Schematics architecture

Learn about the IBM Cloud® Schematics service architecture, its service dependencies, and how client workloads are isolated from each other in IBM Cloud Schematics.

Architectural flow

Schematics is a shared multi-tenant service. On initial use, a new Schematics service instance is automatically provisioned for each user account.

The following Schematics architecture image depicts:

  • Main Schematics components
  • The interaction between service components
  • Key Management services used
  • Usage of IBM Cloud® observability services
  • The role of runtime jobs in interacting with IBM Cloud APIs, private clouds such as vSphere, Kubernetes, and other public cloud providers such as AWS, Google, and so on

Figure: Schematics architecture

Workload isolation

IBM Cloud Schematics implements a robust multi-tenant service architecture on shared infrastructure.

How are API requests to the service isolated from other API requests?

All API requests to the Schematics api-server are handled as separate service processes. IAM requests are made to authenticate user access to Schematics, workspaces and operations. Authenticated API requests are processed and queued as Schematics internal messages.

The Schematics job queue manager forwards the requests with the job ID and health check messages. At any particular time, a maximum of n API requests are processed by the Schematics engine. By default, n equals 20, but the Schematics operator can adjust this number manually based on the current API workload.

For every queued request from a Schematics user, the Schematics engine creates a dedicated runtime job that runs to completion. The request is removed from the queue when it is fully processed. The Schematics jobs are not shared between tenants or reused later.

How is the information in IBM Cloudant and IBM Cloud Object Storage isolated from other tenant data?

Schematics does not store any personally identifiable information. Sensitive technical information for a workspace is stored as described in What technical information is stored in Schematics?. Data that is stored in Cloudant and IBM Cloud Object Storage is encrypted in transit using TLS and at rest by using AES GCM 256 and envelope encryption. Refer to Securing your data with encryption.
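The envelope scheme named above, as an added illustration rather than Schematics' own code: a fresh data key (DEK) encrypts each stored object with AES-256-GCM, the root key (KEK) wraps that DEK, and only the wrapped DEK and the ciphertext reach the data store. The Envelope type, the function names and the binding of a workspace ID as associated data are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the object store keeps: data sealed under a per-object data key
// (DEK), plus that DEK sealed under the root key (KEK) that stays in key management.
type Envelope struct{ WrappedDEK, Ciphertext []byte } // each field carries its nonce first
func must[T any](v T, err error) T { // key-construction or CSPRNG failure: not recoverable here
	if err != nil {
		panic(err)
	}
	return v
}

// gcm builds an AES-GCM AEAD; the 32-byte kek and dek used below select AES-256.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, plaintext, aad []byte) []byte { // encrypt, bind aad, prefix a fresh random nonce
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) { // fails if ciphertext, nonce or aad changed
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt draws a fresh DEK per object, seals data under it and wraps the DEK under kek.
// workspaceID is bound as AAD, so one workspace's envelope fails to open as another's.
func Encrypt(kek, data []byte, workspaceID string) Envelope {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return Envelope{WrappedDEK: seal(kek, dek, []byte(workspaceID)), Ciphertext: seal(dek, data, []byte(workspaceID))}
}

func Decrypt(kek []byte, env Envelope, workspaceID string) ([]byte, error) { // unwrap DEK, then open data
	dek, err := open(kek, env.WrappedDEK, []byte(workspaceID))
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(workspaceID))
}
```

Because the KEK only ever touches the 32-byte DEK, rotating the root key means re-wrapping DEKs, not re-encrypting every stored object.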

How are cloud resources isolated from other tenants?

When you use Schematics to provision IBM Cloud resources, these resources are created in your personal IBM Cloud account. You are responsible for managing these resources and keeping them up to date to avoid security vulnerabilities or downtime for your workloads. IBM Cloud resources are provisioned, updated, and deleted as defined in the Terraform template and requested by the user.

Because all resources are created in your personal account, resources are not shared with or reused by other IBM Cloud tenants.