Lane7 Blueprints
Zero Trust Application Networks Made Simple

Zero Trust Application Networks in Minutes. Blueprints are Free. Pay Only for the Security.
An animated abstract graphic of moving gears and data transfers with a central circular image depicting the Lane7 logo

Eliminate PKI, CAs, and mTLS complexity with Lane7 Blueprints. Download our composable Kubernetes architectures for free. You only pay a flat monthly rate for the active Workload Security Proxies (WoSPs) running in your environments

Core Issue #1: Stolen credentials
  • Credentials remain valid for hours or days, leaving systems vulnerable.
  • Are your certificate rotation cycles measured in days or months?
  • Has security become a bottleneck, leading to inadequate protection or delays?
  • Do you have thousands of API endpoints with static keys that can leak data?
alert sign icon
The "Certificate Management Crisis" is accelerating;
the maximum certificate lifespan will be reduced to 47 days by 2029 increasing the risk of certificate-related outages.
Core Issue #2: High complexity
  • Service meshes and Kubernetes implementations are complex.
  • Tired of complex manual configuration for every service endpoint?
  • Living through "YAML Hell" managing thousands of lines of code?
  • Is high operational overhead slowing down deployment velocity?
"Working with PKI certificates is on my Top 5 list of least favorite tasks. As a Software turned DevOps Engineer, I appreciate solutions that simplify complexity without compromising security. Hopr’s innovation does exactly that. It’s a smart, efficient approach that addresses real-world challenges"
Stephanie Phifer, Senior Software and Automation Engineer

Solve Both Critical Issues with One Solution
Lane7 Blueprints

Our Cloud Native AMTD preemptively protects Zero Trust Application Networks.
Your app networks are 'Secure by Default'.
.
A blue shield whose interior depicts stacks of containers with the number 7 and a lane along the centerline.

Stop configuring certs. Start shipping code.

See for yourself just how simple and fast it is to deploy Zero Trust application networks protected by Cloud Native AMTD. Choose any  blueprint in the Lane7 catalog, get a Free Trial license for its WoSPs, and deploy in less the app nextwork in leass than 30 minutes.
Try for FREE!
Read the Docs

Replaceable App Logic and Pre-configured Korvette-S WoSPs

Rigorous Access Control that repels threats
Post-quantum encryption of data in transit
An abstract graphic depicting a containerized application with a WoSP sidecar proxy
High frequency credential rotation that disrupts threats
The chain of trust is in the workload identity, not the Cert Authority
Learn About the Korvette
Learn more

Build Your 'Golden Path' Deployment

Choose from five "pod types" and compose a custom blueprint to create a Zero Trust Application Network of any size, any communication protocol, for any cloud environment, and your choice of two security modes.
Stylized blueprint of a pod with ingress and egress connections
Gateway, Intiator
Pods that 'trigger' the app activity. They have one egress endpoint.

Gateways are special "boundary pods"  that include 'pinhole access' that trigger on a 'POST' message.
A stylized blueprint image of a pod
Relay, Processor
Blueprint nodes (pods) that accept ingress traffic, process it and relay it via egress to another pod. They have one ingress and one egress endpoiint.
Stylized blueprint of a pod with ingress and egress connections
Distributor, Router
Pods that accept ingress traffic, process it, and then fan-out the egress traffic to multiple  pods. They have one ingress endpoint and multiple egress endpoints.
Stylized blueprint of a pod with ingress and egress connections
Aggregator
Pods that receive traffic from multiple ingress endpoints, process it, and send the result to a single egress endpoint.
Stylized blueprint of a pod with ingress and egress connections
Sink, Terminator
Pods that finish an app  activity. They have a single ingress and no egress

Sinks are special "boundary pods" that have a 'pinhole' to enable output access via a 'GET' message.

Transparent Pricing:
One License.
Infinite Composability. Speed.

  • One Customer License: You receive a single Hopr license upon account creation.
  • Deploy Anywhere: Use that same license across all your secrets.yaml files, whether you are testing locally in k3d, in dev, or in production across multi-cloud environments.
  • Automated Tracking: Our billing tracks active workloads each month so you only pay for what you use.
  • Fair Billing: If a WoSP checks in as active during the month, it incurs a fee. If it’s spun down, you don't pay.

Blueprints are Always Free

We don’t charge you for architectural templates. All Lane7 Blueprints are free to download. You only pay for the Korvette-S WoSP license to secure your workloads.
Mechanical design blueprint drawwing of the various pod types in Lane7 blueprints
Blueprints, composed of different pod types, are easily deployed as Zero Trust Application Networks
Feature
Cost / Details
All Lane7 Blueprints
$0 (Free Forever)
Active WoSP License
$35 per month (or less) per active workload
License Management
One license per customer for all WoSP deployments
Usage Tracking
We charge only for WoSP's that perform 'sessions' in a month.

Lane7 Simplifies Strong Security

We've taken the complexity and friction out of deploying secure application networks accross all cloud environments.
Networking the Application
WoSPs enable application networking at Layer 7 or Layer 4 of the OSI stack and add stronger security against application layer attacks
An image showing text that is an example of YAML code on a dark background
Blueprints are easily composed from YAML files
Replaceable App Business Logic
Blueprints provide an application network where the business logic can be customized while preserving the communication and security operations of the WoSP.
Ensure Zero Trust Access to Apps
Zero Trust identity verification and ephemeral secrets add an AMTD to app networks making attacks nearly impossible. Think of this as threat repellent for workloads.
Secure by Design
Authorization is designed into the blueprint. Apps are authorized by the blueprint design, which prevents unauthorized access.
WoSPs + Web Apps = Secure by Default
HTTP apps are simpler to build than HTTPS, and WoSP sidecars add stronger security. Blueprints secure HTTP apps and REST APIs by default.

