Platform.sh User Documentation

Project isolation

Upsun Beta

Access our newest offering - Upsun!

Get your free trial by clicking the link below.

Get your Upsun free trial

Platform.sh handles project isolation slightly differently based on which underlying architecture your project lives on.

On the Grid, a single host may run multiple projects from multiple customers. Customer environments are strictly isolated from each other using namespaces, seccomp, and cgroups.

Persistent data (uploaded files into mounts, database data, etc.) is stored on a region-wide storage layer. Data is stored redundantly and mounted into the environments on deployment.

All Dedicated Gen 2 and Dedicated Gen 3 clusters are single-tenant. They provide three hosts that are exclusively used by a single customer.

Each cluster is launched into its own isolated network (VPC on AWS, equivalent on other providers).

For all projects, regardless of the underlying architecture:

  • The network is behind a firewall for incoming connections. Only a few ports are opened to incoming traffic by default: ports 22, 80, and 443.

  • Outgoing TCP traffic is not blocked, with the exception of port 25.

  • Both incoming and outgoing UDP traffic is blocked.

Is this page helpful?