Superblocks On-Prem Agent: The ultimate architecture for data security and developer velocity

The Superblocks Team

Multiple authors

March 8, 2023

10 min Read


Internal applications, workflows, and jobs read and write to production databases and APIs, accessing your most sensitive data. In regulated industries such as finance, healthcare, insurance, aerospace, and government it can be challenging to quickly build internal tooling while also meeting stringent data security and compliance requirements.

When deciding whether to DIY or build using Superblocks to accelerate developer time, 3 groups have requirements to satisfy:

  • Application Developers want easy deployment along with the latest tooling available to aid in their development
  • Security teams want to ensure customer data stays inside their VPC
  • DevOps teams want minimal deployment and maintenance overhead

This is where the Superblocks On-Premise Agent comes in. The on-prem agent architecture allows customers to take advantage of Superblocks Cloud, “the control plane,” for authentication, permissions, and application definitions, while the on-prem agent executes code and queries, “the data plane,” from inside the customer’s private network or VPC.

In this post, we'll cover the key benefits across data security, ease of deployment, an always-up-to-date platform, open source code auditability, developer extensibility, and more.

A false dichotomy: Cloud vs On-Premise

In the market today, internal tooling vendors typically offer either a Cloud or On-Premise deployment option, sometimes both. Let’s dive into each to understand the trade-offs for background before we dig into the on-prem agent benefits in more detail.


You have zero-management experience and a platform that is always up-to-date, offloading reliability and scalability to the vendor. This is how Superblocks Cloud works. Though for security teams in high-compliance industries, exposure of customer data outside of their VPC is a requirement that cannot be met.

Legacy on-premise installation

Similar to software from the ‘90s, this option secures customer data within your network,  but comes with a large burden of overhead and costs, including exorbitant vendor platform fees, training and maintenance costs, scheduled downtime for upgrades, and vendor database migrations. As a result of these high deployment and maintenance costs, upgrades are often deprioritized by DevOps teams, so on-prem software can become months or years out-of-date. In the end, developers miss out on the latest improvements, bug-fixes, and features that they are using the software for in the first place.

As you can see, the Cloud Managed option is superior in almost every decision criteria, except for when there is a data security requirement to keep all customer data in-network or VPC. Those customers were forced onto an expensive on-prem installation to adopt an internal tooling platform, until now.

The best of both worlds: Superblocks On-Prem Agent

The Superblocks On-Prem Agent is architected to take advantage of the benefits of modern cloud software with the security benefits offered by on-prem software. By decoupling the control plane in the cloud and data plane within your private network or VPC, customers can achieve the security benefits they desire, without inheriting the full set of on-prem software drawbacks.

Customer Benefits across Developers, Security, and DevOps Teams

#1 Customer data never leaves your network or VPC

With data plane operations handled by the on-prem agent, like querying databases and code execution, your data never leaves your private network. You control network rules and can restrict access to only in-network browsers or servers. Requests are made to the agent via HTTPS and TLS 1.3 so data is always encrypted in transit. And since the agent executes APIs server-side, you control what data is returned to the browser, eliminating the opportunity for unauthorized access to data used between API steps by ensuring the only data returned is the data needed for display.

#2 Always up-to-date Superblocks platform

Get access to the latest features in the Superblocks platform in the cloud without upgrading in order to access the latest Superblocks Editor and Admin features where every new component, platform feature, security update, and bugfix is instantly available. This minimizes the need to upgrade your on-prem agent as the surface area is small in comparison.

#3 Fast deployment, scalability, and zero-downtime upgrades

Superblocks On-Prem Agents run as stateless Docker containers enabling you to:

  • Deploy in minutes using the Terraform module or Helm chart and easily manage future deployments using infrastructure-as-code
  • Achieve high availability by horizontally scaling the agent with automatic load balancing across agents and take advantage of auto-scaling via an exposed metric interface
  • Vertically scale the agent if required for an intensive use case to allocate additional CPU or memory

#4 Auditable by security teams

The Superblocks Agent is open-source and available on GitHub, unlike most software that is installed as binary that is closed source. This offers an added layer of security, letting your Security team audit the agent’s dependencies and source code at any time. You can use your own vulnerability scanning tools on the agent. If a vulnerability is found, the community can report and even open a PR and Superblocks will merge in a patch immediately.

#5 Infinitely extensible

Since the agent is open-source, it is designed to be highly customizable. Some examples of extensions you can add to your agent include:

  • Running sidecar services to handle custom authentication
  • Adding security middleware to intercept requests to meet custom rules
  • Customizing the agent image to import custom packages from your registry
  • Create custom plugins to integrate with legacy databases or proprietary services

Data flow for a deployed application

To illustrate data flow, imagine deploying an application on Superblocks for your Support team to fetch customer data to display in a table in the user interface. Starting from the Support User opening the application URL:

User Authentication, RBAC, and loading the user interface

  • A Support user logged into the VPN accesses the app URL and logs into Superblocks by successfully authenticating via username/password or via SSO from your Identity Provider
  • Superblocks Cloud checks if the user has the appropriate permissions (RBAC) to use the application and blocks access if they do not
  • The Support user’s browser securely retrieves the application definition from the closest cache on the Superblocks Global Edge Network to render the user interface with minimal latency

Executing APIs in-network via On-Premise Agent

  • The browser makes a separate secure request to the On-Prem Agents inside of your network to execute an API
  • The Agent securely retrieves the API definition from the closest cache on the Global Superblocks Edge Network
  • The Agent executes the API inside your private network querying your databases or internal APIs and sends the data directly to the browser

Telemetry for Monitoring and Debugging

  • The On-Premise Agent forwards telemetry such as Audit Logs, Observability, and Billing Metrics to Superblocks Cloud where you can enable forwarding to a 3rd party observability solution such as Datadog, New Relic, or Splunk

Get Started with the Superblocks On-Prem Agent

Want to save 100s of engineering hours off your internal tooling roadmap while keeping your data secure?

Getting started with the Superblocks On-Premise Agent takes minutes. Deploy an agent today using the Superblocks Agent Terraform module for ECS and Google Cloud Run, or deploy to Kubernetes using Helm.

To learn more about deploying the agent, head to the Superblocks On-Prem Agent docs or get started today with a free 14-day trial.

Stay tuned for updates

Get the latest Superblocks news and internal tooling market insights.

You've successfully signed up
The Superblocks Team

Multiple authors

Dec 13, 2023