Cross-Tenant Connection

Aether Platform allows for secure network interconnection between different organizational or project tenants. This enables a workspace in one tenant to securely access a shared API or database provided by another tenant.

How it Works

Cross-tenant connections are established based on the Peer-to-Peer trust relationship of the NCS (Network Connectivity Service). A connection always involves an “Invitation” step from one tenant and an “Acceptance” step from the other.

Connection Procedure

Step 1: Issue a Connection Secret (Provider Tenant)

First, the administrator of the tenant providing the resource issues a one-time connection secret.

  1. Log in to the Admin Console and select “NCS Networking” -> “Cross-Tenant Connections.”
  2. Click “Create Connection Secret.”
  3. Set the expiration time (default 24 hours) and generate the secret.

[!WARNING] The secret carries significant permissions. Share it only with trusted parties via secure channels (e.g., private messages).

Step 2: Submit a Connection Request (Consumer Tenant)

The administrator of the tenant consuming the resource uses the received secret to establish the connection.

  1. In the Admin Console, go to “Cross-Tenant Connections” and select “Connect to External Tenant.”
  2. Enter the shared secret and click “Connect.”
  3. Once the connection is established, the remote Tenant ID and status will appear as “Active.”

Step 3: Configure Security Policies

Establishing a connection does not automatically permit traffic. You must explicitly allow it using an NCS security policy.

# Example NCS Policy in the Consumer Tenant
kind: NCSPolicy
metadata:
  name: allow-external-api
spec:
  source:
    workspaceLabel: project-a-ide
  destination:
    tenantID: "tenant-xyz-123" # The remote Tenant ID
    serviceName: "global-inventory-api"
  action: allow

DNS Resolution

Services in a connected tenant can be accessed using a special domain format:

  • Format: <service-name>.<tenant-id>.aether.internal
  • Example: http://inventory-api.tenant-xyz.aether.internal:8080
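
A pre-deployment check that ties this DNS format to the policies from Step 3, as an added example (not Aether Platform code): it parses `<service-name>.<tenant-id>.aether.internal` hostnames out of a workspace's configured URLs and lists those that no allow policy covers. The function names, the sample URLs, the assumption that service name and tenant ID are each a single DNS label, and exact-match policy semantics are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

SUFFIX = ".aether.internal"  # suffix from the DNS format described above
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label

def parse_cross_tenant_host(host):
    """Return (service, tenant_id) for <service-name>.<tenant-id>.aether.internal, else None."""
    host = host.lower().rstrip(".")
    if not host.endswith(SUFFIX):
        return None
    labels = host[: -len(SUFFIX)].split(".")
    # Assumption: service name and tenant ID are each exactly one DNS label.
    if len(labels) != 2 or not all(LABEL.match(label) for label in labels):
        return None
    return labels[0], labels[1]

def uncovered_endpoints(urls, policies, workspace_label):
    """Cross-tenant URLs with no exactly matching 'allow' policy for this workspace."""
    allowed = {
        (p["spec"]["destination"]["serviceName"], p["spec"]["destination"]["tenantID"])
        for p in policies
        if p.get("kind") == "NCSPolicy" and p["spec"].get("action") == "allow"
        and p["spec"]["source"].get("workspaceLabel") == workspace_label
    }
    findings = []
    for url in urls:
        parsed = parse_cross_tenant_host(urlsplit(url).hostname or "")
        if parsed is not None and parsed not in allowed:
            findings.append(url)
    return findings

# Constructed sample data; the policy mirrors the example policy on this page.
POLICIES = [{
    "kind": "NCSPolicy",
    "spec": {
        "source": {"workspaceLabel": "project-a-ide"},
        "destination": {"tenantID": "tenant-xyz-123", "serviceName": "global-inventory-api"},
        "action": "allow",
    },
}]
URLS = [
    "http://global-inventory-api.tenant-xyz-123.aether.internal:8080/items",
    "http://billing-db.tenant-xyz-123.aether.internal:5432",
    "https://example.com/health",
]

if __name__ == "__main__":
    print(uncovered_endpoints(URLS, POLICIES, "project-a-ide"))
```

Endpoints it reports would be blocked at runtime because a connection alone does not permit traffic; each one either needs an explicit policy or should be removed from the workspace configuration.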

Features and Benefits

  • Complete Isolation: Even when connected, only authorized packets can pass through. Strict L4/L7 filtering is applied.
  • Overlapping IP Support: NCS transparently routes traffic between tenants using the same private IP space without requiring complex manual NAT configurations.
  • Centralized Management: Easily monitor which tenants are connected and track traffic volume directly from the portal.