Deployment
The same IIOS build runs in our managed cloud, in a dedicated VPC, or fully on-premises — including air-gapped facilities. Topology is configuration; applications and the control plane are identical everywhere.
Deployment topologies
Every topology ships the same runtime, control plane, and knowledge graph. What changes is where data lives and who operates it. This lets you start in the managed cloud and graduate to a sovereign installation without re-architecting.
| Topology | Operated by | Data residency | Typical use |
|---|---|---|---|
| Managed cloud | IndustrialGraph | Regional, multi-tenant | Fast start, pilots |
| Dedicated / VPC | IndustrialGraph in your account | In your VPC | Enterprise production |
| On-prem / air-gapped | Your team | Never leaves site | Regulated / classified |
Installation
Installations are declarative. A single values file describes topology, sovereignty boundary, storage, and key management; the installer reconciles the cluster to match.
# values.yaml — a dedicated / VPC installation
iios:
topology: dedicated # managed | dedicated | on-prem
region: us-east-1
sovereignty:
boundary: acme-vpc # data residency + isolation domain
egress: deny-all # explicit allowlist below
allowEgress:
- identity.acme.internal
knowledgeGraph:
storage: in-vpc # never leaves the customer network
replicas: 3
controlPlane:
audit: immutable # append-only ledger
keyManagement: customer # BYOK / HSMUpgrades & release management
Releases are version-pinned and reversible. Graph migrations are planned as a dry-run first, then applied with a canary strategy that halts and rolls back automatically on policy drift.
# Zero-downtime, version-pinned rollout
iiosctl release plan --to 2025.3 # dry-run: shows graph migrations
iiosctl release apply --to 2025.3 \
--strategy canary --canary 10% \
--pause-on-error # halts + rolls back on policy driftOperational patterns
Start managed, grow sovereign
Prove value in the managed cloud, then lift the same workload into a VPC or on-prem boundary with a config change — not a rewrite.
Air-gapped by design
On-prem installs run with deny-all egress and a local root of trust, so classified environments stay fully disconnected.
Immutable audit everywhere
The append-only audit ledger is part of every topology, so compliance evidence is identical regardless of where you run.
Canary + auto-rollback
Progressive rollouts with automatic rollback keep upgrades safe even for stateful graph migrations.
