Upwind SaaS
Overview
Upwind SaaS is designed to facilitate secure and efficient data transfer between your systems and Upwind, leveraging advanced security measures to protect your data.
How data gets from you to Upwind
Upwind allows you to send data in multiple ways, including from the Sensor, Cluster Manager, the public API, and integrations. Data in motion through Upwind-provided tools is protected with TLS and HSTS. Data stored by Upwind is protected by encryption, access controls, and authentication.
Method | Description | Learn more |
---|---|---|
Upwind Sensors | Sensors serve as the primary channel for transferring data from your systems to Upwind. They ensure secure and efficient data transmission. | For more information, see the Sensors section. |
Cloud Integrations | Cloud integrations enable Upwind to connect with various cloud services. These integrations apply additional security measures, utilizing Upwind-dedicated credentials with restricted permissions. This includes role delegation in Amazon Web Services (AWS), role definition in Microsoft Azure, and service account in Google Cloud. | For more information, see the Cloud account section. |
Third-party Integrations | Third-party integrations enable Upwind to connect with external services. These are configured directly within Upwind, with credentials securely encrypted and stored. Data is encrypted both at rest and in transit, while access to credentials is tightly controlled, audited, and monitored for anomalies. | For more information, see the Integrations section. |
Security measures
Security is a top priority for Upwind to ensure the protection and high availability of your data. The Upwind SaaS architecture employs several layers of security measures to safeguard your data against threats.
Security Aspect | Description |
---|---|
Data in Transit | Data in transit refers to data actively moving from one location to another, such as across the internet or through a private network. Upwind ensures the security of data in transit by employing industry-standard encryption protocols like Transport Layer Security (TLS). TLS encrypts the data being transmitted, preventing unauthorized access and ensuring that the data remains confidential and unaltered during transmission. Additionally, HTTP Strict Transport Security (HSTS) is enforced to further protect against man-in-the-middle attacks by ensuring that browsers interact with Upwind services only over secure connections. |
Data at Rest | Data at rest refers to data that is stored on physical or virtual storage systems, such as databases or file systems. Upwind protects data at rest through robust encryption methods. This ensures that even if the storage media is compromised, the data remains inaccessible without the appropriate decryption keys. Access controls are implemented to restrict data access to authorized personnel only, and authentication mechanisms are in place to verify user identities before granting access. Regular audits and monitoring are conducted to detect and respond to any unauthorized access attempts promptly. |
Web Application Firewall (WAF) | In addition to protecting data in transit and at rest, Upwind utilizes a Web Application Firewall (WAF) to defend against distributed denial-of-service (DDoS) attacks. The WAF monitors and filters incoming traffic to the application, identifying and blocking malicious requests that could disrupt service availability. This proactive defense helps maintain high availability and performance of Upwind services, ensuring that your data is accessible when you need it. |
Web access
To ensure access to the Upwind Management Console and its documentation, allow access to the following domains. You can simplify this process by adding *.upwind.io, which will include all essential endpoints.
auth.upwind.io
login.upwind.io
console.upwind.io
docs.upwind.io
For the best user experience, we recommend accessing the Upwind Management Console using Chrome version 118 or later. This version of Chrome is optimized for the console's advanced GL features used in topology mapping, ensuring high performance. The console has been successfully tested on Chrome, and using this browser will provide the most seamless experience.
Network access
To ensure functional communication and uninterrupted data flow with Upwind's services, you should whitelist the necessary domains or IP addresses. This allows you to send and receive information to and from Upwind, even if your default network settings block inbound or outbound traffic.
Domains
Below are the outbound (egress) domains you may need to whitelist:
agent.upwind.io
agentgrpc.upwind.io
auth.upwind.io
oauth.upwind.io
charts.upwind.io
get.upwind.io
registry.upwind.io
releases.upwind.io
prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com
IPs
Below are the IP addresses you may need to whitelist:
18.213.31.221/32
3.216.212.115/3
44.209.52.119/32
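Before loading these entries into a proxy or firewall, it helps to check them mechanically. The following is an added example, not Upwind's code: it reports which egress domains a given allowlist leaves uncovered and flags any IP entry that expands to more than one host. The function names are hypothetical, and the wildcard semantics (`*.d` matches subdomains of `d` only) and the lenient CIDR parsing are assumptions about the enforcing device.

```python
import ipaddress

# Egress domains and IP entries copied as they appear in the lists above.
REQUIRED_DOMAINS = [
    "agent.upwind.io", "agentgrpc.upwind.io", "auth.upwind.io",
    "oauth.upwind.io", "charts.upwind.io", "get.upwind.io",
    "registry.upwind.io", "releases.upwind.io",
    "prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com",
]
LISTED_IPS = ["18.213.31.221/32", "3.216.212.115/3", "44.209.52.119/32"]


def matches(host, pattern):
    """Assumed semantics: '*.d' matches subdomains of d only; otherwise exact."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix keeps the leading dot
    return host == pattern


def uncovered(required, allow_patterns):
    """Required domains that no allowlist pattern matches."""
    return [d for d in required if not any(matches(d, p) for p in allow_patterns)]


def review_cidrs(entries):
    """Return (entry, reason) for entries that are not a single-host CIDR."""
    findings = []
    for entry in entries:
        try:
            # strict=False models a lenient parser that silently masks host bits.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not a valid CIDR"))
            continue
        if net.num_addresses != 1:
            findings.append((entry, f"expands to {net} ({net.num_addresses} addresses)"))
    return findings


if __name__ == "__main__":
    # Constructed allowlist: only the wildcard suggested for web access.
    for domain in uncovered(REQUIRED_DOMAINS, ["*.upwind.io"]):
        print("not covered by allowlist:", domain)
    for entry, reason in review_cidrs(LISTED_IPS):
        print("review before loading:", entry, "->", reason)
```

An entry reported by `review_cidrs` should be confirmed with the vendor before it is applied, since a lenient parser would open the whole expanded range.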