Network Controls

How ZYBER manages network traffic in and out of workspaces.

Network Architecture

┌──────────────────────────────────────────────────────────────────┐
│                         INTERNET                                  │
└──────────────────────────────────────────────────────────────────┘
                    ▲                           ▲
                    │                           │
            ┌───────┴───────┐           ┌───────┴───────┐
            │  Egress Proxy │           │ Ingress Proxy │
            │  (Outbound)   │           │  (Inbound)    │
            └───────┬───────┘           └───────┬───────┘
                    │                           │
            ┌───────┴───────────────────────────┴───────┐
            │              ZYBER Network                │
            │         (Private, Isolated)               │
            └───────────────────┬───────────────────────┘
                                │
        ┌───────────────────────┼───────────────────────┐
        │                       │                       │
   ┌────┴────┐             ┌────┴────┐             ┌────┴────┐
   │Workspace│             │Workspace│             │Workspace│
   │   VM    │             │   VM    │             │   VM    │
   └─────────┘             └─────────┘             └─────────┘
   (Isolated)              (Isolated)              (Isolated)

Egress (Outbound) Controls

All outbound traffic from workspaces passes through ZYBER's egress proxy.

Default Allowed

Destination

Port

Purpose

Package registries

443

npm, PyPI, crates.io, apt

Git hosts

22, 443

GitHub, GitLab, Bitbucket

AI APIs

443

OpenAI, Anthropic, Google AI

General HTTPS

443

Web APIs, downloads

DNS

Name resolution

Default Blocked

Traffic Type

Reason

SMTP (25, 587)

Prevent spam

Raw sockets

Prevent network attacks

Tor exit nodes

Policy compliance

Known malicious IPs

Security

IP Masking

All egress traffic shows ZYBER datacenter IP:

Your workspace request → ZYBER proxy (IP: 203.0.113.x) → Destination

Destination sees: 203.0.113.x
Destination doesn't see: Your real IP

Ingress (Inbound) Controls

By default, workspaces have no inbound connectivity from the internet.

Temporary Port Exposure

For development/testing, you can expose ports temporarily:

Feature

Behavior

Expose port

Generates temporary URL (e.g., abc123.tunnel.zyber.app)

Duration

Until session ends or manually closed

Authentication

Optional password protection

HTTPS

Automatic TLS termination

# Example: Expose local dev server
zyber expose 3000
# Returns: https://abc123.tunnel.zyber.app

No Persistent Ingress

Workspaces cannot:

Bind to public IPs
Run as long-term servers
Accept unsolicited inbound connections

This is by design, workspaces are development environments, not production hosting.

Inter-Workspace Isolation

Workspaces cannot communicate with each other:

Attempt

Result

Workspace A → Workspace B

Blocked

Scan internal network

No response

ARP spoofing

Isolated network namespace

Broadcast traffic

Not propagated

Each workspace has its own:

Network namespace
Virtual NIC
IP address (internal, non-routable)
Routing table

DNS Security

Resolution Path

Workspace DNS query → ZYBER DNS resolver → Upstream (Cloudflare/Google)

DNS Features

Feature

Implementation

No DNS leaks

All queries through ZYBER resolver

DNSSEC validation

Enabled

Malware domain blocking

Threat intelligence feeds

Query logging

Per-workspace, accessible to user

Traffic Inspection

What ZYBER Can See

Data

Visible to ZYBER

Destination IPs/domains

✅ Yes (for routing)

Connection metadata

✅ Yes (timestamps, bytes)

Encrypted payload

❌ No (TLS end-to-end)

Decrypted content

❌ No

What ZYBER Cannot See

Contents of HTTPS requests
API keys in headers (encrypted)
Request/response bodies
Authentication tokens

Rate Limiting

To prevent abuse:

Limit

Value

Connections per minute

1,000

Bandwidth (sustained)

100 Mbps

Bandwidth (burst)

1 Gbps

DNS queries per minute

500

Limits are per-workspace. Exceeding limits results in throttling, not termination.

Firewall Rules

Workspace-level firewall (iptables) is user-controllable:

# User can add rules within workspace
iptables -A OUTPUT -d suspicious.com -j DROP

ZYBER's network-level controls operate outside the workspace and cannot be modified by users.

PreviousPrivate Git NextDependency Safety

Last updated 1 month ago

Good morning

hashtagNetwork Architecture

hashtagEgress (Outbound) Controls

hashtagDefault Allowed

hashtagDefault Blocked

hashtagIP Masking

hashtagIngress (Inbound) Controls

hashtagTemporary Port Exposure

hashtagNo Persistent Ingress

hashtagInter-Workspace Isolation

hashtagDNS Security

hashtagResolution Path

hashtagDNS Features

hashtagTraffic Inspection

hashtagWhat ZYBER Can See

hashtagWhat ZYBER Cannot See

hashtagRate Limiting

hashtagFirewall Rules