
Thru Cloud Architecture

Introducing Thru's Cloud Architecture

This technical overview introduces Thru's cloud-native architecture, deployment options, resiliency capabilities, and infrastructure design patterns for prospective customers and solution architects. It explains how Thru leverages public cloud providers to enhance security, availability, operational agility, and TCO savings.

This briefing highlights considerations for integrating Thru within existing AWS or Azure environments. It provides transparency into our service-oriented architecture optimized for elastic scale, automated resilience, and ease of administration across infrastructure tiers.

Whether planning for on-premises, hybrid, or cloud migrations, Thru aligns to infrastructure best practices across major providers. Our architecture empowers customers through compatibility, flexibility, and visibility as part of a secure and reliable cloud partnership.

Design Philosophy

The design of this architecture focused on security, scalability, reliability, integrity, and simplicity. Specifically, the system was built to scale without a fixed ceiling as load increases. High reliability was crucial for robust operation, including guaranteed delivery of alerts whenever an issue occurs. We also prioritized data integrity: if a file is received, we need absolute assurance of retrieving it intact later when required. Finally, the overall simplicity of the architecture guided decisions, following the philosophy that unnecessary complexity often indicates deeper flaws.

Architectural Principles

A core architectural principle was ensuring high availability and disaster recovery capabilities for all services. For instance, we designed for resilience against losing an entire cloud zone: if one goes down, services continue functioning through redundancy across zones. Additionally, we prioritized the ability to recover rapidly from potential disasters such as security breaches or VM destruction. No single VM or host is treated as an irreplaceable special case; we can swiftly spawn replacements as needed. This decoupling of service dependencies allows for elasticity and guards against prolonged downtime when issues emerge. By building in redundancy, geographic distribution, and rapid recreation of critical components, the architecture provides robust high availability and disaster recovery to maintain business continuity.

Security and high availability are ingrained in the architecture through isolation, redundancy, and decoupled services. Externally, traffic passes through cloud-hosted firewalls and load balancers that provide inbound protection and uptime assurances before reaching our systems. We minimize the exposed attack surface by opening only essential ports (443, 22, etc.) and restricting who may access them. Internally, microservices sit behind an HAProxy layer that evenly distributes requests while enabling graceful rolling upgrades. This proxy abstraction also makes it possible to drain traffic incrementally from specific APIs and upgrade them without service disruption.

Security Groups

Thru cloud leverages native access controls provided by AWS and Azure.

In Azure, application security groups (ASGs) play a key role in network segmentation. VMs are tagged with ASGs reflecting their appropriate communication scopes based on server function. Web frontends join the Web ASG, internal microservices map to the internal servers ASG, and perimeter proxies for message handling and routing fall under the DMZ ASG.

Traffic flows only from higher-trust to lower-trust ASGs. The Web layer can access Internal functions but not vice versa. By cataloging infrastructure into declarative policy groups, communication boundaries remain consistently enforced even as new instances spin up or down dynamically. These hierarchical ASGs abstract the network security tiers so that connectivity appears intrinsic to the machine rather than depending on manually maintained IP tables. The resulting model inherently restricts lateral movement options for threats without increasing complexity.
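The tiered-trust rule above is easiest to keep honest with an automated check over the rule set actually deployed. The following added example (not Thru's own tooling) lints rules in the shape returned by `az network nsg rule list` against two of the constraints stated in this document: ASG-to-ASG traffic may only flow from a higher-trust tier to a lower-trust one, and Internet-sourced inbound rules may expose only the essential ports (443 and 22). The trust ranking, the ASG names, the placeholder subscription id and the sample rules are constructed for illustration.

```python
"""Lint an exported Azure NSG rule set against the tiered-trust model.

Added example; not Thru's own tooling. Rule objects use the field names that
`az network nsg rule list` returns (name, direction, access, priority,
sourceAddressPrefix, destinationPortRange, sourceApplicationSecurityGroups,
destinationApplicationSecurityGroups). The trust ranking, ASG names and
sample rules are constructed for illustration.
"""

# Assumed trust ranking (higher number = higher trust). The text states that Web
# may reach Internal but not the reverse; putting the DMZ perimeter tier lowest
# is an assumption. ASGs absent from this table are treated as untrusted.
TRUST_RANK = {"web-asg": 3, "internal-asg": 2, "dmz-asg": 1}
INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0"}
ALLOWED_INTERNET_PORTS = {443, 22}   # the only ports the text says are opened externally


def asg_names(refs):
    """Reduce ASG references ({'id': '.../applicationSecurityGroups/<name>'}) to bare names."""
    return [ref["id"].rsplit("/", 1)[-1] for ref in refs or []]


def expand_ports(spec):
    """Expand an NSG port spec ('443', '8000-8100', '*') into a set of ports; None means every port."""
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = (int(part) for part in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}


def lint_rules(rules, trust_rank=TRUST_RANK, allowed_ports=ALLOWED_INTERNET_PORTS):
    """Return human-readable findings for rules that violate the segmentation model."""
    findings = []
    for rule in rules:
        if rule["access"] != "Allow":
            continue  # Deny rules can only tighten the model
        sources = asg_names(rule.get("sourceApplicationSecurityGroups"))
        targets = asg_names(rule.get("destinationApplicationSecurityGroups"))
        # ASG-to-ASG traffic must keep the higher-trust to lower-trust direction
        for src in sources:
            for dst in targets:
                if trust_rank.get(src, 0) < trust_rank.get(dst, 0):
                    findings.append(f"{rule['name']}: allows lower-trust {src} to reach higher-trust {dst}")
        # Inbound rules sourced from the Internet may expose only the agreed ports
        if rule["direction"] == "Inbound" and rule.get("sourceAddressPrefix") in INTERNET_SOURCES:
            ports = expand_ports(rule["destinationPortRange"])
            extra = "every port" if ports is None else sorted(ports - allowed_ports)
            if extra:
                findings.append(f"{rule['name']}: exposes {extra} to the Internet")
    return findings


def asg_ref(name):
    """Build a constructed ASG reference in the shape Azure returns (placeholder subscription id)."""
    return {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
                  f"/providers/Microsoft.Network/applicationSecurityGroups/{name}"}


# Constructed rule set: three compliant rules and two violations.
SAMPLE_RULES = [
    {"name": "allow-https-inbound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443",
     "sourceApplicationSecurityGroups": None, "destinationApplicationSecurityGroups": [asg_ref("web-asg")]},
    {"name": "allow-web-to-internal", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": None, "destinationPortRange": "8443",
     "sourceApplicationSecurityGroups": [asg_ref("web-asg")],
     "destinationApplicationSecurityGroups": [asg_ref("internal-asg")]},
    {"name": "allow-internal-to-web", "priority": 120, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": None, "destinationPortRange": "8443",
     "sourceApplicationSecurityGroups": [asg_ref("internal-asg")],
     "destinationApplicationSecurityGroups": [asg_ref("web-asg")]},           # violates tier direction
    {"name": "allow-rdp-inbound", "priority": 130, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389",
     "sourceApplicationSecurityGroups": None, "destinationApplicationSecurityGroups": [asg_ref("web-asg")]},  # exposes 3389
    {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*",
     "sourceApplicationSecurityGroups": None, "destinationApplicationSecurityGroups": None},
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Running the check against the constructed rules reports the internal-to-web rule and the RDP exposure and stays silent on the rest. Because the check reads the exported rule list rather than the intended design, it can run after every deployment and catch a rule that was added by hand outside the declarative policy groups.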

Web Application Firewall (WAF)

Our defense-in-depth technology stack reinforces application security across layers. Azure load balancers restrict external traffic to a minimal set of ports and allowed URLs. The HAProxy layer authenticates API flows before passing them to the React frontend, locking down paths that lack valid tokens. React's built-in protections help prevent injection attacks compared to PHP alternatives, while database access additionally requires penetrating service boundaries and role permissions.

By stacking protections from network to application, we minimize the attack surface exposed to penetration testing. Findings remain rare because an attacker would have to bypass the load balancers, evade the proxies, defeat React's sanitization, pivot to the backend microservices, and escalate database privileges: an arduous chain of unlikely advances. Our layered validations continually halt progress before assets or data can be compromised. The combination of restrictive network policies, hardened application frames, strict service scopes, and locked-down databases yields robust environment security.

Extended Threat and Detection Monitoring

Thru leverages an XDR tool for unified security monitoring, serving as a central pane that aggregates critical event streams. Agents on each system host perform file integrity and policy compliance checks while forwarding application and system logs. By funnelling these events together, our XDR tool applies correlation rules, scanning for indicators of compromise or audit failures.

Alerts trigger on detecting unauthorized access attempts, data exfiltration commands, or configuration deviations from benchmarks. Our XDR service quantifies standards adherence across assets, facilitating both incident response and compliance reporting for frameworks like CIS Level 1. Consolidating and analyzing platform telemetry under a single lens makes it faster to detect, investigate, and recover from breaches while evidencing due diligence.
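To make the correlation step concrete, the following added example (not the XDR product Thru uses) runs three rules of the kind described above over a handful of agent events: repeated failed logins from one source, a file-integrity change to a sensitive path shortly after a login from that same source, and a benchmark check that reports a failure. The JSON log lines, their field names and the benchmark check id are constructed for illustration.

```python
"""Correlate agent telemetry the way an XDR rule set would.

Added example, not the XDR product Thru uses. The JSON log lines are
constructed; the field names (ts, host, type, outcome, src, user, path,
change, check, status, detail) and the benchmark check id are assumptions
made for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                     # failed logins from one source before alerting
FAILURE_WINDOW = timedelta(seconds=120)   # ...within this sliding window
FOLLOWUP_WINDOW = timedelta(minutes=10)   # a sensitive change this soon after a suspicious login is escalated
SENSITIVE_PATHS = {"/etc/ssh/sshd_config", "/etc/sudoers", "/etc/passwd"}


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp; the 'Z' suffix is rewritten for older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(lines):
    """Apply the rules to time-ordered JSON log lines; returns (rule, host, detail) tuples."""
    alerts = []
    failures = defaultdict(deque)   # (host, src) -> timestamps of recent failed logins
    flagged_sources = set()         # sources that crossed the brute-force threshold
    suspicious_logins = {}          # host -> (ts, src) of the latest success from a flagged source
    for line in lines:
        event = json.loads(line)
        ts, host = parse_ts(event["ts"]), event["host"]
        if event["type"] == "auth":
            src = event["src"]
            if event["outcome"] == "failure":
                recent = failures[(host, src)]
                recent.append(ts)
                while ts - recent[0] > FAILURE_WINDOW:   # drop failures that fell out of the window
                    recent.popleft()
                if len(recent) >= FAILURE_THRESHOLD and src not in flagged_sources:
                    flagged_sources.add(src)
                    alerts.append(("brute_force", host,
                                   f"{len(recent)} failed logins from {src} in {FAILURE_WINDOW.seconds}s"))
            elif event["outcome"] == "success" and src in flagged_sources:
                suspicious_logins[host] = (ts, src)
                alerts.append(("login_after_brute_force", host,
                               f"successful login as {event['user']} from {src}"))
        elif event["type"] == "fim" and event["path"] in SENSITIVE_PATHS:
            login = suspicious_logins.get(host)
            if login and ts - login[0] <= FOLLOWUP_WINDOW:
                delay = int((ts - login[0]).total_seconds())
                alerts.append(("sensitive_change_after_suspicious_login", host,
                               f"{event['path']} {event['change']} {delay}s after login from {login[1]}"))
            else:
                alerts.append(("sensitive_file_change", host, f"{event['path']} {event['change']}"))
        elif event["type"] == "policy" and event["status"] == "fail":
            alerts.append(("benchmark_deviation", host, f"{event['check']} failed: {event['detail']}"))
    return alerts


# Constructed agent events (RFC 5737 documentation addresses, placeholder check id).
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00Z", "host": "web-01", "type": "auth", "outcome": "failure", "src": "203.0.113.7", "user": "root"}
{"ts": "2024-05-01T10:00:08Z", "host": "web-01", "type": "auth", "outcome": "failure", "src": "203.0.113.7", "user": "root"}
{"ts": "2024-05-01T10:00:15Z", "host": "web-01", "type": "auth", "outcome": "failure", "src": "203.0.113.7", "user": "admin"}
{"ts": "2024-05-01T10:00:21Z", "host": "web-01", "type": "auth", "outcome": "failure", "src": "198.51.100.4", "user": "deploy"}
{"ts": "2024-05-01T10:00:30Z", "host": "web-01", "type": "auth", "outcome": "failure", "src": "203.0.113.7", "user": "admin"}
{"ts": "2024-05-01T10:00:40Z", "host": "web-01", "type": "auth", "outcome": "failure", "src": "203.0.113.7", "user": "svc-backup"}
{"ts": "2024-05-01T10:01:00Z", "host": "web-01", "type": "auth", "outcome": "success", "src": "203.0.113.7", "user": "svc-backup"}
{"ts": "2024-05-01T10:02:10Z", "host": "web-01", "type": "fim", "path": "/var/log/nginx/access.log", "change": "modified"}
{"ts": "2024-05-01T10:03:00Z", "host": "web-01", "type": "fim", "path": "/etc/ssh/sshd_config", "change": "modified"}
{"ts": "2024-05-01T10:05:00Z", "host": "internal-02", "type": "policy", "check": "ssh-permit-root-login", "status": "fail", "detail": "PermitRootLogin yes"}
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for rule, host, detail in correlate(SAMPLE_LINES):
        print(f"[{rule}] {host}: {detail}")
```

Over the constructed events the rules fire four times, in order: the fifth failure from 203.0.113.7 trips the brute-force rule, the subsequent success from the same source is flagged, the change to sshd_config two minutes later is escalated because it follows that login, and the benchmark failure on internal-02 is reported as a configuration deviation. The two failures from 198.51.100.4 and the change to the nginx access log produce nothing, which is the point of correlating rather than alerting on every event.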

Continuous Security Awareness

Continuous security awareness and response rely on consuming common vulnerabilities and exposures (CVE) advisories along with threat intelligence sources. By tracking disclosed bugs, patches, attack techniques, and high-risk categories like the OWASP Top 10, we maintain an up-to-date inventory of vectors requiring vigilance.

As new CVEs emerge, our vulnerability management program kicks off impact analysis followed by updates across assets. Expediting remediation coverage proactively fortifies our posture against both known and derivative zero-day exploits before threat actors weaponize them in the wild. Tight integration from threat monitoring to issue tracking to incident response procedures allows prompt translation of raw risk data into actionable prevention.
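The impact-analysis step is the part of this program that is easiest to automate: match each advisory's affected version range against what is actually installed on each asset, then order the results so that the Internet-facing tier is patched first. The following added example (not Thru's vulnerability-management tooling) does exactly that over a constructed inventory; the advisory ids are placeholders rather than real CVE numbers, and the hosts, package versions, CVSS scores and tier weighting are assumptions made for illustration.

```python
"""Impact analysis of vulnerability advisories against an asset inventory.

Added example, not Thru's vulnerability-management tooling. The advisory ids
are placeholders (not real CVE numbers); hosts, package versions, CVSS scores
and the per-tier exposure weighting are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE number
    package: str
    introduced: str     # first affected version
    fixed_in: str       # first version that carries the fix
    cvss: float


@dataclass(frozen=True)
class Asset:
    host: str
    tier: str           # "web" tiers face the Internet and are remediated first
    packages: dict      # package name -> installed version


# Assumed weighting: the same CVSS score matters more on an Internet-facing host.
EXPOSURE_WEIGHT = {"web": 1.5, "dmz": 1.25, "internal": 1.0}


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, advisory):
    """True when introduced <= installed < fixed_in."""
    current = parse_version(installed)
    return parse_version(advisory.introduced) <= current < parse_version(advisory.fixed_in)


def impact_analysis(assets, advisories):
    """Return every affected (host, package) pair, highest remediation priority first."""
    findings = []
    for advisory in advisories:
        for asset in assets:
            installed = asset.packages.get(advisory.package)
            if installed is None or not is_affected(installed, advisory):
                continue
            findings.append({
                "advisory": advisory.advisory_id, "host": asset.host, "package": advisory.package,
                "installed": installed, "fixed_in": advisory.fixed_in,
                "priority": advisory.cvss * EXPOSURE_WEIGHT.get(asset.tier, 1.0),
            })
    return sorted(findings, key=lambda f: (-f["priority"], f["host"], f["package"]))


# Constructed inventory and advisories.
ASSETS = [
    Asset("web-01", "web", {"haproxy": "2.6.1", "openssh": "9.2"}),
    Asset("internal-01", "internal", {"haproxy": "2.6.1", "openssl": "3.0.1"}),
    Asset("dmz-01", "dmz", {"openssh": "9.6"}),
]
ADVISORIES = [
    Advisory("ADV-0001", "haproxy", introduced="2.6.0", fixed_in="2.6.5", cvss=7.5),
    Advisory("ADV-0002", "openssh", introduced="8.5", fixed_in="9.5", cvss=8.1),
    Advisory("ADV-0003", "openssl", introduced="3.0.0", fixed_in="3.0.8", cvss=5.3),
]

if __name__ == "__main__":
    for finding in impact_analysis(ASSETS, ADVISORIES):
        print(f"{finding['priority']:5.2f}  {finding['advisory']}  {finding['host']}  "
              f"{finding['package']} {finding['installed']} -> {finding['fixed_in']}")
```

With the constructed data the two findings on web-01 come out on top because of the tier weighting, internal-01 follows, and dmz-01 is absent because its OpenSSH build is already at or beyond the fixed version. The output is the work list that feeds issue tracking; the ordering is what turns a raw advisory feed into a remediation sequence.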

To request Thru's detailed proprietary architecture documentation protected under NDA, please contact sales to initialize the confidential disclosure process and gain access to additional technical specifics.


Thru Application Portfolio

The Thru Managed File Transfer platform comprises two core applications for automated and ad-hoc file operations:

Automated File Transfer (AFT)

AFT enables scheduled or event-driven file transfers across the extended enterprise. Acting as an integration layer, AFT connects source and target endpoints for continuous, automated workloads.

File Sharing Application (FS)

The File Sharing app allows ad-hoc, user-initiated file transfers into and out of the organization.

(Figure: Thru cloud architecture diagram)

Thru Cloud Network Integration

Enabling Secure Connectivity

Thru environments are deployed globally across Azure regions. Platform network access is restricted to the following encrypted protocols for transport security: SFTP, FTPS and HTTPS. In addition, Thru supports private links between an Azure Virtual Private Cloud (VPC) and Thru.

SFTP/FTPS Support

The Thru service supports both active and passive modes for SFTP and FTPS client connections, providing flexibility for diverse network connectivity patterns (i.e., Thru acting as either client or server).

HTTPS Connectivity

HTTPS encrypts all Thru control and data channels via TLS.

Data Channels

Web UI and API-based file uploads to Thru use HTTPS connections where the platform acts as a server, securing upload transport.

Control Channels

The Thru REST API and admin console leverage HTTPS passive connections to obtain metadata or submit configuration requests. As the server endpoint, the Thru app handles and responds to inbound control queries over TLS.

By leveraging industry-standard encrypted protocols like FTPS, SFTP and HTTPS, Thru enables securing sensitive data flows and access controls across complex network architectures.

For source or target endpoints within an Azure Virtual Private Cloud (VPC), connectivity to Thru can be established using Azure Private Link. With both Thru and the Azure VPC hosted on the same Azure network, file transfers occur over the high-speed, low-latency Azure backbone, avoiding public internet exposure.

(Figure: Azure Private Link diagram)
