eryph

Network Isolation & Projects

Secure pre-production environments with OpenVSwitch networking and project-based isolation. Organize test labs and development infrastructure with network boundaries, access control, and logical separation.

Virtual Networking

OpenVSwitch-based networking with overlay support for flexible VM connectivity

NAT Overlay (Default)

Default networking mode with NAT overlay for immediate VM deployment without network configuration.

  • Zero configuration setup
  • Internet access via NAT
  • Access from eryph-zero host
  • Automatic IP assignment

Custom Overlay Networks

Configure overlay networks with custom IP ranges and external access for broader network integration.

  • Custom IP ranges (CIDR)
  • Gateway configuration
  • VLAN support
  • External network access

OpenVSwitch Foundation

Built on proven OpenVSwitch technology for reliable virtual networking.

  • Virtual switches
  • Network bridges
  • High-performance packet processing
  • Production-proven technology

Project-Based Organization

Structure your infrastructure with logical boundaries and security isolation

Logical Organization

Group related catlets and resources into projects for better organization and management.

  • Project-based catlet grouping
  • Environment separation (default, staging, production)
  • Team-based organization
  • Resource naming and identification

Security Isolation

Projects provide security boundaries between different workloads and teams on the same host.

  • Network isolation between projects
  • Storage isolation
  • Access control per project
  • Member role management

Virtual Networks

Each project has its own virtual network configuration with custom IP ranges and subnets.

  • Project-specific networks
  • Custom IP address ranges
  • Multiple subnets per project
  • DNS configuration

Multi-Layer Isolation

Comprehensive isolation across network, storage, access control, and hypervisor security

Network Isolation

Catlets in different projects cannot reach each other when overlay networks are used: every project gets its own virtual network with its own address space, so the project boundary is also a network boundary.

  • Complete project network isolation
  • No cross-project communication
  • Separate virtual networks
  • Independent IP address spaces

Storage Isolation

Catlets can only attach volumes that belong to their own project, so one project's disks are never reachable from another project's catlets.

  • Project-specific storage access
  • No cross-project disk access
  • Datastore separation
  • Secure volume management

Identity & Access Control

OpenID-based identity service with project members and role-based permissions.

  • Client certificate authentication
  • Scope-based permissions
  • Project member roles
  • Remote access controls

Hyper-V Security

Built-in Hyper-V security features including secure boot and TPM support.

  • Secure boot templates
  • TPM 2.0 support
  • Generation 2 VM security
  • Nested virtualization control

Configuration Examples

Configure networks and projects for your infrastructure needs

Custom Overlay Network Configuration

Configure an overlay network with custom IP ranges for external access to catlets.

config.yaml
# Network provider configuration
network_providers:
- name: default
  type: overlay
  bridge_name: br-pif
  adapters:
  - 'Ethernet 2'
  subnets:
  - name: default
    network: 172.16.20.0/24
    gateway: 172.16.20.1
    ip_pools:
    - name: default
      first_ip: 172.16.20.5
      last_ip: 172.16.20.244

Project Network Configuration

Define custom project networks with multiple subnets and IP pools for different catlet groups.

config.yaml
# Project network specification
version: "1.0"
project: web-application
networks:
- name: app-network
  address: 10.100.0.0/24
  subnets:
  - name: web-subnet
    address: 10.100.0.0/26
    ip_pools:
    - name: web-pool
      first_ip: 10.100.0.10
      last_ip: 10.100.0.50
    dns_servers:
    - 9.9.9.9
    - 8.8.8.8
  - name: db-subnet
    address: 10.100.0.64/26
    ip_pools:
    - name: db-pool
      first_ip: 10.100.0.70
      last_ip: 10.100.0.100

Catlet Project Assignment

Assign catlets to specific projects for isolation and organization.

config.yaml
# Catlet specification with project assignment
version: "1.0"
name: web-server-01
parent: dbosoft/ubuntu-22.04/latest
project: web-application
environment: production
cpu: 4
memory: 4096
networks:
- name: app-network
  subnet_v4:
    name: web-subnet
    ip_pool: web-pool
fodder:
- name: setup
  type: cloud-config
  content:
    package_update: true
    packages:
      - nginx
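The three specifications above are only as isolating as their address plan: a pool that spills outside its subnet, a gateway address that a pool can also hand out, or a catlet that names a subnet and pool which do not exist together will fail at deployment, or worse, silently put a catlet on an unintended segment. The following Python script is an added example, not part of eryph or its tooling. It transcribes the provider, project network and catlet specifications from this page into plain dicts (constructed input; the provider pool's range is written as first_ip/last_ip) and checks that pools lie inside their subnets and exclude the gateway, that a project's subnets nest inside the network address without overlapping one another, and that a catlet only references a network, subnet and pool that exist in its own project. The function names, the error wording and the decision to treat a missing subnet_v4 as "nothing to resolve" are choices of this example, not eryph behaviour.

```python
import ipaddress
from typing import Dict, List
Errors = List[str]

# Configurations from this page, transcribed into dicts (constructed input).
PROVIDER_CONFIG = {"network_providers": [{
    "name": "default", "type": "overlay", "bridge_name": "br-pif", "adapters": ["Ethernet 2"],
    "subnets": [{"name": "default", "network": "172.16.20.0/24", "gateway": "172.16.20.1",
                 "ip_pools": [{"name": "default", "first_ip": "172.16.20.5", "last_ip": "172.16.20.244"}]}]}]}
PROJECT_NETWORKS = {"version": "1.0", "project": "web-application", "networks": [{
    "name": "app-network", "address": "10.100.0.0/24", "subnets": [
        {"name": "web-subnet", "address": "10.100.0.0/26", "dns_servers": ["9.9.9.9", "8.8.8.8"],
         "ip_pools": [{"name": "web-pool", "first_ip": "10.100.0.10", "last_ip": "10.100.0.50"}]},
        {"name": "db-subnet", "address": "10.100.0.64/26",
         "ip_pools": [{"name": "db-pool", "first_ip": "10.100.0.70", "last_ip": "10.100.0.100"}]}]}]}
CATLET = {"name": "web-server-01", "project": "web-application", "networks": [
    {"name": "app-network", "subnet_v4": {"name": "web-subnet", "ip_pool": "web-pool"}}]}


def check_pool(where: str, subnet: ipaddress.IPv4Network, pool: Dict) -> Errors:
    """A pool is an ordered range inside its subnet, excluding the network/broadcast addresses."""
    name, first, last = pool["name"], ipaddress.IPv4Address(pool["first_ip"]), ipaddress.IPv4Address(pool["last_ip"])
    errors = [] if first <= last else [f"{where}: pool {name!r} first_ip {first} is after last_ip {last}"]
    for label, addr in (("first_ip", first), ("last_ip", last)):
        if addr not in subnet:
            errors.append(f"{where}: pool {name!r} {label} {addr} is outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            errors.append(f"{where}: pool {name!r} {label} {addr} is the network or broadcast address")
    return errors


def check_provider_config(cfg: Dict) -> Errors:
    """Host-level provider: the gateway sits inside the subnet and outside every pool."""
    errors: Errors = []
    for provider in cfg.get("network_providers", []):
        for sub in provider.get("subnets", []):
            where = f"provider {provider['name']!r}/subnet {sub['name']!r}"
            try:  # IPv4Network is strict by default: a 'network' with host bits set is rejected
                subnet, gateway = ipaddress.IPv4Network(sub["network"]), ipaddress.IPv4Address(sub["gateway"])
            except ValueError as exc:
                errors.append(f"{where}: invalid network or gateway ({exc})")
                continue
            if gateway not in subnet:
                errors.append(f"{where}: gateway {gateway} is not inside {subnet}")
            for pool in sub.get("ip_pools", []):
                pool_errors = check_pool(where, subnet, pool)
                errors += pool_errors
                if not pool_errors and (ipaddress.IPv4Address(pool["first_ip"]) <= gateway
                                        <= ipaddress.IPv4Address(pool["last_ip"])):
                    errors.append(f"{where}: gateway {gateway} lies inside pool {pool['name']!r}")
    return errors


def check_project_networks(cfg: Dict) -> Errors:
    """Project spec: subnets nest inside the network address and never overlap each other."""
    errors: Errors = []
    for net in cfg.get("networks", []):
        where = f"project {cfg['project']!r}/network {net['name']!r}"
        network, seen = ipaddress.IPv4Network(net["address"]), []
        for sub in net.get("subnets", []):
            sub_where, subnet = f"{where}/subnet {sub['name']!r}", ipaddress.IPv4Network(sub["address"])
            if not subnet.subnet_of(network):
                errors.append(f"{sub_where}: {subnet} is not inside {network}")
            errors += [f"{sub_where}: {subnet} overlaps subnet {n!r} ({o})" for n, o in seen if subnet.overlaps(o)]
            seen.append((sub["name"], subnet))
            for pool in sub.get("ip_pools", []):
                errors += check_pool(sub_where, subnet, pool)
    return errors


def check_catlet_networks(catlet: Dict, project_cfg: Dict) -> Errors:
    """A catlet attaches only to its own project's networks; every name it uses must exist there."""
    who = f"catlet {catlet['name']!r}"
    if catlet.get("project") != project_cfg.get("project"):
        return [f"{who}: is in project {catlet.get('project')!r}, not {project_cfg.get('project')!r}"]
    errors: Errors = []
    networks = {n["name"]: n for n in project_cfg.get("networks", [])}
    for ref in catlet.get("networks", []):
        net = networks.get(ref.get("name"))
        if net is None:
            errors.append(f"{who}: network {ref.get('name')!r} does not exist in the project")
            continue
        subnet_ref = ref.get("subnet_v4")
        if not subnet_ref:  # no explicit subnet requested: nothing to resolve here (example's assumption)
            continue
        sub = {s["name"]: s for s in net.get("subnets", [])}.get(subnet_ref.get("name"))
        if sub is None:
            errors.append(f"{who}: subnet {subnet_ref.get('name')!r} does not exist in {net['name']!r}")
            continue
        pool = subnet_ref.get("ip_pool")
        if pool and pool not in {p["name"] for p in sub.get("ip_pools", [])}:
            errors.append(f"{who}: pool {pool!r} does not exist in subnet {sub['name']!r}")
    return errors


def validate_page_examples() -> Errors:
    """Run every check over the three configurations above; an empty list means clean."""
    return (check_provider_config(PROVIDER_CONFIG) + check_project_networks(PROJECT_NETWORKS)
            + check_catlet_networks(CATLET, PROJECT_NETWORKS))


if __name__ == "__main__":
    print("\n".join(validate_page_examples()) or "all ranges nest and every catlet reference resolves")
```

Run it before applying a changed project network spec: the page's three examples pass cleanly, while pointing the catlet at db-subnet with web-pool, moving it to another project, or widening a subnet until it overlaps its neighbour each produces a single, specific finding. Keeping the gateway outside the pool matters in the provider config in particular, because the pool is what gets handed to catlets automatically.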

Common Use Cases

How organizations use projects and networks for secure infrastructure

Team Isolation

Separate different development teams with their own isolated project environments.

Organization with multiple development teams working on different applications

  • Team workspace isolation
  • No network interference
  • Independent catlet management
  • Role-based team access

Environment Separation

Use environments within projects to separate dev, staging, and production workloads.

Application lifecycle management with proper environment progression

  • Environment-based organization
  • Safe testing isolation
  • Production security
  • Consistent naming patterns

Application Isolation

Separate different applications into their own projects for security and organization.

Multiple applications running on the same eryph host requiring isolation

  • Application boundaries
  • Network security
  • Resource organization
  • Independent management

Client Separation

Service providers can isolate different client workloads using separate projects.

MSP or consultant managing multiple client environments on shared infrastructure

  • Client data isolation
  • Secure multi-tenancy
  • Independent access control
  • Billing separation

Security Best Practices

Recommended practices for secure infrastructure organization

Project Isolation

Use projects to isolate different teams, applications, or environments

Create separate projects for production, staging, and development workloads

Identity Client Management

Create a dedicated identity client per tool or team and grant it only the scopes it needs

Give clients that only read state a read scope such as compute:catlets:read instead of a write scope

Secure VM Configuration

Enable security features at the hypervisor level

Use secure boot, TPM, and generation 2 VM security features

Network Access Control

Control catlet network access through project network configuration

Keep projects on overlay networks so they cannot talk to each other, and give only the subnets that need it external network access

Single-Host Architecture

eryph provides project isolation and virtual networking on a single Hyper-V host. Projects create boundaries for catlets, networks, and storage within that host, which suits development environments, branch offices, and single-server deployments. Keep in mind that all of these boundaries are enforced by eryph on the host itself: anyone with administrative rights on the Hyper-V host can reach every catlet regardless of project, so access to the host remains the trust anchor.

Secure project isolation on single host
OpenVSwitch virtual networking
Identity-based access control
Hyper-V security features
