Air-Gapped Xferity Deployment — No Outbound Internet Required

Xferity is designed to run entirely on-premises. No outbound internet connections are required to operate the platform.

This makes Xferity suitable for:

  • Classified or regulated network environments
  • Financial institution networks with strict egress controls
  • Manufacturing environments with isolated OT/IT networks
  • Healthcare and government deployments with outbound restrictions

What requires internet access (and what doesn’t)

Xferity has no mandatory outbound network connections. The core transfer engine, audit logging, scheduling, retry, and web UI all work without internet access.

The following secrets providers communicate outbound to external services:

Provider               Required outbound connection
HashiCorp Vault        Your local Vault server (can be on-premises)
AWS Secrets Manager    https://secretsmanager.<region>.amazonaws.com
Azure Key Vault        https://<vault>.vault.azure.net

If you use these providers, ensure your network allows outbound connections to those endpoints. Alternatively, use the built-in local vault (local-vault:) or file/environment references for air-gapped deployments.

License key online sync is disabled by default. When disabled, Xferity validates the license file locally without any outbound call.

licensing:
  online_sync:
    enabled: false # default — no outbound connection

Recommended secrets approach for air-gapped deployments

Use the local vault provider. It stores secrets encrypted with AES-256 on local disk with no external dependency:

secrets:
  local_vault:
    master_key_ref: env:MFT_MASTER_KEY # or file:/run/secrets/master_key

Seed secrets before deployment:

MFT_MASTER_KEY=<your-base64-key> xferity vault seed

Or use file: references pointing to secrets mounted from a secrets management system that operates within your network:

sftp:
  password: file:/run/secrets/vendor_a_sftp_password
  key_passphrase: file:/run/secrets/vendor_a_key_pass

To deploy in an air-gapped environment using Docker:

  1. Pull the Xferity Docker image on a machine with internet access:

     docker pull ghcr.io/xferity/xferity:latest

  2. Save the image to a tar file:

     docker save ghcr.io/xferity/xferity:latest -o xferity.tar

  3. Transfer the tar file to your air-gapped environment.

  4. Load the image:

     docker load -i xferity.tar

  5. Deploy using Docker Compose as normal. No internet access is needed after the image is loaded.

# config.yaml for air-gapped deployment
logging:
  output: both
  file: /var/log/xferity/app.log
  format: json

storage:
  base_path: /var/lib/xferity/storage

state:
  backend: postgres
  postgres:
    host: db.internal # internal database — no internet
    port: 5432
    user: xferity
    dbname: xferity
    password: env:XFERITY_DB_PASSWORD
    sslmode: require

audit:
  enabled: true
  path: /var/log/xferity/audit.jsonl
  tamper_evidence_enabled: true
  retention_days: 365

security:
  hardened_mode: true

# No secrets providers that need internet:
secrets:
  local_vault:
    master_key_ref: env:MFT_MASTER_KEY

# No licensing online sync:
licensing:
  enabled: true
  license_file: /etc/xferity/license.xlic
  state_file: /var/lib/xferity/state/license-state.json
  online_sync:
    enabled: false # no outbound license call

# No external notification services are required —
# Slack/email webhooks are optional:
notifications:
  email:
    enabled: false

flows_path: /etc/xferity/flows
partners_dir: /etc/xferity/partners

After deploying, verify no unexpected outbound connections are made by checking your firewall logs or using netstat/ss on the Xferity host:

# Check active connections from the Xferity container
docker exec xferity ss -tnp
# Alternatively, capture on the host everything that is not traffic to the
# expected internal peers (tcpdump filter syntax is "not host X", not "host not X")
tcpdump -n -i eth0 not host <db-host> and not host <sftp-partner>

Expected connections in a normal air-gapped deployment:

  • Inbound to the UI port (if enabled)
  • Outbound to your SFTP/FTPS/AS2 partners on your internal network
  • Outbound to your PostgreSQL database

No other outbound connections should appear.
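As an added example that is not part of the Xferity docs, the following POSIX shell check automates the verification step above: it reads `ss -tnp` output and reports any established peer that is not on an allowlist of expected internal hosts (database, SFTP/FTPS/AS2 partners). All addresses below are constructed sample values.

```shell
#!/bin/sh
# Added example (not Xferity's own code). Flags connections in `ss -tnp`
# output whose peer is outside the expected air-gap allowlist.
# Real usage:  docker exec xferity ss -tnp | check_egress "10.0.5.20 10.0.7.31"

# Constructed sample of `ss -tnp` output: the PostgreSQL host, one SFTP
# partner, and one peer that should not be there in an air-gapped deployment.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB  0      0      10.0.9.4:41022      10.0.5.20:5432    users:(("xferity",pid=12,fd=9))
ESTAB  0      0      10.0.9.4:52110      10.0.7.31:22      users:(("xferity",pid=12,fd=14))
ESTAB  0      0      10.0.9.4:38844      52.94.1.10:443    users:(("xferity",pid=12,fd=21))'

# check_egress ALLOWLIST < ss_output
# ALLOWLIST is a space-separated list of expected peer IPv4 addresses.
# Prints each established peer not on the list; returns 1 if any were found.
check_egress() {
    allow=" $1 "
    found=0
    while read -r state rq sq local peer rest; do
        [ "$state" = "ESTAB" ] || continue   # skip header and non-established rows
        ip=${peer%:*}                         # strip the :port suffix (IPv4 form)
        case "$allow" in
            *" $ip "*) ;;                      # expected internal peer
            *) echo "unexpected outbound peer: $peer"; found=1 ;;
        esac
    done
    return $found
}

# unexpected_peers ALLOWLIST SS_OUTPUT
# Convenience wrapper returning only the offending peer IPs, one per line.
unexpected_peers() {
    printf '%s\n' "$2" | check_egress "$1" | sed 's/.*peer: //; s/:.*//'
}
```

The header row and any non-ESTAB rows are ignored, so the check can be run directly on live `ss -tnp` output; extend the allowlist with every partner host your flows legitimately reach.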

Production checklist for air-gapped deployment

  • licensing.online_sync.enabled: false
  • Secrets provider uses local-vault:, env:, or file: only
  • Docker images loaded from local registry or tar file
  • No outbound routes to vault.net, amazonaws.com, or azure.com
  • Firewall egress rules verified
  • security.hardened_mode: true
  • --expect-existing-state set after first run
  • Audit log path on persistent storage
  • PostgreSQL on internal network only