Architecture

System Architecture

A deep dive into Lambda's privacy-first architecture.

High-Level Architecture

Lambda is built on a multi-layered architecture where each layer is designed with privacy as the primary concern.

Architectural Layers

1. User Layer

The user-facing interfaces that customers interact with.

Components

  • Web Dashboard: React-based SPA for visual management
  • CLI Tools: Command-line interface for automation
  • API Clients: SDKs and direct REST/GraphQL clients

Responsibilities

  • User authentication
  • Request formation
  • Client-side encryption (for sensitive data)
  • Response handling and visualization

2. API Gateway Layer

The entry point for all requests to Lambda.

Components

Authentication Service
  • JWT-based authentication
  • API key validation
  • Multi-factor authentication
  • Session management
Rate Limiter
  • Per-user request limits
  • DDoS protection
  • Fair usage enforcement
  • Burst handling
Request Router
  • Routes requests to appropriate services
  • Load balancing
  • Health checking
  • Circuit breaking

Security Features

Client Request → TLS 1.3 → API Gateway

                      Authentication Check

                        Rate Limit Check

                     Request Validation

                    Route to Service

3. Control Plane

The brain of Lambda - orchestrates all operations without seeing private data.

Components

Instance Manager

Responsibilities:

  • Instance lifecycle management (create, start, stop, destroy)
  • Resource allocation
  • Health monitoring
  • Auto-scaling

Privacy Design:

  • Manages instances by ID only
  • No access to instance memory or storage
  • Only sees aggregated metrics
  • Uses blind orchestration
Network Controller

Responsibilities:

  • IP address allocation
  • Firewall rule management
  • Load balancer configuration
  • VPN setup

Privacy Design:

  • Routes traffic without inspecting packets
  • Manages network topology only
  • No packet logging
  • Encrypted traffic only
Storage Controller

Responsibilities:

  • Volume creation and deletion
  • Snapshot management
  • Storage allocation
  • Backup scheduling

Privacy Design:

  • Manages encrypted blocks only
  • No access to encryption keys
  • Cannot read volume contents
  • Metadata-only operations
Billing Engine

Responsibilities:

  • Usage tracking Usage calculation
  • Invoice generation
  • Payment processing

Privacy Design:

  • Tracks usage metrics only (CPU %, memory %, network bytes)
  • No application-level data
  • Aggregated statistics
  • Minimal data retention

4. Privacy Layer

The core innovation - ensures privacy at every interaction.

Architecture

Components

Encryption Manager

Responsibilities:

  • Encrypt/decrypt workflows
  • Encryption policy enforcement
  • Algorithm selection
  • Key rotation coordination

Implementation:

  • AES-256-GCM for data at rest
  • ChaCha20-Poly1305 for data in transit
  • Hardware-accelerated encryption
  • Zero-knowledge encryption keys
Key Management Service (KMS)

Responsibilities:

  • Encryption key generation
  • Key storage (customer-controlled)
  • Key rotation
  • Key access auditing

Security:

  • Keys never leave secure hardware
  • Customer-managed keys (BYOK)
  • Hardware Security Modules (HSM)
  • FIPS 140-2 Level 3 compliance

Key Hierarchy:

Master Key (Customer-Controlled)

Data Encryption Keys (DEK)

Per-Volume/Per-Instance Keys
Attestation Service

Responsibilities:

  • Generate attestation proofs
  • Verify secure enclave execution
  • Provide cryptographic evidence
  • Report tamper detection

Attestation Flow:

1. User requests attestation
2. Secure enclave generates proof
3. Proof includes:
   - Enclave measurement (hash)
   - Platform configuration
   - Timestamp and signature
4. User verifies proof locally
5. Confirms workload is isolated
Audit Logger

Responsibilities:

  • Log control plane operations
  • Track access attempts
  • Generate audit reports
  • Compliance documentation

What Gets Logged:

  • Control plane API calls
  • Instance state changes
  • Resource allocation/deallocation
  • Billing events
  • Authentication events

What's NEVER Logged:

  • Application logs
  • Command arguments
  • Environment variables
  • File access patterns
  • Network packet contents

5. Data Plane

Where your workloads actually run - completely isolated from Lambda.

Components

Compute Nodes

Hardware:

  • Intel Xeon with SGX support
  • AMD EPYC with SEV support
  • ARM processors with TrustZone
  • Latest-generation hardware

Isolation Technologies:

Intel SGX (Software Guard Extensions)
┌─────────────────────────────────────┐
│      Untrusted Environment          │
│  (OS, Hypervisor, Lambda Platform)  │
│                                     │
│   ┌─────────────────────────────┐   │
│   │   Secure Enclave (SGX)      │   │
│   │                             │   │
│   │   ┌─────────────────────┐   │   │
│   │   │  Your Application   │   │   │
│   │   │  (Encrypted Memory) │   │   │
│   │   └─────────────────────┘   │   │
│   │                             │   │
│   └─────────────────────────────┘   │
│                                     │
└─────────────────────────────────────┘

SGX Features:

  • Memory encryption (up to 128GB)
  • Attestation support
  • Sealing (persistent encrypted storage)
  • No OS/hypervisor access to enclave
AMD SEV (Secure Encrypted Virtualization)
┌─────────────────────────────────────┐
│         Hypervisor                  │
│  (Cannot Access VM Memory)          │
│                                     │
│   ┌─────────────────────────────┐   │
│   │   Guest VM                  │   │
│   │   (Encrypted Memory)        │   │
│   │                             │   │
│   │   Your Application          │   │
│   │   Your Data                 │   │
│   │   Your Logs                 │   │
│   │                             │   │
│   └─────────────────────────────┘   │
│                                     │
└─────────────────────────────────────┘

