On-premise Agent Overview
Keep customer data in your VPC for internal tools, while keeping Superblocks always up-to-date from our cloud
Who can use this feature?
Organization Owners, Admins, and other users with the agents:read permission
Customers can choose between two options to deploy Superblocks:
- Cloud (default) - simple to get started, simple to manage. Superblocks Cloud acts as a proxy to your Integration. Superblocks never stores your customer data.
- On-premise Agent - your customer data never leaves your VPC. Used by organizations with specific compliance requirements. Requires deploying our light-weight open source on-premise agent.
On this page:
- On-premise Agent Benefits
- On-premise Agent Architecture and Data Flow
- Superblocks Data Storage and Access Control
On-premise agent benefits
The on-premise agent is designed as a hybrid cloud/on-premise deployment option for organizations with sensitive data:
- Customer data never leaves your VPC: Your customer data never leaves your network / VPC and it cannot be sent to the Superblocks Cloud.
- Seamless updates from Superblocks Cloud: Non-sensitive data like new UI components and Integration templates are always served from the Superblocks Global Edge Network.
- Bring your own key: The code you write is signed by your agent in your VPC meaning your code is always secure since it cannot be modified by Superblocks or a 3rd party.
- Low Operational Overhead: Simple to manage, the agent is stateless - no database migrations, no downtime, no rollback concerns.
- Developer Extensibility: Since the agent is open source, you can add integrations or extend it any way you see fit.
- Simple Security Audits: The agent is open source so your Security team can audit the code directly.
- Scalability: The agent is both horizontally and vertically scalable making it simple to manage larger workloads as you grow.
On-premise agent architecture and data flow
Secure Customer Data The on-premise agent ensures customer data never leaves your network and is never seen by the Superblocks server.
How it works
When your developers build apps in Superblocks and write SQL statements or API calls, your customer data flows from your Database to the On-premise Agent to the browser directly; never to Superblocks Cloud. In addition, the Superblocks Cloud cannot make any inbound network calls to the customer’s network.
The Browser will call out to the Superblocks Cloud only for Authentication, Permissions, App UI Definitions and App Integration Definitions. This approach keeps Superblocks components and functionality up-to-date for your developers with each release and bug fix, without needing to upgrade the On-Premise Agent.
When the Developer is ready to go to production, they click “Deploy” (Superblocks can alternatively integrate into your version control system) and the application will be accessible on a URL.
In the deployed app, when a user clicks a button to trigger an API call, the call is routed to the On-Premise Agent and the App Integration Definition will be fetched from Superblocks Cloud (Optionally customers can connect to their version control system so API Integration Definitions are fetched directly from a branch). This round-trip restricts end users from running arbitrary APIs, only APIs from the App Integration Definition approved by Developers with the right permissions can be triggered. The On-Premise Agent will execute the API logic based on the definition and all customer data flows from the data sources to the agent to the browser directly, never leaving the customer’s network and never going to the Superblocks Cloud.
Network security
All traffic to and from the On-premise Agent is encrypted with TLS. The On-premise Agent sets CORS so it will only accept requests that originated from Superblocks Cloud and rerouted to the agent
Bring your own key
Before the On-premise Agent executes an API, Workflow, or Scheduled Job, it verifies the integrity of the definition so that you have confidence that the code that is running is always the code you wrote.
Agent authentication
Authentication is enabled by default on the agent, users have to authenticate with Superblocks Cloud in order to trigger API requests via the agent. The agent will verify the auth token from the cloud and pass it along any requests to the cloud to verify permissions.
Secure agent communication
Superblocks Cloud does not make any network requests to the Superblocks On Prem Agent. All communication between the agent and cloud is one-way and initiated from the agent. Detailed information about all network calls to and from the agent can be found here.
Data stored by Superblocks
| Data | Superblocks Cloud | Superblocks On-Premise |
|---|---|---|
Authentication
| Configured and stored in Auth0 | Same as Superblocks Cloud |
Organization settings
| Stored in Superblocks Cloud servers | Same as Superblocks Cloud |
RBAC & Governance
| Stored in Superblocks Cloud servers | Same as Superblocks Cloud |
Application UI
| Stored in Superblocks Cloud servers and can sync with Git repo using Source Control | Same as Superblocks Cloud |
Backend Code
| Stored in Superblocks Cloud servers and can sync with Git repo using Source Control | Same as Superblocks Cloud, PLUS |
Integrations
| Stored in Superblocks Cloud server | Same as Superblocks Cloud, PLUS |
Telemetry & Audit Logs
| Execution logs are generated by the agent and sent to Superblocks Cloud | Same as Superblocks Cloud |
Usage & Billing
| API & step executions are sent from agents to Superblocks Cloud services | Same as Superblocks Cloud |
For a full list of the outbound network calls the agent makes along with request/response see the Github page here.