Skip to main content

Internal Architecture

Architecture Overview

This page provides a technical overview of the OBLV Deploy architecture, detailing the system's components and their interactions. In addition, the internal enclave architecture is also described.

Architecture Diagram

The following diagram presents an overview of the OBLV Deploy architecture.

OBLV Deploy Architecture

The sections below describe the function and interaction of the components displayed in the above diagram.

Client Machine

The client machine is the point of interaction for users with the OBLV Deploy system, consisting of:

  • Client App: Any user interface which interacts with the OBLV Deploy system.
  • OBLV CLI: A command-line tool to improve the interactions and communication with the OBLV Deploy infrastructure.

Auth Server

The Auth server is responsible for authenticating requests to the enclave, ensuring secure access and operation. Any authentication server can be used for this, provided there is an appropriate authentication plugin running within the enclave. By default, this is an OAuth server.

EC2 Instances

EC2 instances run the computing workloads, with each instance containing the following:

  • Enclave: The secure computational environment to process sensitive data and execute proprietary code.
  • Bootscript: A script that initialises the enclave environment on instance startup and configures the parent EC2 to act as a proxy for the enclave.
  • VSock: A mechanism for secure, hypervisor-mediated communication between the enclave and the EC2 instance.

The EC2 instance is pre-configured as an OBLV Deploy AMI, obtained from the AWS Marketplace, which includes services designed to run within the enclaves and the necessary bootstrapping scripts.

Depending on your settings, the Kubernetes controller can start more than one EC2 instance to ensure your system will support the demand.

OTel Collector

The OTel collector gathers telemetry data from the enclaves, including metrics, logs, and traces, from the enclaves. This information is transferred to the configured client backend systems for processing, like Prometheus, Loki, and Jaeger for further analysis.

Key Management Service (KMS)

The AWS KMS can optionally handle cryptographic keys, providing services such as secure SSL certificate management including certificate decryption within the enclaves, establishing secure communication with clients and key provisioning based on the enclaves' attestation. KMS Guide page shows the users can leverage AWS KMS within OBLV Deploy.

Kubernetes Controller

The Kubernetes controller monitors resource utilisation, using predefined metrics such as memory usage, to scale the number of EC2 instances as needed. Additionally, it orchestrates the deployment of these instances according to the specifications provided in the manifests of the deployment, ensuring they are configured with the necessary dependencies, replicas, and networking components. This orchestration includes:

  • Provisioning of EC2 instances: Automated creation and configuration of EC2 instances as according to the AMI specifications.
  • Load Balancer and Proxy Configuration: Setting up networking components to ensure efficient distribution of traffic and service discovery.

Dashboard

Optional dashboard solutions, like Grafana, provide a visualisation solution for monitoring the system's operations, providing insights into the performance, and status of the deployments through an interactive dashboard.

Enclave Close-up

The enclave is part of the OBLV Deploy overall architecture. The enclave is composed of four main components:

  • Proxy: The initial layer of interaction within the enclave, operating as the gateway through which all external requests are received and directed to the appropriate services.
  • OBLV Internal Services (Default plugins): OBLV Deploy services that ensure the optimal and secure operation of your application.
  • External User-Defined Plugins: Optional plugins to customise and extend the functionality of enclave services. These are optional plugins offered by OBLV Deploy or custom plugins built and integrated by users. These can include:
    • Logging Service: This is an optional plugin you can integrate into the enclave to improve the logging capabilities. The Fluent-bit plugin is an example of an option you can use.
    • Telemetry Service: Another optional plugin that you can use to capture and analyse the telemetry data.
  • Client App: The client application. An enclave can have one or more client applications running. All external interactions of these services are managed by the OBLV Internal Services.

The following image presents an overview of the internal enclave when using the OBLV Deploy.

Enclave Close Up

In addition to the enclave components described above, the diagram also presents the interaction with the KMS. The communication between the enclave and the KMS is a critical aspect of the enclave's operation, ensuring that sensitive data and operations within the enclave remain secure through robust encryption and decryption protocols.

Optional Plugins (External User-Defined Services)

Users have the flexibility to incorporate optional plugins to customise and extend the functionality of enclave services. External plugins, also known as User-Defined Plugins, allow users to develop custom plugins or integrate third-party services to meet specific requirements and enhance the capabilities of enclave deployments.

Optional Plugin Types

The following are the main optional plugin types:

  • Authentication Plugin: Focused on OAuth protocol support, ensuring secure user authentication following industry standards.
  • Logging Plugin: Handles the recording of operational data, with adaptability to interface with various logging systems.
  • Telemetry Plugin: Specialised in collecting and processing telemetry data, enhancing system monitoring and analysis capabilities.
  • Proxy Service Plugin: This enables users to set up proxy services for various purposes, including traffic routing, load balancing, and more.
  • Network Interceptor: Allows you to manage and filter all outbound network connections from your system, with access to all outbound traffic.
  • Monitors/Intrusion Detection: Provides access to metrics, system stats, and anomalies similar to logging.

Custom Plugins

OBLV Deploy boasts a unique feature that simplifies the process of designing, building, and testing custom plugins. Whether the plugins are created by our team or our clients, the platform facilitates an effortless integration process, enabling users to expand the platform's functionalities according to their specific needs.

What's Next?