IBM Cloud Docs
Learning about project architecture and workload isolation

Review the following sample architecture for projects and learn more about different isolation levels so you can choose the solution that best meets the requirements of the workloads that you want to run in the cloud.

Project architecture

Projects are an IBM Cloud® platform feature that's supported by a highly available multi-region infrastructure. The project UI and API services are managed microservices, which are deployed to a minimum of three multi-zone regions around the world. If a single zone fails, service instances in other zones in the same region take over. If a region fails, another region takes over. Project microservices use IBM-managed instances of Continuous Delivery Toolchains in at least three regions to run multi-step validation, deployment, and destroy resource jobs.

Projects create instances of IBM Cloud Schematics workspaces in your account and use them to perform plan, deploy, and destroy resource jobs. This ensures that Terraform state storage and any access to private resources are completely under customer control. The Schematics workspace UI, API, and CLI can be used, if needed, to provide additional control and visibility over how Infrastructure as Code (IaC) is managed by projects.

Deleting a Schematics workspace that's used by a project can cause the loss of the Terraform state for that configuration, which can lead to unexpected behavior for project users, for example, causing the project to create duplicate resources on the next deployment. Project-created Schematics workspaces are tagged with the related projects and configurations.

Project data storage

Projects are a multi-tenant service that uses a regional data storage model where the data is stored in the region that is selected for the project. Specifically, project configuration data (the deployable architecture reference and selected inputs) is stored in a multi-tenant, IBM-managed IBM Cloudant database in the project region. The Schematics instances that are created in the customer account for a project are also located in the project region. This ensures that all configuration data is stored in the customer-selected region. However, basic project metadata, like the name, description, and state, is replicated globally to enable global search and the ability to list all projects across regions.

Project data protection

Projects are a multi-tenant platform service where all project data is encrypted at rest and in flight. Project primary storage uses separate documents for each project in IBM® Cloudant® for IBM Cloud®. IBM Cloudant provides robust data protection and security. For example, IBM Cloudant encrypts all data at rest and automatically stores three copies of every document to different nodes in a cluster. In addition, project data is periodically backed up to IBM Cloud® Object Storage, which is also encrypted. Access to project data is protected by IAM authentication and authorization policies that ensure client isolation. All project data is encrypted in flight by using HTTPS with TLS 1.2+.

For more information on IBM Cloudant data protection, see Securing your data in IBM Cloudant. For more information on Object Storage data protection, see Data security.