Infrastructure configuration guide

Guide for securely configuring Alpacon in enterprise environments.

Firewall configuration

Server systems

Alpacon agents use outbound HTTPS/WSS connections. If server systems sit behind a whitelist-based firewall or proxy, you need to allow outbound connections to the following destinations.

| Domain | Purpose | Required | Notes |
|---|---|---|---|
| https://<workspace>.<region>.alpacon.io | Core features | Required | Workspace name and region vary by setup |
| https://s3.* | WebFTP uploads/downloads | Optional | Optional if not using WebFTP features |

⚠️ Note: If you don’t allow these domains, you may not be able to use the full set of Alpacon features. Because the domains are specific to your organization, there’s no security risk of connecting to third-party workspaces.

Using proxy systems (Optional)

Alpacon agents support proxy connections. If you set the HTTP_PROXY and HTTPS_PROXY environment variables, agents will use them to connect to backend systems.

export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080

Client systems

Alpacon clients (Web/CLI) use outbound HTTPS/WSS connections. If client systems sit behind a whitelist-based firewall or proxy, allow outbound connections to:

| Domain | Purpose | Required | Notes |
|---|---|---|---|
| https://alpacon.io | Core features | Required | |
| https://<workspace>.<region>.alpacon.io | Core features | Required | Workspace name and region vary by setup |
| https://auth.alpacon.io | Authentication | Required | |
| https://portal.alpacax.com | Profile | Required | |
| https://pay.alpacax.com | Payment | Optional | Only for billing managers |
| https://s3.* | WebFTP uploads/downloads | Optional | Optional if not using WebFTP features |

Security considerations

Transitioning from SSH to Alpacon

With Alpacon, you transition from perimeter-based port protection to a zero-trust approach.

  1. Block SSH port

    • Block user access to port 22
    • Keep only emergency access
    • Simplify firewall configuration
  2. Restrict direct SSH access

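    # /etc/ssh/sshd_config example
    # Comments are on their own lines: older OpenSSH releases do not accept
    # a trailing comment after a value.
    PermitRootLogin no
    PasswordAuthentication no
    # For Alpacon-only systems
    PubkeyAuthentication no
    # Allow only emergency accounts
    AllowUsers emergency-admin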
  3. Remove VPN dependency

    • VPN access to an internal network with unlimited server access is a security threat
    • Complex VPNs or jump hosts reduce visibility
    • Simplify access with Alpacon as a single platform
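
A check for step 2, as an added example that is not part of the Alpacon documentation: it reads the effective settings printed by `sshd -T` and reports deviations from the lockdown above, including the case where disabling both password and public-key authentication leaves the emergency account with no login method. The three dumps are constructed samples, and `emergency-admin` is the account name used on this page.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output (lowercase "keyword value" lines)
# against the lockdown in step 2. $1 = the one account allowed over SSH.
audit_sshd() {
    awk -v allowed="${1:-emergency-admin}" '
    function on(k) { return cfg[k] == "yes" }
    NF {   # collect settings; repeated keywords (allowusers) are space-joined
        val = $2
        for (i = 3; i <= NF; i++) val = val " " $i
        if ($1 in cfg) cfg[$1] = cfg[$1] " " val; else cfg[$1] = val
    }
    END {
        if (cfg["permitrootlogin"] != "no")
            print "FAIL permitrootlogin=" cfg["permitrootlogin"]
        if (cfg["passwordauthentication"] != "no")
            print "FAIL passwordauthentication=" cfg["passwordauthentication"]
        if (!("allowusers" in cfg))
            print "FAIL allowusers unset: any account may attempt SSH"
        else if (cfg["allowusers"] != allowed)
            print "FAIL allowusers=" cfg["allowusers"] " (expected " allowed ")"
        # older OpenSSH releases report this as challengeresponseauthentication
        kbd = on("kbdinteractiveauthentication") || on("challengeresponseauthentication")
        # PasswordAuthentication no does not stop PAM password prompts
        if (kbd && on("usepam"))
            print "WARN password prompts still possible via PAM keyboard-interactive"
        # with every method off, the emergency account cannot log in either
        if (!on("pubkeyauthentication") && !on("passwordauthentication") && !kbd &&
            !on("gssapiauthentication") && !on("hostbasedauthentication"))
            print "WARN no login method enabled: " allowed " is locked out"
    }'
}
# Constructed dumps: real sshd -T keyword names, sample values.
page_example() {        # step 2 settings on a host with kbd-interactive off
    printf '%s\n' 'permitrootlogin no' 'passwordauthentication no' \
        'pubkeyauthentication no' 'kbdinteractiveauthentication no' \
        'usepam yes' 'allowusers emergency-admin'
}
unhardened_host() {
    printf '%s\n' 'permitrootlogin prohibit-password' 'passwordauthentication yes' \
        'pubkeyauthentication yes' 'kbdinteractiveauthentication yes' 'usepam yes'
}
key_only_emergency() {  # emergency account keeps public-key login
    printf '%s\n' 'permitrootlogin no' 'passwordauthentication no' \
        'pubkeyauthentication yes' 'kbdinteractiveauthentication no' \
        'usepam yes' 'allowusers emergency-admin'
}
for sample in page_example unhardened_host key_only_emergency; do
    echo "== $sample"; "$sample" | audit_sshd emergency-admin
done
```

On a live host, run `sshd -T | audit_sshd emergency-admin` as root and clear the findings before closing your existing SSH session.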

Security best practices

1. Principle of least privilege

  • Allow access only to necessary servers per user
  • Use group-based permission management
  • Regular permission reviews

2. Audit logging configuration

# Alpacon workspace settings
audit:
  retention: 90  # 90 days retention
  alert_on_privileged: true  # Alert on root access
  alert_on_sensitive_commands: true  # Alert on sensitive commands

3. Mandatory MFA

# Workspace security policy
security:
  mfa_required: true
  mfa_for_privileged: mandatory  # Required for root access
  allowed_mfa_methods:
    - hardware_key
    - biometric
    - otp

High availability configuration

Regional configuration

Alpacon supports global regions. Choose the nearest region to minimize latency.

| Region | Endpoint | Recommended for |
|---|---|---|
| US1 | *.us1.alpacon.io | North America, South America, Europe |
| AP1 | *.ap1.alpacon.io | Asia-Pacific |

Availability guarantee

  • Redundancy: All components redundant
  • Auto-failover: Automatic failover on failure
  • SLA: 99.9% availability guarantee

Disaster recovery

  1. Agent auto-reconnection

    • Automatic retry on network failure
    • Exponential backoff algorithm
  2. Session recovery

    • Automatic session recovery after disconnection
    • Reconnection possible within session timeout

Compliance

Regulatory compliance readiness

Alpacon follows industry-standard frameworks and best practices:

  • SOC 2 framework: We align with SOC 2 Type II security principles and are preparing for certification
  • ISO 27001 alignment: Security controls aligned with ISO 27001 standards
  • GDPR compliance: Data handling practices designed to support GDPR requirements (EU customers)
  • HIPAA readiness: Infrastructure designed with healthcare industry requirements in mind

Note: We are actively working toward obtaining SOC 2 Type II and other industry certifications. Updates on our certification status will be announced as they become available.

Data residency

  • Data stored only in selected region
  • Cross-region replication option
  • On-premises deployment option (Enterprise)

Troubleshooting

Connection issues

| Symptom | Cause | Solution |
|---|---|---|
| Agent offline | Firewall blocking | Allow outbound HTTPS/WSS |
| Intermittent disconnections | Proxy timeout | Adjust proxy keepalive settings |
| Slow response | Region distance | Change to nearer region |

Log checking

# Agent logs
sudo systemctl status alpamon.service
sudo less /var/log/alpamon/alpamon.log

Migration checklist

Checklist for transitioning from SSH to Alpacon:

  • Install Alpacon agent on all servers
  • Invite users to Alpacon workspace
  • Configure groups and permissions
  • Configure MFA policy
  • Update firewall rules
  • Block SSH port 22 (except emergency)
  • Configure audit logging
  • Establish backup and recovery procedures
  • Conduct team training