Network Architecture

Isofold is designed to minimize surface area and enforce strict boundaries between components. Whether hosted or self-deployed, the network flow ensures:
  • End-to-end encryption
  • Clear ingress/egress boundaries
  • Optional VPC containment

Hosted Deployment

In hosted mode, Isofold runs on Fly.io edge infrastructure. 
┌────────────┐
│   Client   │
└────┬───────┘
     │ HTTPS
┌────▼───────┐
│ Isofold Edge Proxy │
└────┬───────┘
     │ Internal (TLS)
┌────▼────────────┐
│ Rewrite Engine  │
│ Cost Estimator  │
│ Verifier (opt)  │
└────┬────────────┘

┌────▼────────┐
│ Warehouse   │
│ (e.g. BQ)   │
└─────────────┘
  • All inbound connections are TLS-encrypted
  • Internal services are not exposed externally
  • Result data is never stored

Self-Hosted Deployment

In self-hosted mode, all traffic stays within your network perimeter: 
┌────────────┐
│   Client   │
└────┬───────┘

┌────▼────────────┐
│ Isofold Proxy   │
│ (in your VPC)   │
└────┬────────────┘

┌────▼────────┐
│ Warehouse   │
│ (Aurora, BQ)│
└─────────────┘
  • TLS is optional but recommended
  • No traffic exits your infrastructure
  • Logging and metrics are fully under your control

Perimeter Recommendations

To maximize security in any deployment:
  • Terminate TLS at the proxy or upstream load balancer
  • Deploy the proxy close to the warehouse (same region or VPC)
  • Use DNS-based routing to isolate team environments
  • Audit connections using your existing observability stack

Data Egress Considerations

  • BigQuery: Isofold calls Google APIs on your behalf. Use service account scoping and allowlisting.
  • Snowflake: Proxy acts as a passthrough; no state is stored.
  • Aurora: Use internal DNS routing and security groups to ensure isolation.
Looking for more on pricing and cost insights? Continue to Billing & Reports