Altostrat Arc was engineered to solve the fundamental limitations of traditional RADIUS infrastructure: scalability, reliability, and security. We achieved this by embracing a fully distributed, cloud-native architecture built on Amazon Web Services (AWS). This is not simply RADIUS running on a virtual machine in the cloud. It’s a purpose-built, serverless, and containerized system designed from the ground up to handle authentication, authorization, and accounting at a global scale for millions of users. Our deep expertise in distributed systems allows us to provide a level of performance and resilience that is virtually impossible for a self-hosted solution to achieve.
Built on a Foundation of Trust: By leveraging best-in-class AWS services, Arc inherits a security and compliance posture that meets the stringent requirements of global enterprises, including certifications like SOC 2, ISO 27001, and PCI DSS.

High-Level System Design

The Arc platform is logically separated into three distinct planes, each optimized for its specific task: the Data Plane for handling real-time RADIUS traffic, the Control Plane for management and configuration, and the Analytics Plane for processing accounting data.

The Data Plane: A RADIUS Request’s Journey

The Data Plane is the heart of Arc, processing millions of authentication and accounting requests with double-digit millisecond latency. Here is the step-by-step journey of a single RADIUS packet.
1. Global Ingress & Low-Latency Routing

A Network Access Server (NAS) initiates a RadSec (RADIUS over TLS) connection to our global anycast endpoint. AWS Global Accelerator instantly directs this traffic over the AWS backbone to the nearest, healthiest Arc regional deployment (e.g., a NAS in Melbourne is routed to our Sydney region, not Ashburn).
This is superior to GeoDNS, as it eliminates DNS propagation delays and automatically fails over between regions in seconds, not minutes.
2. Secure TLS Termination & Offloading

The TLS-encrypted traffic arrives at a regional Network Load Balancer (NLB), which operates at Layer 4 for extreme performance. The NLB forwards the raw TCP connection to our custom, high-performance Go proxy running in an AWS ECS container. This proxy is responsible for:
  • TLS Offloading: Terminating the RadSec connection securely and efficiently.
  • Request Branching: Forwarding Access-Request packets to the RADIUS server tasks and asynchronously streaming Accounting-Request and post-auth data directly to the Analytics Plane via Kinesis.
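The Request Branching step, sketched as an added Go example (this is not Altostrat's proxy code): once TLS is terminated, RadSec is a plain byte stream, so each packet has to be framed by the Length field in its 20-byte header before its code can be inspected. The destination labels and function names are assumptions; the packet codes and the 20..4096 length bounds come from the RADIUS RFCs.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Hypothetical destination labels. Code 1 is Access-Request, 4 is Accounting-Request.
var dest = map[byte]string{1: "radius-core", 4: "accounting-stream"}

// readPacket frames one packet off the byte stream using the header's Length field.
func readPacket(r io.Reader) ([]byte, error) {
	hdr := make([]byte, 20) // code, identifier, length (2), authenticator (16)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, err
	}
	n := int(binary.BigEndian.Uint16(hdr[2:4]))
	if n < 20 || n > 4096 {
		return nil, fmt.Errorf("radius: length %d outside 20..4096", n)
	}
	pkt := append(hdr, make([]byte, n-20)...)
	_, err := io.ReadFull(r, pkt[20:])
	return pkt, err
}

// route returns each packet's destination ("" means dropped); io.EOF is a clean close.
func route(r io.Reader) (out []string, err error) {
	for {
		var pkt []byte
		if pkt, err = readPacket(r); err != nil {
			return out, err
		}
		out = append(out, dest[pkt[0]])
	}
}

// packet builds a constructed sample packet with a zeroed authenticator.
func packet(code byte, attrs []byte) []byte {
	p := append(make([]byte, 20), attrs...)
	p[0] = code
	binary.BigEndian.PutUint16(p[2:], uint16(len(p)))
	return p
}

func main() {
	fmt.Println(route(bytes.NewReader(append(packet(1, nil), packet(4, nil)...))))
}
```

Any error other than `io.EOF` (a truncated packet or an out-of-range Length) leaves the stream unframed, so the connection should be closed rather than resynchronised.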
3. Horizontally Scalable RADIUS Core

The RADIUS Server Task, also running on ECS, receives the request. This lightweight task’s sole job is to translate the RADIUS request into a secure REST API call to our internal, region-local API endpoint. The ECS cluster automatically scales the number of these tasks based on real-time traffic, ensuring limitless capacity.
4. Secure, Resilient Data Access

The internal API call is handled by AWS Lambda within a private VPC. All communication to the database occurs over AWS PrivateLink, meaning no data ever traverses the public internet.
User profiles, group policies, and NAS secrets are stored in Amazon DynamoDB Global Tables. This provides an active-active, multi-region database with near real-time replication. If our entire Ashburn region were to fail, the Sydney region would seamlessly take over using its own local, fully-replicated copy of the data.

The Control & Analytics Planes

While the Data Plane is built for raw speed, the Control and Analytics planes are designed for flexibility, security, and insight.
Your team and applications interact with Arc through our Management API. This standard REST API is built on a serverless stack using API Gateway and Lambda. This architecture provides:
  • Fine-grained Security: Robust authentication and authorization for all configuration changes.
  • Effortless Scalability: The serverless design scales automatically, whether you’re managing 10 users or 10 million.
  • Rich Integrations: Easily connect your existing provisioning, billing, or identity management systems to Arc.
All accounting and post-authentication events are streamed into Amazon Kinesis, a high-throughput data streaming service. From there, data is ingested into Amazon Timestream, a serverless time-series database. This architecture provides significant advantages over traditional logging:
  • Decoupled Processing: The RADIUS core’s only job is to authenticate. It fires off accounting data and immediately moves on, ensuring accounting load never impacts authentication performance.
  • Massively Parallel Ingestion: Kinesis can handle millions of records per second, ensuring no accounting data is ever dropped, even during peak load.
  • Powerful, Fast Queries: Timestream is purpose-built for analyzing time-series data, enabling complex queries over billions of events to return in seconds, powering our Insights API and your dashboards.

The Pillars of Altostrat Arc

Our architectural choices directly translate into the core benefits that make Arc the most reliable and performant RADIUS platform available.

Reliability & Resiliency

  • Multi-AZ & Multi-Region Deployments for automated failover.
  • DynamoDB Global Tables for active-active database replication.
  • Self-Healing Services like ECS and Lambda automatically replace unhealthy components.

Performance & Scalability

  • Global Accelerator for routing traffic to the lowest-latency endpoint.
  • Serverless & Containerized components that scale horizontally on demand.
  • Decoupled Analytics Pipeline ensures accounting never impacts authentication speed.

Security & Compliance

  • RadSec (TLS) everywhere for end-to-end encryption.
  • Isolated VPCs and PrivateLink ensure your data never touches the public internet.
  • AWS IAM Roles & Policies enforce the principle of least privilege for all internal services.
Why Altostrat Arc? Building, securing, and maintaining a globally distributed, highly available system like this is an immense undertaking requiring deep, specialized expertise in cloud architecture. Altostrat Arc isn’t just RADIUS in the cloud; it’s a fully-managed, battle-tested system that encapsulates years of engineering effort. We handle the complexity of global infrastructure so you can focus on what matters: serving your users.
