Security Architecture for PubSub+ Cloud

PubSub+ Cloud is highly available and secure as it follows the PubSub+ event broker security practices for a SaaS service. PubSub+ Cloud is designed with security in mind.

In PubSub+ Cloud, architecture is partially determined by the deployment options you choose, which specifies where your event brokers reside. These deployment-based architecture differences affect various aspects of security and can determine whether you (the customer) or Solace is responsible for certain security tasks in your deployment. To understand the security architecture, you should first understand the differences between the deployment options.

Deployment Options

The deployment options can be broken down to the ownership model that the customer chooses and its connectivity. For more information about deployment options and connectivity, see PubSub+ Cloud Deployment Ownership Models and PubSub+ Cloud Connectivity Requirements.

The following is a summary of the deployment ownership and connectivity options.

  • Ownership Model
    • The ownership model refers to the location of the region where the Mission Control Agent and software event brokers are installed. These are the variants of ownership:

      • Public Regions: Dedicated event broker services are deployed in Solace-controlled shared VPC/VNets on public cloud providers such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure.
      • Dedicated Regions: Dedicated event broker services are deployed in Solace-controlled VPC/VNets dedicated to the customer on public cloud providers such as AWS, GCP, and Azure.
      • Customer-Controlled Regions: Dedicated event broker services are deployed in a customer's on-premises or cloud-based Kubernetes cluster, such as OpenShift, Rancher (RKE1), Amazon (EKS), Azure (AKS, ARO), Google (GKE), Alibaba (ACK), Huawei (CCE), and more.
    • The ownership determines who is responsible for the security of the infrastructure and connectivity and is summarized as follows:
      • The infrastructure in Solace-controlled regions (Public Regions and Dedicated Regions) is secure by default for the customer because Solace manages the security for the infrastructure. The customer and Solace collaborate to ensure connectivity requirements are satisfied.
      • In Customer-Controlled Regions, the customer must manage the security for the infrastructure as well as the connectivity requirements.
  • Connectivity
    • The connectivity model refers to the network access and permissions that allow your Kubernetes cluster and event broker services to function correctly. The types of connectivity you need to consider in your deployment are:

      • Messaging Connectivity: The connectivity required for messaging traffic (between event broker services and from applications to event broker services).
      • Management Connectivity: The connectivity required for you to administer your event broker services using the Solace CLI, Broker Manager, or SEMP.
      • Operational Connectivity: The connectivity required to set up your Kubernetes cluster and launch event broker services.
    • Additional network configuration for Dedicated Regions is required for messaging clients to connect to the event broker services and the responsibility is related to the ownership model chosen as follows:
      • For deployments in Public Regions, the customer manages the access of client applications within a private network to the event broker services. The customer is required to set up the connectivity from the private IP addresses or hybrid configurations (e.g., permit external access to the public Internet or configure VPC/VNet peering).
      • For deployments in Dedicated Regions, the customer manages the access of client applications within a private network to the event broker services. Solace and the customer collaborate to ensure that the deployment matches the customer's messaging connectivity requirements. For example, if the customer has client applications that reside in a private network (i.e., private IP addresses within a VPC/VNet), Solace exchanges route information with the customer to set up VPC/VNet peering, AWS Transit Gateway, or set up connectivity in the Dedicated Region.
      • For deployments in Customer-Controlled Regions, the customer manages the connectivity and takes care of setting up the necessary configuration for connectivity from their client applications to their event broker services. (e.g., VPC/VNet peering, site-to-site VPN, AWS Direct Connect, Transit Gateway, loadbalancer, NAT configuration, etc.).

For more information about the security responsibilities of the customer and Solace based on the deployment model and ownership, see Customer Roles and Responsibilities for Security.

