
SDR connectivity

Self-Deployed Runtime uses a runtime service deployed within your network that acts as a bridge between Atlan Cloud and your data sources. The runtime maintains an outbound HTTPS connection to Atlan Cloud and connects locally to your data sources over your internal network.

The runtime extracts only structural metadata: schemas, tables, columns, and their relationships. Business data remains in your source systems and is never extracted or stored in Atlan.

How connections work

The runtime sits within your network perimeter, deployed with Docker Compose or on a Kubernetes cluster. It maintains a persistent outbound HTTPS connection to Atlan Cloud. This connection is always initiated from your network, never inbound from the internet.

When you create a crawler workflow, Atlan Cloud sends metadata extraction requests to the runtime over this outbound connection. The runtime processes these requests, connects to your data sources over your local network, and returns the results to Atlan Cloud. Your data sources never expose ports to the internet. All connections are initiated from within your network.

Connection pattern consistency

The connection pattern remains the same regardless of which connector application you're using:

  • Outbound to Atlan Cloud: HTTPS connection over the internet
  • To data sources: Connections over your local network (within your network perimeter)

Whether you're running a PostgreSQL connector, an Oracle connector, an SAP connector, or any other connector application, the runtime uses the same connectivity pattern to communicate with Atlan Cloud.

Security and data protection

Self-Deployed Runtime protects your data through multiple security layers:

  • Metadata extraction, not data replication: Atlan extracts only structural metadata (schemas, tables, columns, and their relationships). The actual business data in your tables remains in your source systems. For example, if you have a CUSTOMERS table with customer records, Atlan discovers the table structure and column definitions. It never queries or stores the customer records themselves.

  • Read-only operations: All operations are read-only. The connector can't modify data, create or drop objects, or change any configuration. The permissions you grant control exactly what the connector can access.

  • Credential encryption: Connection credentials are encrypted at rest and in transit. Credentials never leave your network perimeter. The runtime retrieves them from your enterprise-managed secret vaults (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, or Kubernetes Secrets) only when needed. Atlan Cloud never receives or stores them.

  • Network isolation: Your data sources gain complete network isolation from the internet. The data sources only accept connections from the runtime within your local network. The runtime itself only makes outbound HTTPS connections to Atlan Cloud, which your network team can control through firewall rules. All data transmission uses TLS 1.2 encryption over HTTPS, protecting metadata from interception during transit.
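
An added example, not Atlan's own code: a small Python audit that checks a set of firewall allow rules against the connection pattern described on this page (no inbound from the internet to the runtime or data sources, and runtime egress to the internet only over HTTPS). The addresses, the rule format, and the use of TCP 443 as the HTTPS port are assumptions made for illustration; feed it rules exported from your own firewall or security groups.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (assumptions); replace with your own network layout.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # your local network
RUNTIME = ipaddress.ip_network("10.20.0.10/32")      # host running the runtime
DATA_SOURCES = ipaddress.ip_network("10.20.5.0/24")  # databases the runtime crawls
HTTPS_PORT = 443                                      # assumed port for outbound HTTPS

@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int
    action: str = "allow"

def audit(rules):
    """Return (rule name, finding) pairs for allow rules that break the pattern."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        from_outside = not src.subnet_of(INTERNAL)
        to_outside = not dst.subnet_of(INTERNAL)
        if from_outside and dst.overlaps(DATA_SOURCES):
            findings.append((r.name, "data source exposed to the internet"))
        if from_outside and dst.overlaps(RUNTIME):
            findings.append((r.name, "inbound internet connection to the runtime"))
        if to_outside and src.overlaps(RUNTIME) and r.port != HTTPS_PORT:
            findings.append((r.name, "runtime internet egress is not HTTPS"))
    return findings

# Constructed sample rule set: two compliant rules, three violations.
SAMPLE_RULES = [
    Rule("runtime-to-cloud", "10.20.0.10/32", "203.0.113.0/24", 443),
    Rule("runtime-to-postgres", "10.20.0.10/32", "10.20.5.21/32", 5432),
    Rule("legacy-db-public", "0.0.0.0/0", "10.20.5.21/32", 5432),
    Rule("runtime-ssh-in", "198.51.100.0/24", "10.20.0.10/32", 22),
    Rule("runtime-http-out", "10.20.0.10/32", "0.0.0.0/0", 80),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Deny rules are skipped, so the audit reports only what the rule set permits, not the effective policy after rule ordering.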
