Network Security

Rime runs in a hardened network environment with multiple layers of defence. This page describes the network architecture, traffic controls, and container security measures that protect your data.

VPC architecture

Rime runs in isolated Virtual Private Clouds (VPCs) with a layered network design:

Public subnet

The public subnet contains only the load balancer and WAF. No application code runs in the public subnet. The load balancer terminates TLS and forwards decrypted traffic to the application subnet over an internal connection.

Application subnet

The application subnet hosts Rime’s application services (API, scheduler, connector runner). These services:

  • Accept traffic only from the load balancer — direct internet access to application pods is not possible
  • Communicate with the database subnet over private network connections
  • Make outbound connections to external services (Snowflake, S3, identity providers) through a NAT gateway with a fixed egress IP

Database subnet

The database subnet hosts PostgreSQL instances. These instances:

  • Accept connections only from the application subnet — no direct internet access is possible
  • Run in a private subnet with no internet gateway
  • Use encrypted connections for all communication with the application layer

Network segmentation

Each layer can communicate only with its adjacent layers:

Internet -> Load Balancer (public) -> Application (private) -> Database (private)

There is no path from the internet directly to the database subnet. There is no path from the database subnet to the internet.

Web Application Firewall

A Web Application Firewall (WAF) inspects all incoming HTTP requests before they reach the application layer. The WAF provides:

Managed rule sets

  • OWASP Core Rule Set — protects against common web attacks: SQL injection, cross-site scripting (XSS), path traversal, protocol violations, and remote code execution
  • Known bad inputs — blocks requests containing patterns associated with exploitation of known vulnerabilities
  • Bot detection — identifies and rate-limits automated traffic that does not match legitimate browser or API client patterns

Custom rules

  • Rate limiting — limits requests per IP address and per authenticated user to prevent abuse. Default limits are generous enough for normal use but prevent automated attacks
  • Geographic restrictions — optionally restrict access to specific countries or regions. Available on request for tenants with geographic compliance requirements
  • IP reputation — blocks traffic from known malicious IP addresses using threat intelligence feeds

Logging

All WAF decisions (allow, block, rate-limit) are logged. Blocked requests include the rule that triggered the block. WAF logs are available to Rime’s operations team for incident investigation and are summarised in your tenant’s audit log when relevant to your traffic.

DDoS protection

Rime deploys DDoS mitigation at multiple layers:

  • Network layer (L3/L4) — AWS Shield Standard (included by default) absorbs volumetric attacks (SYN floods, UDP reflection, etc.) before they reach the VPC
  • Application layer (L7) — the WAF rate-limiting rules and bot detection mitigate application-layer DDoS (HTTP floods, slowloris, etc.)
  • Scaling — the application layer runs on Kubernetes with horizontal pod autoscaling. During traffic spikes, additional pods are provisioned to handle legitimate load while the WAF blocks malicious traffic

For tenants with elevated DDoS risk, AWS Shield Advanced is available on request. Shield Advanced provides dedicated DDoS response team support and cost protection for scaling events caused by attacks.

Egress controls

Rime controls outbound network traffic to prevent data exfiltration and limit the blast radius of a potential compromise:

Allowed egress destinations

Rime only makes outbound connections to:

Destination                  | Purpose                              | Protocol
-----------------------------|--------------------------------------|----------------
Snowflake (customer account) | SQL API calls, metadata queries      | HTTPS (443)
AWS S3 (staging buckets)     | Parquet file upload and download     | HTTPS (443)
Customer identity providers  | SAML/OIDC authentication flows       | HTTPS (443)
Customer source systems      | Connector extraction (database, API) | Configured port
Notification endpoints       | Slack, email, PagerDuty, webhooks    | HTTPS (443)

All other outbound traffic is blocked by network policy.

Source system connections

When you configure a connector to extract data from a source system (database, REST API), Rime connects from a fixed egress IP address. This IP is specific to your Rime region and does not change. You can allowlist this IP in your source system’s firewall to restrict access to only Rime.

The egress IP for your region is displayed in Settings > Network > Egress IP.

Container hardening

Rime’s application services run as containers on Kubernetes with the following hardening measures:

Image security

  • Minimal base images — containers use distroless or Alpine-based images with only the binaries required to run the application. No package managers, shells, or utilities are included in production images
  • Vulnerability scanning — container images are scanned for known vulnerabilities before deployment. Images with critical or high-severity CVEs are not deployed until the vulnerability is patched
  • Signed images — images are cryptographically signed and verified before deployment to prevent tampering

Runtime security

  • Non-root execution — all containers run as a non-root user. No process in the application layer runs with root privileges
  • Read-only filesystem — container filesystems are mounted read-only. Temporary files (e.g., generated Terraform configurations, dbt projects) are written to ephemeral volumes that are destroyed when the container restarts
  • No privilege escalation — containers are configured with allowPrivilegeEscalation: false, preventing processes from gaining additional capabilities
  • Resource limits — each container has CPU and memory limits to prevent a single service from consuming all cluster resources
  • Network policy — Kubernetes network policies restrict pod-to-pod communication. The API cannot communicate directly with the connector runner; they interact only through the database
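As an added illustration of the pod-level segmentation described above (not Rime's own manifest), a Kubernetes NetworkPolicy that admits traffic to the API pods only from the load balancer subnet and lets them reach only cluster DNS and the database subnet; the namespace, labels, CIDRs and ports are assumptions.

```yaml
# Added example, not Rime's own manifest. Namespace, labels, CIDRs and
# ports are assumptions; adjust them to the real subnets.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-segmentation
  namespace: rime                       # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: api                          # assumed label on the API pods
  policyTypes: [Ingress, Egress]        # anything not listed below is denied
  ingress:
    # Only the load balancer in the public subnet may reach the API port.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/24           # assumed public (load balancer) subnet
      ports:
        - protocol: TCP
          port: 8080                    # assumed application port
  egress:
    # Cluster DNS, so the pod can resolve names at all.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # PostgreSQL in the private database subnet.
    - to:
        - ipBlock:
            cidr: 10.0.2.0/24           # assumed database subnet
      ports:
        - protocol: TCP
          port: 5432
    # No rule selects the connector runner pods, so API -> connector runner
    # traffic is dropped; the two services share state only via the database.
    # Egress to external services (Snowflake, S3, IdPs) through the NAT
    # gateway would be further ipBlock rules, omitted here.
```

A quick check after applying it: `kubectl describe networkpolicy api-segmentation -n rime` should list exactly these allowed peers, and a test connection from an API pod to a connector runner pod should time out rather than connect.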

Secret management

Sensitive configuration (encryption keys, database credentials, service account tokens) is injected into containers through Kubernetes secrets, not environment variables or configuration files baked into images. Secrets are:

  • Encrypted at rest in the Kubernetes secret store
  • Mounted as temporary files in memory-backed volumes
  • Never written to container logs or disk
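An added example, not Rime's own manifest, of a pod spec that applies the runtime-security and secret-handling settings listed above; the image reference, user ID, port, paths, secret name and resource values are assumptions.

```yaml
# Added example, not Rime's own manifest. Image, UID, paths, secret name
# and resource values are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: rime                       # assumed namespace
  labels:
    app: api
spec:
  automountServiceAccountToken: false   # no cluster token unless needed
  securityContext:
    runAsNonRoot: true                  # kubelet refuses a root container
    runAsUser: 10001                    # assumed unprivileged UID
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      # Pin by digest so the signature verified at deploy time covers
      # exactly this image; <digest> is a placeholder.
      image: registry.example.com/rime/api@sha256:<digest>
      securityContext:
        allowPrivilegeEscalation: false # no setuid/setcap gains
        readOnlyRootFilesystem: true    # image layers cannot be written
        capabilities:
          drop: ["ALL"]
      resources:
        requests: {cpu: "250m", memory: "256Mi"}
        limits:   {cpu: "1",    memory: "1Gi"}
      volumeMounts:
        - name: tmp                     # the only writable path
          mountPath: /tmp
        - name: db-credentials          # secret as files, not env vars
          mountPath: /var/run/secrets/rime/db
          readOnly: true
  volumes:
    - name: tmp
      emptyDir:                         # ephemeral; gone on pod restart
        sizeLimit: 512Mi
    - name: db-credentials
      secret:                           # secret volumes are tmpfs-backed
        secretName: api-db-credentials  # assumed secret name
        defaultMode: 0400
```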

IP allowlisting

If your organisation requires that only specific IP addresses can access Rime, contact Rime support to configure IP allowlisting for your tenant. When enabled:

  • Only requests from the allowlisted IP ranges reach the application layer
  • All other traffic is blocked at the WAF
  • The allowlist applies to both the web interface and the API

IP allowlisting is useful for organisations that require all access to come through a corporate VPN or office network.
