# Isolation and Firewall

Isolation of the environment is the most basic principle in any infrastructure security implementation. Cloud providers allow many constructs to implement this isolation to varying degrees. For example, you can isolate two workloads in completely different cloud accounts, different VPCs within the same account, or different "security groups" within the same VPC. Then there are other constructs like IAM (AWS roles, Azure managed Identity, GCP service accounts) or Kubernetes namespaces, and so forth. But how do we bring together dozens of these security constructs and map them to an application-centric isolation model?

DuploCloud gathers these constructs together in a single application-centric model, shown in the figure below and described in more detail [here](https://docs.duplocloud.com/docs/automation-platform/security-and-compliance/broken-reference). To summarize, there are three layers of isolation:

* **Account Level**: This offers the deepest grade of separation. Because it is heavyweight, it also incurs the maximum overhead in maintenance and cost, as almost no construct can be reused across two environments.
* **VPC Level (a.k.a. *DuploCloud Infrastructure*)**: Within the same account, environments are segregated by virtual networks (VPC/VNet).
* **Security group and IAM (a.k.a. *DuploCloud Tenant*)**: Within the same account and the same VPC, we can isolate by using separate security groups, IAM roles (Managed Identity in Azure, Service accounts in GCP), encryption keys, etc. A DuploCloud Tenant is similar to an environment. Two Tenants can reside in the same VPC, in different VPCs, or in different VPCs across different accounts.

{% hint style="info" %}
**A Tenant is similar to a Kubernetes namespace with an extended cloud provider scope**. Most cloud resources directly consumed by applications reside within a Tenant, such as databases, queues, storage, VMs, etc. Some resources are shared, including but not limited to the VPC, VMs, encryption keys, and SSL certs. You can also create resources in one Tenant and allow other Tenants to consume those via [inter-tenant access policies](https://docs.duplocloud.com/docs/automation-platform/security-and-compliance/access-control-2/cross-tenant-access).
{% endhint %}

<figure><img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2FKTuHgPbC1B3azMgeKqzE%2Fduplocloud-customer-walkthroughs-diagram.png?alt=media&#x26;token=9a1e9896-5452-4a9d-bac0-0113dc6efdf5" alt=""><figcaption><p>DuploCloud Application-centric Deployment Model</p></figcaption></figure>
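The three layers above can be turned into a simple audit: given where each workload sits (account, VPC, security groups, IAM role), find the strongest layer separating any two workloads and flag Tenants that share a security group or role in the same VPC, since that collapses the Tenant boundary. This is an added example, not DuploCloud's code or API; the `Workload` field names and the inventory are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Isolation(IntEnum):
    """Strongest boundary between two workloads, weakest to strongest."""
    NONE = 0     # same account and VPC, sharing a security group or IAM role
    TENANT = 1   # same VPC, disjoint security groups and distinct IAM roles
    VPC = 2      # same account, different VPCs (DuploCloud Infrastructure)
    ACCOUNT = 3  # different cloud accounts

@dataclass(frozen=True)
class Workload:
    tenant: str            # field names are assumptions, not DuploCloud's API
    account: str
    vpc: str
    security_groups: frozenset
    iam_role: str

def isolation_between(a: Workload, b: Workload) -> Isolation:
    """Check the layers strongest-first; return the first one that separates a and b."""
    if a.account != b.account:
        return Isolation.ACCOUNT
    if a.vpc != b.vpc:
        return Isolation.VPC
    # Tenant isolation needs BOTH disjoint security groups and distinct roles;
    # reusing either across tenants collapses the boundary.
    if a.security_groups.isdisjoint(b.security_groups) and a.iam_role != b.iam_role:
        return Isolation.TENANT
    return Isolation.NONE

def tenant_boundary_violations(workloads):
    """Pairs from different tenants with no boundary, plus what they share."""
    findings = []
    for i, a in enumerate(workloads):
        for b in workloads[i + 1:]:
            if a.tenant != b.tenant and isolation_between(a, b) == Isolation.NONE:
                shared = sorted(a.security_groups & b.security_groups)
                if a.iam_role == b.iam_role:
                    shared.append("role:" + a.iam_role)
                findings.append((a.tenant, b.tenant, shared))
    return findings

# Constructed inventory: "dev" wrongly reuses prod's security group in the same VPC.
SAMPLE = [
    Workload("prod", "111111111111", "vpc-a", frozenset({"sg-prod"}), "role-prod"),
    Workload("staging", "111111111111", "vpc-a", frozenset({"sg-stg"}), "role-stg"),
    Workload("dev", "111111111111", "vpc-a", frozenset({"sg-prod", "sg-dev"}), "role-dev"),
    Workload("analytics", "222222222222", "vpc-b", frozenset({"sg-an"}), "role-an"),
]
```

Running `tenant_boundary_violations(SAMPLE)` reports only the prod/dev pair and the shared `sg-prod`; staging is properly Tenant-isolated and analytics is separated at the account level.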
