This topic uses private connectivity as a general term for AWS PrivateLink and Azure Private Link.
This page explains how dedicated instances protect data through private connectivity, encryption, and network access controls.
Encryption
Dedicated Instances use encryption in transit across external and internal service boundaries. All supported connections use TLS 1.2 or higher.
| Layer | Encryption |
|---|---|
| API endpoints | TLS 1.2 or higher with certificate validation |
| Cloud storage connections (S3, Blob Storage) | TLS 1.2 or higher, with bucket or container policies used to enforce the encryption requirement |
| Internal service mesh | mTLS between microservices |
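The following is an added example, not code from the Unstructured docs or platform. It shows the client-side counterpart of the first two rows: a Python TLS client context that validates the certificate chain and hostname and refuses anything below TLS 1.2, a deliberately permissive context for comparison, and a scan of an S3 bucket policy for the two Deny statements that make "bucket policy enforces encryption" something S3 itself applies. The IAM condition keys `aws:SecureTransport` and `s3:TlsVersion` are real; the bucket name `example-bucket` and the policy document are constructed for the example.

```python
"""Client-side checks for the encryption table: a TLS context that enforces
TLS 1.2+ with certificate validation, and a scan of an S3 bucket policy for
the Deny statements that turn 'TLS required' into something S3 enforces."""
import json
import ssl


def client_tls_context() -> ssl.SSLContext:
    """Hardened client context: verify chain and hostname, refuse TLS < 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_tls_context() -> ssl.SSLContext:
    """Anti-pattern for comparison: no validation, any version OpenSSL still offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True if ctx validates certificates and hostnames and refuses TLS < 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


# Constructed example bucket policy (not from the page): deny every S3 action
# for every principal when the request is not over TLS, or is below TLS 1.2.
BUCKET_ARN = "arn:aws:s3:::example-bucket"  # placeholder bucket name
EXAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyTlsBelow12",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers_everyone(stmt: dict) -> bool:
    """A Deny only counts if it binds all principals and all S3 actions;
    otherwise a caller routes around it with a permitted action or principal."""
    principal = stmt.get("Principal")
    all_principals = principal == "*" or principal == {"AWS": "*"}
    return all_principals and "s3:*" in _as_list(stmt.get("Action", []))


def policy_enforces_tls(policy: dict, min_version: float = 1.2) -> dict:
    """Report whether a bucket policy denies plaintext and pre-min_version TLS."""
    found = {"denies_plaintext": False, "denies_old_tls": False}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _covers_everyone(stmt):
            continue
        cond = stmt.get("Condition", {})
        secure = _as_list(cond.get("Bool", {}).get("aws:SecureTransport", []))
        if any(str(v).lower() == "false" for v in secure):
            found["denies_plaintext"] = True
        floor = cond.get("NumericLessThan", {}).get("s3:TlsVersion")
        if floor is not None and float(floor) >= min_version:
            found["denies_old_tls"] = True
    return found


def policy_enforces_tls_json(document: str, min_version: float = 1.2) -> dict:
    """Same check on the raw policy text (e.g. what
    `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` prints)."""
    return policy_enforces_tls(json.loads(document), min_version)
```

A Deny that covers only some actions, or only some principals, is reported as not enforcing TLS on purpose: the permitted remainder is exactly what an attacker would use. For Blob Storage the equivalent controls are the storage account's "Secure transfer required" setting and its minimum TLS version property; the check above is S3-specific.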
Security without private connectivity (internet-facing mode)
Customers who deploy a dedicated instance without private connectivity access the Unstructured platform over the public internet via HTTPS.
The following security measures and connectivity options apply:
- TLS 1.2+ for all traffic in transit.
- AWS WAF (Web Application Firewall) provides DDoS protection, rate limiting, and optional geo-blocking for ITAR compliance.
- IP allowlisting restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this.
- Independent paths let you use the UI and API over the public internet while Unstructured uses private connectivity to reach your data sources. The two paths are configured separately.
Security with private connectivity
When private connectivity is enabled, traffic between your environment and the Unstructured platform stays on cloud-provider private networking. Service endpoints resolve to private IP addresses, and inbound access from the public internet is blocked.
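The check a practitioner runs from inside the VPC or VNet to confirm the private path is actually in effect, as an added example that is not part of the Unstructured docs: resolve the platform endpoint and verify that every returned address falls inside your own VPC/VNet CIDRs, not merely inside some RFC 1918 range. The hostnames `platform.example.internal` and `platform.example.com`, the CIDR `10.20.0.0/16` and the `FAKE_DNS` answers are placeholders constructed for the example; the real endpoint name comes from your instance.

```python
"""Confirm a service endpoint resolves only into your own VPC/VNet address
space, which is what 'service endpoints resolve to private IP addresses'
should look like from inside your environment."""
import ipaddress
import socket
from typing import Callable, Iterable


def resolve_all(hostname: str) -> list:
    """Every A/AAAA address the local resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def addresses_inside(addresses: Iterable[str], cidrs: Iterable[str]) -> dict:
    """Split addresses into those inside the given CIDRs and those outside.

    An address that is RFC 1918 but not in one of *your* ranges still lands in
    'outside': a private-looking address in someone else's network is not the
    endpoint you provisioned. Version mismatches (IPv6 address vs IPv4 CIDR)
    simply do not match.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    inside, outside = [], []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        (inside if any(ip in n for n in nets) else outside).append(a)
    return {"inside": inside, "outside": outside}


def endpoint_is_private(
    hostname: str,
    cidrs: Iterable[str],
    resolver: Callable[[str], list] = resolve_all,
) -> bool:
    """True only if the name resolves to at least one address and every
    address lies within cidrs. A public address in the answer, or no answer
    at all, means the private path is not (fully) in effect."""
    addrs = resolver(hostname)
    if not addrs:
        return False
    return not addresses_inside(addrs, cidrs)["outside"]


# Constructed resolver answers (placeholders, not real records) so the check
# runs offline; swap in resolve_all against the real endpoint name.
FAKE_DNS = {
    "platform.example.internal": ["10.20.1.15", "10.20.2.15"],
    # Split answer: one VPC address and one public one (203.0.113.0/24 is
    # documentation space). A client may take either path.
    "platform.example.com": ["10.20.1.15", "203.0.113.40"],
}


def fake_resolver(hostname: str) -> list:
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    vpc = ["10.20.0.0/16"]  # placeholder VPC/VNet CIDR
    for name in FAKE_DNS:
        print(name, endpoint_is_private(name, vpc, resolver=fake_resolver))
```

Run it with the default resolver from a host inside the VPC or VNet, passing the CIDRs you actually own. A split answer like the second fake record is worth treating as a failure rather than a partial pass: which record a client uses is up to the client, so some traffic would leave the private path.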
What private connectivity does and does not protect
Private connectivity helps protect:
- Network traffic from public internet exposure.
- Data in transit between VPCs and VNets.
- DNS resolution of service endpoints.
Private connectivity does not protect against:
- Application-layer vulnerabilities.
- Misconfigured Identity and Access Management (IAM) or Role-Based Access Control (RBAC) policies.
- Compromised credentials.
Network access controls
Network access controls determine whether traffic between the Unstructured platform and your cloud environment may traverse the public internet. Your cloud environment is the VPC or VNet that hosts your data sources and related resources. This section describes the default inbound and outbound traffic rules and how to request exceptions when a use case requires them.
Default configuration:
| Traffic direction | Without private connectivity | With private connectivity |
|---|---|---|
| Public ingress | Enabled. The platform is accessible over the public internet via HTTPS. Customers can request to restrict access to specific IP addresses or CIDR ranges by opening a support ticket. | Blocked. All inbound traffic from the public internet is denied. Access is only available via private connectivity. |
| Public egress | Enabled. Outbound traffic to the public internet is permitted. | Blocked by default. Supported connectors connect via PrivateLink, keeping all traffic off the public internet. For use cases where private connectivity is not supported, such as SaaS connectors, public egress can be enabled on request by opening a support ticket. See connector support for AWS and Azure. |