Control Plane Solutions for the Public Sector

Control Plane is a Cloud Infrastructure Virtualization and Optimization Platform (CIVOP) designed to eliminate vendor lock-in while optimizing performance, cost, and security. Founded by VMware’s former Chief Cloud Architect and Kubernetes contributors, Control Plane enables seamless workload portability across single cloud, multi-cloud, hybrid, and on-prem environments.

Core Value Propositions

Workload Portability & Cloud-Agnostic Compute 

Control Plane enables organizations to deploy workloads to any single cloud, multi-cloud, hybrid, or on-prem environment without modifications. 

  • Global Virtual Cloud (GVC™) – True workload portability across clouds, enabling seamless migration and scaling. 
  • Cloud-Agnostic Deployment – No refactoring needed when shifting workloads across AWS, GCP, Azure, or on-prem. 
  • Automatic Geo-Routing & Failover – Ensures ultra-low latency, an SLA of 99.999% availability, and intelligent workload distribution. 

Cost Optimization: 60-80% Savings 

Even though Control Plane dramatically reduces runtime costs, the real savings come from the time you get back—less time spent managing infrastructure, debugging issues, and optimizing workloads means faster innovation and delivery. 

  • Capacity AI™ – Dynamically adjusts CPU and memory based on real-time usage, eliminating over-provisioning. Organizations typically see a 60-80% reduction in cloud compute costs. 
  • Fractional CPU Billing – Only pay for what you use—maximize efficiency without wasted resources. 
  • Eliminates Extra Cloud Costs – Avoid unnecessary expenses like NAT gateways, load balancers, observability, and orchestration overhead. 
  • Faster Time-to-Market – Less time spent on infrastructure headaches means more time for building and shipping products. 
  • Fewer Engineering Hours Spent on Ops – Automate scaling, deployment, and security to reduce DevOps burden and operational toil. 

Developer Productivity & Aggregated Observability 

  • Developer Sandbox & Environment Cloning – Instantly spin up isolated, production-like environments for testing, QA, and debugging, with the ability to clone entire workloads on demand. 
  • Full Support for UI, CLI, API, Terraform, Pulumi, CI/CD – Automate everything with infrastructure-as-code and seamless DevOps tooling. 
  • Intelligent Auto-Scaling – Capacity AI™ dynamically adjusts CPU/memory in real time for optimal performance and cost efficiency. 
  • Self-Healing Infrastructure – Automatic failure detection & recovery to ensure high availability and reliability across workloads. 
  • Lightning-Fast Deployments – Reduce deployment times with incremental rollouts, blue-green deployments, and canary releases. 
  • Live Debugging & Remote Logs – Instantly access real-time logs, traces, and runtime execution details for fast issue resolution. 

Pre-Built Observability & Monitoring Options 

  • Option 1: Centralized Logging -  Built-in logging, metrics, and tracing. 
  • Option 2: Grafana Dashboards - Pre-configured alerts and dashboards. 
  • Option 3: Third-Party Exports - Ship logs to Datadog, Coralogix, Splunk, Amazon S3, etc.

Security & Compliance 

  • Fine-Grained Access Control – Role-based policies across cloud resources. 
  • Tamper-Proof Audit Trail – Secure logging for compliance and forensic analysis. 
  • Secrets Management & IAM Governance – Secure API keys, certificates, credentials. 
  • Certified Compliance – SOC 2 Type II, PCI DSS Level 1, GDPR, HIPAA, and more. 
  • Universal Cloud Identity™ (UCI™) – Patented technology that allows workload identities to group permissions across AWS, GCP, and Azure, enabling workloads to consume cloud services without credentials. This makes workloads fully portable—e.g., running on-prem while using AWS RDS without credentials—and allows developers to mix and match services across clouds as if they had merged. 
  • Cloud Wormhole® – Enables secure consumption of private network resources that are not exposed to the internet, such as RDS within a VPC or a private data center network. Provides seamless private connectivity across environments. 
  • Private Networking Support – Seamless integration with AWS PrivateLink, Azure Private Link, Google Cloud Private Service Connect, and other private networking options to ensure internal traffic never touches the public internet. 
  • Zero Trust Network Access (ZTNA) – Identity-aware access controls for microservices and distributed teams. 

What's Included in the Platform

  • Container Registry & Image Management 

    Private unlimited container registry – Private Container Registry with unlimited storage at no cost. 

    Use any private container registry – While Control Plane provides a free container registry, customers can utilize any private or public container registries in addition or instead of the Control Plane provided registry. 

  • Scaling & Resource Optimization 

    Scale to zero – Optionally scale workloads to zero replicas after a period of no traffic. 

    Vertical auto scaling – For CPU and RAM based on actual workload consumption with user-defined minimums and maximums. 

