Product Architecture

Larktun can be described in four layers: SaaS control, tenant network control, relay, and endpoint execution. The goal is to deliver stable and lightweight remote access while keeping strict tenant isolation.

Architecture layers

  • SaaS control layer: tenant lifecycle, identity verification, policy distribution, and audit aggregation
  • Tenant network control layer: isolated network state, device inventory, and ACL state per tenant
  • Relay layer: traffic forwarding fallback with shared, dedicated, or user-managed relay options
  • Endpoint execution layer: encrypted path setup and ACL enforcement with low-memory background runtime

How tenant isolation is enforced

  • Devices, user groups, and policy sets are maintained per tenant
  • ACL evaluation is tenant-scoped with no cross-tenant inheritance
  • Audit logs are archived per tenant for traceability and compliance reviews
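The three properties above, as a small model: an added example, not Larktun's code. The `Rule` and `Tenant` shapes, the `evaluate` function, and all tenant, group, and device names are hypothetical; the sample data is constructed so that two tenants reuse the same group and device names.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:                      # hypothetical rule shape: group -> device:port
    src_group: str
    dst_device: str
    port: int

@dataclass
class Tenant:                    # all state is held per tenant, never globally
    devices: dict = field(default_factory=dict)   # device name -> user group
    rules: list = field(default_factory=list)
    audit: list = field(default_factory=list)     # per-tenant audit trail

def evaluate(tenants, tenant_id, src, dst, port):
    """Default-deny check that consults only tenant_id's devices and rules."""
    t = tenants[tenant_id]
    allowed, reason = False, "no-matching-rule"
    if src not in t.devices or dst not in t.devices:
        reason = "device-not-in-tenant"           # blocks cross-tenant endpoints
    else:
        group = t.devices[src]
        for r in t.rules:
            if (r.src_group, r.dst_device, r.port) == (group, dst, port):
                allowed, reason = True, "rule-match"
                break
    t.audit.append((src, dst, port, allowed, reason))
    return allowed

def build_sample():
    """Constructed sample: two tenants reuse the group name 'eng' and device 'db-1'."""
    a = Tenant(devices={"laptop-a": "eng", "db-1": "servers"},
               rules=[Rule("eng", "db-1", 5432)])
    b = Tenant(devices={"laptop-b": "eng", "db-1": "servers"})
    return {"tenant-a": a, "tenant-b": b}

if __name__ == "__main__":
    tenants = build_sample()
    print(evaluate(tenants, "tenant-a", "laptop-a", "db-1", 5432))  # own rule
    print(evaluate(tenants, "tenant-b", "laptop-b", "db-1", 5432))  # no inheritance
    print(evaluate(tenants, "tenant-a", "laptop-b", "db-1", 5432))  # foreign device
    print(tenants["tenant-a"].audit)
```

Because lookups never leave the selected tenant's own maps, a matching group or device name in another tenant cannot widen access, and every decision (including denials) lands in that tenant's audit list only.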

Choosing relay strategy

  • Shared relay: best for individual free users, quick validation, and small-team rollouts
  • Dedicated relay: best for higher stability and predictable capacity
  • User-managed relay: best for custom boundary, region, or compliance requirements

Stability and footprint design

  • Prefer direct path first, then relay fallback when needed
  • Keep path health monitoring and auto-reconnect enabled
  • Maintain low endpoint memory footprint for long-running sessions

Interactive simulator

Run login, direct path, and DERP relay flows directly inside the docs page, or open the full demo in a separate tab.

The embedded simulator currently uses Chinese UI labels, while the interaction flow is the same.

Architecture diagram

Larktun architecture diagram
