Driving Reliability and Performance Through Containerized DevOps Solutions

Air-Gapped Infrastructure Case Study

Industry: Defense, Aerospace, National Security
Solution: Defense, Aerospace, National Security
Partner: Secure On-Premises Data Center (Classified Environment)

The Client

The client is a critical branch of Pakistan’s armed forces that is responsible for supporting strategic defense operations. It conducts operations, personnel training, and both defensive and humanitarian missions across the country.

Renowned for operational discipline, tactical precision, and technical excellence, the client continuously modernizes its technological capabilities to address evolving security challenges.

That is why they contacted DPL to create a highly secure, air-gapped infrastructure that can host mission-critical applications and operational systems in a completely isolated environment, with zero external network connectivity. The solution needed to support containerized microservices, automated CI/CD pipelines, and DevOps practices while meeting stringent defense-grade security requirements and operating entirely offline within classified data centers.

Business Requirements & Challenges

As a defense organization with critical national security responsibilities, the client partnered with DPL to architect and deploy a secure, air-gapped containerized infrastructure. Key business challenges included:

1. Air-Gapped Kubernetes Cluster for Classified Operations
Defense applications handling classified information required complete network isolation with zero external connectivity. The infrastructure needed a fully air-gapped Kubernetes cluster that could orchestrate containerized workloads, manage service discovery, handle load balancing, and provide high availability, all without any connection to the public internet or external networks. This required local container registries, offline Kubernetes distributions, and self-contained tooling.

2. Offline CI/CD Pipelines with GitLab On-Premises
Development teams needed automated build, test, and deployment capabilities despite the air-gapped environment. The solution required a fully self-contained GitLab instance running on-premises with GitLab CI/CD pipelines, runners, and container registry. All of these had to operate without external dependencies. The CI/CD infrastructure needed to support automated testing, security scanning, artifact management, and progressive delivery while maintaining complete isolation.

3. Defense-Grade Security and Compliance
Military applications demanded defense-grade security controls exceeding commercial standards. The infrastructure required multi-layered security including network segmentation, zero-trust architecture, end-to-end encryption, certificate-based authentication, intrusion detection systems, and comprehensive audit logging. The platform needed to comply with defense security frameworks while supporting operational security (OPSEC) requirements for classified systems.

4. Container Orchestration and Microservices Architecture
Legacy monolithic applications needed modernization: they had to be decomposed into containerized microservices to improve scalability, maintainability, and deployment velocity. The architecture required a Kubernetes-native service mesh, distributed tracing, centralized logging, and monitoring, all implemented in an air-gapped manner. The solution needed to support blue-green deployments, canary releases, and automatic rollbacks without external dependencies.

5. Self-Contained Infrastructure Management
Operating in a classified environment required all infrastructure components, including Kubernetes distributions, container images, Helm charts, operating system packages, and security updates, to be available locally without external repository access. The platform needed air-gap-compatible package managers, local mirror repositories, and offline update mechanisms for maintaining currency with security patches while preserving network isolation.

Solution Overview

Business Impact and Considerations

Addressing these air-gapped infrastructure challenges was critical for this client’s operational security and mission readiness since:

  • Any external network connectivity may expose classified systems to cyber threats and espionage risks
  • Manual deployment processes can create security vulnerabilities and operational delays
  • A monolithic architecture may limit rapid feature delivery and system resilience
  • Without an air-gap-capable platform, modern DevOps practices cannot be adopted inside secure, isolated environments
  • Infrastructure complexity can prevent efficient scaling and service management

 

Air-Gapped Kubernetes Architecture

DPL designed and implemented a sophisticated air-gapped Kubernetes platform deployed entirely on-premises within PAF’s secure, classified data center. The solution leverages containerization, zero-trust security principles, and offline-capable DevOps automation to deliver modern cloud-native capabilities in a completely isolated environment.

 

1. Air-Gapped Kubernetes Cluster with Rancher

  • RKE2 (Rancher Kubernetes Engine 2) as the air-gap-capable Kubernetes distribution, installed from an offline image bundle or a private registry rather than from upstream registries
  • Multi-master high-availability cluster configuration with automated failover
  • Local container registry (Harbor) for hosting all application and system images
  • Kubernetes control plane secured with certificate-based authentication and RBAC
  • Network policies enforcing microsegmentation between namespaces and pods
  • Local Helm chart repository for application package management

 

2. GitLab On-Premises for Offline CI/CD

  • GitLab Enterprise Edition deployed on-premises with all CI/CD capabilities
  • GitLab Runners configured for Kubernetes executor enabling containerized builds
  • Integrated container registry for storing build artifacts and Docker images
  • Automated pipeline stages: build, test, security scan, deploy to Kubernetes
  • Environment-based deployment workflows (dev, staging, production)
  • Pipeline caching and artifact storage for faster build times
  • GitLab Pages for internal documentation and API references
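The pipeline below is an added example and not the client's pipeline. It shows the build, test, scan and deploy stages described above wired so that no job needs an outbound route: images are built with Kaniko inside the runner pod and pushed to the on-site Harbor, Trivy runs against a vulnerability database that was imported into the enclave by hand, and deployments use kubeconfig files stored as CI variables. The registry host, the tool image paths, the `run-tests.sh` entry point and the CI variable names are assumptions.

```yaml
# .gitlab-ci.yml (added example). Every image referenced here must already exist on Harbor.
variables:
  HARBOR: harbor.internal.example
  IMAGE: $HARBOR/mission-apps/$CI_PROJECT_NAME:$CI_COMMIT_SHORT_SHA
  SSL_CERT_FILE: /etc/ssl/certs/internal-ca.crt   # internal CA; the Go-based tools used below honour it
  TRIVY_CACHE_DIR: /trivy-cache                   # vulnerability DB imported by hand, never downloaded

stages: [build, test, scan, deploy]

build-image:
  stage: build
  image:
    name: $HARBOR/tools/kaniko-executor:debug      # daemonless build inside the runner pod
    entrypoint: [""]
  script:
    - mkdir -p /kaniko/.docker
    # HARBOR_AUTH is base64("<push-robot-account>:<secret>"), stored as a masked, protected CI variable
    - echo "{\"auths\":{\"$HARBOR\":{\"auth\":\"$HARBOR_AUTH\"}}}" > /kaniko/.docker/config.json
    - >
      /kaniko/executor --context "$CI_PROJECT_DIR"
      --dockerfile "$CI_PROJECT_DIR/Dockerfile"
      --destination "$IMAGE"
      --registry-certificate "$HARBOR=$SSL_CERT_FILE"

unit-tests:
  stage: test
  image: $IMAGE                      # test the exact artifact that will be deployed, not a rebuild
  script:
    - ./run-tests.sh                 # hypothetical project test entry point baked into the image

image-scan:
  stage: scan
  image:
    name: $HARBOR/tools/trivy:latest # tag as mirrored into Harbor (assumption)
    entrypoint: [""]
  variables:
    TRIVY_USERNAME: ci-pull          # read-only Harbor robot account
    TRIVY_PASSWORD: $HARBOR_PULL_SECRET
  script:
    # --skip-db-update: never contact GitHub for the DB; --offline-scan: no external lookups
    # for dependency metadata. Without both flags trivy fails inside the enclave instead of scanning.
    - >
      trivy image --skip-db-update --offline-scan
      --severity HIGH,CRITICAL --ignore-unfixed
      --exit-code 1 "$IMAGE"

.deploy:
  stage: deploy
  image:
    name: $HARBOR/tools/kubectl:1.28
    entrypoint: [""]
  script:
    - kubectl -n mission-apps set image "deployment/$CI_PROJECT_NAME" app="$IMAGE"
    - kubectl -n mission-apps rollout status "deployment/$CI_PROJECT_NAME" --timeout=180s

deploy-staging:
  extends: .deploy
  environment:
    name: staging
  variables:
    KUBECONFIG: $KUBECONFIG_STAGING  # CI variable of type "file"; the value is the path on disk
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

deploy-production:
  extends: .deploy
  environment:
    name: production
  variables:
    KUBECONFIG: $KUBECONFIG_PRODUCTION
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual
```

The scan job is what makes "security scanning" meaningful offline: the Trivy database has to be carried across the air gap on the same cadence as OS patches, and `--skip-db-update` should be paired with a check on the database's age, otherwise a stale database silently reports a clean image.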

 

3. Zero-Trust Security Architecture

  • Istio service mesh to provide mutual TLS (mTLS) for all service-to-service communication
  • Certificate-based authentication using internal Certificate Authority (Vault PKI)
  • Network-level isolation with VLANs, firewalls, and Kubernetes network policies
  • Container image scanning with Trivy for vulnerability detection, with the vulnerability database imported into the enclave manually since it cannot be fetched online
  • Pod Security Policies (PSP) and OPA Gatekeeper for enforcing security constraints (PSP was removed in Kubernetes 1.25; on current releases its role is taken by Pod Security Admission)
  • Secrets management with HashiCorp Vault integrated with Kubernetes
  • Falco runtime security monitoring for detecting anomalous container behavior
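The manifests below are an added example of the zero-trust layers listed above, not the client's configuration: mesh-wide STRICT mTLS, a namespace under the `restricted` Pod Security Admission profile (the successor to PSP), and a default-deny NetworkPolicy pair that opens only same-namespace traffic, the Istio control plane and cluster DNS. The namespace name mission-apps is an assumption; the port and namespace names for Istio and DNS are Istio and Kubernetes defaults.

```yaml
# Mesh-wide mTLS. A PeerAuthentication named "default" in the root namespace applies to every
# workload; STRICT makes sidecars reject plaintext, so a pod without a sidecar or a process on a
# compromised node cannot talk to a service directly.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Pod Security Admission replaces the removed PodSecurityPolicy API. "restricted" rejects
# privileged pods, host namespaces and added capabilities. Caveat: the classic istio-init
# container needs NET_ADMIN/NET_RAW and is rejected under "restricted"; install istio-cni instead.
apiVersion: v1
kind: Namespace
metadata:
  name: mission-apps
  labels:
    istio-injection: enabled
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
---
# Microsegmentation: deny all ingress and egress in the namespace, then allow only what is needed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: mission-apps
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-mesh-traffic
  namespace: mission-apps
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}                                  # other pods in this namespace
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system    # ingress gateway
        # add the monitoring namespace here if Prometheus scrapes the sidecars directly
  egress:
    - to:
        - podSelector: {}
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system    # sidecar -> istiod (xDS and workload certs)
      ports:
        - port: 15012
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system     # cluster DNS only
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```

The three controls fail in different places, which is the point of layering them: a plaintext client is refused by the sidecar, a privileged pod is refused by the API server, and a pod that tries to reach a namespace it has no business with is dropped by the CNI. Note that NetworkPolicy is enforced by the CNI plugin, so the RKE2 cluster must run one that implements it (the default Canal does).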

 

4. Containerized Microservices Platform

  • Microservices architecture for decomposing monolithic applications into containerized services
  • Service mesh (Istio) for providing traffic management, load balancing, and circuit breaking
  • Kubernetes Ingress controllers for routing traffic that enters the cluster from the isolated network and terminating TLS at the edge
  • Horizontal Pod Autoscaler (HPA) for automatically scaling based on CPU and memory metrics
  • StatefulSets for databases and persistent workloads with stable network identities
  • ConfigMaps and Secrets for environment-specific configuration management
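The two Istio objects below are an added example, not the client's configuration, of the canary releases and circuit breaking mentioned above: a DestinationRule that names the stable and canary versions of one Service and ejects unhealthy backends, and a VirtualService that sends 10% of requests to the canary. The service name mission-api, the namespace mission-apps and the version labels are assumptions.

```yaml
# Subsets give the mesh two named versions of one Service; the v2 Deployment is the canary.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: mission-api
  namespace: mission-apps
spec:
  host: mission-api.mission-apps.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        maxRequestsPerConnection: 10
    outlierDetection:             # circuit breaking: eject a backend after 5 consecutive 5xx
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
      maxEjectionPercent: 50      # never eject more than half the pool, even if all are failing
  subsets:
    - name: stable
      labels:
        version: v1
    - name: canary
      labels:
        version: v2
---
# Weighted routing: 10% of requests reach the canary. Promotion is a weight change (50/50,
# then 0/100); rollback is setting the canary weight back to 0. Neither touches the Deployments.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mission-api
  namespace: mission-apps
spec:
  hosts:
    - mission-api.mission-apps.svc.cluster.local
  http:
    - route:
        - destination:
            host: mission-api.mission-apps.svc.cluster.local
            subset: stable
          weight: 90
        - destination:
            host: mission-api.mission-apps.svc.cluster.local
            subset: canary
          weight: 10
      retries:
        attempts: 2
        perTryTimeout: 2s
        retryOn: 5xx,connect-failure   # a retry re-sends the request; keep this to idempotent routes
      timeout: 10s
```

Automatic rollback follows from the same objects: when the canary's error rate (visible in the sidecar metrics Prometheus already scrapes) crosses a threshold, the operator or a controller sets the canary weight to 0, and in-flight clients never see the change because the stable subset was serving 90% of traffic all along.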

 

5. Offline Observability Stack

  • Prometheus for metrics collection and alerting from Kubernetes and applications
  • Grafana dashboards to provide real-time visibility into cluster and application health
  • EFK Stack (Elasticsearch, Fluentd, Kibana) for centralized log aggregation
  • Jaeger for distributed tracing of requests across microservices
  • Kube-state-metrics and node-exporter to expose Kubernetes cluster metrics
  • AlertManager routing critical alerts to operations teams via internal channels
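The rules below are an added example, not the client's alerting configuration, of how the stack above fires on two of the signals it collects: container restarts from kube-state-metrics and Falco events exported as Prometheus counters. Both receivers sit on the isolated network, which is the only place an air-gapped Alertmanager can deliver to anyway. The namespace names, the `release` label, the receiver URLs and the Falco label set (as exposed by falco-exporter) are assumptions.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: mission-apps-alerts
  namespace: monitoring
  labels:
    release: kube-prometheus-stack     # must match the Prometheus operator's ruleSelector
spec:
  groups:
    - name: mission-apps.health
      rules:
        - alert: PodCrashLooping
          expr: increase(kube_pod_container_status_restarts_total{namespace="mission-apps"}[15m]) > 3
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: "{{ $labels.namespace }}/{{ $labels.pod }} restarted more than 3 times in 15m"
        - alert: FalcoCriticalEvent
          # falco-exporter exposes one counter per (rule, priority); page on any Critical/Emergency event
          expr: increase(falco_events{priority=~"Critical|Emergency"}[5m]) > 0
          for: 0m
          labels:
            severity: critical
          annotations:
            summary: "Falco {{ $labels.priority }}: {{ $labels.rule }} on {{ $labels.hostname }}"
---
# alertmanager.yaml (Alertmanager's own config; kube-prometheus-stack stores it in a Secret).
route:
  receiver: ops-chat
  group_by: [alertname, namespace]
  group_wait: 30s
  repeat_interval: 4h
  routes:
    - matchers: ['severity="critical"']
      receiver: ops-pager
      repeat_interval: 30m
receivers:
  - name: ops-chat
    webhook_configs:
      - url: https://chat.internal.example/hooks/ops-alerts    # on-site chat server
  - name: ops-pager
    webhook_configs:
      - url: https://pager.internal.example/api/v1/alerts     # on-site paging gateway
```

Routing Falco through Alertmanager rather than a separate channel keeps one on-call path for both availability and security events, and the `for: 0m` on the Falco rule means a single shell spawned in a container pages immediately rather than after a quiet period.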

 

6. Air-Gap Package Management and Updates

  • Local YUM/APT mirror repositories for OS packages and security updates
  • Harbor container registry with replication policies for multi-cluster sync
  • ChartMuseum for hosting Helm charts for application deployments
  • Nexus Repository Manager for Maven, NPM, and PyPI artifacts
  • Air-gap bundle management for Kubernetes version upgrades
  • Automated vulnerability scanning of all packages before deployment
Technology stack (logo strip): Container Orchestration; CI/CD; Service Mesh & Security; Registry & Artifacts; Monitoring & Logging; Operating System; Storage

Business Outcomes and Benefits

  • Network Isolation: Air-gapped (zero external connectivity)
  • Deployment Frequency: Multiple daily (from monthly)
  • Pipeline Execution Time: < 10 minutes (from hours)
  • Container Orchestration: 100+ microservices deployed
  • Cluster Availability: 99.95% (HA multi-master)
  • Security Incidents: Zero (defense-grade security)
  • Resource Efficiency: 60% improvement (containerization)
  • Mean Time to Recovery (MTTR): < 5 minutes (via auto-healing)

Innovation as a Service

DPL delivers end-to-end cloud and DevOps services, helping organizations modernize their infrastructure, automate deployment pipelines, and accelerate software delivery with greater reliability, speed, and efficiency.

  • 20+ Years: Delivering Innovation since 2003
  • 500+: Projects Completed
  • Top 1%: Sourcing the Best Talent
  • Up to $20M USD: Projects Delivering Capability

Let's work on something new
