Network Architecture

Isofold is designed to minimize surface area and enforce strict boundaries between components. Whether hosted or self-deployed, the network flow ensures:
  • End-to-end encryption
  • Clear ingress/egress boundaries
  • Optional VPC containment

Hosted Deployment

In hosted mode, Isofold runs on Fly.io edge infrastructure.
┌────────────────────┐
│ Client             │
└────┬───────────────┘
     │ HTTPS
┌────▼───────────────┐
│ Isofold Edge Proxy │
└────┬───────────────┘
     │ Internal (TLS)
┌────▼───────────────┐
│ Rewrite Engine     │
│ Cost Estimator     │
│ Verifier (opt)     │
└────┬───────────────┘
     │
┌────▼───────────────┐
│ Warehouse          │
│ (e.g. BQ)          │
└────────────────────┘
  • All inbound connections are TLS-encrypted
  • Internal services are not exposed externally
  • Result data is never stored

Self-Hosted Deployment

In self-hosted mode, all traffic stays within your network perimeter:
┌─────────────────┐
│ Client          │
└────┬────────────┘
     │
┌────▼────────────┐
│ Isofold Proxy   │
│ (in your VPC)   │
└────┬────────────┘
     │
┌────▼────────────┐
│ Warehouse       │
│ (Aurora, BQ)    │
└─────────────────┘
  • TLS is optional but recommended
  • No traffic exits your infrastructure
  • Logging and metrics are fully under your control

Perimeter Recommendations

To maximize security in any deployment:
  • Terminate TLS at the proxy or upstream load balancer
  • Deploy the proxy close to the warehouse (same region or VPC)
  • Use DNS-based routing to isolate team environments
  • Audit connections using your existing observability stack

Data Egress Considerations

  • BigQuery: Isofold calls Google APIs on your behalf. Use service account scoping and allowlisting.
  • Snowflake: Proxy acts as a passthrough; no state is stored.
  • Aurora: Use internal DNS routing and security groups to ensure isolation.
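
One way to check the Aurora recommendation above, as an added example that is not Isofold's own code: the script audits `aws ec2 describe-security-groups` output and reports every ingress path to the database port that does not come from the proxy's security group. The group IDs, CIDRs and port 5432 in the sample are constructed assumptions.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Group IDs, CIDRs and the database port are made up for illustration.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-warehouse", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-proxy"}], "IpRanges": [], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-analyst-laptops"}],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "UserIdGroupPairs": [],
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}
  ]}
]}
""")

def covers_port(rule, port):
    """True if the rule's protocol and port range include the database port."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit_warehouse_ingress(groups, warehouse_sg, proxy_sg, db_port):
    """Return (kind, source) for each ingress path to db_port that bypasses the proxy."""
    sg = next((g for g in groups["SecurityGroups"] if g["GroupId"] == warehouse_sg), None)
    if sg is None:  # a missing group must not be reported as a clean one
        raise LookupError(f"{warehouse_sg} not in input; refusing to report it clean")
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not covers_port(rule, db_port):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] != proxy_sg:
                findings.append(("foreign-sg", pair["GroupId"]))
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:  # any CIDR rule admits hosts that are not the proxy
            findings.append(("cidr-ingress", cidr))
    return findings

if __name__ == "__main__":
    for kind, source in audit_warehouse_ingress(SAMPLE, "sg-warehouse", "sg-proxy", 5432):
        print(f"{kind}: {source} can reach the warehouse without passing the proxy")
```

An empty result means the only route to the database port is through the proxy's security group.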
