Aporeto offers a comprehensive cloud-native security solution for deploying and operating modern and legacy applications.

With Packet and Aporeto, users have the ability to:

  • Move faster with composable services for higher business agility without sacrificing security
  • Close the gap between security and workflow operations by enabling real-time application visibility
  • Deploy your containerized or legacy applications with a verifiable security posture throughout the workload lifecycle

Explore Cloud Native Security, Simplicity, and Scalability with Aporeto and Packet

You can secure your containerized or legacy Linux workloads running on Packet's infrastructure with Aporeto. These instructions are for using Aporeto as a cloud service for protecting your applications. If you want to host your own Aporeto service on Packet servers, please contact Aporeto directly to get additional instructions.



Aporeto provides a comprehensive cloud-native security solution for deploying and operating modern applications.

To understand how Aporeto allows you to define security policies in your network, you need to understand the 3 main concepts:

  • Policies: define, through the Aporeto Platform, what is allowed.
  • Enforcerd: runs on your servers to apply policies to the Processing Units.
  • Processing Units: Docker containers or Linux processes.

In a nutshell, policies are applied by Enforcerd to the Processing Units.


Aporeto uses a whitelist approach to security: what is not explicitly allowed is forbidden. You define what is allowed by creating policies. Here are the 3 main types of policies:

  • API Authorization Policies: define what a user can access in the Platform
  • Network Access Policies: define a communication rule between a source and a destination Processing Unit, both identified by their Tags
  • File Access Policies: define a communication rule to a file


In order to enforce your policies, you need to install Enforcerd on your servers.

Enforcerd needs to be registered to the Platform to connect securely and listen to any policy change. It will also report back statistics about your Processing Units. However, the traffic content between your Processing Units will never be visible or used by the Platform.

Once Enforcerd is registered, it applies the policies you have created in the Platform, and encrypts the traffic between your Processing Units. By default, if no policy is defined, the communication between two Processing Units is refused.

Enforcerd automatically adds cryptographically signed authentication Tags during the SYN/SYNACK part of the TCP session establishment.

Processing Units

A Processing Unit (also called PU) can be any Linux process or container. Each Processing Unit is labeled with Tags that either come from the environment in which it is running or are defined directly by you. Based on these Tags, you will be able to define Network Policies via the Aporeto Platform.

When a new Processing Unit is created in your network, it will be automatically policed according to its Tags.
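
The default-deny, tag-based matching described above can be modeled in a few lines. This is an added illustration, not Aporeto's code or API: the `NetworkPolicy` class, the `decide` and `allowed_flows` functions, the `key=value` tag strings and the PU names are all assumptions, and the matching rule (a policy applies when each PU carries every tag the policy lists) is a simplified model.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    source_tags: frozenset  # every tag the source PU must carry
    dest_tags: frozenset    # every tag the destination PU must carry

    def __post_init__(self):
        # An empty selector would match every PU and silently turn the
        # whitelist into allow-all, so refuse to build such a policy.
        if not self.source_tags or not self.dest_tags:
            raise ValueError(f"policy {self.name!r} has an empty tag selector")


def decide(policies, src_tags, dst_tags):
    """Return ("accept", policy name) on the first match, else ("reject", None)."""
    src, dst = frozenset(src_tags), frozenset(dst_tags)
    for policy in policies:
        if policy.source_tags <= src and policy.dest_tags <= dst:
            return "accept", policy.name
    return "reject", None  # default deny: nothing matched


def allowed_flows(policies, units):
    """Evaluate every ordered pair of PUs and return the permitted ones."""
    flows = {}
    for (s_name, s_tags), (d_name, d_tags) in permutations(units.items(), 2):
        verdict, name = decide(policies, s_tags, d_tags)
        if verdict == "accept":
            flows[(s_name, d_name)] = name
    return flows


# Constructed sample data: tag strings and PU names are illustrative only.
POLICIES = [
    NetworkPolicy("web-to-api", frozenset({"app=web", "env=prod"}), frozenset({"app=api", "env=prod"})),
    NetworkPolicy("api-to-db", frozenset({"app=api", "env=prod"}), frozenset({"app=db", "env=prod"})),
]
UNITS = {
    "web-1": {"app=web", "env=prod"},
    "api-1": {"app=api", "env=prod"},
    "db-1": {"app=db", "env=prod"},
    "web-dev": {"app=web", "env=dev"},  # same app, wrong environment
}

if __name__ == "__main__":
    for flow, policy in sorted(allowed_flows(POLICIES, UNITS).items()):
        print(flow, "allowed by", policy)
```

In this model a newly created PU that carries the tags `app=api` and `env=prod` is covered by both policies without any policy change, while a PU with no matching tags can talk to nothing.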