SynapseEdge Defense

Deployment Topology

One control plane. A fleet of edge sensors. A persistent WebSocket tunnel that carries config in and telemetry out — with tenant isolation enforced at every layer.

1 Control Plane
N Edge PoPs
5 Tunnel Channels
Multi-Tenant Isolated
Physical & Logical Topology
[Diagram: the SYNAPSE FLEET control plane (RuleDistributor, RolloutOrchestrator, FleetCommander, TunnelBroker, Telemetry API, ClickHouse) is linked by a WSS tunnel to four edge PoPs (us-east, eu-west, ap-south, sa-east). Each PoP is labelled Synapse Pingora, Apparatus sensor, WAF · risk · schema, and is paired with a Protected Origin + @atlascrew/synapse-client. The two regions are marked DATA PLANE and CONTROL PLANE.]
Legend:
Rules & config · control → edge
Telemetry · edge → control
Persistent WSS tunnel
Edge PoP boundary
Control-Plane Services
RuleDistributor (FLEET RULE SYNC): Tracks per-sensor rule status, enforces tenant isolation, coordinates blue/green swaps on rule updates.
RolloutOrchestrator (BATCHED ROLLOUTS): Health-aware rollout of binary releases via BullMQ queue. Fails a batch early rather than rolling the whole fleet.
FleetCommander (REMOTE CONTROL): Routes reload/restart/drain/resume commands to named sensors over the tunnel. Audit-logged.
TunnelBroker (CHANNEL MULTIPLEX): WebSocket session manager. Per-session auth, per-channel rate limits, per-sensor concurrent session cap.
Telemetry API (EVENT INGEST): JWT-auth'd batched ingest with replay protection. Feeds ClickHouse & materialized views.
DeploymentStateStore (BLUE/GREEN STATE): Durable record of which rule set each sensor is serving — survives control-plane restarts.
Rule & Release Propagation — Health-Aware Batching
1% Canary: One sensor per PoP gets the new rule set first. The rollout blocks until the health check passes.
10% Early Wave: Expands to a single region after canary green. First look at real traffic patterns.
50% Half Fleet: Blue/green split. Failed batches stop the rollout; passing batches hold.
100% Full Rollout: Remaining sensors swap. Previous state retained for instant rollback via the state store.
Tunnel Protocol — 5 Multiplexed Channels
Shell: Remote terminal with PTY
Logs: Live log streaming with filters
Diag: Health · mem · rules · actors
Control: reload · restart · drain
Files: Secure file transfer & browse
Tenant isolation at every layer
Sensors belong to exactly one tenant. Rule distribution, tunnel sessions, and telemetry queries all enforce tenant scoping — attempting to touch another tenant's sensors throws TenantIsolationError before any side effect occurs. Multi-tenant deployments share the control plane, not the data.
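
The validate-then-act ordering described above, as an added JavaScript sketch (not SynapseEdge code): every target sensor is checked against the session's tenant before the first command is sent, so a batch that mixes own and foreign sensors produces no partial dispatch. Only TenantIsolationError and the command names come from the page; the registry, function names and session shape are assumptions.

```javascript
// Added illustration; all names except TenantIsolationError are hypothetical.
class TenantIsolationError extends Error {
  constructor(tenantId, sensorId) {
    super(`tenant ${tenantId} may not access sensor ${sensorId}`);
    this.name = "TenantIsolationError";
    this.sensorId = sensorId;
  }
}

// Constructed sample registry: each sensor belongs to exactly one tenant.
const SENSOR_OWNER = new Map([
  ["us-east-1", "tenant-a"],
  ["eu-west-1", "tenant-a"],
  ["ap-south-1", "tenant-b"],
]);

const ALLOWED_COMMANDS = new Set(["reload", "restart", "drain", "resume"]);

// Phase 1: pure validation. Touches no tunnel, queue or audit log.
function assertTenantScope(tenantId, sensorIds, owners = SENSOR_OWNER) {
  for (const id of sensorIds) {
    // A missing tenant must never match an unknown sensor (undefined === undefined).
    // Unknown sensors fail exactly like foreign ones, so the error does not
    // reveal which sensor IDs exist in other tenants.
    if (!tenantId || owners.get(id) !== tenantId) {
      throw new TenantIsolationError(tenantId, id);
    }
  }
}

// Phase 2: side effects, reached only if every target passed phase 1.
function dispatchCommand(session, command, sensorIds, send, audit) {
  if (!ALLOWED_COMMANDS.has(command)) {
    throw new RangeError(`unknown command: ${command}`);
  }
  // The tenant comes from the authenticated session, never from the request body.
  assertTenantScope(session.tenantId, sensorIds);
  for (const id of sensorIds) {
    audit.push({ tenant: session.tenantId, sensor: id, command });
    send(id, command);
  }
  return sensorIds.length;
}
```

Checking inside the dispatch loop instead would let the first sensors of a mixed batch receive the command before the foreign one is rejected.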