Requirements

Some users want to secure the data intensive backend deployment using TEE. It’s a typical web service architecture with frontend, backend and databases.

Here’s a breakdown of a typical requirement:

• HA MongoDB in TEE cloud
• Backend (next js) running in TEE cloud
• E2E encrypted VPC to isolate the network
• Backend has the full access to the database
• Can scale based on demand

Architecture

Components

• Backend: Stateless backend, deployed by BlueNexus
• MongoDB: Replicated database, deployed by Phala
• VPC: CVMs connected via wireguard VPN

Details

• VPC
  • Sidecar pattern: wireguard (via Tailscale) deployed to every CVM
  • Control plane running in TEE, managed by Phala Cloud
  • Use the TEE generated key pair to establish session
  • Interconnected via UDP mapped ports / hole punching
• Database
  • Database is in TEE
  • Storage is secured by full disk encryption
  • High available deployment using MongoDB replica set
  • MondoDB instances interconnected via VPC
• Backend
  • Deploy using docker compose
  • Join VPC with a wireguard sidecar
  • Discover the database service via cloud injected endpoints
  • Expose the public endpoint via Phala Cloud gateway, secured with TLS (zt-https)
• Attestation
  • Backend produces its attestation to prove the TEE environment and secure code
  • Databases produce attestations
  • Every CVM generates a RA with the wireguard config to ensure the network is e2e secured
• Service discovery
  • TBD: scaling may require service discovery