Project isolation
At Upsun, customer environments are strictly isolated from each other using namespaces, seccomp, and cgroups. Persistent data (files uploaded into mounts, database data, and so on) is stored on a region-wide storage layer. Data is stored redundantly and mounted into the environments on deployment.
The network is behind a firewall for incoming connections. Only a few ports are open to incoming traffic: ???
There are no exceptions, so any incoming web service requests, ETL jobs, or other traffic must transact over one of these protocols.
Outgoing TCP traffic isn't behind a firewall, with the exception of port 25, which is blocked.
For containers to be allowed to connect to each other, the following requirements must be met:
- The containers must live in the same environment.
- You need to define an explicit relationship between the containers in your app configuration.
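The configuration below is an added example, not taken from the original page or from Upsun's own samples. It shows the second requirement in a `.upsun/config.yaml`: one app declares a relationship to a database service and can reach it, while a second app in the same environment declares none and cannot. The names `frontend`, `reports`, and `db`, the source paths, and the runtime versions are constructed for illustration.

```yaml
# .upsun/config.yaml (constructed example; all names and versions are placeholders)
applications:
  # "frontend" declares an explicit relationship, so it is allowed
  # to open connections to the "db" container.
  frontend:
    source:
      root: "frontend"
    type: "nodejs:20"
    relationships:
      # Relationship name chosen by the app; it is the handle the app
      # uses to look up the connection details at runtime.
      database:
        service: "db"
        endpoint: "postgresql"

  # "reports" lives in the same environment but declares no relationship.
  # Sharing the environment is not enough on its own: without an explicit
  # entry under "relationships", it cannot connect to "db".
  reports:
    source:
      root: "reports"
    type: "python:3.12"

services:
  db:
    type: "postgresql:16"
```

When reviewing a configuration like this, treat every entry under `relationships` as an allowed internal network path and remove any that the app does not need.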