---
outline: [2, 3]
description: beOS Pro network architecture principles, covering application entrance types, local access mechanisms, endpoint configurations and internal network security policies.
---

# Network

beOS Pro provides users with a barrier-free yet secure and versatile network solution. This document covers the key networking concepts related to application access.

## Entrance

Each beOS Pro application can have one or more entrances that serve as access points. There are three types of entrances:

### Public entrance

- Provides external services such as blogs, social media, etc.
- Accessible without authentication
- Basic security through Cloudflare

### Private entrance

- Provides services exclusively for individual users, families, or teams
- Suitable for readers, entertainment, productivity tools, desktop applications, etc.
- Requires [authentication](account.md#multi-factor-authentication-mfa) for access

### Internal entrance

- Functions similarly to private entrance
- No authentication required when accessing applications through beOS Pro app VPN

## Endpoints

An endpoint is the access address or point where users interact with an application. Simply put, it's the URL you enter in your browser's address bar to access a specific beOS Pro application or its features.

A typical beOS Pro application endpoint follows this format:

`https://{routeID}.{domain}`

For example: `https://vault.alice123.beos.local`, where

- `vault` is the route ID for a system application.
- `alice123.beos.local` is derived from the beOS ID `alice123@beos.local`.

## Route ID

A route ID is a unique identifier for a specific application or application entrance.
The default route IDs are automatically generated by the system according to the following rules:

- System applications
  - Use predefined memorable Route IDs
  - Examples: `desktop` (for Desktop), `market` (for Market)
- Community applications
  - Use an 8-character random string + entrance index (starting from 0)
  - Example: For an application with Route ID `92d76a13` and two entrances, the first entrance is `92d76a130`, and the access URL is `92d76a130.bob.beos.local`

::: tip Note
- The URL of the application is derived from the beOS ID.
- Entrance index refers to the position of the entrance among the multiple entrances defined in [`beOS ProManifest.yaml`](../develop/package/manifest.md).
:::

## beOS Pro internal network

beOS Pro implements a layered proxy routing design in its gateway architecture. Traffic flows through multiple layers: `cluster` -> `user` -> `application` -> `service component`.

![alt text](/images/overview/olares/image4.jpeg)

Inside the application, beOS Pro has multiple layers of security.

- **Namespace isolation**
  - Each application operates in its exclusive namespace
  - All resources are namespace-confined
  - Applications cannot connect `ClusterRole` to `ServiceAccount`
  - Cross-namespace resource access is prohibited
- **Network policy controls**
  - Each namespace has dedicated network policies
  - Incoming network requests are restricted to cluster applications and system applications of the user
  - User-level network isolation:
    - Applications isolated between users
    - Third-party applications isolated within user space
- **Pod restrictions**
  - Pods cannot use `hostNetwork` service or `NodePort` service
  - Traffic access requires declared entrance service and system-provided entry proxy
  - A Pod declared as an entrance is forced to join Envoy's sandbox sidecar, which authenticates and authorizes incoming traffic.
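
The namespace and Pod restrictions above can be checked against an application's rendered Kubernetes objects before installation. The following Python lint is an added example, not beOS Pro's own enforcement code; it applies a strict reading of the listed rules, and the namespace `demo-alice123` and the sample manifests are constructed for illustration.

```python
def lint_manifests(manifests, app_namespace):
    """Return (kind/name, reason) findings for rendered Kubernetes objects."""
    findings = []
    for m in manifests:
        kind = m.get("kind", "")
        meta = m.get("metadata") or {}
        ident = f"{kind}/{meta.get('name', '?')}"
        spec = m.get("spec") or {}
        # Namespace isolation: namespaced resources must stay in the app's namespace.
        ns = meta.get("namespace")
        if ns is not None and ns != app_namespace:
            findings.append((ident, f"resource placed in foreign namespace {ns!r}"))
        # No ClusterRole connected to a ServiceAccount. Assumption: a RoleBinding
        # that references a ClusterRole is flagged too (strict reading of the rule).
        if kind in ("ClusterRoleBinding", "RoleBinding"):
            sa = [s for s in m.get("subjects", []) if s.get("kind") == "ServiceAccount"]
            if m.get("roleRef", {}).get("kind") == "ClusterRole" and sa:
                findings.append((ident, "binds a ClusterRole to a ServiceAccount"))
        # Pod restrictions: no hostNetwork, no NodePort services.
        pod_spec = spec if kind == "Pod" else spec.get("template", {}).get("spec", {})
        if pod_spec.get("hostNetwork") is True:
            findings.append((ident, "pod uses hostNetwork"))
        if kind == "Service" and spec.get("type") == "NodePort":
            findings.append((ident, "service type is NodePort"))
    return findings

# Constructed sample manifests (already parsed from YAML into dicts).
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "demo-alice123"},
     "spec": {"template": {"spec": {"hostNetwork": True, "containers": []}}}},
    {"kind": "Service", "metadata": {"name": "web", "namespace": "demo-alice123"},
     "spec": {"type": "NodePort", "ports": [{"port": 80}]}},
    {"kind": "Service", "metadata": {"name": "api", "namespace": "demo-alice123"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "grab"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "web",
                   "namespace": "demo-alice123"}]},
    {"kind": "ConfigMap", "metadata": {"name": "cfg", "namespace": "kube-system"}},
]

if __name__ == "__main__":
    for ident, reason in lint_manifests(SAMPLE, "demo-alice123"):
        print(f"{ident}: {reason}")
```
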

## Learn more

- [Set up custom domain name for application](../../manual/olares/settings/custom-app-domain.md#custom-domain-name)
- [Access beOS Pro via VPN](/manual/larepass/private-network.md)