Environment segmentation
Tidepool implements virtual resource separation for all environments and uses a zero-trust network model for all Kubernetes resources. All internal connectivity is authenticated and authorized.
Tidepool uses the AWS Virtual Private Cloud (VPC) service to segment data and resource access. The VPC service provides resource separation and isolation so that events in one VPC (essentially a virtual data center) cannot affect any resources in a separate VPC. Tidepool environments are all separated by role and data sensitivity, and access is explicitly defined in policy.
Network segmentation is performed using the following AWS services defined per VPC environment:
Security Groups and Network ACLs
Security Groups and Network ACLs defined in AWS perform basic firewall and routing services for all hosts. Tidepool uses a deny-by-default policy.
Provide connectivity to the internet while masking internal networks.
No Tidepool instances receive traffic from the internet directly; all traffic is proxied via application-layer gateways managed by AWS.
IAM Role-based access controls
Access to resources from inside a VPC and between instances is defined by RBAC and assigned programmatically per service, instance or role.
Virtual Private Cloud (VPC) Peering
A network service connection between two VPCs that allows them to route traffic privately and without sending it over the internet. Tidepool specifically uses VPC Peering to connect the Tidepool application running in our own environment securely to our managed databases running in MongoDB Atlas.
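An added audit check (example code, not Tidepool's own) that applies the policy above to security group definitions in the shape returned by boto3's describe_security_groups(): every group other than the designated application-layer gateways must have no ingress rule whose source is an internet-routable range. The group IDs, names and ports are constructed for the example.

```python
# Added example: audit security groups for direct internet ingress.
from ipaddress import ip_network

# Constructed sample data with hypothetical group IDs and names.
SAMPLE_GROUPS = [
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        # Correct: only the gateway's security group may reach the app port.
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        # Violation: database port open to every IPv4 address.
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-alb", "GroupName": "public-gateway", "IpPermissions": [
        # Allowed: the application-layer gateway is the one internet-facing tier.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]


def is_internet(cidr: str) -> bool:
    """True if the CIDR covers addresses outside private/loopback space."""
    net = ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not (net.is_private or net.is_loopback)


def audit(groups, gateway_group_ids):
    """Return (group name, port range, source CIDR) for each ingress rule on a
    non-gateway group whose source is an internet-routable range."""
    findings = []
    for group in groups:
        if group["GroupId"] in gateway_group_ids:
            continue  # gateways are the designated internet-facing tier
        for perm in group["IpPermissions"]:
            ports = f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_internet(cidr):
                    findings.append((group["GroupName"], ports, cidr))
    return findings


if __name__ == "__main__":
    for name, ports, cidr in audit(SAMPLE_GROUPS, {"sg-alb"}):
        print(f"VIOLATION: {name} accepts {ports}/tcp from {cidr}")
```

Against live data, feed the output of describe_security_groups()["SecurityGroups"] to audit() with the gateway group IDs from your own configuration.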
The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.