
Enclave architecture

The Enclave platform is made up of three parts, built on top of Nebula.

1. The Enclave management console (EMC) is the central control point for the whole system. In the EMC you configure your enclaves (microsegments), manage how machines (or users) authenticate, and change any configuration.

2. Agents are the end users of an enclave. An agent is the installed bundle that you place on every node you want to manage in the EMC. The two agent types function similarly in that each agent manages the permissions of external agents.

  • User agents are ephemeral, or temporary. A user connects to the network, does work, then disconnects from the network. This is similar to how you would access infrastructure through a VPN. The user agent handles all the authentication processing, which includes MFA.
  • Node agents are designed to have permanent connections. An example is a web server, which a user needs to be able to reach at all times.

3. Beacons provide resolution between nodes. Nebula, the underlying microsegmentation technology, works by creating an overlay network (a network that is not routable from the internet). Beacons exist to translate the overlay IP space to the physical IP space. You can consider them similar to DNS: DNS maps URLs to IP addresses, and a beacon maps an overlay IP to a physical IP. Beacons do their best to support direct connections between nodes, but if a direct connection is not possible, the beacon can also act as a relay, passing traffic between nodes. Beacons can be either managed by a client or hosted by SideChannel.
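The following is an added illustration of the beacon behaviour described above, written for this page and not taken from SideChannel's or Nebula's code. It models the three points the text makes: a beacon maps overlay addresses to physical endpoints, it falls back to relaying when no direct path works, and user-agent registrations are ephemeral while node-agent registrations persist. The overlay range, the `Beacon` class, its method names, the endpoint strings and the `direct_reachable` probe are all assumptions made for the example; a real beacon would learn reachability from actual connection attempts.

```python
"""Toy model of beacon resolution for an overlay network (added example)."""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed overlay range; only addresses inside it may be registered or resolved.
OVERLAY = ipaddress.ip_network("10.100.0.0/16")


@dataclass
class Registration:
    overlay_ip: ipaddress.IPv4Address
    physical_endpoints: List[str]   # constructed "host:port" strings
    kind: str                       # "node" (permanent) or "user" (ephemeral)
    expires_at: Optional[float]     # None for node agents, a deadline for user agents


class Beacon:
    """Maps overlay IPs to physical endpoints and offers itself as a relay."""

    def __init__(self, relay_endpoint: str, user_ttl: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.relay_endpoint = relay_endpoint
        self.user_ttl = user_ttl          # how long a user-agent registration lives
        self.clock = clock                # injectable so expiry can be tested offline
        self._table: Dict[ipaddress.IPv4Address, Registration] = {}

    @staticmethod
    def _overlay_address(overlay_ip: str) -> ipaddress.IPv4Address:
        # Refuse anything outside the overlay: a beacon should never answer for the
        # physical address space, only translate overlay -> physical.
        ip = ipaddress.ip_address(overlay_ip)
        if ip not in OVERLAY:
            raise ValueError(f"{ip} is not in overlay {OVERLAY}")
        return ip

    def register(self, overlay_ip: str, physical_endpoints: List[str], kind: str) -> None:
        ip = self._overlay_address(overlay_ip)
        if kind not in ("node", "user"):
            raise ValueError("kind must be 'node' or 'user'")
        # Node agents are permanent; user agents expire unless they re-register.
        expires = None if kind == "node" else self.clock() + self.user_ttl
        self._table[ip] = Registration(ip, list(physical_endpoints), kind, expires)

    def resolve(self, overlay_ip: str) -> Optional[List[str]]:
        """Return the physical endpoints for an overlay IP, or None if unknown/expired."""
        ip = self._overlay_address(overlay_ip)
        reg = self._table.get(ip)
        if reg is None:
            return None
        if reg.expires_at is not None and self.clock() >= reg.expires_at:
            del self._table[ip]           # the ephemeral user agent has gone away
            return None
        return list(reg.physical_endpoints)

    def plan_path(self, overlay_ip: str,
                  direct_reachable: Callable[[str], bool]) -> Optional[Tuple[str, str]]:
        """Prefer a direct endpoint; otherwise hand back the beacon's relay endpoint."""
        endpoints = self.resolve(overlay_ip)
        if endpoints is None:
            return None
        for ep in endpoints:
            if direct_reachable(ep):      # assumed probe standing in for a real attempt
                return ("direct", ep)
        return ("relay", self.relay_endpoint)


if __name__ == "__main__":
    beacon = Beacon("relay.example:4242", user_ttl=60.0)
    beacon.register("10.100.0.10", ["203.0.113.10:4242"], "node")
    beacon.register("10.100.0.77", ["198.51.100.7:4242"], "user")
    print(beacon.plan_path("10.100.0.10", lambda ep: True))
    print(beacon.plan_path("10.100.0.77", lambda ep: False))
```

The injectable clock is what makes the ephemeral-versus-permanent distinction observable: advance it past `user_ttl` and the user agent's entry disappears from `resolve` while the node agent's entry survives.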