Architecture
VirtualMetric DataStream is architected with enterprise security and data sovereignty as core principles. Unlike traditional solutions that require sending sensitive data to third-party cloud platforms for processing, DataStream keeps all your critical data within your environment while providing centralized management and visibility through a secure cloud control plane.
Security-First Architecture
DataStream separates data plane and control plane operations to ensure that sensitive security data never leaves the customer environment. This separation is the foundation for data sovereignty, regulatory compliance, and minimal attack surface.
Data Plane vs Control Plane Separation
DataStream employs a strict separation between data plane and control plane operations, ensuring your sensitive security data never leaves your environment.
The control plane runs as a multi-tenant SaaS platform on VirtualMetric Cloud. It handles centralized management tasks: pipeline configuration and deployment, fleet management across all Directors and Agents, real-time statistics with monitoring and alerting, and Role-Based Access Control (RBAC) for team collaboration. Critically, the control plane performs zero data processing and stores no customer logs.
The data plane operates entirely within the customer environment. All data processing occurs within customer-controlled infrastructure, where Director processes, transforms, and routes data locally. Agents collect data and communicate directly with the local Director, with no customer data ever transmitted to VirtualMetric Cloud. This guarantees complete data sovereignty and compliance control.
How This Architecture Addresses Enterprise Security Concerns
This architecture addresses critical enterprise security concerns across five dimensions.
All sensitive log data remains within your infrastructure, ensuring compliance with data residency requirements, industry regulations (GDPR, HIPAA, SOX), and corporate data governance policies. This data sovereignty guarantee is inherent in the architecture rather than a policy overlay.
The attack surface is minimal because only a single outbound HTTPS connection is required from Director to VirtualMetric Cloud for management. No inbound connections are needed, and Agents communicate exclusively with the local Director infrastructure.
Raw log data is never transmitted to external vendors, which eliminates the risk of data breaches during transit and maintains complete control over sensitive security information. Because data is processed locally before routing to destinations, unnecessary raw data transmission is eliminated, and intelligent compression and filtering capabilities further optimize bandwidth usage.
Network security is simplified through reduced firewall complexity with minimal external connections. There is no need to open firewall access from cloud to local systems, resulting in straightforward network security management.
Deployment Architecture
DataStream supports multiple deployment configurations to accommodate different enterprise requirements, from fully managed cloud environments to air-gapped on-premises installations.
VirtualMetric Cloud (Multi-Tenant)
The centralized management platform provides a web-based console for pipeline configuration and monitoring. It delivers real-time performance metrics, data flow visualization, and operational insights. Granular access controls with audit logging and secure authentication protect the management layer, while centralized deployment and configuration management extends across distributed environments.
Customer Environment Options
VirtualMetric Director can be deployed in multiple configurations to meet diverse enterprise requirements. These range from high-availability clusters to flexible single-node deployments across on-premises, cloud, and hybrid environments.
Clustered Director (High Availability)
A clustered deployment distributes the processing load across multiple Director instances with automatic failover to ensure continuous operation during maintenance or failures. This configuration handles enterprise-scale data volumes through horizontal scaling, and pipeline configurations are synchronized across all cluster nodes.
Flexible Deployment Models
An on-premises deployment runs Director on physical servers or virtual machines within customer data centers. This option provides complete isolation from external networks when required and integrates with existing infrastructure and security controls.
A cloud deployment places Director within customer-owned Azure, AWS, or other cloud environments. Data sovereignty is maintained within the customer's cloud tenants, and cloud-native services can be leveraged while preserving security isolation.
A hybrid deployment runs Directors in both on-premises and cloud environments, unified through a single control plane. Data routing can be configured flexibly based on location and requirements.
Container and Serverless Support
DataStream also supports containerized and serverless deployment models for environments that require lightweight, elastic infrastructure.
Director is available as a Docker container for portable deployment across environments. This simplifies installation and maintenance, supports container orchestration platforms (Kubernetes, Docker Swarm), and provides a consistent runtime environment across platforms.
For Azure environments, the Director Proxy runs as an Azure Function for secure data forwarding. It scales automatically based on data volume and offers pay-per-use cost optimization.
Network Communication
DataStream is designed around minimal network requirements, with all connections initiated outbound from the customer environment. This eliminates the need for inbound firewall rules and simplifies network security management.
Outbound and Internal Communication Paths
Director connects to VirtualMetric Cloud over a single outbound HTTPS connection on port 443. This connection handles control plane synchronization and configuration updates, statistics reporting and health monitoring, and secure token-based authentication.
Within the customer environment, Agents communicate directly with the local Director over internal HTTPS. Agents require no external connectivity whatsoever. Data transmission remains within the customer environment, and firewall configuration is straightforward since only internal traffic is involved.
Zero Inbound Connectivity
DataStream requires no inbound connections from external networks. This eliminates the need for firewall rules granting external access to internal systems, reduces exposure to external threats, simplifies compliance and security auditing, and strengthens the overall network security posture.
Because Director initiates all outbound connections, no firewall rules are required to allow external traffic into the customer network.
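The network model above (Agents reach Director only over internal HTTPS, Director makes a single outbound HTTPS/443 connection to the control plane, nothing inbound from outside) can be checked against a host firewall policy. The following audit is an added example, not VirtualMetric code; the Agent subnet, the control-plane hostname, the Agent-to-Director port and the sample rules are all constructed placeholders, and egress to configured pipeline destinations is passed in explicitly because the page says Director routes data to destinations itself.

```python
import ipaddress
from dataclasses import dataclass

# Every value below is an assumption for this example, not taken from the page.
AGENT_SUBNET = ipaddress.ip_network("10.20.0.0/16")   # constructed internal Agent subnet
CONTROL_PLANE = ("cloud.virtualmetric.example", 443)   # placeholder control-plane endpoint
DIRECTOR_PORT = 443                                    # assumed Agent->Director HTTPS port

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (to the Director host) or "out" (from the Director host)
    action: str     # "allow" or "deny"
    peer: str       # remote CIDR for inbound; hostname or address for outbound
    port: int

def audit_director_rules(rules, destinations=()):
    """Return findings for allow-rules that break the model: inbound only from Agents on
    the internal subnet to the Director port; outbound only HTTPS/443 to the control plane
    plus the (host, port) pipeline destinations Director itself routes data to."""
    allowed_egress = {CONTROL_PLANE, *destinations}
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never widen exposure
        if r.direction == "in":
            try:
                src = ipaddress.ip_network(r.peer, strict=False)
            except ValueError:
                findings.append(f"inbound allow from unparseable peer {r.peer!r}")
                continue
            bad_src = src.version != AGENT_SUBNET.version or not src.subnet_of(AGENT_SUBNET)
            if bad_src or r.port != DIRECTOR_PORT:
                findings.append(f"inbound allow {r.peer}:{r.port} is not the Agent->Director path")
        elif r.direction == "out" and (r.peer, r.port) not in allowed_egress:
            findings.append(f"outbound allow {r.peer}:{r.port} is not control plane or a destination")
    return findings

# Constructed sample ruleset for one Director host (not from any real deployment).
SAMPLE_RULES = [
    Rule("in", "allow", "10.20.0.0/16", 443),                  # Agents -> Director: expected
    Rule("in", "allow", "0.0.0.0/0", 22),                      # SSH open to the world: violation
    Rule("out", "allow", "cloud.virtualmetric.example", 443),  # control plane: expected
    Rule("out", "allow", "siem.corp.example", 6514),           # configured destination: expected
    Rule("out", "allow", "203.0.113.10", 80),                  # unexplained egress: violation
    Rule("in", "deny", "0.0.0.0/0", 0),                        # default deny: ignored
]

def audit_sample():
    return audit_director_rules(SAMPLE_RULES, destinations={("siem.corp.example", 6514)})
```

Run `audit_sample()` against a ruleset exported from the Director host's firewall to list every allow-rule that widens the footprint beyond the three paths the architecture describes.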
Management Models
DataStream offers two management models to accommodate both connected and air-gapped environments. The choice between them depends on whether the deployment can maintain an outbound connection to VirtualMetric Cloud.
Managed (Default)
In the managed model, all pipelines are configured and deployed through the VirtualMetric portal. Configuration changes and updates are deployed seamlessly, comprehensive real-time monitoring provides visibility across the distributed infrastructure, and team-based access is governed by RBAC controls.
Self-Managed (Air-Gapped)
For environments requiring complete network isolation, the self-managed model supports fully offline operation. Pipeline configuration and deployment are performed manually, and administrators access Director management interfaces directly. Updates and maintenance are administrator-controlled, and the deployment operates with zero external connectivity requirements.