Pure Open Source · No Vendor Lock-in

Private Infrastructure
Services

Every service is built on upstream open-source technology, designed for sovereign operation, and delivered with full knowledge transfer to your engineering team. No proprietary layers. No ongoing licence fees. No lock-in.

Service 01

Private Cloud — OpenStack

A full private cloud built on upstream OpenStack — the same platform that powers the infrastructure of NASA, CERN, Deutsche Telekom, and dozens of national governments. Deployed on your hardware, in your data centre or co-location facility, administered entirely by your team.

OpenStack has been in production since 2012. It is not a new or unproven technology — it is the de facto standard for private cloud outside the hyperscaler ecosystem. SDcloud has deployed OpenStack continuously since the first major releases.

What the Deployment Covers

  • Hardware design and rack architecture review
  • Network topology: flat, VLAN, VXLAN, OVN overlay
  • Compute: Nova + KVM hypervisor, bare-metal Ironic
  • Storage: Ceph RBD (block), Ceph Object (S3-compatible), CephFS
  • Identity: Keystone with LDAP/AD integration
  • Dashboard: Horizon or Skyline, plus API access
  • High-availability control plane with no single point of failure
  • Monitoring: Prometheus + Grafana + alerting
  • Full operational runbooks and staff training

OpenStack Components Deployed

Compute

Nova · Ironic · Placement

Networking

Neutron · OVN · Octavia

Storage

Cinder · Manila · Swift

Identity & UI

Keystone · Horizon · Barbican

Image & DNS

Glance · Designate

Orchestration

Heat · Magnum

Licensing cost: Zero. OpenStack is Apache 2.0 licensed. There are no per-node fees, no per-core subscription costs, and no licence renewal cycles. The only cost is the engineering work to deploy, configure, and maintain it — which is exactly what SDcloud provides.

Service 02

Kubernetes & Container Platform

Production-grade Kubernetes on your private cloud or bare-metal — with Cilium eBPF networking, GitOps automation, full observability, and a platform engineering layer that your developers can actually use.

We build a complete internal developer platform: namespaced multi-tenancy, automated certificate management, secret management via Vault, a GitOps pipeline with Argo CD or Flux, and a full observability stack — all on open-source tooling with no SaaS dependencies.

Platform Capabilities

  • Multi-cluster federation for geo-redundancy and workload isolation
  • Cilium network policy: zero-trust L3/L4/L7 segmentation
  • GitOps: declarative cluster state, auditable change history
  • Secrets management: HashiCorp Vault with Kubernetes auth
  • Full observability: Prometheus, Grafana, Loki, Tempo
  • Automated image scanning and policy enforcement (Kyverno/OPA)
  • Kubernetes CIS benchmark hardening

Kubernetes Stack

Kubernetes · Cilium eBPF · Helm 3 · Argo CD · Flux CD · Longhorn · Cert-Manager · External-DNS · Prometheus · Grafana · Loki · Tempo · Vault · KEDA · MetalLB

Why Cilium? Cilium uses Linux eBPF to provide network policy enforcement, observability, and load balancing at the kernel level — without iptables. It provides significantly better performance and security visibility than Calico or Flannel.

Service 03

GPU Clusters & Private AI

Deploy large language models, run inference, and fine-tune on proprietary data — entirely within your own infrastructure. No API calls to OpenAI. No data leaving your perimeter.

Models like Meta's Llama, Mistral, Qwen, and Falcon now match or exceed commercial API-based models for many enterprise use cases — and they can be run on hardware you control. SDcloud designs and operates the infrastructure layer that makes this possible at enterprise and government scale.

Deployment Patterns

  • Inference cluster: GPU nodes with vLLM or Ollama, OpenAI-compatible API endpoint
  • Fine-tuning pipeline: Distributed training on proprietary data using FSDP or DeepSpeed
  • RAG infrastructure: Vector databases (Qdrant, Milvus, pgvector), document ingestion
  • Air-gapped AI: Complete offline operation, no internet dependency

AI Infrastructure Stack

Inference Engines

vLLM · Ollama · llama.cpp · TGI

Open-Weight Models

Llama 3.x · Mistral · Qwen 2.5 · Falcon

GPU & Orchestration

CUDA / ROCm · NVIDIA Operator · Ray · Kubeflow

Vector & RAG

Qdrant · Milvus · pgvector

Sovereignty risk: Every prompt sent to ChatGPT, Claude, Gemini, or Copilot is transmitted to and processed by infrastructure you do not control. For government, legal, financial, or classified workloads, this represents a significant information sovereignty breach.

