Architecture

How Cascade, Cascadia, and the Aftora edge network fit together.

Cascade is designed around a clear separation between the control plane (the panel) and the data plane (your servers). Your customer data and workloads always stay on your hardware.

Overview

[Diagram: the Cascade Panel (hosted by Aftora, or self-hosted) is linked by Cascadia RPC (HTTPS, WebSocket) to Node 1, Node 2 and Node 3, each running Cascadia. The nodes are your hardware; data never leaves your servers.]

Components

Cascade Panel

The panel is the control plane. It provides:

  • The web UI for managing workloads, clients, billing, and nodes
  • The API consumed by the Cascadia daemons
  • The billing engine (invoicing, payment processing, dunning)
  • The client portal (your customers' self-service interface)

The panel is hosted and managed by Aftora — there is nothing for you to install or operate on the control plane side.

Cascadia Daemon

Cascadia (cascadiad) is a lightweight Go binary that runs on each of your node servers. It:

  • Receives workload instructions from the panel over an encrypted WebSocket connection
  • Executes workloads locally using the appropriate backend (Docker, LXC, direct process, etc.)
  • Reports resource usage and health metrics back to the panel in real time
  • Handles graceful workload migration when a node goes offline

Cascadia never accepts inbound connections — it always initiates the connection to the panel. This means no inbound firewall rules are needed.

Aftora Edge Network (Cascadia Edge)

Cascadia Edge is Aftora's global edge network. It provides:

  • Routing — Intelligent routing of traffic to your nodes with automatic failover
  • DDoS protection — L3/L4 and L7 mitigation at the edge before traffic reaches your servers
  • SSL termination — Automated certificate issuance and renewal for all workloads
  • Anycast DNS — Global DNS with sub-10ms propagation

Your customers' traffic passes through the edge, but the data is served from your hardware.

Data flow

Web hosting request

User → Cascadia Edge (DDoS + SSL) → Your Node (web server process)

Game server connection

Player → Cascadia Edge (DDoS + route) → Your Node (game process)

Billing / client portal

Client browser → Cascade Panel (UI, billing engine) → Your Node

Security model

  • All panel ↔ node communication is encrypted (TLS 1.3)
  • Node registration tokens are single-use and expire after 24 hours
  • Each node has a unique cryptographic identity — panel access is revocable per-node
  • Workloads run in isolated environments (containers, VMs, or chroot depending on type)
  • Secrets (database passwords, API keys) are encrypted at rest and never logged
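
The registration-token and per-node identity rules above, sketched in Go as an added example; this is not Aftora's code, and the page does not describe how Cascade implements them. The `Registry` type, its methods, the use of Ed25519 keys and the signed-challenge check are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Registry is a hypothetical panel-side store; add a mutex before sharing it.
type Registry struct {
	tokens map[[32]byte]time.Time       // SHA-256(token) -> issue time
	nodes  map[string]ed25519.PublicKey // node ID -> enrolled identity key
}

// Issue mints a random registration token and keeps only its hash.
func (r *Registry) Issue(now time.Time) []byte {
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		panic(err)
	}
	r.tokens[sha256.Sum256(tok)] = now
	return tok
}

// Register burns the token on first presentation, then binds the node's key.
func (r *Registry) Register(tok []byte, id string, pub ed25519.PublicKey, now time.Time) error {
	h := sha256.Sum256(tok)
	issued, ok := r.tokens[h]
	delete(r.tokens, h) // single use: consumed even if rejected below
	if !ok || now.Sub(issued) > 24*time.Hour || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("registration of %q rejected", id)
	}
	r.nodes[id] = pub
	return nil
}

// Revoke drops one node's identity; Verify checks its signature on a challenge.
func (r *Registry) Revoke(id string) { delete(r.nodes, id) }
func (r *Registry) Verify(id string, challenge, sig []byte) bool {
	pub, ok := r.nodes[id]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	r := &Registry{tokens: map[[32]byte]time.Time{}, nodes: map[string]ed25519.PublicKey{}}
	pub, _, _ := ed25519.GenerateKey(nil) // constructed sample node key
	fmt.Println(r.Register(r.Issue(time.Now()), "node-1", pub, time.Now()))
}
```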

Multi-node topology

Cascade supports multiple nodes from day one. Common topologies:

Single node — All workloads on one server. Good for getting started.

Workload-separated — Dedicated nodes per workload type (web, game, database). Improves performance isolation.

Geographic distribution — Nodes in different regions. Cascade routes new workloads to the closest available node.

High availability — Two nodes in the same region with workload mirroring. Cascade handles failover automatically.