
Nebula. The engine behind every connection.
Nebula is the internal infrastructure that powers Mezusphere. It coordinates Warpgates, processes end-user traffic, and enforces security policies across the global edge. You don't deploy it. You don't manage it. You benefit from it, every time a request is authenticated, routed, and delivered to your workload.
What Nebula does
Nebula is the coordination and enforcement layer inside Mezusphere. It manages the infrastructure that sits between end users and your Warpgates, organized into three planes.
Data plane
The global edge network that faces the internet. Terminates TLS, enforces authentication, absorbs DDoS attacks, routes traffic, and forwards approved requests to Warpgates through encrypted tunnels. This is where every request enters and every security policy is applied.
Control plane
The configuration, policy, and lifecycle layer. Manages projects, environments, routes, authentication rules, user directories, service accounts, billing, and team access. The Console is the interface to this plane.
Service plane
The future extensibility layer. Plugins, third-party integrations, and marketplace services will run here, extending the platform without re-integration. Financial-grade API (FAPI), advanced authorization engines, and AI guardrails are planned for this plane.
How it connects to you
Nebula runs inside Mezusphere. Warpgate and Console are the two touchpoints that connect your team to it.
Warpgate connects to Nebula
Warpgate runs beside your workload and opens an outbound mTLS tunnel to the data plane. Traffic flows through this tunnel; your workload never faces the internet directly.
Console manages Nebula
Console is the management interface to the control plane. Projects, routes, authentication, users, metrics, and billing, all configured and monitored through one UI.
Plugins extend Nebula
The service plane will host third-party and first-party extensions. Activate capabilities from a marketplace without touching your workload code or Warpgate configuration.
Security that runs before your code does
Every security decision happens inside Nebula, at the edge, before a request reaches your Warpgate. This isn't middleware you bolt on. It's infrastructure you inherit.
Zero trust
No inbound attack surface
Your workload has no public IP, no open ports, no DNS records pointing to it. Warpgate connects outward. The only publicly reachable surface is Mezusphere's global edge, purpose-built to handle adversarial traffic.
Identity
Edge-enforced authentication
Per-route authentication resolved at the edge. User identity validated, tokens checked, access policies applied, all before the request is forwarded. No SDK integration, no middleware, no auth code in your application.
Encryption
TLS everywhere
TLS 1.3 terminated at the edge. Mutual TLS on every Warpgate tunnel. Certificates automatically provisioned and rotated. No certificate management for your team, ever.
Protection
DDoS absorption
Volumetric and application-layer attacks absorbed at the edge before they reach your infrastructure. Rate limiting, IP reputation, and bot detection, always on, automatically.
Policy
Centralized security rules
Define security policies once in the Console. The control plane distributes them. The data plane enforces them. No scattered config across CDN, WAF, gateway, and auth provider.
Isolation
Project and environment boundaries
Each project has isolated environments with their own routes, auth rules, and Warpgate connections. A misconfiguration in staging cannot affect production.
Availability you don't have to build
Nebula is deployed across multiple cloud providers and regions. It scales automatically based on demand. Your Warpgate reconnects if anything shifts. You don't manage any of this.
Multi-region by default
Edge infrastructure is distributed across regions and cloud providers. End-user traffic is routed to the nearest edge automatically. No region configuration required from your side.
Self-healing connections
Warpgate maintains persistent connections to the edge and automatically reconnects if a connection drops. Configuration updates are pushed in real time; no restart, no downtime.
Scales with your traffic
The data plane scales to absorb traffic spikes. The control plane scales independently. Your Warpgate stays lightweight; it forwards, it doesn't buffer or queue.
The data plane: request lifecycle
Every request follows the same path. Every security check happens in the same place.
Delivery
Routing and load balancing
Path-based and hostname-based routing directs traffic to the right Warpgate. Multiple Warpgates in the same environment get automatic load distribution.
Infrastructure
DNS and domain management
DNS records for all endpoints managed automatically. Custom domains, automatic subdomains, and certificate provisioning from the Console.
Performance
Caching and compression
Response caching and traffic compression reduce latency and bandwidth. Cache policies configurable per route.
The control plane: secure configuration
The control plane is the source of truth for your entire platform configuration. Every route, every auth rule, every policy change flows through it, with audit trails, role-based access, and environment isolation built in.
Projects and environments
Organize workloads into projects with isolated environments for development, staging, and production. Each environment has its own routes, auth rules, and connected Warpgates. Changes in one environment never leak to another.
Identity and access
User directories, authentication rules, authorization policies, and service accounts are all managed in the control plane. Identity is a first-class primitive, not a third-party integration that can drift out of sync.
Billing and observability
Real-time traffic metrics, authentication outcomes, per-project spending, and audit logs. One place to understand what your platform is doing, what it costs, and who changed what.
What this replaces
The public-facing layers of a traditional architecture, collapsed into one managed platform.
| Capability | Traditional stack | With Mezusphere |
|---|---|---|
| TLS termination | AWS ACM, Let's Encrypt, cert-manager | Automatic, provisioned and rotated at the edge |
| DNS management | Route 53, Cloudflare DNS, manual records | Automatic, managed from Console |
| DDoS protection | Cloudflare, AWS Shield, Akamai Prolexic | Built in, always on |
| Load balancing | ALB, NGINX, HAProxy, cloud LBs | Automatic, distributed across Warpgates |
| Authentication | Auth0, Cognito, Keycloak + integration code | Per-route auth enforced at the edge |
| CDN / caching | CloudFront, Fastly, Akamai | Edge caching and compression included |
| API gateway | Kong, Traefik, AWS API Gateway | Routing and policy at the edge, no gateway needed |
| User management | Auth0, Cognito admin, custom back-office | Built-in user directories in the control plane |
| Multi-vendor billing | 6-10 separate vendor invoices | One bill with per-project breakdown |
Infrastructure you inherit, not assemble.
Security, availability, and global reach, built into the platform so your team ships product instead of managing infrastructure.