Multitenant Isolation


Zipup Cloud allows multiple applications to share the same infrastructure (e.g., Postgres, Valkey). This makes tenant isolation necessary. In Zipup’s shared responsibility model, defining and enforcing that isolation is left to the user, ensuring flexibility for use cases where platform-imposed restrictions might otherwise be limiting.

Isolation is achieved by creating separate credentials per app, scoped to only what that app needs.


🧠 How It Works

There are two ways services are accessed:

1. From your local machine (via WireGuard)

All services are exposed on the private network:

  • Postgres → 10.13.13.1:5432
  • Valkey → 10.13.13.1:6379

2. From apps inside Zipup Cloud

Apps use internal service names:

  • Postgres → postgres:5432
  • Valkey → redis:6379

👥 Typical Workflow

  1. Admin creates isolated credentials
  2. Shares them with a team/app owner
  3. App connects using internal service name

🐘 PostgreSQL Isolation

Each app gets:

  • Its own database
  • Its own user

Step 1: Connect via WireGuard

psql -h 10.13.13.1 -U zipup -p 5432

The password is zipup.

Step 2: Set Up Database and Application User

Create a dedicated database and a least-privileged user for your application. This ensures your app only has access to what it needs, reducing the risk of accidental or malicious data access.

-- Create the application user
CREATE USER blog_app_user WITH PASSWORD 'strong_password';

-- Create database for the blog application
CREATE DATABASE blog_db;

-- Remove all default access to the database from all users
REVOKE ALL ON DATABASE blog_db FROM PUBLIC;

-- Allow only the app user to connect to the database
GRANT CONNECT ON DATABASE blog_db TO blog_app_user;

-- Connect to the newly created database (psql meta-command)
\c blog_db

-- Remove all default access to the public schema
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Allow app user to use and create objects in public schema
GRANT USAGE, CREATE ON SCHEMA public TO blog_app_user;

-- Give the app user full access to tables that the current role (zipup)
-- creates in the public schema from now on
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO blog_app_user;

Connection Details

From an app inside Zipup Cloud:

DATABASE_URL=postgres://blog_app_user:strong_password@postgres:5432/blog_db

Valkey (Redis) Isolation

Valkey uses ACLs (Access Control Lists) for isolation.

Each app gets:

  • Its own user
  • Access limited to specific key prefixes

Info: redis-cli should be installed on your system.

Step 1: Connect via WireGuard

redis-cli -h 10.13.13.1 -p 6379

Step 2: Create an Isolated User

  • Replace app1_user with your username, strongpassword with your password, and app1 with your key prefix.

ACL SETUSER app1_user on >strongpassword ~app1:* +@all

  • This means app1 can only access keys starting with app1:

Step 3: Use Scoped Keys in Your App

await redis.set("app1:user:123", "data");

Connection Details

REDIS_URL=redis://app1_user:strongpassword@redis:6379
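
The following is an added example, not part of the Zipup documentation: a small Python audit for ACL rule lines like the one in Step 2. It goes a little beyond the page by also flagging that a ~prefix pattern only constrains commands that take keys, so +@all without -@dangerous leaves keyless commands such as FLUSHALL and CONFIG available to the tenant. The function name audit_acl and the sample lines are constructed for illustration.

```python
# Constructed sample rules, not output from a real server.
SAMPLES = [
    "ACL SETUSER app1_user on >strongpassword ~app1:* +@all",
    "ACL SETUSER app1_user on >strongpassword ~app1:* +@all -@dangerous",
    "user default on nopass ~* &* +@all",
]

def audit_acl(line):
    """Findings for one ACL SETUSER / ACL LIST line (selectors and %R~ patterns not handled)."""
    tokens = line.split()
    if tokens and tokens[0].lower() == "acl":     # ACL SETUSER <name> <rules>
        tokens = tokens[2:]
    elif tokens and tokens[0].lower() == "user":  # user <name> <rules>
        tokens = tokens[1:]
    if not tokens:
        return ["empty rule"]
    user, rules = tokens[0], tokens[1:]
    all_cmds, removed = False, set()  # command rules apply left to right
    keys, channels, findings = [], [], []
    for r in rules:
        low = r.lower()
        if low in ("+@all", "allcommands"):
            all_cmds, removed = True, set()
        elif low in ("-@all", "nocommands"):
            all_cmds, removed = False, set()
        elif low.startswith("-@"):
            removed.add(low[2:])
        elif low.startswith("+@"):
            removed.discard(low[2:])
        elif low == "allkeys" or r.startswith("~"):
            keys.append("*" if low == "allkeys" else r[1:])
        elif low == "resetkeys":
            keys = []
        elif low == "allchannels" or r.startswith("&"):
            channels.append("*" if low == "allchannels" else r[1:])
        elif low == "resetchannels":
            channels = []
        elif low == "nopass":
            findings.append(f"{user}: nopass, any password is accepted")
    if "*" in keys:
        findings.append(f"{user}: key pattern * spans every tenant's keys")
    if "*" in channels:
        findings.append(f"{user}: channel pattern * spans every tenant's channels")
    if all_cmds and "dangerous" not in removed:
        findings.append(f"{user}: +@all without -@dangerous (FLUSHALL, CONFIG stay allowed)")
    return findings

if __name__ == "__main__":
    print(*(f"{s}\n  -> {audit_acl(s) or 'ok'}" for s in SAMPLES), sep="\n")
```

Run it against the output of ACL LIST, one line per call, to review every tenant user at once.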