Service 04

Enterprise Networking

Software-defined networking, zero-trust access, encrypted inter-site connectivity, and BGP routing — all built on open-source networking stacks that eliminate the need for Cisco, Juniper, or Fortinet licensing.

Networking Services

  • SD-WAN: Software-defined WAN with automatic failover and encrypted overlays
  • Zero-Trust Access: Device trust, identity-based access, micro-segmentation
  • BGP Routing: Full BGP with FRRouting — peering, ECMP, route filtering, anycast
  • WireGuard VPN: High-performance encrypted mesh between sites and users
  • Network Observability: NetFlow, sFlow, and eBPF-based monitoring

Networking Stack

Routing & Switching

VyOS · FRRouting · BIRD 2 · OVS / OVN

Firewall & Security

nftables · Suricata · Zeek · OPNsense

VPN & Tunnelling

WireGuard · StrongSwan · OpenVPN

Observability

Hubble · ntopng · Graylog

Service 05

Government & Defense Cloud

Air-gapped, classified-ready private cloud infrastructure for defense agencies, intelligence units, and critical national security operations — deployed entirely on hardware you own, with zero internet dependency.

Defense and national security workloads have requirements that no hyperscaler can meet: complete physical isolation, hardware-level supply chain control, strict data residency, multi-level security classifications, and audit trails that survive legal challenge.

Defense-Grade Capabilities

  • Full air-gap deployment: No internet, offline package mirrors, disconnected CI/CD
  • Multi-level security (MLS): Classification zones, mandatory access controls, data diodes
  • Supply chain integrity: Hardware provenance, firmware locking, SBOM tracking
  • Tamper-evident audit logging: Signed audit trails, SIEM, PAM with session recording
  • HSM integration: Hardware key management, classified CA hierarchy
  • Private AI for classified workloads: Air-gapped GPU clusters for LLM inference

Defense Security Stack

Access & Identity

HashiCorp Vault · Keycloak · FreeIPA / LDAP · PKI / HSM

Threat Detection

Suricata IDS/IPS · Zeek · Wazuh SIEM · OpenSearch

Isolation & Hardening

SELinux · AppArmor · gVisor · seccomp

Audit & Compliance

Teleport PAM · auditd · OpenSCAP · CIS Benchmarks

Jurisdiction matters: US hyperscalers — AWS GovCloud, Azure Government, Google Public Sector — all operate under US jurisdiction and are subject to CLOUD Act requests, NSLs, and FISA Section 702. For non-US defense agencies, this is a disqualifying factor.

Common Questions

Service FAQ

Do you offer managed support contracts?

Yes. We offer ongoing managed infrastructure support for clients who have completed a deployment engagement. Support contracts cover monitoring, incident response, patch management, and capacity planning. All support is delivered by the same engineers who built the infrastructure.

What hardware do you recommend?

SDcloud is hardware-vendor neutral. We design for commodity x86-64 hardware and can work with Dell, HPE, Lenovo, Supermicro, or any server vendor your organisation has an existing relationship with.

How long does a private cloud deployment take?

A greenfield OpenStack deployment on pre-provisioned hardware typically takes 6-12 weeks to reach production-ready state, including network design, HA control plane, storage configuration, identity integration, and initial training.

Can you work alongside our existing team?

Yes — and this is the preferred model. We work best as a technical partner embedded alongside your existing infrastructure team. Your team participates in the deployment and gains hands-on capability throughout the engagement.

Do you have experience with air-gapped environments?

Yes. We have deployed infrastructure in air-gapped environments — including disconnected package mirrors, offline model repositories for AI workloads, and isolated network segments with unidirectional data diodes.

What makes you different from a standard systems integrator?

Most systems integrators resell products from their vendor partners. SDcloud earns revenue only from engineering work we do for clients. We have no proprietary platform to sell, no OEM agreements, and no commercial relationships with software vendors.

Talk to Engineers, Not Account Managers

When you contact SDcloud, you speak directly with infrastructure engineers who have deployed the technology you're asking about.