NCS (Network Connectivity Service)

At the core of the Aether Platform lies NCS (Network Connectivity Service), our proprietary global service mesh (marketed as Secure Tunnel Fabric).

While generic Cloud IDE SaaS solutions are often trapped in “rigid network silos” with limited connectivity, NCS leverages Carrier-grade Logic to provide a borderless, high-velocity fabric. Instead of traditional “perimeter defense” models such as VPNs and firewalls, NCS adopts an “Identity-Based” Zero Trust model for secure connectivity.

Architectural Overview

NCS leverages eBPF (extended Berkeley Packet Filter) for data plane acceleration.

  • Kernel-Level Processing: By handling packets within the kernel rather than user space (sidecar proxies), we drastically reduce context switch overhead.
  • Sidecar-less: Eliminates the heavy sidecar containers required by traditional service meshes (like Istio), providing equivalent functionality with a fraction of the resource footprint.
graph TD
    User[Developer/User]

    subgraph Edge ["NCS Edge Node (Global)"]
        Filter[eBPF Packet Filter]
        Router[ID-Based Router]
    end

    subgraph Mesh ["Secure Mesh"]
        Workspace[Workspace Pod]
        Service["Internal Service (DB/API)"]
    end

    User -->|mTLS 1.3| Filter
    Filter --> Router
    Router -->|WireGuard| Workspace
    Router -->|WireGuard| Service

Key Capabilities

1. Identity-Based Routing

We do not trust IP addresses. NCS routes packets based on Cryptographic Identity (SPIFFE ID)—verifying “who the user is” and “what device they are on.”

  • Dynamic Access Control: Enforce policies like “Only members of Project A can access Database B” at the network packet level.
  • BYOIP (Bring Your Own IP): Because tenants are logically isolated, different customers can use overlapping IP ranges (e.g., 192.168.1.0/24) without conflict.
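
The following is an added example, not Aether's code: a default-deny access decision keyed on a SPIFFE ID, showing why two tenants reusing the same 192.168.1.0/24 address get different results. The ID layout (`/project/<project>/user/<user>`), the policy table, and all names are assumptions, and the SPIFFE ID is assumed to come from an already-verified peer certificate.

```python
import re
from typing import NamedTuple

# SPIFFE ID shape: spiffe://<trust-domain>/<path>; no port, userinfo, query or fragment.
_SPIFFE_ID = re.compile(r"spiffe://([a-z0-9._-]+)((?:/[A-Za-z0-9._-]+)*)")

class Peer(NamedTuple):
    spiffe_id: str  # taken from the peer's already-verified certificate (URI SAN)
    src_ip: str     # recorded for logging only; never used in the decision

def parse_spiffe_id(uri: str) -> tuple[str, list[str]]:
    """Return (trust_domain, path_segments); raise ValueError if malformed."""
    m = _SPIFFE_ID.fullmatch(uri)
    if m is None:
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    segments = m.group(2).split("/")[1:]
    if any(s in (".", "..") for s in segments):
        raise ValueError(f"dot segment in SPIFFE ID: {uri!r}")
    return m.group(1), segments

# Assumed caller ID layout: spiffe://<tenant>/project/<project>/user/<user>
# Policy (constructed): destination ID -> set of (tenant, project) allowed to reach it.
POLICY = {
    "spiffe://tenant-a.example/service/database-b": {("tenant-a.example", "project-a")},
}

def authorize(peer: Peer, dest_id: str) -> bool:
    """Default-deny decision keyed on identity; peer.src_ip is ignored."""
    try:
        tenant, seg = parse_spiffe_id(peer.spiffe_id)
    except ValueError:
        return False
    if len(seg) != 4 or seg[0] != "project" or seg[2] != "user":
        return False
    return (tenant, seg[1]) in POLICY.get(dest_id, set())

DB_B = "spiffe://tenant-a.example/service/database-b"
# Constructed peers: two tenants reuse the same 192.168.1.0/24 address.
ALICE = Peer("spiffe://tenant-a.example/project/project-a/user/alice", "192.168.1.10")
BOB = Peer("spiffe://tenant-b.example/project/project-a/user/bob", "192.168.1.10")
CAROL = Peer("spiffe://tenant-a.example/project/project-b/user/carol", "192.168.1.11")
MALFORMED = Peer("spiffe://tenant-a.example/project/../project-a/user/x", "192.168.1.10")

if __name__ == "__main__":
    for p in (ALICE, BOB, CAROL, MALFORMED):
        print(p.spiffe_id, p.src_ip, "ALLOW" if authorize(p, DB_B) else "DENY")
```

Alice and Bob share a source IP, yet only Alice is allowed, because the decision depends on the tenant and project in the identity rather than the address.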

2. World-Class Overlay Performance

NCS is not just a security layer; it is a performance accelerator.

  • mTLS 1.3 Hardware Offload: Optimizes encryption processing to deliver connectivity with lower latency than traditional VPNs.
  • Smart Routing: Connections enter via the Edge Node closest to the user and traverse Aether’s backbone network via the shortest path to the workspace.

3. “No-Open-Port” Policy

Workspaces on Aether do not expose open ports to the public internet. Connections are either established outbound via NCS or reached only through authenticated tunnels. This minimizes the attack surface to near zero.

4. Cross-Tenant Connection

Securely interconnect independent tenants across different organizations or projects. Establish secure access to shared APIs or databases with a simple procedure.

Learn more: Cross-Tenant Connection

Comparison to Traditional VPNs

| | Legacy VPN / Bastion | NCS (Zero Trust) |
|---|---|---|
| Granularity | Network Perimeter | Identity (User/App) Level |
| Access Control | IP-based (Fragile) | Cryptographic Identity |
| Performance | Often a bottleneck | eBPF Kernel Speed |
| Operations | Manual Key/Cert Mgmt | Transparent & Automated |

Deep Defense Capabilities

NCS inspects not just connectivity, but content integrity.

DNS Filtering & Threat Blocking

Blocks access to malicious domains and C2 servers at the DNS level. Threat lists are updated automatically to prevent data exfiltration.

Intelligent Caching (SSL Bump)

NCS transparently inspects and caches traffic.

  • SSL Bump: Temporarily decrypts traffic to perform real-time virus scanning within the stream.
  • Acceleration: Dramatically speeds up package downloads (like pip install or npm install) by serving them from an internal organization-wide cache.