Network security
The Swiss AI Hub uses defense-in-depth network security. Multiple independent layers protect the platform, its data, and its users.
All internal services (Swiss AI Hub API, Web UI, LiteLLM Proxy, databases) run in isolated Docker containers on private networks. The Traefik reverse proxy is the only component accessible from the internet, accepting public traffic on ports 80 and 443.
Traefik routes requests to the correct internal service. Backend services remain isolated and never get exposed directly to the public internet.
Internet
↓
[Firewall/NSG]
↓ (ports 80, 443)
[VM Public IP]
↓
[Traefik Reverse Proxy]
↓
[Docker Internal Network]
├── Swiss AI Hub API
├── Web UI
├── LiteLLM Proxy
├── Database Services
└── Background Workers
↓
(Outbound to External Services)
├── LLM Providers (Swiss LLM Cloud, or local vLLM for GPU deployments)
├── Authentication (Microsoft Entra ID, Azure AD)
├── Jina AI (Web Search & Embeddings)
└── Customer APIs (SharePoint, Confluence, Custom REST APIs)
Security layers
Security applies at every stage of a request, from network edge to application logic.
Network firewall (NSG)
The Network Security Group (NSG) or firewall enforces a default deny policy. Only ports 80 (HTTP) and 443 (HTTPS) are accessible from the public internet. All other ports are blocked. You can restrict administrative access like SSH to specific trusted IP ranges.
Reverse proxy (Traefik)
Traefik serves as the single entry point and secures all incoming connections. It terminates TLS (requiring HTTPS with TLS 1.2+), automatically provisions and renews certificates via Let's Encrypt, and injects security headers like HSTS and X-Frame-Options. Rate limiting protects backend services from brute-force and simple DoS attacks.
Authentication (IAM)
Azure AD OAuth2 handles user authentication, integrating with corporate identity. This enables Role-Based Access Control (RBAC) for fine-grained permissions. API keys authenticate service-to-service communication. Session management with configurable timeouts protects user sessions.
Container isolation
Application services run as non-root users in isolated Docker containers with minimal privileges. Container networking rules prevent direct communication between unrelated services. Resource limits mitigate resource exhaustion attacks. Images get updated regularly with security patches.
Network segmentation
The platform uses five isolated Docker networks (proxy, backend, data, storage, egress) to enforce the principle of least privilege at the network layer. Services are assigned only to the networks they require:
- Internal networks (backend, data, storage) have no external internet access
- Egress network allows outbound internet access only, with Inter-Container Communication (ICC) disabled
- Services needing to browse external websites (e.g., playwright) use the egress network without exposing ingress
See Network Isolation for detailed network topology and service assignments.
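One way to check these segmentation rules on a running host, as an added example that is not part of the Swiss AI Hub's own code: the function below audits the JSON printed by `docker network inspect`. It assumes the Docker networks carry exactly the five names listed above, without a Compose project prefix, and the sample input is constructed.

```python
import json

# Policy taken from the page: five networks, three of them internal, egress with ICC off.
EXPECTED = {"proxy", "backend", "data", "storage", "egress"}
INTERNAL_ONLY = {"backend", "data", "storage"}
ICC_OPTION = "com.docker.network.bridge.enable_icc"  # Docker bridge driver option


def audit_networks(inspect_json: str) -> list[str]:
    """Return the policy violations found in `docker network inspect` output."""
    networks = {n["Name"]: n for n in json.loads(inspect_json)}
    findings = []
    for name in sorted(EXPECTED - networks.keys()):
        findings.append(f"{name}: network missing")
    for name in sorted(INTERNAL_ONLY & networks.keys()):
        if not networks[name].get("Internal", False):
            findings.append(f"{name}: not internal, containers can reach the internet")
    egress = networks.get("egress")
    if egress is not None:
        if egress.get("Internal", False):
            findings.append("egress: marked internal, outbound access will not work")
        # Docker leaves ICC enabled unless the option is explicitly set to "false".
        options = egress.get("Options") or {}
        if options.get(ICC_OPTION, "true").lower() != "false":
            findings.append("egress: inter-container communication (ICC) is enabled")
    return findings


# Constructed sample: storage was created without the internal flag,
# and egress was created without disabling ICC.
SAMPLE = json.dumps([
    {"Name": "proxy", "Internal": False, "Options": {}},
    {"Name": "backend", "Internal": True, "Options": {}},
    {"Name": "data", "Internal": True, "Options": {}},
    {"Name": "storage", "Internal": False, "Options": {}},
    {"Name": "egress", "Internal": False, "Options": None},
])

if __name__ == "__main__":
    for finding in audit_networks(SAMPLE):
        print("FAIL", finding)
```

On a host, pass it the output of `docker network inspect proxy backend data storage egress`; an empty list means the network-level rules above hold.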
Data protection
Presidio automatically detects and anonymizes Personally Identifiable Information (PII) in LLM requests. AI-powered sensitive information guards scan responses before delivery to users. An audit trail logs all data access and processing.
Related documentation
- Network isolation - Docker network zones and service assignments
- Network requirements - Firewall rules and connectivity
- Deployment options - Architecture and hosting strategies
- Container security - Container isolation and hardening
- Authentication - Authentication mechanisms
- Input validation - Input sanitization and validation
- Infrastructure layers - Infrastructure component overview
