Hybrid deployment
The hybrid deployment model gives customers full control over their data and compute environment while leveraging Opaque’s hosted control plane to manage job orchestration, metadata, and platform intelligence.
In this setup:
- Control plane (hosted by Opaque): Manages users, workspaces, job metadata, and platform coordination. This component is multi-tenant and remains outside the customer’s environment.
- Data plane (hosted by the customer): Executes confidential workloads inside a trusted execution environment (TEE). This ensures data remains protected throughout processing.
- Client / API pod (hosted by the customer): Handles local data encryption and request submission. This component may also run inside a TEE.
- Data storage (hosted by the customer): Stores encrypted data and job results locally within the customer’s cloud environment or infrastructure.
Note on Azure-hosted environments
When deployed via an Azure Managed Application, the data plane, client/API pod, and storage reside in the customer’s environment but are provisioned and managed by Opaque. This gives customers the benefits of cloud-local execution without the operational overhead of managing the platform themselves.
This model satisfies strict data sovereignty and compliance requirements by ensuring all sensitive data remains within the customer’s ecosystem. It is the most commonly requested deployment approach among enterprise customers.
Architecture overview
The hybrid deployment architecture, shown in the following diagram, separates responsibilities across two domains: the Opaque-hosted control plane (left) and the customer-hosted environment (right), which includes both the client and data plane.
Opaque-hosted control plane
The shared, Opaque-hosted control plane is responsible for platform orchestration, metadata management, and system-level services.
- Management hub:
  - Stores job metadata, workspace configurations, and user roles.
  - Maintains state for platform workflows and access policies.
- Notifications:
  - Delivers user-facing alerts for events such as job completion and approval requests.
  - Supports asynchronous coordination across components.
- Audit logger:
  - Records signed, tamper-evident logs of user actions.
  - Supports platform observability and compliance reporting.
- Key management service (KMS):
  - Manages data encryption keys for user data and job logs.
  - Gates access to data encryption keys by verifying user identities.
  - Runs within a confidential VM to ensure that even Opaque cannot view or extract the underlying encryption keys.
Note
All user interaction, including the web UI and REST API, is served from within the customer environment.
Customer-hosted environment
The customer-hosted environment includes all components that process, encrypt, and store sensitive data. These components run entirely within the customer’s infrastructure and are responsible for interacting with the control plane, executing confidential workloads, and managing encrypted data at rest.
- Opaque client / API pod (optionally inside a TEE):
  - Authenticates user sessions
  - Submits encrypted job definitions and variables
  - Interacts with local storage and the compute cluster
- Confidential compute cluster:
  - Provides the secure runtime environment using TEE-enabled infrastructure. This cluster hosts the components responsible for executing and managing secure workloads:
    - Workload manager: Coordinates job execution and approval workflows. It translates job definitions into Kubernetes-native workloads and orchestrates their lifecycle, but does not process data directly.
    - Workload executors: Run jobs and services inside TEEs. These components are responsible for loading encrypted datasets from object storage, performing computation, and writing encrypted results, ensuring data remains protected throughout execution.
  - Includes a mutual attestation-enabled aTLS mesh, which ensures that all communication within the cluster is encrypted and authenticated between trusted workloads only. This reinforces confidentiality even across service boundaries.
- Encrypted object storage (e.g., S3, Azure Blob):
  - Stores datasets and output artifacts encrypted with per-org keys
Deployed artifacts
When deploying Opaque in a hybrid configuration, the following components are instantiated in the customer environment:
- Opaque client:
  - `frontend`: Hosts the web UI (React SPA)
  - `api`: Provides the REST API for user and programmatic access
  - `enc-dec-engine`: Handles client-side encryption and decryption
- Data plane components:
  - Workload manager:
    - `job-operator`: Runs the Kubernetes controller that manages Spark-based job execution
    - Third-party dependencies:
      - Argo Workflows: Orchestrates job execution workflows
      - Spark Operator: Manages Spark job lifecycles
  - Workload executors:
    - `service-host`: Handles service requests (e.g., data ingestion, redaction)
    - Spark driver and executor pods (run inside AMD SEV-SNP-enabled node pools)
    - Mesh sidecars and init containers (injected via `cc-webhook`) for attested TLS and firewall policy
- Supporting services:
  - Azure Cache for Redis (customer-hosted or BYO) for temporary job coordination state
  - Azure Blob storage for storing encrypted input datasets and job results
  - (Optional) Private DNS zones and private endpoints for secure, non-public access to control plane services