Upwind SaaS Architecture
Web Access
To use the Upwind Management Console, allow access to the following domains:
You can add *.upwind.io instead, which covers both of the following URLs (and every other upwind.io subdomain):
- docs.upwind.io
- console.upwind.io
The Upwind Management Console renders its topology map with GL-based graphics and is tested on Chrome; Chrome version 118 or later is recommended for the best user experience.
To protect your data and keep Upwind SaaS highly available, the Upwind SaaS architecture uses Cloudflare for DNS resolution of web requests and for protection against distributed denial-of-service (DDoS) attacks.
How data gets from you to Upwind
Data reaches Upwind through several channels: the Sensor, the Cluster Manager, the public API, and integrations.
Data in transit through Upwind-provided tools is protected with TLS and HSTS. Data stored by Upwind is protected by encryption at rest, access controls, and authentication.
Whitelist Outbound (Egress) Domains
Upwind components and installers connect to the following domains; if your firewall restricts outbound traffic, add them to its egress rules:
- agent.upwind.io
- agentgrpc.upwind.io
- auth.upwind.io
- charts.upwind.io
- get.upwind.io
- registry.upwind.io
- releases.upwind.io
- prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com
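As an added example (not Upwind's tooling), the script below takes the domain list from this page and does the two things a firewall administrator wants before rolling out the Sensor: it checks candidate hostnames against the allowlist with correct wildcard handling, so that *.upwind.io matches agent.upwind.io but not look-alikes such as evil-upwind.io or agent.upwind.io.attacker.com, and it probes each listed host over TLS on port 443 with certificate verification left on, so a blocked egress path or a TLS-intercepting proxy shows up as an error rather than a silent pass. The connect function is injectable so the allowlist logic can be exercised offline; all function names and the matching rules are assumptions of this example.

```python
"""Check egress allowlisting for the Upwind endpoints listed above.

Added example, not Upwind's own tooling. The hostnames are copied from this
page; the matching rules, the probe harness and all function names are
assumptions of this example.
"""
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Optional

# Hostnames the page lists for egress allowlisting.
UPWIND_EGRESS_HOSTS: List[str] = [
    "agent.upwind.io",
    "agentgrpc.upwind.io",
    "auth.upwind.io",
    "charts.upwind.io",
    "get.upwind.io",
    "registry.upwind.io",
    "releases.upwind.io",
    "prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com",
]


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Agent.upwind.io.' equals 'agent.upwind.io'."""
    return host.strip().rstrip(".").lower()


def host_matches(pattern: str, host: str) -> bool:
    """Match one allowlist entry against a hostname.

    A '*.example' entry matches any name ending in '.example' (nested labels
    included) but not 'example' itself and not look-alikes such as
    'evil-example' or 'a.example.attacker.com'. Other entries match exactly.
    """
    host, pattern = normalize_host(host), normalize_host(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.upwind.io" -> ".upwind.io"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(host: str, allowlist: Iterable[str] = UPWIND_EGRESS_HOSTS) -> bool:
    """True if the hostname matches at least one allowlist entry."""
    return any(host_matches(p, host) for p in allowlist)


def tls_connect(host: str, port: int, timeout: float) -> Optional[str]:
    """Open a TLS connection; return None on success or the error text on failure.

    Certificate verification is left on, so a TLS-intercepting proxy that swaps
    the server certificate is reported as a verification error, not as success.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except OSError as exc:  # DNS failure, timeout, refused, and TLS errors
        return str(exc)


Connector = Callable[[str, int, float], Optional[str]]


def probe_egress(hosts: Iterable[str], connect: Connector = tls_connect,
                 port: int = 443, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Map each host to None (reachable) or an error string (blocked or broken)."""
    return {h: connect(h, port, timeout) for h in hosts}


def blocked_hosts(results: Dict[str, Optional[str]]) -> List[str]:
    """Hosts that failed the probe, sorted for stable reporting."""
    return sorted(h for h, err in results.items() if err is not None)


if __name__ == "__main__":
    outcome = probe_egress(UPWIND_EGRESS_HOSTS)
    for h, err in outcome.items():
        print(f"{h:<70} {'ok' if err is None else 'BLOCKED: ' + err}")
```

Run it from the host or cluster node where the Sensor will be installed, since egress rules are often applied per network segment; a hostname that resolves but fails the TLS handshake usually means an intercepting proxy is in the path, and the agent will need that proxy's CA configured or an exemption for these domains.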
Upwind Sensor
The Sensor is the main channel through which data travels from your systems to Upwind. Read about the Sensor's data security measures in the Sensor documentation.
Third-party service integrations
Some third-party service integrations are configured directly in Upwind and may require you to provide credentials so that Upwind can connect to the service on your behalf. The credentials you provide are encrypted and stored by Upwind in a secure credential datastore.
All data passing through these integrations is encrypted at rest in Upwind's systems and encrypted in transit. Access to the secure credential datastore is controlled and audited, and the services and actions Upwind uses within each third-party service are limited to what is necessary. Anomalous behavior detection tools continuously monitor for unauthorized access.
Cloud integrations
Due to their sensitive nature, additional security measures are implemented, where possible, when integrating with cloud providers, including the use of Upwind-dedicated credentials with limited permissions. For example:
- The integration with Amazon Web Services (AWS) requires you to configure role delegation in AWS IAM, following the AWS IAM best practices, and to grant specific permissions with an IAM policy. Upwind then uses a cross-account AssumeRole, so no access keys or tokens need to be created or shared.
- The integration with Microsoft Azure relies on you defining a tenant for Upwind and granting a specific application only the Reader role on the subscriptions you want to monitor.
- The integration with Google Cloud relies on you defining a service account for Upwind and granting it only the Compute Viewer (roles/compute.viewer) and Monitoring Viewer (roles/monitoring.viewer) roles.
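The AWS item above says the integration works through a cross-account AssumeRole rather than access keys. The block below is an added example, not Upwind's code and not the trust policy Upwind supplies: it builds the trust policy you would attach to the delegated role, with the principal pinned to a single account and an sts:ExternalId condition (AWS's recommended guard against the confused-deputy problem when a role is delegated to a third party), and it lints a policy for the weak patterns to reject before deploying: a wildcard principal, a principal outside the expected account, actions beyond sts:AssumeRole, and a missing external ID. The account ID 111122223333 and the external ID are placeholders; take Upwind's real values from the console when you set up the integration.

```python
"""Build and lint the cross-account trust policy for the AWS integration.

Added example, not Upwind's code and not the policy Upwind supplies. The
account ID and external ID below are placeholders; use the values shown in
the Upwind console when you set up the integration.
"""
import json
from typing import Any, Dict, List

UPWIND_ACCOUNT_ID = "111122223333"               # placeholder, not Upwind's real account
EXTERNAL_ID = "replace-with-upwind-external-id"  # placeholder


def build_trust_policy(trusted_account_id: str, external_id: str) -> Dict[str, Any]:
    """Trust policy that lets one account assume the role, gated on an external ID.

    The sts:ExternalId condition is AWS's recommended guard against the confused
    deputy problem when a role is delegated to a third party.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list in most fields; treat both uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal: Any) -> List[str]:
    """Account IDs (or '*') named by a statement's Principal element."""
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    accounts = []
    for p in _as_list(principal.get("AWS")):
        if p == "*":
            accounts.append("*")
        elif p.startswith("arn:"):
            accounts.append(p.split(":")[4])  # arn:partition:service:region:account:resource
        else:
            accounts.append(p)  # bare 12-digit account ID
    return accounts


def lint_trust_policy(policy: Dict[str, Any], expected_account_id: str) -> List[str]:
    """Return findings for weak trust-policy patterns; an empty list means it passes."""
    findings: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        where = f"Statement[{i}]"
        for acct in _principal_accounts(st.get("Principal")):
            if acct == "*":
                findings.append(f"{where}: Principal is '*', so any AWS account may assume the role")
            elif acct != expected_account_id:
                findings.append(f"{where}: principal account {acct} is not the expected {expected_account_id}")
        for action in _as_list(st.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"{where}: action {action} is broader than sts:AssumeRole")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"{where}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(UPWIND_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy, UPWIND_ACCOUNT_ID) or "none")
```

Save the printed JSON to a file and pass it as --assume-role-policy-document file://trust.json to aws iam create-role; the permissions policy that grants the read actions Upwind needs is a separate document and comes from Upwind's setup instructions, so keep it to the listed actions and do not attach broader managed policies to the same role.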
Whitelist IPs
If your network blocks outbound traffic by default, there are two ways to allow information to reach Upwind: whitelisting by DNS name or whitelisting by IP address. Where your firewall supports it, DNS-based whitelisting is the more robust choice, because addresses resolved ad hoc for these hostnames can change; for IP-based whitelisting, use the ranges Upwind provides. To set up either option, contact us through one of the following methods:
- Access 24/7 live chat support directly in the Upwind Management Console.
- Reach out to us anytime via email at support@upwind.io.
- Collaborate with us by starting a shared Slack channel.