Compartmentalization
AVH employs compartmentalization across customer domains, devices, projects, and users.
Domain Compartmentalization
Companies are logically compartmentalized according to their unique domains.
Tenants and Devices
Tenants and devices share the same physical machines, and the management services running on those machines, but those management services enforce access controls between them. Each virtual device is a virtual machine segregated onto dedicated CPU cores at the EL2 level. Command-and-control network communication between different nodes is uniquely authenticated and encrypted with TLS.
Additionally, only the network access necessary for the functioning of the system is permitted. Compute nodes are given access only to the information needed to run the virtual devices assigned to them.
Project Compartmentalization
Further compartmentalization can be achieved with Projects for Enterprise customers.
Project networks are completely segregated. They’re implemented as network namespaces within each compute node. The links between project networks spanning multiple compute nodes are protected with a VPN connection that is encrypted with a unique per-project key generated on project creation.
User Compartmentalization in External VPNs
External VPNs to the client are also encrypted with a unique per-project key generated on project creation. Each VPN client (i.e., each user) has its own unique certificate and key.
A per-project key is required as well; without it, TLS negotiation cannot even start. These external VPNs are run from one of the compute nodes and terminate directly, and only, in the project's network namespaces.