This document defines how services are exposed to users and the network requirements for each exposure category.
- Public
  - Definition: Services reachable from the internet.
  - DNS: Must resolve to the Public IP of the platform.
  - Auth: Must enforce SSO/MFA at the Ingress layer.
  - TLS: Must use valid, publicly trusted certificates.
- Internal
  - Definition: Services reachable only from LAN or VPN.
  - DNS: Must resolve to a Private IP (RFC1918).
  - Auth: Must enforce SSO at the Ingress layer.
  - TLS: Should use certificates (internal or public CA).
- VPN-Only
  - Definition: Services reachable only from VPN clients.
  - DNS: Must resolve to a Private IP (RFC1918) only on VPN resolvers.
  - Auth: Must enforce SSO at the Ingress layer.
  - TLS: Should use certificates (internal or public CA).
- Management
  - Definition: Administrative endpoints (SSH, Git, control plane consoles).
  - DNS: Must resolve to management-only records or private IPs.
  - Auth: Must enforce MFA and privileged access controls.
  - TLS: Must use certificates (internal or public CA).

| Category | Allowed Ingress | Allowed Source Networks | DNS Resolution |
|---|---|---|---|
| Public | Public Ingress only | Internet | Public IP |
| Internal | Internal Ingress only | LAN + VPN | Private IP |
| VPN-Only | Internal Ingress only | VPN only | Private IP (VPN resolvers only) |
| Management | Management endpoints only | Admin LAN + VPN | Private IP / management records |

| Category | Authentication | Authorization |
|---|---|---|
| Public | SSO + MFA at Ingress | Group-based access (IdP) |
| Internal | SSO at Ingress | Group-based access (IdP) |
| VPN-Only | SSO at Ingress | Group-based access (IdP) |
| Management | MFA + privileged access | Admin-only groups, audited access |

- All services MUST use the `*.risu.tech` domain.
- Internal service names MUST match their public counterparts (if they exist) to ensure a seamless user experience.
- The platform uses Split-Horizon DNS to ensure that `app.risu.tech` resolves to the correct IP based on the client’s network location.
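
The category definitions, the two tables and the DNS rules above can be checked mechanically. The following is an added example (not part of this document or the risu.tech platform) that encodes the per-category requirements as data and reports every violation for a service record, including the split-horizon expectation that one name yields different answers on public, LAN and VPN resolvers. The `Service` record, the `POLICY` table and the resolver answers in the test are constructed for the example; the RFC1918 check is spelled out explicitly because Python's `is_private` also treats CGNAT, loopback and documentation ranges as private.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# RFC1918 space spelled out rather than using ip_address().is_private, which also
# counts loopback, link-local, CGNAT (100.64/10) and documentation ranges as private.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


# Per-category requirements transcribed from the policy tables (constructed encoding).
POLICY = {
    "Public":     {"ingress": "public",     "auth": {"sso", "mfa"},        "tls": "MUST"},
    "Internal":   {"ingress": "internal",   "auth": {"sso"},               "tls": "SHOULD"},
    "VPN-Only":   {"ingress": "internal",   "auth": {"sso"},               "tls": "SHOULD"},
    "Management": {"ingress": "management", "auth": {"mfa", "privileged"}, "tls": "MUST"},
}


@dataclass
class Service:
    name: str
    category: str
    ingress: str                          # ingress class the service is attached to
    auth: set                             # controls enforced at the ingress layer
    tls: bool                             # a certificate is configured
    # A record each resolver returns for the name; None means no record (split horizon)
    public_answer: Optional[str] = None   # answer from a public resolver
    lan_answer: Optional[str] = None      # answer from the LAN resolver
    vpn_answer: Optional[str] = None      # answer from the VPN resolver


def check_service(svc: Service) -> list:
    """Return the list of policy violations for one service (empty list = conforming)."""
    problems = []
    if not svc.name.endswith(".risu.tech"):
        problems.append("name is not under *.risu.tech")
    rule = POLICY.get(svc.category)
    if rule is None:
        problems.append("unknown category %r" % svc.category)
        return problems
    if svc.ingress != rule["ingress"]:
        problems.append("%s services must use the %s ingress" % (svc.category, rule["ingress"]))
    missing = rule["auth"] - set(svc.auth)
    if missing:
        problems.append("ingress must enforce %s" % ", ".join(sorted(missing)))
    if not svc.tls:
        problems.append("%s use a certificate" % rule["tls"])

    # DNS expectations differ per category: one name, different answers per resolver.
    if svc.category == "Public":
        if svc.public_answer is None or is_rfc1918(svc.public_answer):
            problems.append("public resolvers must return the platform's public IP")
    elif svc.category == "VPN-Only":
        if svc.vpn_answer is None or not is_rfc1918(svc.vpn_answer):
            problems.append("VPN resolvers must return an RFC1918 address")
        if svc.lan_answer is not None:
            problems.append("VPN-Only names must not resolve on LAN resolvers")
    else:  # Internal and Management: private records on LAN/VPN resolvers
        private = [a for a in (svc.lan_answer, svc.vpn_answer) if a is not None]
        if not private:
            problems.append("no private record on LAN/VPN resolvers")
        for a in private:
            if not is_rfc1918(a):
                problems.append("%s is not an RFC1918 address" % a)
    return problems


if __name__ == "__main__":
    # Constructed sample: an Internal service whose name also has a public counterpart.
    app = Service("app.risu.tech", "Internal", "internal", {"sso"}, True,
                  public_answer="203.0.113.10", lan_answer="192.168.1.20", vpn_answer="192.168.1.20")
    print(check_service(app))
```

Feeding the checker with answers captured from each resolver class (for example with `dig @<resolver> app.risu.tech`) turns the DNS rules into a repeatable audit; a VPN-Only name that the LAN resolver also answers, or a Public name whose public record has drifted to a private address, shows up as a named violation rather than as a surprise in a browser.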
- Public Ingress MUST NOT route traffic to backends tagged as “Internal.”
- Internal Ingress MUST drop any traffic originating from outside the Home Network Boundary.
- No direct port-forwarding (NAT) to backend services is allowed. All traffic must pass through an Ingress controller.
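
The three ingress rules above, together with the Allowed Ingress / Allowed Source Networks table, amount to a routing decision that can be expressed as code. The following is an added example (not part of this document or the platform's ingress configuration) that decides whether an ingress class may forward a request from a given source address to a backend with a given category tag, and that scans a list of NAT port-forwards for any rule that bypasses the ingress controllers. It generalizes the first rule slightly, per the table, to "Public Ingress serves Public backends only". The prefixes for the LAN, admin LAN and VPN pool, and the ingress controller addresses, are assumptions constructed for the example; the document does not list the real ones.

```python
from ipaddress import ip_address, ip_network

# Constructed boundaries for the example; substitute the platform's real prefixes.
VPN_POOL = [ip_network("10.8.0.0/24")]            # addresses handed out to VPN clients
LAN = [ip_network("192.168.0.0/16")]              # home LAN
ADMIN_LAN = [ip_network("192.168.50.0/24")]       # admin VLAN inside the LAN
HOME_NETWORK = LAN + VPN_POOL                     # the Home Network Boundary
# Addresses of the ingress controllers behind the edge router (constructed).
INGRESS_ADDRS = {"192.168.1.2", "192.168.50.2"}


def in_any(addr, nets):
    ip = ip_address(addr)
    return any(ip in n for n in nets)


def admit(ingress, source_ip, backend_tag):
    """Decide whether an ingress class may forward a request from source_ip to a
    backend tagged backend_tag. Returns (allowed, reason)."""
    if ingress == "public":
        # Public Ingress serves Public backends only; it never reaches Internal,
        # VPN-Only or Management services regardless of where the request came from.
        if backend_tag != "Public":
            return False, "public ingress must not route to %s backends" % backend_tag
        return True, "ok"
    if ingress == "internal":
        # First gate: drop anything from outside the Home Network Boundary.
        if not in_any(source_ip, HOME_NETWORK):
            return False, "dropped: source is outside the home network boundary"
        if backend_tag == "VPN-Only" and not in_any(source_ip, VPN_POOL):
            return False, "VPN-Only backends accept VPN clients only"
        if backend_tag in ("Internal", "VPN-Only"):
            return True, "ok"
        return False, "%s backends are not served by the internal ingress" % backend_tag
    if ingress == "management":
        if backend_tag != "Management":
            return False, "management endpoints serve Management backends only"
        if not (in_any(source_ip, ADMIN_LAN) or in_any(source_ip, VPN_POOL)):
            return False, "management access is limited to the admin LAN and VPN"
        return True, "ok"
    return False, "unknown ingress class %r" % ingress


def forwarding_violations(forwards):
    """forwards: list of (external_port, target_ip, target_port) NAT rules, e.g. exported
    from the edge router. Any rule whose target is not an ingress controller is a direct
    port-forward to a backend, which the policy forbids."""
    return [f for f in forwards if f[1] not in INGRESS_ADDRS]


if __name__ == "__main__":
    print(admit("internal", "192.168.1.50", "VPN-Only"))
    # Constructed router export: the second rule forwards straight to an SSH host.
    print(forwarding_violations([(443, "192.168.1.2", 443), (2222, "192.168.1.40", 22)]))
```

`admit` is the check a routing-policy unit test would call against the ingress configuration before it is deployed; `forwarding_violations` is the check to run against the router's NAT table, since a forgotten port-forward to a backend silently reintroduces the exposure path the ingress controller was meant to own.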