Security Considerations

All PubSub+ Cloud deployments have well-defined architectures that share the same security considerations. The option you choose determines whether Solace or you (the customer) are responsible for managing different aspects of security. The PubSub+ Cloud security architecture considerations include:

  • Do the event broker services need to be publicly available from the Internet?
    • For non-public event broker services, Solace recommends that deployments are made in a Kubernetes cluster within an isolated Virtual Private Cloud or Virtual Network (VPC/VNet). These type of deployments are available in Dedicated Regions or Customer-Controlled Regions.
  • What is the connectivity model used to access event broker services? 
    • The messaging connectivity model that the customer chooses for client applications may influence the requirements for the Operational Connectivity (that is, the connectivity to the PubSub+ Home Cloud and the central monitoring service). Operational Connectivity to Home Cloud and the central monitoring service is a requirement for event broker services to function and is not optional. You can use either Public Regions, Dedicated Regions, or Customer-Controlled Regions.
    • Solace recommends that client applications connect using VPC/VNet peering or loadbalancer when using private IP addresses. It is possible to deploy event broker services in the same Kubernetes cluster alongside the client applications that use the event broker services. This configuration may be a preferred deployment option based on the customer's security requirements. This option is available only in Customer-Controlled Regions.

Security Architecture Overview

All supported deployment models permit PubSub+ Cloud to meet various security requirements.

In addition to the deployment model, another factor to consider as part of the customer's security planning is how client applications connect. There are two types of client applications:

  • publishers and subscriber applications that use event broker services for messaging and passing data; these applications often connect from another VPC/VNet or from public infrastructure
  • optionally, the customer can create management applications that manage the lifecycle of an event broker service; these applications are usually account specific

For more information about connectivity, see Client Application Connectivity and Security.

Regardless of the ownership model and connectivity options, each deployment uses a common set of components as shown in the following diagram:

Architecture diagram showing the PubSub+ Cloud components described in the following text.

Component Description

Home Cloud Region

Solace has regional site for the PubSub+ Home Cloud. The Home Cloud regions do not share infrastructure, data, or any other system, account, or user information with each other.

Home Cloud

The PubSub+ Home Cloud is a collection of microservices that provides the control plane for deployments of PubSub+ Cloud.

Cloud Console

The PubSub+ Cloud Consoleis a web-based user-interface that gives customers access to PubSub+ Cloud functionality.

Deployment Region

The region where the Mission Control Agent and software event brokers are installed based on the ownership model. The regions include:

  • Public Regions
  • Dedicated Regions
  • Customer-Controlled Regions

Mission Control Agent

The Mission Control Agent is a microservice that is required to deploy and manage event broker services.

Event Management Agent

The Event Management Agent is an optional component required to discover runtime data and configure event brokers using Event Portal.

Event Broker Services

Event brokers provide the data path to allow applications to communicate in real time. An event broker service in PubSub+ Cloud is either a standalone software event broker or a high-availability group of three software event brokers.

Central Monitoring Service

The central monitoring service collects monitoring data (statistics/metrics) and logs from event broker services and stores the information. Operational monitoring metrics, statistics, and logs are centrally monitored from the Home Cloud. The central monitoring service is provided by Datadog. Datadog agents are configured for each event broker service to send monitoring data and logs to the central monitoring service.

Client Applications

A client application can be a program, process, microservice, IoT device, integration component or other runnable consumer, producer, or processor that subscribes to or publishes events through an event broker. Applications may reside on the public Internet or in a customer-controlled region.

Management Data

Management data is sent between the Mission Control Agent, Home Cloud, and event broker services. Management data includes configuration information for event broker services and metadata that is sent back to Solace through secure ports.

Messaging Data

Messaging data, which includes payloads of event messages, refers to the information sent between event broker services and the publishing and subscribing client applications.

Monitoring Data

Monitoring data includes statistics and event broker logs that are sent to the central monitoring service through secure ports.

For more information about each of the components as they relate to security, see the following sections:

Security Architecture for Public Regions

In Public Regions, the event broker services are deployed in a publicly accessible, shared region that is controlled and managed by Solace. Client applications access the event broker services over the public Internet. Solace manages the infrastructure, and always uses the most recent security practices.

