Air-gapped networks—systems physically isolated from the internet—are common across defence, critical infrastructure, and sensitive government operations. They exist because some assets are valuable enough that network isolation is worth the operational cost.
Building software for these environments requires unlearning assumptions that are baked into modern development practices.
The Cloud-Native Problem
Modern software architecture assumes constant connectivity:
- Microservices communicating over networks
- Cloud-based authentication and authorisation
- Automated updates and patches
- Telemetry and monitoring to external systems
- SaaS licensing and feature flags
Every one of these assumptions breaks in an air-gapped environment. And the solutions aren't just "do the same thing locally"—they require fundamental rearchitecture.
Authentication Without Cloud
Cloud-based identity providers (Azure AD, Okta, Auth0) are off the table. But the alternative isn't just "use local Active Directory." Many air-gapped environments have specific identity requirements:
- Integration with existing identity infrastructure
- Hardware token or CAC support
- Offline authentication capabilities
- Complex authorisation models that map to organisational hierarchies
Building for these requirements means authentication can't be an afterthought delegated to a cloud provider.
Updates Without Internet
The SaaS model of continuous updates fails completely. Instead, you need:
- Stable, versioned releases that can be tested before deployment
- Portable update mechanisms (often physical media)
- Clear documentation of changes for security review
- Rollback capabilities that work offline
- Update processes that survive long gaps between versions
This is closer to traditional on-premises software than to cloud-native development. But it needs to be combined with modern security practices and development velocity.
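The sketch below is an added example, not infraPatterns code or code from the original article. It shows how an updater can handle long gaps between versions: it plans the chain of bundles needed to reach a target release and checks every bundle digest before anything is applied. The `Release` structure, the `min_from` field and the sample data are assumptions made for illustration, and the manifest is assumed to have already passed a signature check against a key provisioned inside the enclave.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Release:  # hypothetical manifest entry, not a real product format
    version: tuple   # e.g. (3, 1, 0)
    min_from: tuple  # oldest installed version this bundle can upgrade
    sha256: str      # bundle digest listed in the already-verified manifest

def plan_upgrade(installed, target, manifest):
    """Order the bundles needed to move from installed to target."""
    if target <= installed:
        raise ValueError("target is not newer; rollback is a separate, explicit operation")
    path, current = [], installed
    while current < target:
        usable = [r for r in manifest
                  if r.min_from <= current < r.version <= target]
        if not usable:
            raise ValueError(f"no bundle on the media upgrades from {current}")
        step = max(usable, key=lambda r: r.version)  # largest supported jump
        path.append(step)
        current = step.version
    return path

def stage_updates(installed, target, manifest, media):
    """Verify every bundle in the plan before any of them is applied."""
    plan = plan_upgrade(installed, target, manifest)
    for rel in plan:
        digest = hashlib.sha256(media[rel.version]).hexdigest()
        if not hmac.compare_digest(digest, rel.sha256):
            raise ValueError(f"digest mismatch for bundle {rel.version}")
    return [rel.version for rel in plan]

# Constructed sample data: three bundles as read from the transfer media.
MEDIA = {v: b"bundle-" + bytes(str(v), "ascii")
         for v in [(2, 0, 0), (3, 0, 0), (3, 1, 0)]}
MANIFEST = [
    Release((2, 0, 0), (1, 0, 0), hashlib.sha256(MEDIA[(2, 0, 0)]).hexdigest()),
    Release((3, 0, 0), (2, 0, 0), hashlib.sha256(MEDIA[(3, 0, 0)]).hexdigest()),
    Release((3, 1, 0), (3, 0, 0), hashlib.sha256(MEDIA[(3, 1, 0)]).hexdigest()),
]

if __name__ == "__main__":
    print(stage_updates((1, 2, 0), (3, 1, 0), MANIFEST, MEDIA))
```

Verifying the whole chain before applying the first bundle means a corrupted or missing intermediate release is found while the system is still on its known-good version.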
Monitoring Without Phoning Home
Most modern applications send telemetry to external services. In air-gapped environments, this is a security violation. But operators still need visibility into system health and performance.
This requires:
- Complete on-premises monitoring stacks
- Local log aggregation and analysis
- Offline diagnostic capabilities
- Secure, controlled mechanisms for any data that does need to leave (often involving sneakernet and formal approval processes)
Licensing Without Connectivity
SaaS licensing assumes connectivity. Air-gapped licensing requires:
- Offline license verification
- Grace periods for disconnected operation
- Mechanisms for license updates that don't require real-time connectivity
- Trust models that work when you can't phone home
This is a solved problem—software has shipped with offline licensing for decades—but many modern vendors have forgotten how.
The infraPatterns Approach
Our infraPatterns product addresses this challenge through declarative, composable infrastructure patterns. Instead of rewriting automation for each environment, you express intent through abstracted patterns that deploy consistently—whether to connected environments or air-gapped networks.
The key insight: separate what you want (infrastructure intent) from how to build it (provider-specific implementation). Patterns encode best practices and security controls. The composition engine generates deployment artifacts appropriate for each target environment.
This isn't about dumbing down modern automation—it's about raising the abstraction level so that air-gapped environments get the same operational sophistication as connected ones.
Reality Over Ideology
Building for air-gapped environments requires pragmatism over ideology. The cloud-native dream of universal connectivity is just that—a dream. The reality of critical infrastructure includes networks that will never be connected to the internet, and software vendors need to meet that reality rather than wishing it away.
