Infrastructure configuration guide
Guide for securely configuring Alpacon in enterprise environments.
Firewall configuration
Server systems
Alpacon agents use outbound HTTPS/WSS connections. If you have whitelist-based firewall or proxy on server systems, you need to allow outbound connections to the following destinations.
| Domain | Purpose | Required | Notes |
|---|---|---|---|
https://<workspace>.<region>.alpacon.io | Core features | Required | Workspace name and region vary by setup |
https://s3.* | WebFTP uploads/downloads | Optional | Optional if not using WebFTP features |
⚠️ Note: If you don’t allow these domains, you may not be able to use full Alpacon features. As domains are specific to your organization, there’s no security risk of connecting to third-party workspaces.
Using proxy systems (Optional)
Alpacon agents support proxy connections. If you configure HTTP_PROXY and HTTPS_PROXY environment variables, agents will use these to connect to backend systems.
export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080Client systems
Alpacon clients (Web/CLI) use outbound HTTPS/WSS connections. If you have whitelist-based firewall or proxy on client systems, allow outbound connections to:
| Domain | Purpose | Required | Notes |
|---|---|---|---|
https://alpacon.io | Core features | Required | |
https://<workspace>.<region>.alpacon.io | Core features | Required | Workspace name and region vary by setup |
https://auth.alpacon.io | Authentication | Required | |
https://portal.alpacax.com | Profile | Required | |
https://pay.alpacax.com | Payment | Optional | Only for billing managers |
https://s3.* | WebFTP uploads/downloads | Optional | Optional if not using WebFTP features |
Security considerations
Transitioning from SSH to Alpacon
With Alpacon, you transition from perimeter-based port protection to zero-trust approach.
Recommended actions
-
Block SSH port
- Block user access to port 22
- Keep only emergency access
- Simplify firewall configuration
-
Restrict direct SSH access
# /etc/ssh/sshd_config example PermitRootLogin no PasswordAuthentication no PubkeyAuthentication no # For Alpacon-only systems AllowUsers emergency-admin # Allow only emergency accounts -
Remove VPN dependency
- VPN access to internal network with unlimited server access is a security threat
- Complex VPNs or jump hosts reduce visibility
- Simplify access with Alpacon single platform
Security best practices
1. Principle of least privilege
- Allow access only to necessary servers per user
- Use group-based permission management
- Regular permission reviews
2. Audit logging configuration
Configure audit logging in your workspace settings:
- Go to Settings → Preferences
- Set log retention period (default: 90 days)
- Configure alert notifications for privileged operations
3. Mandatory MFA
Configure MFA policies in your workspace settings:
- Go to Settings → Security
- Enable Enforce MFA for all users
- Select allowed MFA methods (hardware key, biometric, OTP)
- Set MFA retention time for session duration
High availability configuration
Regional configuration
Alpacon supports global regions. Choose the nearest region to minimize latency.
| Region | Endpoint | Recommended for |
|---|---|---|
| US1 | *.us1.alpacon.io | North America, South America, Europe |
| AP1 | *.ap1.alpacon.io | Asia-Pacific |
Availability guarantee
- Redundancy: All components redundant
- Auto-failover: Automatic failover on failure
- SLA: 99.9% availability guarantee
Disaster recovery
-
Agent auto-reconnection
- Automatic retry on network failure
- Exponential backoff algorithm
-
Session recovery
- Automatic session recovery after disconnection
- Reconnection possible within session timeout
Compliance
Regulatory compliance readiness
Alpacon follows industry-standard frameworks and best practices:
- SOC 2 framework: We align with SOC 2 Type II security principles and are preparing for certification
- ISO 27001 alignment: Security controls aligned with ISO 27001 standards
- GDPR compliance: Data handling practices designed to support GDPR requirements (EU customers)
- HIPAA readiness: Infrastructure designed with healthcare industry requirements in mind
Note: We are actively working toward obtaining SOC 2 Type II and other industry certifications. Updates on our certification status will be announced as they become available.
Data residency
- Data stored only in selected region
- Cross-region replication option
- On-premises deployment option (Enterprise)
Troubleshooting
Connection issues
| Symptom | Cause | Solution |
|---|---|---|
| Agent offline | Firewall blocking | Allow outbound HTTPS/WSS |
| Intermittent disconnections | Proxy timeout | Adjust proxy keepalive settings |
| Slow response | Region distance | Change to nearer region |
Log checking
# Agent logs
sudo systemctl status alpamon
sudo journalctl -u alpamon -n 50Migration checklist
Checklist for transitioning from SSH to Alpacon:
- Install Alpacon agent on all servers
- Invite users to Alpacon workspace
- Configure groups and permissions
- Configure MFA policy
- Update firewall rules
- Block SSH port 22 (except emergency)
- Configure audit logging
- Establish backup and recovery procedures
- Conduct team training