Heroku's Private Spaces Brings New Levels of Security for Apps in the Cloud
Richard Harris, Enterprise, Monday, September 28, 2015
Heroku’s new Private Spaces, now in limited beta, is a new Heroku runtime that isolates applications and their data services at the network level in the cloud. Each Space is a network-isolated group of apps and data services with a dedicated runtime environment, provisioned in a specific geographic region. Private Spaces is powered by Heroku Dogwood, a new runtime architecture that augments the current Cedar runtime stack, and is being released as part of Salesforce’s new App Cloud.
A Heroku Private Space contains all of the elements of a Heroku app, including dynos and data services, deployed and run in network-isolated environments. This separates the “private” application, together with its associated data, from the “public” systems that keep it running.
Developers create and deploy apps in a Private Space just as they would on Heroku today: the Heroku Button, git push deployments, review apps, pipelines, seamless scaling, self-healing and the Elements ecosystem are all included.
Applications in a Private Space reside in an isolated virtual network, with access controlled at the network level rather than in application code. Space administrators choose which other networks the applications can be reached from. In the other direction, outbound traffic leaves through the Space’s built-in NAT gateway, so apps in a Private Space can be granted access to restricted services in other networks that protect themselves with IP whitelisting, by placing the gateway’s addresses on that whitelist.
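As an added illustration of the two network-level checks described above (inbound access from trusted networks, and outbound access through the NAT gateway to a service that whitelists IPs), the following is example code written for this article, not Heroku’s implementation. The CIDRs and NAT addresses are constructed from documentation ranges and the function names are hypothetical. The egress check goes one step beyond the text: a Space that has more than one NAT address must have every one of them whitelisted, or requests will fail intermittently depending on which address a connection leaves from.

```python
import ipaddress

# Constructed sample configuration (not from Heroku); all ranges are documentation addresses.
INBOUND_TRUSTED = ["203.0.113.0/24", "2001:db8::/32"]  # networks allowed to reach apps in the Space
SPACE_OUTBOUND_NAT_IPS = ["198.51.100.10", "198.51.100.11"]  # hypothetical NAT gateway egress addresses


def parse_networks(cidrs):
    """Parse CIDR strings into network objects; strict=False tolerates host bits set in the prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(source_ip, trusted_networks):
    """Inbound check: True only if source_ip falls inside one of the trusted networks.

    Unparseable input is denied rather than raising, so a malformed address can
    never slip through as "allowed". Version mismatches (v4 address vs v6 network)
    evaluate to False in ipaddress, so mixed lists are safe.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_networks)


def egress_allowlist_entries(nat_ips):
    """What the remote service must whitelist: each NAT egress address as a host route (/32 or /128)."""
    return [ipaddress.ip_network(ip) for ip in nat_ips]


def egress_fully_whitelisted(nat_ips, service_allowlist_cidrs):
    """Outbound check: every NAT egress address must be covered by the remote service's whitelist.

    Whitelisting only one of several NAT addresses is a classic misconfiguration:
    connections leaving via the other address are silently refused.
    """
    service_nets = parse_networks(service_allowlist_cidrs)
    return all(is_allowed(ip, service_nets) for ip in nat_ips)


if __name__ == "__main__":
    trusted = parse_networks(INBOUND_TRUSTED)
    for src in ["203.0.113.7", "198.51.100.5", "2001:db8::1", "not-an-ip"]:
        print(f"inbound {src!r:>14} -> {'allow' if is_allowed(src, trusted) else 'deny'}")
    print("remote service should whitelist:", [str(n) for n in egress_allowlist_entries(SPACE_OUTBOUND_NAT_IPS)])
    print("partial whitelist ok?", egress_fully_whitelisted(SPACE_OUTBOUND_NAT_IPS, ["198.51.100.10/32"]))
    print("covering whitelist ok?", egress_fully_whitelisted(SPACE_OUTBOUND_NAT_IPS, ["198.51.100.0/28"]))
```

The point of keeping the inbound decision in `is_allowed` with a deny-on-error path is that the network control, not the application, is the boundary; application code should never be in the position of guessing a caller’s address from headers it does not control.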
Dynos running in a Private Space are connected to a single private dyno network and can communicate with each other on any TCP or UDP port and protocol. For example, web dynos can share session state over a gossip protocol, and web and worker dynos can exchange traffic without going over the public Internet. Dynos from different applications can also talk to each other as long as they are in the same Private Space, which is useful for deploying a diagnostics application that consumes diagnostics streams from other applications’ dynos over the private network. The corollary for anyone drawing a threat model is that the isolation boundary is the Space, not the individual app: any dyno in a Space can reach any port on any other dyno in it, so applications that must not see each other’s traffic belong in separate Spaces.
Private Spaces also supports fine-grained access controls that can be delegated to the apps inside a Space, which lets organizations manage large application portfolios. The network controls separate responsibilities: administrators control network access, while developers keep maximum self-service deployment without compromising security.
Read more: https://www.heroku.com/private-spaces