    Horizontal auto scaling – Using selected scaling strategies that include: requests per second, concurrent requests, CPU utilization, memory %, CPU and memory, or any Prometheus metric. 

    Fractional CPU utilization/billing – Ability to run workloads with as little as 25 millicores (a millicore is 1 thousandth of a CPU core). 

    Capacity AI™ – Automatic vertical scaling that keeps CPU and RAM utilization at optimal levels, so you do not pay for idle resources. 

    Location-Specific Overrides – Allows customization of scaling and resource management settings for workloads in specific geographic locations to enhance performance for targeted audiences. 

  • Networking & Traffic Management

    TLS termination – Certificate enrollment, distribution to all locations and automatic renewal. Ability to set TLS version and cipher suites. 

    DNS geo-routing – Control Plane's distributed DNS infrastructure points requesters to their nearest (by latency) healthy compute cluster. 

    Custom domains – Workloads can respond on an apex domain or subdomain, and can also be routed to using path-based routing. Path-based routing supports prefix matches or regex. 

    Mutual TLS everywhere – Perfectly tuned Istio service mesh which, among many benefits, supports mutual TLS for service-to-service communication, allowing developers to leverage Envoy and Istio's features without requiring deep expertise. 

    Direct Load Balancer – Allows exposing workload ports directly through a cloud load balancer in each location where the workload is running, providing efficient traffic distribution. 

    Geo Location Headers – Adds headers containing geographic information to incoming HTTP requests, providing data about the origin of the request, including ASN, city, country, and region. 

    Native support for AWS PrivateLink 

    Native support for GCP Private Service Connect (PSC) 

  • Observability & Monitoring 

    Aggregated Logs – Provides built-in Loki for log aggregation, enabling efficient storage and querying of logs from multiple sources. Logs can be streamed concurrently to external systems. 

    Aggregated Metrics – Offers built-in Prometheus for metrics aggregation, allowing for monitoring and alerting on various system and application metrics. Metrics can be streamed to external systems. 

    Aggregated tracing with Falco, visualized by Grafana – Built-in Tempo with automatic OpenTelemetry-based collection, configured automatically using Istio and Envoy proxies. 

    Built-in Grafana for Observability Visualization – Includes built-in Grafana for visualizing observability data, providing dashboards and alerts for system and application monitoring. 

    Observability integration with third party products – Includes: CloudWatch, Coralogix, Datadog, Elastic, Fluentd, Logz.io, S3, Stackdriver, Syslog. 

    User defined dashboard for metrics, tracing and logs 

    User defined alerts – Users can be notified of alert conditions using PagerDuty, Teams, Slack, Email and many other channels. 

    Custom Metrics – Collect custom metrics from any running workload with a Prometheus endpoint. 

  • Security & Access Control

    Secrets Management – Multiple strongly typed secret types are provided, including Opaque, TLS certificate, Docker, dictionary, AWS, Azure connector, Azure SDK, ECR, GCP, keypair, NATS account, and username & password. 

    Policy based access control – All objects are subject to fine-grained access control policy to govern what actions certain principals can perform. Group membership can be driven by attributes and group memberships in any external identity provider. 

    SAML support – Full SAML2 SSO support at no additional cost. Integrate with any identity provider like Auth0, Okta, etc. 

    SSO with multiple identity providers – Authenticate with Google, Office365, GitHub or any SAML2 provider. 

    Built-in Falco for Threat Detection – Integrates Falco for real-time threat detection, monitoring the behavior of containers and applications to detect anomalous activity. 

    Audit Trail – Provides a tamper-proof audit trail service for both Control Plane and custom workload actions, enhancing security and compliance. 

    JWT authentication – Turn on JWT authentication for any workload. 

    Application firewall – Control granular inbound and outbound rules. 

  • Workload & Compute Management

    Stateful workloads – Stateful workloads support individually addressable replicas. They are typically used in conjunction with volume sets. 

    Stable Replica Identities – Assigns permanent identities to each replica in a stateful workload, ensuring consistent network identities and stable storage attachments, which is crucial for applications requiring persistent state. 

    Volume sets – A collection of storage volumes that can be linked to one or more workloads, supporting features like autoscaling, snapshots, and performance classes. 

    Marketplace – A collection of pre-defined Helm charts for quickly deploying (often stateful) workloads such as Postgres, Redis, Kafka, Ollama, MySQL, etc. 

    Universal Cloud Identity™ – Patented technology that allows a set of permissions on any cloud to be grouped into a workload identity and assigned to one or more workloads, so application code never has to handle credentials and workloads remain portable (e.g. use RDS even when running on premises, without credentials). This capability allows developers to mix & match ANY service of AWS, GCP, and Azure as if the clouds had merged. 

    Cloud Wormhole® – Enables secure consumption of private network resources not exposed to the internet, such as RDS within a VPC or in a private data center network.