The event broker services are deployed to shared Kubernetes clusters per region (Google Cloud Platform) or shared VPCs/VNets per region (AWS or Azure), depending on the cloud provider chosen.

The Public Region deployment is best suited for environments where client applications access services from the public Internet. These can also include client applications from within a customer network, but in this situation, the customer must manage the access to applications from their own private network to the Internet.

In the following diagram, the red box shows the customer's security architecture responsibilities:

Architecture diagram highlighting client applications within the public Internet or a customer-controlled region.

For a summary of the security responsibilities, see Customer Roles and Responsibilities for Security.

Security Architecture for Dedicated Regions

In deployments in Dedicated Regions, Solace also manages the infrastructure using the most recent security practices. Solace ensures that the configuration of the Kubernetes cluster is secure and that your client applications have connectivity.

In this option, the event broker services are run within infrastructure that is dedicated to the customer; usually event broker services are not publicly accessible from the Internet. Client applications access the event broker service from another private network, which is customer-controlled.

This option is ideal when client applications do not access the event broker services from the public Internet. Client applications can connect using VPC/VNet peering technology. It is also possible to configure this option to use a hybrid connectivity model.

In the following diagram, the red box shows the customer's security architecture responsibilities:

Architecture diagram highlighting client applications within a customer-controlled region.

For a summary of the security responsibilities, see Customer Roles and Responsibilities for Security.

Security Architecture for Customer-Controlled Regions

In Customer-Controlled Regions, the customer deploys the event broker services to a dedicated private network, which the customer controls. A Customer-Controlled Region gives the customer the most control over security, network configuration, and segregation to deploy event broker services and configure their infrastructure. The customer also controls the Kubernetes cluster (which can be either on-premises or in the cloud) and all aspects of the VPC/VNet where the Kubernetes cluster resides.

In summary, deployments of event broker services on Customer-Controlled Regions require that the customer considers the following as part of their security planning:

  • The requirements for the event broker services, such as whether the deployment requires user accounts that are configured with the required permissions to run and operate correctly. The customer may need to coordinate with their internal infrastructure and security teams to properly set up the user accounts.
  • The Mission Control Agent is provided with account permissions to manage event broker services in the customer's Kubernetes cluster. Solace recommends that a very limited set of permissions are assigned account for the Mission Control Agent to limit the risks and the vectors of attack. For more information about the Mission Control Agent, see Mission Control Agent.
  • Metrics and monitoring data is vital for the PubSub+ Cloud solution to work; it ensures that the event broker services are operating correctly. This system-level data identifies the event broker services so that Solace can properly monitor it as a SaaS. Solace doesn't and cannot access the contents of the messages (data) transported on the customer's network. For PubSub+ Cloud to function correctly, the customer must permit outgoing monitoring traffic from their VPC/VNet.

With deployments in Customer-Controlled Regions, the customer manages all aspects of the deployment configuration, connectivity, and security. For details, see Kubernetes in Customer-Controlled Regions .

Kubernetes in Customer-Controlled Regions

For deployments in Customer-Controlled Regions, Solace supports the following Kubernetes implementations:

  • On-premises:
  • In the cloud:
    • Amazon Elastic Kubernetes Service (EKS)
    • Azure Kubernetes Service (AKS)
    • Azure Red Hat OpenShift (ARO)
    • Google Kubernetes Engine (GKE)
    • Alibaba Cloud Container Service for Kubernetes (ACK)
    • Huawei Cloud Container Engine (CCE)

In these deployments the customer controls the management of the resources, configuring the networking, and overall security of the Kubernetes cluster. The customer can coordinate with Solace to deploy PubSub+ Cloud.

Prior to working with Solace, the security and permissions in the customer's Kubernetes cluster should be defined and implemented before the installing PubSub+ Cloud.

In the following diagram, the red box shows the customer's security architecture responsibilities:

Architecture diagram highlighting the Mission Control Agent, event broker services, and client applications within a customer-controlled region.

For a summary of the security responsibilities, see Customer Roles and Responsibilities for Security.