Architecture Overview

flowchart BT
  subgraph site["Customer site"]
    direction LR
    subgraph v1["VLAN A"]
      direction TB
      LAN1["Hosts & traffic"]
      E1["Monozu edge"]
      E1 -->|asset discovery| LAN1
      LAN1 -.->|traffic analysis| E1
    end
    subgraph v2["VLAN B"]
      direction TB
      LAN2["Hosts & traffic"]
      E2["Monozu edge"]
      E2 -->|asset discovery| LAN2
      LAN2 -.->|traffic analysis| E2
    end
    subgraph v3["VLAN …"]
      direction TB
      LAN3["Hosts & traffic"]
      E3["Monozu edge"]
      E3 -->|asset discovery| LAN3
      LAN3 -.->|traffic analysis| E3
    end
  end

  subgraph cloud["Monozu Cloud"]
    direction LR
    BE["cloud.monozu.io"]
    IG["ingest.cloud.monozu.io"]
    VPN["VPN Hub"]
  end

  E1 & E2 & E3 -->|control, config, remote commands| BE
  E1 & E2 & E3 -->|logs, alerts, telemetry, discovery| IG
  E1 & E2 & E3 -->|WireGuard tunnel| VPN
  BE -.->|policies, session metadata| VPN

On the customer site, Monozu typically installs one edge appliance per VLAN (or per isolated segment). Each unit performs asset discovery and optional traffic analysis on its VLAN. Appliances do not accept inbound connections from the internet.

In Monozu Cloud, three components handle different responsibilities:

  • cloud.monozu.io — control plane: device registration, configuration, remote commands, and VPN policy.
  • ingest.cloud.monozu.io — telemetry and discovery ingestion: receives logs, alerts, metrics, and asset data sent by the edge and saves them to the database.
  • VPN Hub — WireGuard endpoint for remote user access to assets behind the edge. The control plane stores policies and session metadata; the edge maintains an outbound tunnel to the Hub.

Every connection from the edge appliance to the cloud is initiated outbound from the customer site, as are connections from user browsers to the cloud. No inbound ports need to be opened at the customer firewall for the appliance.
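One way to check the outbound-only model against firewall flow records, as an added example that is not Monozu's own code. The CSV layout, zone labels, IP addresses and the VPN Hub hostname are assumptions (the page names only cloud.monozu.io and ingest.cloud.monozu.io), and the sample flows are constructed.

```python
import csv
import io

# Cloud components named on this page. The VPN Hub hostname is not given
# there, so an obviously fake placeholder stands in for it (assumption).
ALLOWED_DESTS = {
    "cloud.monozu.io",
    "ingest.cloud.monozu.io",
    "vpn-hub.placeholder.invalid",
}

# Constructed sample in a hypothetical firewall flow-export format.
SAMPLE_FLOWS = """\
initiator,initiator_zone,responder,responder_zone,responder_name
10.10.1.5,lan,203.0.113.10,wan,cloud.monozu.io
10.10.1.5,lan,203.0.113.11,wan,ingest.cloud.monozu.io
10.10.2.5,lan,203.0.113.12,wan,vpn-hub.placeholder.invalid
10.10.1.5,lan,10.10.1.40,lan,
198.51.100.7,wan,10.10.1.5,lan,
10.10.2.5,lan,192.0.2.99,wan,updates.unknown.example
"""


def audit_edge_flows(flow_csv, edge_ips, allowed=ALLOWED_DESTS):
    """Return (finding, initiator, peer) tuples for flows that break the model."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["initiator"], row["responder"]
        if dst in edge_ips and row["initiator_zone"] == "wan":
            # A WAN host opened a connection to an edge appliance:
            # contradicts "appliances do not accept inbound connections".
            findings.append(("inbound-to-edge", src, dst))
        elif src in edge_ips and row["responder_zone"] == "wan":
            # Edge-initiated WAN traffic should reach only the cloud components.
            name = row["responder_name"].strip().lower().rstrip(".")
            if name not in allowed:
                findings.append(("unexpected-egress", src, name or dst))
        # LAN-to-LAN flows (asset discovery on the VLAN) are not judged here.
    return findings


if __name__ == "__main__":
    for finding in audit_edge_flows(SAMPLE_FLOWS, {"10.10.1.5", "10.10.2.5"}):
        print(finding)
```

Replace the placeholder and the allowlist with the hostnames listed in Network & Connectivity before running it on real exports.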

For hostnames, ports, protocols, and proxy guidance, see Network & Connectivity.

Each organization (tenant) has its own data in Monozu Cloud. Users only access records belonging to their tenant. Tenant administrators cannot view other customers’ data.