Network security

Alpacon’s network architecture is designed with security as the top priority, eliminating the need to expose server ports while maintaining secure, reliable connections.

Architecture overview

Agent-based connection model

Unlike traditional SSH access that requires exposing port 22, Alpacon uses an agent-based architecture:

Traditional SSH:
Internet → Firewall (Port 22) → Server (Security Risk) 🚨

Alpacon Architecture:
Server (Secure) → Alpamon Agent (Outbound Only) → Firewall → Internet ✅

Key benefits:

No inbound ports: Servers never accept incoming connections
Outbound only: Alpamon agent initiates all connections
Firewall friendly: Works with restrictive firewall policies
Zero trust: Network location doesn’t grant access

Connection flow

Agent initialization:
- Alpamon agent starts on server
- Establishes outbound WebSocket (WSS) connection to Alpacon platform
- Authenticates using workspace-specific token
- Maintains persistent connection with heartbeat
User connection:
- User authenticates to Alpacon platform (via web or CLI)
- Requests access to server (with IAM permission check)
- Platform routes connection through existing agent channel
- End-to-end encrypted session established
Data transmission:
- All data flows through encrypted WebSocket
- No direct connection between user and server
- Platform acts as secure relay
- Session terminated on either end closes connection

Network components

Alpamon agent

The agent running on your servers:

Features:

Lightweight: < 20MB memory footprint
Resilient: Automatic reconnection with exponential backoff
Secure: End-to-end encryption for all data
Minimal permissions: Runs with minimal required privileges

Network requirements:

Outbound HTTPS (443) to <workspace>.<region>.alpacon.io
Outbound WSS (443) for persistent connection
Optional: Outbound HTTPS (443) to S3 for WebFTP features

Proxy support:

# Configure HTTP proxy
export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080
 
# Configure SOCKS proxy
export ALL_PROXY=socks5://proxy.company.com:1080
 
# Restart agent
sudo systemctl restart alpamon

Platform infrastructure

Alpacon’s cloud platform:

Architecture:

Load balancers: Distributed across multiple availability zones
Application servers: Auto-scaling based on demand
Database: Multi-region replication with automatic failover
Cache layer: Redis for session and metadata caching

Security features:

DDoS protection: CloudFlare and AWS Shield
WAF (Web Application Firewall): Protection against common attacks
Rate limiting: Per-user and per-IP request limits
Intrusion detection: Real-time threat monitoring

Encryption & protocols

Transport layer security (TLS)

All network communication uses TLS 1.2 or higher:

Configuration:

Minimum version: TLS 1.2
Preferred version: TLS 1.3
Cipher suites: Only strong ciphers (AES-256-GCM, ChaCha20-Poly1305)
Perfect forward secrecy: ECDHE key exchange
HSTS: Strict-Transport-Security header enforced

Certificate management:

Automated renewal: Let’s Encrypt with automatic renewal
Certificate pinning: Optional for enterprise deployments
Wildcard certificates: Secure subdomains

WebSocket secure (WSS)

Real-time bidirectional communication:

Features:

Persistent connection: Long-lived connection for low latency
Compression: Optional payload compression (negotiated)
Heartbeat: Keep-alive mechanism to detect disconnections
Automatic reconnection: Seamless reconnection on network issues

Websh protocol

Terminal sessions use Alpacon’s proprietary Websh protocol over WSS:

Encapsulation:

Terminal Data (Websh)
  ↓
WebSocket Frames (WSS)
  ↓
TLS 1.3 Encryption
  ↓
TCP/IP

Architecture benefits:

Gateway visibility: Alpacon Gateway can inspect, log, and audit all commands for compliance
Real-time monitoring: Security teams can monitor active sessions for suspicious activity
Policy enforcement: Gateway enforces security policies (command blocking, approval workflows)
Session recording: Optional recording for compliance (SOC 2, HIPAA, PCI-DSS)
Encrypted transit: Data encrypted using TLS 1.3 while in transit

Why not end-to-end encryption?

Traditional end-to-end encryption (like direct SSH) prevents the platform from inspecting traffic, which eliminates critical security and compliance capabilities:

❌ No audit trail of actual commands executed
❌ No real-time threat detection
❌ No session recording for compliance
❌ No ability to block dangerous commands
❌ Difficult to meet SOC 2, HIPAA, PCI-DSS requirements

Alpacon’s gateway-based approach provides both security and compliance by maintaining encryption in transit while enabling comprehensive audit logging.

