
Casebook

Larktun showcase for secure networking scenarios

Covering home remote desktop, solo developer cloud access, home surveillance, multi-region server mesh, factory equipment networking, and collaborative operations with a consistent presentation structure.

  • 06 Core business scenarios
  • 03 Access-control layers
  • 01 Unified scenario framework

Methodology

A unified method for scenario planning and implementation

Define the boundary first

Start with who needs access, what device or service is targeted, and whether traffic crosses public networks.

Constrain permissions second

Encode ACLs, identity verification, and time windows in each case so connectivity stays controllable.

Quantify outcomes last

Use connection success rate, latency stability, and audit traceability to measure outcomes and support continuous optimization.

Scenarios

Six core business scenarios

Each case includes challenge, architecture, security controls, expected outcomes, and topology visualization.

01

Home remote work

Secure access to a home computer

When away from home, connect securely from a laptop to your home workstation for coding, design, and file work.

Challenge
Residential IP addresses change frequently, and port forwarding or DDNS workarounds add attack surface and maintenance overhead.
Architecture
Home devices join a personal tenant; remote devices authenticate first, then connect over encrypted direct or relay paths with zero open inbound ports.
Outcome
Keeps remote desktop and file transfer available while significantly reducing home-network exposure.
Security controls
  • Allow only registered devices to reach home hosts
  • Enforce MFA and new-device verification
  • Automatically tighten access scope after sessions
Typical scale: 2-6 devices
  1. Remote endpoint passes identity checks
  2. Control plane pushes least-privilege policy
  3. Encrypted path connects to home workstation
02

Solo developer

Secure access to public-cloud servers

For personal projects on public-cloud VMs, SSH, DB maintenance, and releases must stay secure, auditable, and private.

Challenge
Exposing ports 22 (SSH) and 3306 (MySQL) directly to the internet is risky, while full VPN stacks are heavy for solo projects.
Architecture
Cloud instances join the tenant as nodes; ACLs are pushed by identity and tags so only the required operations paths are reachable.
Outcome
Cloud hosts remain minimally exposed, and solo operations become lightweight, secure, and stable.
Security controls
  • Expose SSH only to approved developer devices
  • Use temporary authorization windows for sensitive actions
  • Record every session into traceable audit logs
Typical scale: 1-20 cloud instances
  1. Developer device signs in and matches role policy
  2. Control plane computes host ACL and routing
  3. SSH and deployment paths are established with least privilege
03

Home surveillance

Secure remote access to home surveillance

View NVR and camera feeds from mobile devices without exposing surveillance admin ports to the public internet.

Challenge
Many home camera stacks rely on opaque third-party relay services with unclear privacy and permission boundaries.
Architecture
NVR and gateway join an isolated surveillance subnet; family devices authenticate by identity and access only required streaming ports.
Outcome
Enables remote monitoring and alert response while reducing camera exposure to internet scans.
Security controls
  • Tier surveillance permissions by family member role
  • Require step-up confirmation for risky configuration actions
  • Send real-time alerts for abnormal sign-ins
Typical scale: 3-30 surveillance endpoints
  1. Mobile device initiates surveillance access request
  2. Identity and policy checks issue scoped access token
  3. Read-only stream path is established with continuous auditing
04

Multi-region server mesh

Mesh servers across regions

Bring East China, North China, and overseas servers into one controllable private mesh for release, logging, and cross-region ops.

Challenge
Public routing jitter and fragmented policies lead to unstable cross-region access and difficult troubleshooting.
Architecture
Deploy regional relays and policy nodes with tag-based routing and health checks so operations traffic can pick healthier paths automatically.
Outcome
Cross-region connectivity becomes more stable with unified control over release and operations paths.
Security controls
  • Use regional ACLs to limit lateral movement
  • Enable path health checks and failover
  • Observe latency and packet loss across regions
Typical scale: 5-200 servers
  1. Regional nodes join the same mesh by tags
  2. Policy engine selects paths by link health
  3. Traffic fails over automatically when a path degrades
05

Industrial networking

Connect factory equipment securely

Onboard PLCs, edge gateways, and industrial PCs into a secure mesh so HQ and field engineers can diagnose remotely.

Challenge
Industrial and office networks must stay isolated, downtime windows are short, and on-site troubleshooting is expensive.
Architecture
Use industrial gateways as trust boundaries and enforce protocol-level ACLs by device tags to expose only essential maintenance paths.
Outcome
Cuts on-site trips and downtime while meeting industrial security compliance requirements.
Security controls
  • Separate HQ, field, and vendor roles with RBAC
  • Capture full audit trails for critical operations
  • Automatically enable/disable policy by maintenance window
Typical scale: 1-10 factory sites
  1. Devices connect through industrial gateways to the control plane
  2. Protocols and ports are opened by workstation-level policy tiers
  3. Remote diagnostics are fully logged for traceability
06

Collaborative operations

Multi-team and third-party operator access

HQ teams, contractors, and customer engineers collaborate on the same environment without shared accounts or over-permissioning.

Challenge
Cross-org collaboration is frequent, boundaries are hard to enforce, and permission revocation is often delayed after project closure.
Architecture
Group identities by organization and role, then grant short-lived access by service tags and time windows with automatic revocation.
Outcome
Improves cross-team delivery speed with clearer audit accountability for long-running managed projects.
Security controls
  • One-time approvals with short-lived access tokens
  • Session traceability with anomaly alerts
  • Revoke permissions and device trust on offboarding
Typical scale: 10-300 managed nodes
  1. Partners join tenant groups based on role
  2. Approval issues least-privilege policy and time window
  3. Access paths are revoked automatically when work ends
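The methodology section asks that every case encode ACLs, identity verification and time windows, and the collaborative-operations case above applies that to short-lived, tag-scoped grants with automatic revocation. The following is an added illustration of that evaluation order in working code; it is not Larktun's code or API. All names (Identity, Node, Grant, evaluate, expire_grants, audit_line), the sample grants, the node tags and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    """Who is asking: org and role drive grant matching; device and MFA
    state drive the identity check that runs before any ACL lookup."""
    user: str
    org: str
    role: str
    device_registered: bool
    mfa_verified: bool


@dataclass(frozen=True)
class Node:
    """A managed host, addressed by tags rather than by IP."""
    name: str
    tags: frozenset


@dataclass(frozen=True)
class Grant:
    """One approved, time-boxed, least-privilege policy entry."""
    approval_id: str
    org: str
    role: str
    service_tags: frozenset   # node must carry at least one of these
    ports: frozenset          # only these destination ports
    not_before: datetime
    not_after: datetime


def evaluate(identity, node, port, grants, now):
    """Return (allowed, reason). Identity checks run first, so an
    unregistered or non-MFA device never reaches policy matching."""
    if not identity.device_registered:
        return False, "device not registered"
    if not identity.mfa_verified:
        return False, "mfa required"
    for g in grants:
        if (g.org, g.role) != (identity.org, identity.role):
            continue
        if not (g.not_before <= now < g.not_after):
            continue            # outside the approved window
        if not (g.service_tags & node.tags):
            continue            # grant does not cover this service
        if port not in g.ports:
            continue
        return True, f"grant {g.approval_id}"
    return False, "no grant in effect"


def expire_grants(grants, now):
    """Automatic revocation: drop grants whose window has closed."""
    return [g for g in grants if now < g.not_after]


def audit_line(identity, node, port, now, allowed, reason):
    """One traceable audit record per decision (constructed format)."""
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{now.isoformat()} {verdict} user={identity.user} "
            f"org={identity.org} node={node.name} port={port} reason={reason}")


# Constructed sample data for the collaborative-operations scenario.
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
BUILD_NODE = Node("build-01", frozenset({"release", "region:east"}))
GRANTS = [
    Grant("apr-1001", "contractor", "vendor", frozenset({"release"}),
          frozenset({22}), NOW - timedelta(hours=1), NOW + timedelta(hours=2)),
    Grant("apr-0007", "hq", "ops", frozenset({"release", "logging"}),
          frozenset({22, 443}), NOW - timedelta(days=30), NOW + timedelta(days=30)),
]
CONTRACTOR = Identity("alice@vendor.example", "contractor", "vendor", True, True)
CONTRACTOR_NO_MFA = Identity("alice@vendor.example", "contractor", "vendor", True, False)


def demo():
    """Walk the scenario: in-window access, a port outside the grant,
    missing MFA, and automatic revocation once the window closes."""
    later = NOW + timedelta(hours=3)
    return {
        "in_window": evaluate(CONTRACTOR, BUILD_NODE, 22, GRANTS, NOW),
        "wrong_port": evaluate(CONTRACTOR, BUILD_NODE, 3306, GRANTS, NOW),
        "no_mfa": evaluate(CONTRACTOR_NO_MFA, BUILD_NODE, 22, GRANTS, NOW),
        "after_window": evaluate(CONTRACTOR, BUILD_NODE, 22, GRANTS, later),
        "remaining_grants": [g.approval_id for g in expire_grants(GRANTS, later)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    allowed, reason = evaluate(CONTRACTOR, BUILD_NODE, 22, GRANTS, NOW)
    print(audit_line(CONTRACTOR, BUILD_NODE, 22, NOW, allowed, reason))
```

The ordering is the point: device registration and MFA are checked before any grant is consulted, a grant only matches when organisation, role, service tag, port and time window all agree, and expiry is enforced by the clock rather than by someone remembering to revoke. Every decision, allowed or denied, yields an audit line so the trail stays complete.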

A continuously evolving library of industry use cases

Built on a consistent structure, this page supports solution communication, implementation planning, and operations optimization.