Infrastructure Architecture
How your services are protected and accessible
Siovos deploys a secure-by-default infrastructure. Here's how it works.
Overview
Secure VPN Access
All your services are accessible only through the VPN. No service is publicly exposed on the internet.
What this means for you:
- Your services are not visible on the internet
- Only people with a VPN profile can access them
- Traffic is encrypted end-to-end
To add access for your team, see VPN Client Management.
Automatic HTTPS Certificates
Every service has a valid HTTPS certificate, automatically generated and renewed by a private certificate authority.
- No manual SSL configuration
- Automatic renewal
- No browser warnings (after installing the root certificate)
See Certificate Management for details.
Private DNS
Your services are accessible via simple names instead of IP addresses:
| Service | URL |
|---|---|
| Rancher | https://rancher.{suffix} |
| Harbor | https://registry.{suffix} |
| Grafana | https://grafana.{suffix} |
| Mailpit | https://mailpit.{suffix} |
The DNS suffix (.internal by default) is configurable during deployment.
See Private DNS for details.
Traffic Routing
A reverse proxy automatically routes HTTPS traffic to the right service based on the domain name. You don't need to configure anything - every deployed service is immediately accessible via its internal URL.
See Ingress and Routing for details.
Kubernetes
All services run on K3s, a lightweight but fully-featured Kubernetes distribution. This lets you:
- Deploy your own applications easily
- Benefit from automatic scaling
- Use the Kubernetes ecosystem
You can manage the cluster through Rancher (web interface) or via command line with kubectl.
Monitoring
Team and Business plans include a monitoring stack:
- Automatic metrics collection from all services
- Pre-configured dashboards and visualizations
- Alerts on cluster, node, and pod status
Access dashboards at https://grafana.{suffix}. See Monitoring for details.
Firewall
Siovos automatically configures your server's firewall. Only the bare minimum is open - everything else is accessible only through the VPN.
Summary
- Secure - VPN access required, nothing publicly exposed
- Encrypted - HTTPS everywhere with automatic certificates
- Simple - Private DNS with easy-to-remember names
- Flexible - Kubernetes to deploy whatever you need