On-premise Agent Overview

Keep customer data in your VPC for internal tools, while keeping Superblocks always up-to-date from our cloud

caution

Only users with Admin privileges can set up the agent and access the On-premise Agent page in-app.

Customers can choose between two options to deploy Superblocks:

1. Cloud (default) - simple to get started, simple to manage. Superblocks Cloud acts as a proxy to your Integration. Superblocks never stores your customer data.
2. On-premise Agent - your customer data never leaves your VPC. Used by organizations with specific compliance requirements. Requires deploying our light-weight open source on-premise agent.

On this page:

1. On-premise Agent Benefits
2. On-premise Agent Architecture and Data Flow
   • How it works
   • Network Security
   • Bring your own key (BYOK)
   • Agent Authentication
   • Secure Agent Communication
3. Superblocks Data Storage and Access Control

On-premise agent benefits

The on-premise agent is designed as a hybrid cloud/on-premise deployment option for organizations with sensitive data:

• Customer data never leaves your VPC: Your customer data never leaves your network / VPC and it cannot be sent to the Superblocks Cloud.
• Seamless updates from Superblocks Cloud: Non-sensitive data like new UI components and Integration templates are always served from the Superblocks Global Edge Network.
• Bring your own key: The code you write is signed by your agent in your VPC meaning your code is always secure since it cannot be modified by Superblocks or a 3rd party.
• Low Operational Overhead: Simple to manage, the agent is stateless - no database migrations, no downtime, no rollback concerns.
• Developer Extensibility: Since the agent is open source, you can add integrations or extend it any way you see fit.
• Simple Security Audits: The agent is open source so your Security team can audit the code directly.
• Scalability: The agent is both horizontally and vertically scalable making it simple to manage larger workloads as you grow.

On-premise agent architecture and data flow

info

Secure Customer Data The on-premise agent ensures customer data never leaves your network and is never seen by the Superblocks server.

How it works

When your developers build apps in Superblocks and write SQL statements or API calls, your customer data flows from your Database to the On-premise Agent to the browser directly; never to Superblocks Cloud. In addition, the Superblocks Cloud cannot make any inbound network calls to the customer’s network.

The Browser will call out to the Superblocks Cloud only for Authentication, Permissions, App UI Definitions and App Integration Definitions. This approach keeps Superblocks components and functionality up-to-date for your developers with each release and bug fix, without needing to upgrade the On-Premise Agent.

When the Developer is ready to go to production, they click “Deploy” (Superblocks can alternatively integrate into your version control system) and the application will be accessible on a URL.

In the deployed app, when a user clicks a button to trigger an API call, the call is routed to the On-Premise Agent and the App Integration Definition will be fetched from Superblocks Cloud (Optionally customers can connect to their version control system so API Integration Definitions are fetched directly from a branch). This round-trip restricts end users from running arbitrary APIs, only APIs from the App Integration Definition approved by Developers with the right permissions can be triggered. The On-Premise Agent will execute the API logic based on the definition and all customer data flows from the data sources to the agent to the browser directly, never leaving the customer’s network and never going to the Superblocks Cloud.

Network security

All traffic to and from the On-premise Agent is encrypted with TLS. The On-premise Agent sets CORS so it will only accept requests that originated from Superblocks Cloud and rerouted to the agent

Bring your own key

Before the On-premise Agent executes an API, Workflow, or Scheduled Job, it verifies the integrity of the definition so that you have confidence that the code that is running is always the code you wrote.

Agent authentication

Authentication is enabled by default on the agent, users have to authenticate with Superblocks Cloud in order to trigger API requests via the agent. The agent will verify the auth token from the cloud and pass it along any requests to the cloud to verify permissions.

Secure agent communication

Superblocks Cloud does not make any network requests to the Superblocks On Prem Agent. All communication between the agent and cloud is one-way and initiated from the agent. Detailed information about all network calls to and from the agent can be found here.

Superblocks data storage and access control

Data Type	On Prem Agent Hybrid Deployment	Cloud only Deployment	Role Based Access Controls
App UI Definition UI Component Pages and layouts Component triggers and events JavaScript for the UI	Stored on the cloud and rendered in the browser	Stored on the cloud and rendered in the browser	End users granted access to the deployed version of the app. Developers granted edit permissions can perform CRUD operation in Edit mode
App Integration Definition Integration template Credentials & Secrets Connection configurations Code	Stored on the cloud. Agent will fetch the definition when API requests are triggered Secrets & credentials are stored separately in Vault. Code is stored in the cloud, and can be connected to customer’s Github account	Stored on the cloud Secrets & credentials are stored separately in Vault. Code is stored in the cloud, and can be connected to customer’s Github account	Developers granted edit permissions can perform CRUD operation
Role Based Access Controls definitions for Integrations, Editing Apps and Viewing Apps	Stored in the cloud. Cloud will verify permissions when Agent tries to fetch App Integration Definition from the cloud	Stored in the cloud	Developers granted edit access can perform CRUD operation
Authentication Email Password Google and Okta SSO	Stored and configured in Auth0	Stored and configured in Auth0	SSO configured by Admins only
Organization Settings Organization name Agent metadata Billing and payment	Stored in the cloud, browser will fetch from the cloud	Stored in the cloud, browser will fetch from the cloud	Organization settings are only accessible to org Admins. Each user can view and update their own profile
Usage & Billing Data Number of API calls Type of API Avg latency of API calls Number of page views Number of user login/signup Number of app and component creation	API usage is sent from the agent to the cloud Product usage is tracked within cloud	Tracked within cloud	Developers with edit access can view usage of an application. Admins can view all usage data across applications
Audit Logs	Generated in the agent and sent to the cloud. Optionally can also be stored by 3rd party monitoring solutions (ex. Datadog)	Generated and stored in cloud. Optionally can also be stored by 3rd party monitoring solutions (ex. Datadog)	Developers/owners with audit log access for the application

For a full list of the outbound network calls the agent makes along with request/response see the Github page here.

Additional resources

Learn more about the On-Premise Agent here:

• Blog: On-Premise Agent: The ultimate architecture for data security and developer velocity
• Customers: Casechek: Onboarding hospitals 70% faster at scale with Superblocks