Mendix for Private Cloud

What is Mendix for Private Cloud?

Mendix for Private Cloud provides Mendix’s ‘LowOps’ 1-click deployment experience for your own Kubernetes-based (virtual) private cloud. This allows Mendix development teams to manage the application lifecycle, while still having control of the application data in a private cloud environment.

Mendix for Private Cloud is based on the Kubernetes native operator framework. It is responsible for the provisioning, building, deployment, and scaling of Mendix applications on a Kubernetes-based private cloud environment.

Why Does Mendix for Private Cloud Exist?

Mendix for Private Cloud allows you to run your app and store Mendix app data in a specific region or on a private network. This means you can comply with commercial or regulatory requirements for location and security of your data. Mendix for Private Cloud does this by allowing you to deploy and manage your Mendix apps in a Kubernetes-based private cloud which you set up and control.

How Does Mendix for Private Cloud Fit in the App Lifecycle?

The development of a Mendix app typically goes through five stages, which are then repeated to improve the app:

  • Ideation (or requirements gathering and design) is supported by the collaboration features of the Developer Portal
  • Development and testing are performed using Studio and Studio Pro
  • Deployment is supported by Mendix to your chosen cloud target, where your app runs and the data supporting the app is generated and consumed. Your operation experience depends on the cloud target you have chosen

Mendix for Private Cloud is one of the options which support the Deploy and Operate phases of the app lifecycle.

How Does Mendix Control Deployment to the Private Cloud?

Mendix controls deployment to a private cloud using the Mendix Operator. This tells your app how to use the services you have set up in your Kubernetes-based cluster.

You install the necessary Mendix for Private Cloud components using the Operator Configuration tool, which also configures or re-configures which services your app uses.

The Mendix Operator is a separate, licensed piece of software in addition to the license(s) you require for your Mendix app.

Does My Deployment Need to be Connected to the Internet?

By default, you can control your deployments on Mendix for Private Cloud by securely connecting your Kubernetes-based cluster to the Mendix Developer Portal. This gives the most complete Mendix experience and is known as Connected Mode.

You can also transfer all the resources you need to a cluster which is not connected to the internet (air-gapped). In this Standalone Mode, Mendix will help you by generating the commands you need to set up your environments and perform your deployments.

How is Access Controlled?

Access to perform actions directly on your Private Cloud cluster is completely under your control through the credentials required to access your Kubernetes-based cluster.

Access to manage Mendix for Private Cloud clusters, namespaces, environments, and deployments within the Developer Portal is controlled by applying roles to users of the Developer Portal.

There are three standard roles:

  • Cluster Manager – which has access to manage Mendix for Private Cloud’s use of an entire cluster
  • Cluster Administrator – who can create, delete, and manage individual app environments within the cluster
  • Developer – who can manage an existing app environment to which they have access

You can also give users custom roles within Mendix for Private Cloud.

Access to the app itself is controlled by the standard Mendix Developer Portal roles described in Platform Security.
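The first kind of access above, direct actions on the cluster, is enforced by Kubernetes itself rather than by the Developer Portal. The following manifest is an added example (not from the Mendix documentation or the Mendix Operator) of a least-privilege Kubernetes RBAC setup for one app environment: developers in an identity-provider group get read-only access to the running app and its logs, and nothing else in the namespace. The namespace name mendix-app-prod, the group name app-developers and the Role name are assumptions for illustration.

```yaml
# Added example: namespace-scoped, read-only access for developers of one environment.
# All names below are assumed for illustration.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mendix-env-viewer
  namespace: mendix-app-prod            # assumed namespace holding one app environment
rules:
  # Read-only view of the running app and its logs
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  # Secrets are deliberately NOT listed: database, storage and registry credentials
  # stay readable only by the Operator's own service account. If you also want
  # developers to view the Operator's custom resources, add their API group here
  # after confirming it from the CRDs installed in your cluster (kubectl get crd).
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-developers-view
  namespace: mendix-app-prod
subjects:
  - kind: Group
    name: app-developers                # assumed group name from your identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: mendix-env-viewer
  apiGroup: rbac.authorization.k8s.io
```

After applying it, check the boundary rather than trusting the manifest: `kubectl auth can-i get secrets -n mendix-app-prod --as alice --as-group app-developers` should answer `no`, while the same query for `pods/log` should answer `yes`. Because the Role is namespace-scoped, a developer of one environment cannot read the pods, logs or secrets of another environment in the same cluster.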

What Do I Need to Provide?

Because Mendix for Private Cloud is running on your own Kubernetes-based private cloud, you need to set up resources in this cloud to support your app.

Mendix provides you with the following:

  • Mendix for Private Cloud setup
  • The Mendix Operator to control how your app uses the services in the cluster

And, in addition, for connected mode:

  • Online platform services in the Developer Portal
  • The Mendix Gateway Agent, to connect the Mendix Operator to the Developer Portal

Support for setting up your resources is not included in your Mendix license, but Mendix can help you on a consultancy basis.

A Kubernetes-based Cluster

Kubernetes is the environment in which the apps need to run.

Data Storage

You need to provide a database server and file storage where your Mendix app will store its persistent data.

Networking

Since Mendix apps are web-based you need to configure the network to allow access to the application. Mendix for Private Cloud will leverage the existing network configuration.

Monitoring and Logging

You can connect your own monitoring and logging solution to Mendix for Private Cloud.

Registry

Kubernetes is a container-based runtime platform, so you need to provide an image registry to store the application images which the Mendix Operator will deploy to the Kubernetes-based environments.

How is My Data Secured?

Data security is very important to you, and to Mendix. Mendix for Private Cloud uses the following techniques to keep your data secured.

Cluster Secrets

Mendix does not have access to secrets in the cluster. They are managed by the customer.

Data Security at Rest

Your data is secured where it is stored:

  • You can encrypt all the data in your Kubernetes-based containers
  • You can encrypt your persistent data using features built in to the file and database storage options
  • If you are using Connected Mode, Mendix holds on its servers only the data which facilitates collaboration and the development of your application; it does not hold any data used by the application itself

If you need to encrypt data within your app you can do this by, for example, using a Mendix encryption module.
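One concrete piece of the at-rest picture that is in your hands, because the cluster secrets are managed by you and not by Mendix, is how Kubernetes itself stores those secrets in etcd. By default a Kubernetes Secret is stored base64-encoded but unencrypted. The following is an added example (not from the Mendix documentation) of the standard Kubernetes EncryptionConfiguration that makes the API server encrypt Secret objects before writing them to etcd. It applies to clusters where you control the kube-apiserver flags; managed Kubernetes services expose the same capability through their own settings. The key value is a placeholder you must generate.

```yaml
# Added example: encrypt Kubernetes Secrets at rest in etcd.
# Pass this file to the API server with --encryption-provider-config=<path>.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets                      # the database, storage and registry credentials live here
    providers:
      # The first provider is used for writes; every listed provider can read.
      - aescbc:
          keys:
            - name: key1
              # PLACEHOLDER: a base64-encoded 32-byte random key, e.g. generated with
              #   head -c 32 /dev/urandom | base64
              # Keep this file readable only by the API server process.
              secret: <BASE64_32_BYTE_KEY>
      # identity (plaintext) stays last so Secrets written before encryption was
      # enabled remain readable until they have been rewritten.
      - identity: {}
```

Enabling the configuration only affects new writes, so existing Secrets must be rewritten once with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; afterwards a direct read of a Secret from etcd shows the `k8s:enc:aescbc:v1:key1:` prefix instead of the plaintext. If your platform offers a KMS-backed provider, prefer it over a static key in a file, since the key then never sits on the control-plane node.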

Data Security in Flight

Your data is also secured as it moves from one place to another:

  • You can set up secure network communication between your cluster and the end-users
  • Communication with data storage stays within your network
  • Communication with the database can be encrypted
  • You can encrypt communication within your cluster between the internet connection and your app
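Two of the points above, secure communication with end-users and keeping storage traffic inside your network, map directly onto standard Kubernetes objects. The following manifests are an added example (not from the Mendix documentation or the Operator's own configuration): an Ingress that terminates TLS with a certificate you manage, and a NetworkPolicy that only lets the ingress controller reach the app and only lets the app reach the database subnet and cluster DNS. The namespace, hostname, pod label app: my-mendix-app, container port 8080, the ingress controller namespace ingress-nginx and the database CIDR 10.20.0.0/24 are all assumptions for illustration; substitute the values of your own cluster.

```yaml
# Added example: TLS at the edge plus a default-deny style NetworkPolicy for one app.
# All names, labels, ports and the CIDR are assumed for illustration.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-mendix-app
  namespace: mendix-app-prod
spec:
  tls:
    - hosts: ["app.example.internal"]       # assumed hostname
      secretName: my-mendix-app-tls         # kubernetes.io/tls Secret that you create and rotate
  rules:
    - host: app.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-mendix-app         # assumed Service in front of the app pods
                port:
                  number: 8080              # assumed container port
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-mendix-app-restrict
  namespace: mendix-app-prod
spec:
  podSelector:
    matchLabels:
      app: my-mendix-app                    # assumed label on the app pods
  policyTypes: ["Ingress", "Egress"]
  ingress:
    # Only the ingress controller may connect to the app, and only on the app port.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Database traffic may only go to the private subnet where the server lives.
    - to:
        - ipBlock:
            cidr: 10.20.0.0/24              # assumed database subnet inside your network
      ports:
        - protocol: TCP
          port: 5432                        # PostgreSQL; adjust for your database
    # Cluster DNS is still needed to resolve the database and storage hostnames.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

A NetworkPolicy is only enforced if the cluster's network plugin supports it, so verify the effect from inside another pod in the namespace (for example by attempting a connection to the app port, which should time out) rather than assuming it from the manifest. If your file storage is reached over a different port or subnet, add a matching egress rule; traffic not matched by any rule is dropped once `Egress` is listed in policyTypes. Encryption of the database connection itself is configured on the database side and in the connection settings you store in the database credentials Secret, which stays under your control.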