Get started demo

Let’s build a simple example together. We will create an encrypted Ockam Portal from a psql microservice in Azure to a Postgres database in AWS.

When you get done with this page you will understand

  1. the basic building blocks of Ockam,

  2. the first steps you should take in your architecture, and

  3. how to build an end-to-end encrypted portal between two private services.

Create an Orchestrator Project

Sign up for Ockam and pick a subscription plan through the guided workflow on Ockam.io. After you complete this step you will have a Project in Ockam Orchestrator. A Project offers two services: a Membership Authority and a Relay service. More on both of those later.

Set up Command on your local dev machine

Run the following commands to install Ockam Command on your dev machine.

curl --proto '=https' --tlsv1.2 -sSfL https://install.command.ockam.io | bash
source "$HOME/.ockam/env"

ockam enroll

The `enroll` command does a lot! All at once it...

  1. creates an Ockam Node on your machine. Under the hood, this generates a private key as your local Node’s cryptographic Identifier and creates a local Identity and a Vault to store keys.

  2. guides you to sign in to your new Ockam Orchestrator Project.

  3. makes you the administrator of your Project. It asks your Project’s Membership Authority to issue and sign a membership Credential for this Node.

  4. creates a Secure Channel between your local Ockam Node and your Project in Orchestrator.

Congrats! Your dev machine Node has a secure, encrypted Ockam Portal connection to your Project Node inside of Ockam Orchestrator over a Secure Channel!

Install Ockam Command and create an Ockam Node in AWS

curl --proto '=https' --tlsv1.2 -sSfL https://install.command.ockam.io | bash
source "$HOME/.ockam/env"

ockam enroll

The process is repeated in AWS through the same set of commands.

You now have an Ockam Node running in your VPC. As before, this Node will have

  1. a set of private key Identifiers, stored in a local Vault

  2. a Membership Credential that will allow this Ockam Node to join your Project in Orchestrator.

Create a Portal Outlet in this Ockam Node

ockam tcp-outlet create --to 5432

An Outlet is created in the Ockam Node and a raw TCP connection is created to the postgres server on localhost port 5432.

Create a Secure Channel to Orchestrator, and create a Relay in your Project

ockam relay create postgres

This command

  1. initiates an outgoing tcp connection from the Ockam Node in AWS to your Project in Ockam Orchestrator, and creates a Secure Channel over that tcp connection.

  2. creates a Relay in your Project at the address: postgres

Notice that we didn’t have to change anything in the AWS network settings. It’s possible because Bank Corp’s network (the AWS VPC) allows outgoing tcp connections to the Internet. We use this outgoing connection to create the Secure Channel.

Create an Ockam Node in Azure

curl --proto '=https' --tlsv1.2 -sSfL https://install.command.ockam.io | bash
source "$HOME/.ockam/env"

ockam enroll

Create a Portal Inlet in this Node in Azure

ockam tcp-inlet create --from 15432 --via postgres

This command

  1. creates a tcp Portal Inlet.

  2. creates a tcp listener on localhost port 15432.

  3. creates an outgoing tcp connection to your Project, and a Secure Channel to your Project over this tcp connection.

  4. creates an end-to-end Secure Channel from the Inlet to the Outlet in Bank Corp’s VPC via the Relay in your Project at address: postgres

Congrats! The psql microservice at Analysis Corp and the Postgres database at Bank Corp are connected with an Ockam Portal.
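The Inlet is described above as a listener on localhost port 15432. The plaintext side of a Portal is whatever can reach that listener, so a practitioner will want to confirm that the Inlet's socket is bound to loopback only and not to a wildcard or interface address. The following is an added example, not code from the Ockam docs or the Ockam project: it parses the output of the Linux `ss -ltn` command (a constructed sample is embedded so it runs offline) and reports any address other than loopback on which the Inlet port is listening. The port number 15432 comes from the page; the assumption that the Inlet binds to loopback is taken from the text, and the sample output rows are constructed.

```python
"""Check that a Portal Inlet's TCP listener is reachable only from this host.

Added example (not part of the Ockam documentation). It understands the
row layout printed by `ss -ltn` on Linux and flags listeners on the given
port whose bind address is not a loopback address.
"""
import ipaddress
import subprocess

# Constructed sample in the layout of `ss -ltn`. Rows 1 and 2 are what a
# loopback-only Inlet on 15432 should look like; rows 4 and 5 are deliberately
# exposed listeners so the check has something to report.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       4096     127.0.0.1:15432       0.0.0.0:*
LISTEN  0       4096     [::1]:15432           [::]:*
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*
LISTEN  0       128      0.0.0.0:15432         0.0.0.0:*
LISTEN  0       128      *:15433               *:*
"""

INLET_PORT = 15432  # the --from port used on this page


def parse_listeners(ss_text):
    """Return (address, port) pairs for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a state we do not care about
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # unparseable local address column
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback_only(addr):
    """True when a bind address is reachable only from the local host."""
    if addr in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # anything we cannot parse is treated as exposed


def exposed_listeners(listeners, port):
    """Addresses on which `port` is listening beyond loopback."""
    return [addr for addr, p in listeners if p == port and not is_loopback_only(addr)]


def check_inlet_port(port, ss_text=None):
    """Run the check against live `ss -ltn` output, or against `ss_text`."""
    if ss_text is None:
        ss_text = subprocess.run(
            ["ss", "-ltn"], capture_output=True, text=True, check=True
        ).stdout
    return exposed_listeners(parse_listeners(ss_text), port)


if __name__ == "__main__":
    # Pass ss_text=None to inspect the machine this runs on instead.
    exposed = check_inlet_port(INLET_PORT, SAMPLE_SS_OUTPUT)
    if exposed:
        print(f"port {INLET_PORT} is listening beyond loopback on: {exposed}")
    else:
        print(f"port {INLET_PORT} is bound to loopback only")
```

On a host where the Inlet is the only listener on 15432 the function returns an empty list; in the constructed sample it returns `['0.0.0.0']`, the extra wildcard bind. Run it with `ss_text=None` on the Azure machine after `ockam tcp-inlet create` to check the real socket table.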

Local Query

psql --host localhost --port 15432

The psql service now has an end-to-end encrypted, mutually authenticated, secure channel connection with the postgres database on localhost:15432.

All of the data-in-motion is end-to-end encrypted with strong forward secrecy as it moves through the Internet. The communication channel is mutually authenticated and authorized. Keys and Credentials are automatically rotated. Access to connect with postgres can be easily revoked.

This is just one simple example. Ockam’s stack of protocols work together to ensure security, privacy, and trust in data. They can be combined and composed in all sorts of ways.

There’s so much more….

In the next section we will dive into all sorts of ways to build portals across different infrastructures, networks, and applications.

The Trick behind Ockam's Magic, by our Founders