IBM Cloud Docs
Learning about IBM Cloud Shell architecture and workload isolation

Review the sample architecture for IBM® Cloud Shell, and learn more about different isolation levels. You can then choose the solution that best meets the requirements of the workloads that you want to run in the cloud.

IBM Cloud Shell architecture

IBM Cloud Shell is a public, multi-tenant regional service that is available in IBM Cloud®. With Cloud Shell, you can manage IBM Cloud resources and applications in a cloud-hosted shell environment from any web browser, with one click from the IBM Cloud console.

[Figure: Cloud Shell sample architecture. A diagram that shows a sample Cloud Shell architecture.]

The Cloud Shell control plane is responsible for provisioning Cloud Shell servers and managing their lifecycle.

  • The API server provides the API interface to the Cloud Shell service.
  • The controller manager manages the lifecycle of the Cloud Shell servers.
  • The scheduler selects the node on which each Cloud Shell server is provisioned.

The Cloud Shell data plane hosts the users' Cloud Shell servers.

  • The gateway operates at the edge, managing access and routing each user's requests to the Cloud Shell server that is provisioned for that user.
  • Each Cloud Shell server is a virtual machine that runs on a bare metal server.

IBM Cloud Shell workload isolation

Each regional deployment of IBM Cloud Shell serves multiple tenants and is accessed through public endpoints. All data at rest is encrypted with IBM keys, and data in transit is encrypted by using TLS.

Each user's Cloud Shell server runs in its own virtual machine, isolated from the other users' Cloud Shell servers that run on the same node. Cloud Shell servers on the same node share physical resources such as CPU, memory, and I/O devices, but the guest OS in an individual Cloud Shell server cannot detect any device other than the virtual devices that are made available to it.

The networks of the Cloud Shell servers are isolated from each other: direct traffic between Cloud Shell servers is not allowed, and a Cloud Shell server can reach only the public internet.