Secure Your Cluster

A newly-installed Hydrolix cluster comes with centralized user authentication and encrypted data at rest.

User Authentication and Authorization

Each Hydrolix cluster can be configured to use different access restrictions for your users. Access restrictions come in different forms:

Data in Transit


To retrieve data from cloud storage, Hydrolix clusters use token-based authentication over TLS. When data is loaded into memory in the Hydrolix cluster, access is restricted to the Virtual Private Cloud (VPC) of the Kubernetes deployment.

Hydrolix can enforce TLS communication between end users and your cluster. To enforce TLS between end users and your cluster, Enable TLS. When TLS is enabled, Hydrolix disables non-secure port access to endpoints, including ingest, the UI, and query.

If you wish to use a custom certificate, use this guide.

Network Access

When you create your Hydrolix cluster, you can select different load balancers. Hydrolix supports the following load balancers using the traefik_service_type variable:

public load balancerpublic_lbA load balancer using a routable public IP address.
private load balancerprivate_lbA load balancer using a private IP in the same subnet as the Kubernetes nodes.
cluster IPcluster_ipNo load balancer at all. You can only access your cluster from within your Kubernetes cluster.
node portnode_portA custom load balancer provided externally.

Depending on your usage and use case you might want a publicly addressable cluster or a private one.

Regardless of the load balancer, you can and should Configure IP Access.

Data at Rest

For AWS, Google Cloud, and Azure, Hydrolix uses cloud storage layers which encrypt data at rest by default. For more information, see the platform documentation:

Encrypting data at rest ensures that nobody can read your data in your storage layer except for you.

To connect to those storage layers, Hydrolix requires a service account or a secret key. Customers create and manage permissions for Hydrolix clusters in the cluster configuration file. Controlling access with a service account or service key ensures that only your Hydrolix cluster can access your storage layers.

Hydrolix clusters use a cache that stores metadata to disk. This cache is managed by your cloud storage layer provider, and thus is encrypted.