The Reference section provides detailed documentation for all Control Plane resources. Each resource type has specific properties, permissions, and relationships that enable you to build secure, scalable applications across multiple cloud providers.

Resource Hierarchy

Control Plane uses a hierarchical structure where resources are scoped to provide isolation and governance:
Org (Organization)
├── Principals: Users, Groups, Service Accounts
├── Governance: Policies, Quotas
├── Infrastructure: Cloud Accounts, Agents, Locations
├── Assets: Secrets, Images, Domains
└── GVC (Global Virtual Cloud)
    ├── Workloads
    ├── Identities
    └── Volume Sets

Organization

Org

Isolated environment and top-level container for all resources. Configure external logging, threat detection, tracing, and organization-wide settings.

Access Control

Resources that control who can access what within your organization.

Policy

Grant permissions to principals (users, groups, service accounts, identities) for resources in your organization.

Group

Collections of users and service accounts. Supports dynamic membership via tag-based queries.

User

Organization members who access Control Plane via the Console, CLI, API, Terraform, or Pulumi.

Service Account

Programmatic access for CI/CD pipelines, automation, and API integrations.

Quota

Resource limits for your organization including agents, domains, and workloads.

Compute & Storage

Core resources for running and managing your applications.

GVC

Global Virtual Cloud - container for workloads deployed across multiple cloud locations with shared configuration.

Workload

Your applications running as standard, stateful, cron, or serverless deployments with autoscaling and load balancing.

Location

Geographic regions across AWS, GCP, and Azure where your workloads can be deployed.

Volume Set

Persistent storage for workloads with snapshots, autoscaling, and encryption.

Networking & Domains

Resources for routing traffic and connecting your services.

Domain

Custom domain mapping with TLS certificates, CORS configuration, and path-based routing to workloads.

IP Set

Reserve static public IPs per location for DNS configuration and firewall rules.

Agent

Secure tunneling to private networks, on-premises systems, and cloud VPCs without exposing them to the internet.

Cloud Integration

Resources that connect Control Plane to your cloud providers and private networks.

Cloud Account

Bridge to AWS, GCP, Azure, or NATS for identity-based access to cloud services.

Identity

Credential-free access to cloud resources and private networks via workload identity federation with AWS, GCP, Azure, and NGS.

Secrets, Images & Audit

Resources for managing credentials, container images, and audit trails.

Secret

Encrypted storage for credentials including AWS keys, Docker registries, TLS certificates, and more.

Image

Container images in Control Plane’s private registry or references to external registries.

Audit Context

Tamper-proof audit trails for Control Plane actions and custom external events from your workloads.

Workload Configuration

The Workload resource has extensive configuration options documented across multiple pages:

General

Endpoints, environment variables, and debug mode

Types

Standard, stateful, cron, and serverless workloads

Containers

Image references, ports, CPU, memory, and GPU

Autoscaling

Metric-based scaling, scale-to-zero, and KEDA event-driven scaling

Capacity

Capacity AI and resource optimization

Load Balancing

Direct load balancer and IP Sets

Firewall

Ingress and egress rules

Security

mTLS and external authorization

JWT Auth

Token-based authentication

Volumes

Mount secrets, cloud storage, and volume sets

Custom Metrics

Prometheus-based metrics for advanced scaling

Termination

Grace periods and shutdown behavior

Key Concepts

Control Plane uses a role-based access control model where Policies grant specific permissions to Principals (users, groups, service accounts, identities) for target resources. Permissions follow hierarchical “implies” relationships - for example, manage implies create, delete, and edit.

A single GVC can deploy workloads across multiple Locations spanning AWS, GCP, and Azure regions simultaneously. Traffic is automatically routed to the nearest healthy instance.

Identities provide credential-free access to cloud resources and private networks. Instead of embedding secrets in your code, workloads assume cloud-native identities (AWS IAM roles, GCP service accounts, Azure managed identities) at runtime.

Agents create secure tunnels to private networks without exposing them to the internet. Combined with Identities, workloads can access databases, APIs, and services in your VPCs.