On this page

Tenant Isolation

Every project on Guara Cloud runs in a completely isolated environment. This means your services, data, and network traffic are fully separated from every other project on the platform — including other projects in your own account.

Network isolation

Services in one project cannot communicate with services in another project. Network traffic is strictly scoped to the project it belongs to.

This means:

  • A service in Project A cannot reach a service in Project B, even if both projects belong to the same account.
  • Inbound traffic from the internet is routed exclusively to the correct project and service.
  • There is no shared network layer between projects.

Resource isolation

Each project has its own resource quotas. One project’s workload cannot consume resources allocated to another project.

This provides noisy neighbor protection — if one project experiences a traffic spike or heavy processing, it will not degrade the performance of your other projects or anyone else’s.

ResourceIsolation level
CPUDedicated allocation per project
MemoryDedicated allocation per project
StorageScoped to the project, inaccessible outside
NetworkFully isolated per project

Data isolation

All project data is scoped and inaccessible from other projects:

  • Environment variables and secrets — stored and encrypted per project. One project’s secrets cannot be read by another.
  • Logs — each project’s logs are visible only to members of that project.
  • Metrics — performance and usage metrics are scoped to the project.
  • Storage volumes — persistent data is tied to the project and cannot be mounted elsewhere.

API access control

Every API request to Guara Cloud is scoped to a specific project. The platform enforces this through membership checks:

  • You must be a member of a project to perform any action on it.
  • API tokens and sessions are validated against your project membership on every request.
  • There is no way to access another project’s resources through the API, even if you know the project ID.

Team-based access

Projects are accessed through team membership:

  • Only users who have been explicitly invited to a project can see or manage it.
  • Project owners control who has access and what role each member has.
  • Removing a member immediately revokes their access to all project resources.

For more details on managing team access, see the Projects documentation.