Secure-by-default distributed edge computing with Suborbital and Ockam

When looking at the next few years of cloud computing, several trends become apparent, but the concept of edge computing is one that sticks out time and time again. It really seems like the idea of “the edge” gets many people excited, but that the technology has not yet caught up to power it. Platforms such as Kubernetes have become the default when building in the so-called “centralized cloud”, but what does infrastructure, networking, compute, storage, and software architecture look like when built natively for a globally distributed edge network? Edge networks include some inherently hard problems such as global-scale orchestration of applications and security of the underlying compute and networking that powers them.

I met the folks from Ockam a few months ago, and even though they are working to tackle a vastly different piece of the cloud computing story, we immediately saw a parallel between our efforts: the cloud should be secure-by-default. Our work with WebAssembly-powered compute largely revolves around the ability to easily and automatically ensure the principles of least privilege are applied to the components of your cloud applications. Ockam’s work with end-to-end encryption ensures that the communication between those components has end-to-end data integrity and authenticity while remaining performant and easy to administer. We got excited at the idea of creating a marriage between these two ideas, and set out to create a sketch of what a future edge-native application could look like.

The project we’ve created serves as a reference design for the first generation of this secure-by-default global application architecture. As a quick introduction, we are taking advantage of three main building blocks for this reference design:

  • Ockam’s end-to-end encrypted and mutually authenticated Secure Channels
  • Sat, the tiny WebAssembly edge compute server
  • Atmo, the WebAssembly server application environment


The goal of this project is to allow a globally-distributed cluster of Sat instances (something we call a ‘constellation’), each running a WebAssembly serverless function, to handle requests received by Atmo, which is acting as a proxy to receive HTTP requests and coordinate the constellation. Normally this would be an incredibly difficult architecture to bootstrap and deploy, but when we take advantage of the unique properties of Ockam’s Secure Channels and Suborbital’s WebAssembly functions, we arrive at a simpler, more secure, and more performant application.

When this reference application is deployed, the Atmo proxy and an Ockam tcp outlet are installed on a traditional cloud instance with a public IPV4 address. The Sat constellation and Ockam tcp inlets are then deployed… anywhere you need them to be. While testing this design, we had Sat instances deployed on Raspberry Pis, Mac minis, and local development machines, and they were all able to discover and create encrypted connections with the Atmo proxy via Ockam. This allowed the constellation to handle HTTP requests sent to the public address without setting up complicated NAT traversal, certificate authorities, or service discovery systems.

The result is a highly distributed, flexible and scalable compute cluster that guarantees the privacy and security of your application. WebAssembly executes your code in a sandbox that dynamically grants access to resources like databases and caches. Atmo and Sat handle the sandbox, runtime, and scaling of serverless functions while Ockam’s Secure Channels maintains the security of the networking fabric that connects them. The future of globally distributed edge computing is looking pretty great to me.

Check out the reference design and let us know how you see Suborbital and Ockam fitting into your edge computing plans for 2022!