Enterprise AI chat has no enforcement layer beneath it. Until now.
LibreChat delivers on the self-hosted data-residency promise at the application layer. It does not ship with network enforcement below it. Any LLM provider, any MCP server, any compromised dependency can reach the open internet by default. This VCA puts the enforcement layer in place — and derives it directly from your existing librechat.yaml.
Self-hosted without containment. The gap is below the application.
LibreChat keeps data in your environment at the application layer. Without network enforcement below it, the blast radius of a compromise is the entire internet — any component of the open-source stack can reach any destination. This is the kill chain every self-hosted deployment needs to plan for before it calls its containment posture complete.
Supply-chain compromise
A compromised npm package, tampered container image, or poisoned Helm chart enters the LibreChat dependency tree. No known CVE at install time — passes SCA scanning. Code execution inside the chat stack.
Unauthorized LLM provider call
Compromised component or misconfigured administrator adds an unapproved LLM provider to librechat.yaml. Without the CI shim, no network rule is generated. The call completes — invisible until something goes wrong.
MCP server lateral reach
An MCP-based tool server reaches destinations beyond its authorized downstream APIs. Conversation data and retrieved documents are accessible in the tool server's process — any MCP server with unrestricted egress is a potential exfiltration channel.
Exfiltration attempt — blocked
Malicious code initiates outbound HTTPS to an attacker-controlled host. The TCP SYN traverses the Aviatrix Spoke Gateway. The destination is not in any permit rule. The connection never completes. Data has nowhere to go.
Audit trail
Blocked connection logged at the Spoke Gateway with pod identity, destination FQDN, policy rule name, and timestamp. CoPilot FlowIQ provides per-pod traffic analysis — full attribution for SOC 2, ISO 27001, and EU AI Act audit requirements.
Three enforcement layers. Zero code changes.
Enforcement runs at the network infrastructure layer, outside the application's trust boundary entirely. No agent to install. No process to kill. No bypass risk. The result is a governed boundary around the entire chat stack — LLM provider egress, per-MCP allow-lists, and supply-chain containment in a single overlay.
CI shim — policy derived from config, not authored by hand
The CI pipeline shim reads your existing librechat.yaml and generates the exact Aviatrix Kubernetes CRD manifests encoding those declarations as enforceable network policy. A new provider in the config produces a new WebGroup entry in the PR diff. A new MCP server produces a new per-server allow-list scoped to its authorized downstream APIs. A removed entry removes the corresponding rule. The diff appears alongside the config change in the same pull request and gets reviewed at the same time. An administrator who adds an unauthorized provider cannot merge without surfacing an unreviewed egress path.
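A toy version of the derivation step described above, added here as an illustration (not Aviatrix's shim): it reduces an already-parsed librechat.yaml to the allow-list groups the policy pack names and diffs two versions the way a PR reviewer would see them. The librechat.yaml keys (`endpoints.custom[].baseURL`, `mcpServers.<name>.url`) follow LibreChat's documented layout; the CRD `apiVersion`/`kind` values and the sample FQDNs are hypothetical.

```python
"""Toy CI shim: derive egress allow-list groups from a parsed librechat.yaml
and diff them for PR review. Added illustration, not Aviatrix's shim; the CRD
apiVersion/kind fields are hypothetical, the FQDNs constructed."""
from urllib.parse import urlparse

# Constructed sample: the dict yaml.safe_load() would return for a librechat.yaml
# declaring two custom LLM endpoints and two MCP servers (one stdio, one remote).
SAMPLE_CONFIG = {
    "endpoints": {"custom": [
        {"name": "alpha", "baseURL": "https://api.llm-alpha.example/v1"},
        {"name": "beta", "baseURL": "https://api.llm-beta.example/openai/v1"},
    ]},
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "example-stdio-server"]},
        "weather": {"url": "https://mcp.weather.example/sse"},
    },
}

def _host(url):
    """Reduce a baseURL to the FQDN the WebGroup will carry; reject URLs without a host."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()

def derive_webgroups(config):
    """Return {webgroup_name: sorted FQDNs}: one LLM group, one group per remote MCP server."""
    groups = {}
    llm = sorted({_host(ep["baseURL"]) for ep in config.get("endpoints", {}).get("custom", [])})
    if llm:
        groups["avx-ai-llm-providers"] = llm
    for name, spec in config.get("mcpServers", {}).items():
        if "url" in spec:  # stdio servers declare no URL: nothing to derive, they fall to default-deny
            groups[f"mcp-{name}"] = [_host(spec["url"])]
    return groups

def to_manifests(groups):
    """Render one WebGroup manifest per group (hypothetical CRD shape)."""
    return [{"apiVersion": "example.aviatrix/v1", "kind": "WebGroup",
             "metadata": {"name": n}, "spec": {"fqdns": f}} for n, f in sorted(groups.items())]

def diff_groups(old, new):
    """The reviewer's view: FQDNs that appear in, or vanish from, each allow-list."""
    added = {k: sorted(set(v) - set(old.get(k, []))) for k, v in new.items()}
    removed = {k: sorted(set(v) - set(new.get(k, []))) for k, v in old.items()}
    return ({k: v for k, v in added.items() if v}, {k: v for k, v in removed.items() if v})
```

Adding a provider to `SAMPLE_CONFIG` shows up as a new FQDN in `diff_groups`, removing one shows up under `removed`, which is the property the PR review relies on.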
Spoke Gateway — network-level containment at the pod boundary
The Aviatrix Spoke Gateway deploys into the Kubernetes cluster. Pod identity — namespace and label selectors — is the SmartGroup model. Every outbound connection from every LibreChat pod traverses DCF inline before the first packet leaves the cluster. Zero bypass risk: no software process can circumvent enforcement. The registry WebGroup allows only the exact OCI registries the LibreChat Helm chart is known to use — a compromised dependency that tries to beacon outbound hits the deny rule before the socket opens.
Transparent TLS decryption — URL-path visibility and AgentGuard insertion point
The shim loads the Aviatrix CA certificate into the LibreChat container via a Kubernetes ConfigMap mounted as NODE_EXTRA_CA_CERTS — no image rebuild required. The Spoke Gateway decrypts LLM provider traffic inline. CoPilot shows URL paths, not just destination FQDNs. The decrypted traffic path is the insertion point for Aviatrix AgentGuard — prompt inspection, output classification, and tool-argument validation plug in as those capabilities ship, with no architectural change to the deployment. Requires Controller 9.0+.
Why Kubernetes NetworkPolicy doesn't solve this
Kubernetes NetworkPolicy is IP-based, doesn't survive pod restarts reliably, and has no FQDN-aware filtering. It cannot distinguish pypi.org from evil.attacker.io — both are TCP/443. Aviatrix DCF filters by FQDN using SNI inspection and optional transparent TLS decryption, with policy tied to pod identity that survives scaling events and restarts automatically.
Enforcement architecture
DCF policy pack — rules in priority order.
First match wins. Deploy all rules in monitor mode first; promote to enforcement rule by rule after validating against production traffic. The dataplane never reloads on rule changes.
Rules (in priority order)
| Pri | Rule name | Source | Destination | Action | Notes |
|---|---|---|---|---|---|
| 10 | allow-llm-providers | librechat-pods SmartGroup | avx-ai-llm-providers | PERMIT | TCP 443 · Aviatrix-managed WebGroup. Shim populates only providers declared in librechat.yaml. |
| 15 | allow-mcp-per-server | librechat-pods SmartGroup | Per-server FQDN WebGroup | PERMIT | TCP 443 · One WebGroup per MCP server. Generated by shim. Reviewed in PR alongside config change. |
| 20 | allow-oci-registry | All chart pods | librechat-oci-registries | PERMIT | TCP 443 · DECRYPT_NOT_ALLOWED · Exact OCI registries the LibreChat Helm chart uses. |
| 25 | deny-supply-chain-ioc | All pods | supply-chain-fqdn-group | DENY + LOG | URL filter · DECRYPT_ALLOWED · Blocks IoC URL paths on hosts also in permit list. Requires Controller 8.2+. |
| 30 | allow-k8s-control-plane | All pods | Kubernetes API FQDNs | PERMIT | DECRYPT_NOT_ALLOWED · EKS/AKS/GKE API server, ECR, ACR, Artifact Registry. |
| 40 | deny-data-store-internet | MongoDB / PostgreSQL pods | ANY external | DENY + LOG | All protocols · Conversation data store hard-isolated from internet. |
| 1000 | default-deny | All pods | ANY | DENY + LOG | All protocols · Final catch-all. Every match logged to CoPilot FlowIQ with pod identity, destination, rule name, timestamp. |
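The rule semantics the table relies on (priority order, first match wins, per-rule monitor versus enforce, DENY + LOG attributed to pod identity), as an added toy evaluator that is not Aviatrix's dataplane code. Rule and group names come from the table; the pod-label matching, the FQDN group contents and the pod records are constructed, and the example also shows the FQDN-level distinction from the NetworkPolicy discussion below (a permitted API host and evil.attacker.io are both TCP/443 yet get different verdicts).

```python
"""Toy first-match evaluator for the DCF policy pack above. Added illustration
of the rule semantics, not Aviatrix's dataplane; names come from the table,
pod-label matching and FQDN group contents are constructed."""
from dataclasses import dataclass

@dataclass
class Rule:
    pri: int
    name: str
    src: str                  # SmartGroup name
    dst: str                  # WebGroup name, or "ANY"
    action: str               # "PERMIT" or "DENY"
    ports: tuple = ()         # () = all protocols/ports
    enforce: bool = True      # False = monitor mode: log the match, let traffic pass

# How the SmartGroups resolve pod identity (namespace + labels), constructed.
SMARTGROUPS = {
    "librechat-pods": lambda p: p["ns"] == "librechat" and p["labels"].get("app") == "librechat",
    "data-store-pods": lambda p: p["labels"].get("tier") == "datastore",
    "all-pods": lambda p: True,
}
# WebGroup -> permitted FQDNs; None means any destination.
WEBGROUPS = {
    "avx-ai-llm-providers": {"api.llm-alpha.example"},
    "mcp-weather": {"mcp.weather.example"},
    "librechat-oci-registries": {"registry.example"},
    "ANY": None,
}
POLICY = sorted([
    Rule(10, "allow-llm-providers", "librechat-pods", "avx-ai-llm-providers", "PERMIT", (443,)),
    Rule(15, "allow-mcp-per-server", "librechat-pods", "mcp-weather", "PERMIT", (443,)),
    Rule(20, "allow-oci-registry", "all-pods", "librechat-oci-registries", "PERMIT", (443,)),
    Rule(40, "deny-data-store-internet", "data-store-pods", "ANY", "DENY"),
    Rule(1000, "default-deny", "all-pods", "ANY", "DENY"),
], key=lambda r: r.pri)

def evaluate(policy, pod, fqdn, port):
    """Walk rules by priority; return (verdict, matched rule name, FlowIQ-style log or None)."""
    for r in policy:
        if not SMARTGROUPS[r.src](pod): continue          # source identity must match
        allowed = WEBGROUPS[r.dst]
        if allowed is not None and fqdn not in allowed: continue
        if r.ports and port not in r.ports: continue
        log = None
        if r.action == "DENY":  # DENY + LOG: attributed to pod identity, destination and rule
            log = {"pod": f"{pod['ns']}/{pod['name']}", "dst": fqdn, "port": port, "rule": r.name}
        verdict = "PERMIT" if (r.action == "PERMIT" or not r.enforce) else "DENY"
        return verdict, r.name, log
    raise RuntimeError("policy pack has no catch-all rule")
```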
SmartGroup and WebGroup objects
| Object | Type | Purpose |
|---|---|---|
| librechat-pods | Namespace + label SmartGroup | Matches LibreChat API server, MCP server, and UI pods. Source identity for all egress rules. |
| avx-ai-llm-providers | Aviatrix-managed AI WebGroup | Curated, auto-updated destination list for major LLM API providers. Shim populates only providers in librechat.yaml. |
| mcp-<server-name> | Per-server FQDN WebGroup | One object per MCP server, scoped to authorized downstream API FQDNs. Generated by shim from librechat.yaml MCP stanza. |
| librechat-oci-registries | FQDN WebGroup | Exact OCI registries the LibreChat Helm chart pulls from. Set via Terraform variable. |
| supply-chain-fqdn-group | FQDN WebGroup | Hosts requiring URL-path enforcement (e.g. raw.githubusercontent.com). Used with DECRYPT_ALLOWED. Requires Controller 8.2+. |
What this architecture governs — and what it does not
Out of scope
Prompt content · tool arguments · model responses
AI guardrail layer. Aviatrix governs network reachability; guardrails govern content. Both required.
Shadow AI discovery
AgentGuard Shadow AI Discovery finds every AI workload via cloud telemetry. Deploy discovery before containment.
Out of scope — v1
Init-container CA delivery
Shim runs at CI time for v1. Init-container delivery deferred to v1.1.
URL-path enforcement rules
URL-path visibility ships in v1; URL-path enforcement rules require URL WebGroup GA. Deferred to v1.1. Do not promise for v1.
Everything your team needs.
Reference Architecture
Prerequisites, SmartGroup and WebGroup design, full DCF policy pack, CI shim integration guide, TLS decryption configuration, and Kubernetes version compatibility. For platform engineers deploying the blueprint.
Download PDF →
Threat Model & Enforcement
LibreChat supply-chain threat model, full kill chain with point of intervention, three enforcement layers, why Kubernetes NetworkPolicy is insufficient, and compliance evidence for SOC 2, ISO 27001, and EU AI Act. For security architects.
Download PDF →
Field & Buyer Overview
Threat narrative, three things your current stack can't do, compliance proof points, and discovery questions for security conversations. For security and platform teams evaluating the architecture.
Download PDF →
Full Terraform Overlay + CI Shim
Spoke Gateway, Kubernetes CRD manifests, CI pipeline shim, WebGroup and DCF rule pack, ConfigMap CA injection. One terraform apply on any existing EKS, AKS, or GKE cluster. Deploys in under 20 minutes.
Attack simulation
Lab recording. A supply-chain-compromised package inside the LibreChat dependency tree attempts to beacon to an attacker-controlled domain. The DCF default-deny rule fires before the TCP handshake completes. CoPilot FlowIQ logs the attempt with full pod identity and rule attribution.
Available soon
Trusted by enterprise security teams
SOC 2 Type II
Independently audited
ISO 27001
Certified
500+ enterprises
Including 10% of the Fortune 500
Zero data-plane access
Aviatrix never touches your traffic
Documented before you find them in production.
Lab-validated limitations and workarounds for the LibreChat on Kubernetes architecture. Published upfront so your POC matches the docs.
Shim requires CI access to librechat.yaml
The pipeline shim must have read access to the application config at CI time. For teams using secrets-injected config, the shim can read from a mounted secret or secrets manager call. The Terraform overlay does not depend on a specific shim invocation method.
TLS decryption requires Controller 9.0+ and ConfigMap CA
URL-path visibility in CoPilot requires Controller 9.0 and the Aviatrix MITM CA loaded via ConfigMap as NODE_EXTRA_CA_CERTS. No image rebuild required. On Controller 8.2, SNI-based domain filtering is fully enforced; decryption and URL-path visibility activate automatically on upgrade to 9.0.
URL-path enforcement deferred to v1.1
Transparent decryption in v1 gives URL-path visibility in CoPilot. URL-path enforcement rules (deny specific API routes on a permitted FQDN) require URL WebGroup GA. This does not weaken the v1 containment story — all egress is governed at the FQDN level. Do not promise for v1.
Obot VCA dependency for combined architecture demo
The Obot VCA contains the MCP hosting platform; this VCA contains the chat front-end and LLM provider egress. Both need to ship before the combined architecture can be demonstrated end-to-end. Do not promise the combined story before both blueprints are deployed.
Stacks with the Obot VCA
Complete enterprise AI chat — two VCAs, one enforcement plane
The Obot VCA contains the MCP hosting platform; this VCA contains the chat front-end and LLM provider egress. When Obot is your MCP platform, LibreChat's MCP client points at the Obot gateway — the shim detects this pattern and emits a single internal WebGroup entry for the Obot endpoint. Together the two VCAs cover the complete enterprise AI chat architecture: chat UI, LLM provider governance, and MCP tool server hosting, each with its own containment layer on the same enforcement plane.
The containment layer is built.
The policy pack is on GitHub.
Run the CI shim against your actual librechat.yaml. The output is your policy — not a sample, not a template.
NEW TO AVIATRIX
Start with Enterprise — VCAs included free
Subscribe on AWS or Azure Marketplace, deploy Enterprise in under 15 minutes, then deploy this VCA on top. 30-day free trial — VCAs included.
Subscribe through AWS or Azure Marketplace · 30-day free trial · No contract
ALREADY ON ENTERPRISE
Pull the Terraform from GitHub
Full Terraform overlay, CI shim, WebGroup and DCF policy pack. Deploys on any existing EKS, AKS, or GKE cluster in under 20 minutes. Destroy cleanly with one command.
Get the Terraform →
Controller 8.2+ · 1 Spoke Gateway per cluster · No image rebuild · No sidecar