
Tenant Isolation

Every Aithroyz environment runs in its own dedicated VPC with isolated DNS, firewall rules, and compute; no infrastructure is shared between tenants.

Tenant isolation is enforced at the infrastructure level — not just at the application level. Each environment gets its own GCP VPC, firewall, gateway VM, and Cloud DNS zone. There is no shared networking between environments.

Isolation layers

VPC
Each environment gets a dedicated Virtual Private Cloud. Internal tool IPs (10.0.0.x) are not routable outside the environment.
Firewall
Ingress is restricted to ports 443 and 80 only. Direct SSH is blocked — all tool access goes through the Caddy gateway.
DNS
Each tenant has a dedicated Cloud DNS zone: *.{slug}.ops.aithroyz.com. A records point to that environment's gateway IP only.
Auth
The Google SSO cookie is scoped to *.ops.aithroyz.com. Email domain allowlists are enforced per-tenant at the gateway level.
Compute
All VMs run in your GCP project under your service account. No compute is shared with other Aithroyz users.
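The firewall layer above is the one most likely to drift after provisioning (a rule added for debugging and never removed). The following is an added example, not Aithroyz's own tooling, showing how to audit an environment's ingress rules against the stated policy: only ports 80 and 443 open to public source ranges, and SSH never reachable from outside the VPC. The rule records are constructed in the shape of `gcloud compute firewall-rules list --format=json` output (fields `name`, `direction`, `disabled`, `sourceRanges`, `allowed`); the rule names are hypothetical.

```python
"""Audit GCP firewall rules for an environment VPC against the expected policy:
only ports 80 and 443 open to the internet, SSH (22) never public.

Added example, not Aithroyz's own code. Sample rules below are constructed in the
shape of `gcloud compute firewall-rules list --format=json` output; in practice
you would load that JSON from a file or a subprocess call.
"""
import ipaddress
import json

# Ports the gateway is expected to expose to public source ranges (from the page).
EXPECTED_PUBLIC_PORTS = {"80", "443"}

# RFC 1918 ranges; a source range fully inside one of these is treated as internal.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a compliant environment plus one drifted rule (hypothetical names).
SAMPLE_RULES_JSON = json.dumps([
    {"name": "env-allow-web", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "env-allow-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
    # Drifted rule (constructed): SSH opened to the world and never closed again.
    {"name": "env-debug-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # Disabled rules do not take effect, so they are skipped by the audit.
    {"name": "env-old-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
])


def is_public_range(cidr: str) -> bool:
    """True unless the range lies entirely inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def parse_port_spec(spec: str) -> tuple[int, int]:
    """Turn a GCP port spec ("443" or "0-65535") into an inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def audit_public_ingress(rules_json: str, expected_ports=EXPECTED_PUBLIC_PORTS) -> list[dict]:
    """Return one finding per (rule, port spec) that exposes an unexpected port publicly."""
    expected = {int(p) for p in expected_ports}
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        public_sources = [r for r in rule.get("sourceRanges", []) if is_public_range(r)]
        if not public_sources:
            continue  # internal-only rule, outside the scope of this check
        for entry in rule.get("allowed", []):
            proto = entry["IPProtocol"].lower()
            if proto not in ("tcp", "udp", "all"):
                continue  # icmp and friends carry no ports
            for spec in entry.get("ports") or ["0-65535"]:  # no ports key means all ports
                lo, hi = parse_port_spec(spec)
                if all(p in expected for p in range(lo, hi + 1)):
                    continue
                findings.append({
                    "rule": rule["name"],
                    "protocol": proto,
                    "ports": spec,
                    "sources": public_sources,
                    "ssh_exposed": lo <= 22 <= hi,
                })
    return findings


def is_compliant(rules_json: str) -> bool:
    """True when no public ingress beyond the expected ports exists."""
    return not audit_public_ingress(rules_json)


if __name__ == "__main__":
    for f in audit_public_ingress(SAMPLE_RULES_JSON):
        print(json.dumps(f))
```

Run it against real output by replacing `SAMPLE_RULES_JSON` with the JSON from `gcloud compute firewall-rules list --format=json`; a non-empty findings list means the environment no longer matches the policy on this page and the offending rule should be removed or its source range narrowed.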

Network architecture

All inbound traffic enters through a single gateway VM running Caddy. Caddy handles TLS termination and reverse-proxies to internal tool containers on the private subnet. The gateway is the only VM with a public IP.

Internal tool addresses follow a fixed assignment: Elastic at 10.0.0.10, Wazuh at 10.0.0.11, Caldera at 10.0.0.12, and so on. These are only reachable from within the VPC.

Note: Aithroyz environments run in your GCP project using your service account credentials. Aithroyz never has standing access to your cloud resources; it only uses your credentials during provisioning.