is a key property of most cloud computing service models, which makes isolation a critical component of most cloud computing security models.

Enclave customers often need to explain to their own customers what kinds of isolation they provide, and what kinds of isolation are possible on the Enclave platform.

The Reference Architecture Diagram helps illustrate some of the following concepts.

Infrastructure

All Enclave resources are deployed using Amazon Web Services. AWS operates and secures the physical data centers that produce the underlying compute, storage, and networking functionality needed to run your Apps and Databases.

Network/Stack

Each Enclave Stack is an AWS Virtual Private Cloud (VPC) provisioned with EC2, ELB, and EBS assets and Enclave platform software.

When you provision a Dedicated Stack on Enclave, you receive your own VPC, meaning you receive your own private and public subnets, isolated at the network level from other Enclave customers.

You can provide further network-level isolation between your own Apps and Databases by provisioning additional Dedicated Stacks, since resources in different Stacks never share a VPC.

Host

The Enclave layers where your Apps and Databases run are backed by AWS EC2 instances, or hosts.

Each host is deployed in a single VPC. On a Dedicated Stack, this means you are the only Enclave customer whose workloads run on those EC2 instances.

In a Dedicated Stack, these EC2 instances are AWS Dedicated Instances, meaning Aptible is the sole tenant of the underlying hardware. The AWS hypervisor enforces isolation between EC2 instances running on the same underlying hardware.

Within a Stack, the EC2 hosts are organized into Enclave service layers. Each EC2 instance belongs to exactly one layer, which isolates each layer from failures in the others (and means, for example, that App containers and Database containers never share a host):

  • App Layer: Runs your app containers, terminates SSL.
  • Database Layer: Runs your database containers.
  • Bastion Layer: Provides backend SSH access to your Stack, builds your Docker images.

Because Enclave may occasionally need to rotate or deprovision hosts in your Stack to avoid disruptions in service, we do not expose the ability for you to select which specific hosts in your Stack will perform a given workload.

Environment

Enclave Environments are an access control boundary, not a network or host boundary.

Each Environment runs on a specific Stack, and each Stack can support multiple Environments. Note that when you use Environments to separate Apps or Databases on the same Stack, those resources still share the Stack's network and may share underlying hosts.

You can use separate Environments to restrict access to specific Apps or Databases to specific members of your organization.

Container

Enclave uses Docker to build and run your App and Database Containers.

Each container isolates a group of Linux processes from the other processes running on the same underlying host, using kernel namespaces and cgroups. Containers are not virtual machines: all containers on a host share that host's kernel, so a kernel vulnerability or a misconfigured container can cross this boundary. Containers are generally isolated from each other, but they are the weakest level of isolation Enclave provides.

You can provide container-level isolation between your own customers by provisioning each customer's resources as separate Apps and Databases.
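The Network/Stack, Host, Environment and Container sections above together define which boundary separates any two resources. The following added example (not Aptible's or Enclave's own code) turns those rules into a check a customer could run over an inventory of their own resources to answer "what is the strongest boundary between resource A and resource B?" and to flag pairs that rely on container isolation alone. The inventory, resource names and the Resource class are constructed for illustration; the rules themselves (different Stack means separate VPC; App and Database layers never share a host; Environments separate access, not hosts) are those stated on this page.

```python
from dataclasses import dataclass
from itertools import combinations

# Boundaries ordered from strongest to weakest, as described on this page.
STRENGTH = {"network": 3, "host": 2, "container": 1, "none": 0}


@dataclass(frozen=True)
class Resource:
    name: str         # hypothetical resource identifier
    kind: str         # "app" or "database": determines the Enclave service layer
    stack: str        # Enclave Stack (one AWS VPC)
    environment: str  # Enclave Environment (access control only)


def isolation_boundary(a: Resource, b: Resource) -> str:
    """Return the strongest boundary that separates resources a and b."""
    if a.stack != b.stack:
        # Different Stacks are different VPCs: separate subnets and hosts.
        return "network"
    if a.kind != b.kind:
        # Same Stack, but App and Database layers run on different EC2 hosts,
        # so the AWS hypervisor separates them.
        return "host"
    if a.name != b.name:
        # Same Stack and same layer: the resources may share a host and are
        # separated only by Docker containers (namespaces and cgroups).
        return "container"
    # Same resource (possibly seen from two Environments, which changes
    # who may access it but not where it runs).
    return "none"


def access_separated(a: Resource, b: Resource) -> bool:
    """Environments restrict who can access a resource; they are not isolation."""
    return a.environment != b.environment


def weakest_pairs(resources, minimum="host"):
    """List pairs whose only separation is weaker than `minimum`.

    Useful for answering a customer who asks whether their data shares a
    host or a network with someone else's.
    """
    weak = []
    for a, b in combinations(resources, 2):
        boundary = isolation_boundary(a, b)
        if STRENGTH[boundary] < STRENGTH[minimum]:
            weak.append((a.name, b.name, boundary))
    return weak


# Constructed inventory: two customers on a shared Stack, a third on its own.
INVENTORY = [
    Resource("acme-web", "app", "stack-shared", "env-acme"),
    Resource("acme-db", "database", "stack-shared", "env-acme"),
    Resource("globex-web", "app", "stack-shared", "env-globex"),
    Resource("initech-web", "app", "stack-dedicated", "env-initech"),
]

if __name__ == "__main__":
    for a, b, boundary in weakest_pairs(INVENTORY):
        print(f"{a} and {b} are separated only at the {boundary} level")
```

Run as a script, the check reports that acme-web and globex-web (two Apps on the same Stack, in different Environments) are separated only at the container level even though their Environments differ; moving one of them to its own Dedicated Stack raises the boundary to the network level.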