Secure Your Cluster
A newly-installed Hydrolix cluster comes with centralized user authentication and encrypted data at rest.
User Authentication and Authorization
Each Hydrolix cluster can be configured with several layers of access restriction for your users, which work together:
- IP allow-lists, which limit the source addresses that can reach the cluster at all
- User authentication, which identifies who is making a request
- Role-Based Access Control (RBAC), which configures per-user authorization to projects and tables
Data in Transit
TLS
To retrieve data from cloud storage, Hydrolix clusters authenticate to the storage layer with tokens over TLS. Once data has been loaded into memory in the Hydrolix cluster, access to it is restricted to the Virtual Private Cloud (VPC) of the Kubernetes deployment.
Hydrolix can also enforce TLS between end users and your cluster; see Enable TLS for the procedure. When TLS is enabled, Hydrolix disables the non-secure (plaintext) ports on all endpoints, including ingest, the UI, and query, so clients must connect over HTTPS rather than silently falling back to plaintext.
To serve your own certificate, follow the custom certificate guide.
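A check for the TLS-enforcement behaviour described above, added here as an example; it is not Hydrolix code. It performs a fully verified TLS handshake on the secure port and then tries a bare TCP connection on the plaintext port, which should be refused once TLS is enforced. `CLUSTER_HOST` is a hypothetical placeholder and the port numbers are assumptions; adjust both to your deployment.

```python
"""Added example (not Hydrolix code): confirm that TLS enforcement is in effect.

Two probes: a certificate- and hostname-verified TLS handshake on the secure
port, and a plain TCP connect on the plaintext port, which should be refused
once TLS is enforced. CLUSTER_HOST is a hypothetical placeholder; the port
numbers are assumptions about the deployment.
"""
import socket
import ssl
import time

CLUSTER_HOST = "hydrolix.example.com"  # placeholder: replace with your cluster hostname
TLS_PORT = 443        # assumed secure port
PLAINTEXT_PORT = 80   # assumed plaintext port that TLS enforcement should close


def probe_tls(host, port=TLS_PORT, timeout=5.0):
    """Complete a TLS handshake with chain and hostname verification.
    The default context refuses anything below TLS 1.2, so a successful
    handshake already rules out legacy protocol versions. Returns None if
    the handshake fails for any reason (unreachable, bad chain, name mismatch)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = ssl.cert_time_to_seconds(cert["notAfter"])
                return {
                    "version": tls.version(),
                    "days_left": int((expires - time.time()) // 86400),
                }
    except (OSError, ValueError):  # ssl.SSLError is a subclass of OSError
        return None


def probe_plaintext(host, port=PLAINTEXT_PORT, timeout=5.0):
    """True if a plain TCP connection to the port is accepted.
    With TLS enforced this should be refused (or time out)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(tls_result, plaintext_open, min_days=14):
    """Turn probe results into findings. An empty list means the endpoint
    looks as documented: TLS verified, plaintext port closed. Pure function,
    so it can be exercised without network access."""
    findings = []
    if tls_result is None:
        findings.append("TLS handshake failed (connectivity, chain or hostname mismatch)")
    elif tls_result["days_left"] < min_days:
        findings.append(f"certificate expires in {tls_result['days_left']} days")
    if plaintext_open:
        findings.append("plaintext port accepts connections: TLS is not being enforced")
    return findings


if __name__ == "__main__":
    tls = probe_tls(CLUSTER_HOST)
    plain = probe_plaintext(CLUSTER_HOST)
    for line in evaluate(tls, plain) or ["OK: TLS verified, plaintext port closed"]:
        print(line)
```

Run it from a network position that should be allowed to reach the cluster; a refused plaintext connection is the expected result after TLS is enabled, and a failed handshake from an allowed client usually means the certificate chain or hostname does not match what clients will present.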
Network Access
When you create your Hydrolix cluster, you choose how it is exposed by setting the traefik_service_type variable to one of the following:

Name | Identifier | Behavior |
---|---|---|
Public load balancer | public_lb | A load balancer with a routable public IP address; reachable from the internet. |
Private load balancer | private_lb | A load balancer with a private IP address in the same subnet as the Kubernetes nodes; reachable only from inside your network. |
Cluster IP | cluster_ip | No load balancer at all. The cluster is reachable only from within the Kubernetes cluster. |
Node port | node_port | Exposes the cluster on a port on each Kubernetes node; you place your own, externally managed load balancer in front of it. |
Choose between a publicly addressable cluster and a private one based on who needs to reach it, and prefer the most restrictive option your users can work with.
Whichever service type you choose, restrict which source addresses can reach the cluster; see Configure IP Access.
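To make the IP allow-list recommendation concrete, the following is an added example (not Hydrolix code, and not a description of how Hydrolix implements its allow-list) of how such a list should be evaluated: default deny, strict parsing, and a refusal to honour entries so broad that they admit the internet. The allow-list entries are constructed from documentation address ranges; the prefix-length thresholds are illustrative assumptions.

```python
"""Added example (not Hydrolix code): how an IP allow-list should be evaluated.

Models the decision a front-end proxy makes before admitting a request, and
audits the list for the two mistakes that quietly turn an allow-list into
"allow everyone": entries too broad to be meaningful, and entries that do not
parse. The entries below are constructed from documentation ranges.
"""
from ipaddress import ip_address, ip_network

# Constructed allow-list: CIDR -> description. Hypothetical values.
ALLOW_LIST = {
    "203.0.113.0/24": "office egress",
    "198.51.100.7/32": "ingest agent",
    "2001:db8:1::/48": "office IPv6",
}

# Anything shorter than these prefixes admits too much address space to count
# as an allow-list; treat it as a configuration error rather than honouring it.
# The thresholds are an assumption for this example; tune them to your network.
MIN_PREFIX = {4: 16, 6: 48}


def parse_allow_list(entries):
    """Return (networks, problems). Strict parsing: an entry with host bits
    set (e.g. 10.1.2.3/24) is rejected as ambiguous instead of being widened
    to the containing network. Nothing that fails here is ever admitted."""
    networks, problems = [], []
    for cidr, description in entries.items():
        try:
            net = ip_network(cidr)  # strict=True by default
        except ValueError as exc:
            problems.append(f"{cidr} ({description}): rejected, {exc}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(
                f"{cidr} ({description}): /{net.prefixlen} is too broad "
                f"(minimum /{MIN_PREFIX[net.version]})"
            )
            continue
        networks.append(net)
    return networks, problems


def is_allowed(client_ip, networks):
    """Default deny: an unparseable address, an empty list, or an address of
    a different family from every entry all return False."""
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets, problems = parse_allow_list(ALLOW_LIST)
    for problem in problems:
        print("WARNING:", problem)
    for ip in ("203.0.113.42", "198.51.100.8", "2001:db8:1::9"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
```

The point of auditing before enforcing is that a single `0.0.0.0/0` or `::/0` entry, often added "temporarily" during troubleshooting, makes every other entry irrelevant; reporting it as an error rather than accepting it keeps the list honest.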
Data at Rest
On AWS, Google Cloud, and Azure, Hydrolix stores data in the platform's object storage, which encrypts data at rest by default. For details, see each platform's storage encryption documentation.
Encryption at rest protects the data on the underlying storage media: anyone who obtains the raw disks or objects without the provider-managed keys cannot read them. It does not, by itself, restrict who can read the data through the storage API; that is governed by the storage permissions described next.
To connect to those storage layers, Hydrolix requires a service account or a secret key. You create that credential, manage its permissions, and configure it for the cluster in the cluster configuration file. Scoping the credential to the Hydrolix storage bucket alone, and not reusing it elsewhere, is what ensures that only your Hydrolix cluster can access your storage layer.
Hydrolix clusters also keep a metadata cache on disk. That disk is block storage managed by the cloud provider and encrypted by it, with one caveat: on AWS, EBS encryption by default is a per-region account setting that must be enabled, whereas Google Cloud persistent disks and Azure managed disks are encrypted with platform-managed keys without any configuration. Confirm the setting for your account before relying on it.