The Four Dimensions¶
Every Lane7 Blueprint is defined along four dimensions. When browsing the catalog, these are the filter axes. When composing a custom blueprint, these are the design choices.
Security Mode¶
Two modes — choose based on connection type:
| Mode | Technical Name | Key Rotation | Best For |
|---|---|---|---|
| Armored Car | xtra7 | Per HTTP request | HTTP1/REST APIs, external-facing gateways |
| Armored Tunnel | xtra4 | Per TCP session | WebSocket, gRPC, persistent connections |
For HTTP APIs that handle sensitive data or face the public internet, Armored Car gives the strongest per-transaction protection — a new workload identity is issued for every request. For streaming connections where connection teardown between requests isn't possible, Armored Tunnel gives equivalent protection at the session level.
Tip
If you're unsure: HTTP blueprints use Armored Car. WebSocket and gRPC blueprints use Armored Tunnel. The catalog filter reflects this automatically.
Environment¶
| Scope | Description | When to Use |
|---|---|---|
| Single Cluster | All pods in one Kubernetes cluster | Most use cases; simpler networking and DNS |
| Multi-cluster | Pods across 2+ separate clusters | Cross-region, cross-cloud, or org boundary requirements |
Multi-cluster blueprints require LoadBalancer IPs to be known at deploy time. The processor-side cluster must be deployed first. See Multi-Cluster Guide for setup details including k3d port mappings and cloud static IP provisioning.
Protocol¶
| Protocol | Templates | Use Case |
|---|---|---|
| HTTP1/REST | http-* | Standard APIs, webhooks, microservices |
| HTTP2/gRPC | grpc-* | Bi-directional streaming, low-latency RPC |
| WebSocket | ws-* | Real-time telemetry, chat, event streaming |
| HTTP + WebSocket | Mixed | AI pipelines with streaming inference or tool legs |
| HTTP + gRPC | Mixed | External HTTP callers with an internal gRPC mesh |
Protocol is set at the network level and can be overridden per pod. HTTP + WebSocket mixing is handled natively by xtra4 — no special templates needed. HTTP + gRPC mixing requires bridge templates (http-grpc-gateway + grpc-http-sink) because xtra4 tunnels raw bytes and cannot translate between HTTP/1.1 and gRPC/HTTP2 framing. All mixed-protocol blueprints require Armored Tunnel (xtra4); Armored Car (xtra7) is HTTP-only.
Scale (Pod Count)¶
Each pod equals one WoSP unit and one subscription unit. More pods mean more processing hops and more distinct stages in the network.
| Pod Count | Blueprints |
|---|---|
| 2 pods | Armored Ferry, Fast Ferry, Fast International Ferry, International Ferry |
| 3 pods | Armored Trawler, Armored Convoy |
| 4 pods | Armored Trimaran |
| 6 pods | Armored Carrier (Parallel Processing Cluster), Armored Carrier (Zero Trust AI Pipeline) |
Catalog range: 2–6 pods. Custom blueprints can be larger.
Note
Pricing is per active WoSP workload, not per blueprint. A 6-pod blueprint uses 6 WoSP units while it is running. See Commercial Licensing for committed minimum options.
Decision guide¶
| If you need... | Choose... |
|---|---|
| Per-request AMTD on HTTP APIs | Armored Car + HTTP1/REST |
| Real-time streaming with Zero Trust | Armored Tunnel + WebSocket |
| Cross-cloud or cross-region connectivity | Multi-cluster environment |
| Parallel processing with result aggregation | Fan-out + Fan-in topology |
| AI agent security with prompt injection prevention | Armored Carrier AI Pipeline |