Firewall configuration

Required outbound rules (server side)

For servers running Alpamon agent:

Protocol	Port	Destination	Purpose
HTTPS	443	`<workspace>.<region>.alpacon.io`	Agent connection
WSS	443	`<workspace>.<region>.alpacon.io`	Persistent channel
HTTPS	443	`s3.amazonaws.com`	WebFTP (optional)

Example iptables rules:

# Allow outbound HTTPS to Alpacon
iptables -A OUTPUT -p tcp --dport 443 -d <workspace-ip> -j ACCEPT
 
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Drop all other inbound
iptables -A INPUT -j DROP

Required outbound rules (client side)

For users accessing Alpacon (web browser or CLI):

Protocol	Port	Destination	Purpose
HTTPS	443	`alpacon.io`	Main application
HTTPS	443	`<workspace>.<region>.alpacon.io`	Workspace access
HTTPS	443	`auth.alpacon.io`	Authentication
WSS	443	`<workspace>.<region>.alpacon.io`	Terminal sessions

Corporate firewall / proxy

Alpacon works seamlessly with corporate proxies:

Supported configurations:

HTTP/HTTPS proxy: Standard proxy with CONNECT method
SOCKS proxy: SOCKS4/SOCKS5 support
Authenticated proxy: Username/password authentication
Proxy auto-config (PAC): Automatic proxy configuration

Proxy bypass:

# Bypass proxy for local network
export NO_PROXY=localhost,127.0.0.1,10.0.0.0/8,192.168.0.0/16

IP allowlisting

🚧 Coming Soon - This feature will be available in Essentials plan or higher

IP allowlisting will allow you to restrict access based on source IP addresses for enhanced security:

Planned features

Workspace-level allowlist:

Restrict workspace access to specific IP ranges (office networks, VPN gateways, etc.)
Support for both IPv4 and IPv6 addresses
CIDR notation for flexible IP range configuration

Server-level allowlist:

Apply IP restrictions to individual servers
Perfect for production database servers requiring additional protection
Override workspace-level settings per server

Use cases:

Office-only access to workspace
VPN-required access for production servers
Geographic restrictions for compliance
Partner/vendor access management
Lock down production databases to application servers only

Dynamic IP support:

CIDR ranges for dynamic IP addresses
VPN gateway as single entry point
Emergency override with admin approval for urgent access

Timeline: IP allowlisting is currently in development. Contact support@alpacax.com if you need this feature for your organization.

DDoS protection

Multi-layer DDoS protection:

Layer 3/4 protection

AWS Shield Standard: Automatic protection against common attacks
CloudFlare: Additional layer for volumetric attacks
Rate limiting: Per-IP connection limits

Layer 7 protection

WAF rules: Block malicious HTTP requests
Bot detection: Identify and block automated attacks
Challenge pages: CAPTCHA for suspicious traffic

Application-level protection

Connection limits: Maximum concurrent connections per user
Request rate limits: API call throttling
Payload size limits: Prevent large payload attacks

VPN replacement strategy

Alpacon eliminates the need for traditional VPNs:

Problems with VPNs

Broad access: VPN grants network-level access to everything
Performance: VPN adds latency and throughput overhead
Complexity: Difficult to set up and maintain
Visibility: Limited audit trail and monitoring
User experience: Cumbersome connection process

Alpacon advantages

Zero trust: Access granted per-server, per-user basis
Better performance: Direct agent connections, no VPN overhead
Simpler setup: No VPN client installation required
Full visibility: Complete audit trail of all access
Seamless UX: Access from any browser, no separate connection

Migration path

Phase 1: Parallel operation

Keep existing VPN for emergency access
Deploy Alpacon to all servers
Train team on Alpacon usage

Phase 2: Gradual migration

Migrate non-critical servers first
Move teams one at a time
Monitor usage and gather feedback

Phase 3: VPN decommission

Remove VPN client from workstations
Close VPN firewall rules
Keep VPN infrastructure for 90 days (emergency fallback)

Phase 4: Full transition

Decommission VPN infrastructure
Update security documentation
Celebrate simplified security! 🎉

Security best practices

For network administrators

Minimize attack surface: Block all inbound ports except essential services
Network segmentation: Isolate servers in separate network segments
Monitor traffic: Use network monitoring tools to detect anomalies
Regular updates: Keep Alpamon agent updated to latest version
Firewall logs: Enable logging for all firewall rules
Incident response: Have a plan for network security incidents

For server administrators

Disable SSH: Block port 22 after Alpacon deployment
Agent monitoring: Monitor agent status and connectivity
Resource limits: Configure agent resource limits if needed
Proxy configuration: Use corporate proxy if required
Log collection: Forward agent logs to central logging system

Troubleshooting

Agent connection issues

Symptom: Agent shows as “Offline”

Possible causes:

Firewall blocking outbound HTTPS/WSS
Proxy configuration incorrect
Network connectivity issues
Invalid agent token

Solutions:

# Check agent status
sudo systemctl status alpamon
 
# Test connectivity
curl -v https://<workspace>.<region>.alpacon.io/health
 
# Check agent logs
sudo journalctl -u alpamon -f
 
# Test with proxy
export HTTPS_PROXY=http://proxy:8080
curl -v https://<workspace>.<region>.alpacon.io/health

High latency issues

Symptom: Slow terminal response