SEV Features:

  • Full VM memory encryption
  • DMA protection
  • Encrypted state during migration
  • Hardware root-of-trust
Storage Nodes

Architecture:

Encryption Layers:

  1. Application Layer: Optional application-level encryption
  2. Filesystem Layer: Per-file encryption (customer keys)
  3. Block Layer: Block-device encryption (customer keys)
  4. Hardware Layer: Drive-level encryption

Storage Isolation:

  • Dedicated encrypted volumes per instance
  • No shared storage between customers
  • Secure erase on deallocation
  • Snapshot encryption
Network Fabric

Architecture:

┌────────────────────────────────────────┐
│          Public Internet               │
└──────────────┬─────────────────────────┘
               │ TLS 1.3

┌──────────────────────────────────────────┐
│       Load Balancer (Edge)               │
│  (Terminates TLS, Encrypted Forwarding)  │
└──────────────┬───────────────────────────┘
               │ WireGuard/IPsec

┌──────────────────────────────────────────┐
│          Firewall Layer                  │
│      (Customer-Defined Rules)            │
└──────────────┬───────────────────────────┘
               │ Encrypted Tunnel

┌──────────────────────────────────────────┐
│         Your Instance                    │
│      (Private Network)                   │
└──────────────────────────────────────────┘

Network Security:

  • End-to-end encryption
  • Traffic isolation per customer
  • No packet inspection
  • DDoS protection at edge
  • Private VPC support

Security Mechanisms

1. Blind Orchestration

Lambda orchestrates your infrastructure without seeing your data.

How It Works:

User Request: "Create instance with Ubuntu 22.04"

Lambda Control Plane:
  1. Allocate encrypted compute resources
  2. Provision encrypted storage volume
  3. Deploy encrypted OS image
  4. Provide connection details to user

User connects directly to instance
  - Lambda cannot intercept connection
  - Lambda cannot access instance memory
  - Lambda cannot read storage

2. Zero-Knowledge Encryption

Encryption Key Flow:

3. Hardware Root of Trust

Trust Chain:

Hardware TPM/SGX

Measured Boot

Secure Enclave

Your Application

Attestation Process:

  1. Request attestation from instance
  2. Hardware generates signed proof
  3. Proof includes measurements
  4. Verify signature with Intel/AMD/ARM keys
  5. Confirm application is running in secure enclave

4. Network Isolation

Per-Instance Networking:

┌───────────────────────────────────┐
│  Instance A                       │
│  VLAN: 100                        │
│  Private IP: 10.0.1.5             │
│  No route to Instance B           │
└───────────────────────────────────┘

┌───────────────────────────────────┐
│  Instance B                       │
│  VLAN: 101                        │
│  Private IP: 10.0.2.5             │
│  No route to Instance A           │
└───────────────────────────────────┘

Unless explicitly configured, instances cannot communicate.

Data Flow Examples

Instance Creation Flow

Data Upload Flow

Metrics Collection Flow

Scalability

Horizontal Scaling

Lambda's control plane is designed for massive scale:

  • Distributed Control Plane: No single point of failure
  • Regional Isolation: Regions operate independently
  • Resource Pooling: Efficient resource utilization
  • Auto-Scaling: Automatic capacity management

Performance Characteristics

MetricTargetTypical
Instance creation time< 60s~30s
API response time< 200ms~50ms
Snapshot creation< 5min~2min
Cross-region replication< 30min~15min

High Availability

Redundancy

┌─────────────────────────────────────────┐
│          Load Balancer                  │
│      (Multi-Region, Active-Active)      │
└──────┬──────────────────────┬───────────┘
       │                      │
       ▼                      ▼
┌─────────────┐        ┌─────────────┐
│  Region A   │        │  Region B   │
│  (Primary)  │◄──────►│  (Backup)   │
└─────────────┘        └─────────────┘
       ↕                      ↕
┌─────────────┐        ┌─────────────┐
│  Storage    │        │  Storage    │
│ (Replicated)│◄──────►│ (Replicated)│
└─────────────┘        └─────────────┘

Failure Handling

  • Instance Failure: Automatic restart or migration
  • Storage Failure: Redundant storage with automatic failover
  • Network Failure: Multi-path networking
  • Region Failure: Cross-region failover (optional)

Next Steps

Think Lambda, Think Privacy

Lambda Architecture

Previous Page

Privacy Infrastructure

Next Page

On this page

High-Level ArchitectureArchitectural Layers1. User LayerComponentsResponsibilities2. API Gateway LayerComponentsAuthentication ServiceRate LimiterRequest RouterSecurity Features3. Control PlaneComponentsInstance ManagerNetwork ControllerStorage ControllerBilling Engine4. Privacy LayerArchitectureComponentsEncryption ManagerKey Management Service (KMS)Attestation ServiceAudit Logger5. Data PlaneComponentsCompute NodesIntel SGX (Software Guard Extensions)AMD SEV (Secure Encrypted Virtualization)Storage NodesNetwork FabricSecurity Mechanisms1. Blind Orchestration2. Zero-Knowledge Encryption3. Hardware Root of Trust4. Network IsolationData Flow ExamplesInstance Creation FlowData Upload FlowMetrics Collection FlowScalabilityHorizontal ScalingPerformance CharacteristicsHigh AvailabilityRedundancyFailure HandlingNext Steps