DevOps and Platform Engineers can Deploy a Zero Trust Application Network
in Minutes

a screenshot image of a Command Line Interface with docker and kubernetes commands
  • Replace the business logic in the blueprint app with yours.
  • Containerize your customized app with the blueprint Dockerfile.
  • Create the kubernetes cluster and import your app container image.
  • Verify the container image is available
  • Deploy the blueprint manifests into the cluster
  • Verify and monitor the app logs

Lane7 Blueprint Benefits

Improved Security Posture
Networked applications are protected by Cloud Native AMTD with Zero Trust identity verification. Both authorization and authentication are secure by default.
Decreased Time to Value
Application networks can be deployed within minutes rather than weeks or months.
Easy Configuration and Deployment
Low-friction, pre-configured deployments remove the complexity and errors often experienced by DevOps.
Reduced Architectural Overhead
Reduced use of costly external services such as cert manager, key management, and secrets vaults.
Customized App Business Logic
Each blueprint includes an application with code sections clearly marked for business logic customization.

Lane7 Blueprint Catalog

Choose a blueprint - Customize the apps - Delopy in <30 min.

Catalog Filters
Security Mode
Environment
Protocol
Pod Count
Clear FilterClear FilterClear FilterClear Filter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Armored Ferry: Secure API Gateway

A highly secure, point-to-point relay operating as a client and server. Best for external-facing entry points requiring per-request AMTD key rotation at Layer 7.

View the YAML
white 'X' icon
schema_version: '2.0'
blueprint:
  generated_by: lane7-compose v2.1
  network:
    id: simple-relay
    name: Simple 2-Pod Relay
    deployment_scope: single-cluster
    protocol: http
  pods:
  - id: gateway
    template: http-initiator
    functional_label: api-gateway
    namespace: simple-relay-gateway-ns
    cluster: cluster-1
    egress_targets:
    - simple-relay-processor-svc.simple-relay-processor-ns.svc.cluster.local
    boundary: false
  - id: processor
    template: http-terminator
    functional_label: backend-processor
    namespace: simple-relay-processor-ns
    cluster: cluster-1
    egress_targets: []
    boundary: false
  connections:
  - from: gateway
    to: processor
  wosp_count: 2
Try for FREE!
Armored Car
Single Cluster
HTTP1/REST
2 Pods

Fast Ferry: WebSocket Streaming Relay

A persistent, low-latency TCP tunnel for real-time telemetry or chat. Secures bi-directional streaming data at Layer 4 without sacrificing throughput.

View the YAML
white 'X' icon
schema_version: '2.0'
blueprint:
  generated_by: lane7-compose v2.2
  network:
    id: ws-simple-relay
    name: Simple WebSocket 2-Pod Relay
    deployment_scope: single-cluster
    protocol: websocket
  pods:
  - id: gateway
    template: ws-initiator
    functional_label: ws-api-gateway
    namespace: ws-simple-relay-gateway-ns
    cluster: cluster-1
    egress_targets:
    - ws-simple-relay-processor-svc.ws-simple-relay-processor-ns.svc.cluster.local
    boundary: false
  - id: processor
    template: ws-terminator
    functional_label: ws-backend-processor
    namespace: ws-simple-relay-processor-ns
    cluster: cluster-1
    egress_targets: []
    boundary: false
  connections:
  - from: gateway
    to: processor
  wosp_count: 2
Try for FREE!
Armored Tunnel
Single Cluster
WebSocket
2 Pods

Fast International Ferry: WebSocket Streaming

Pre-configured for cross-cloud LoadBalancer discovery. Securely stream real-time, bi-directional data across regional boundaries via a persistent Layer 4 tunnel.

View the YAML
white 'X' icon
schema_version: '2.0'
blueprint:
  generated_by: lane7-compose v2.2
  network:
    id: ws-xcluster
    name: WebSocket Cross-Cluster Bi-Pod
    deployment_scope: multi-cluster-local
    protocol: websocket
  pods:
  - id: initiator
    template: ws-initiator
    functional_label: Initiator
    namespace: ws-xcluster-initiator-ns
    cluster: cluster-1
    egress_targets:
    - ws-xcluster-terminator-svc.ws-xcluster-terminator-ns.svc.cluster.local
    boundary: false
  - id: terminator
    template: ws-terminator
    functional_label: Terminator
    namespace: ws-xcluster-terminator-ns
    cluster: cluster-2
    egress_targets: []
    boundary: false
  connections:
  - from: initiator
    to: terminator
  wosp_count: 2
  ws_config:
    idle_timeout: 240.0
Try for FREE!
Armored Tunnel
Multi-cluster
WebSocket
2 Pods

International Ferry: Cross-cloud Relay

Seamless point-to-point routing across regional boundaries or cloud providers. Automatically handles LoadBalancer IP discovery to establish a secure, low-latency tunnel between external clusters.

View the YAML
white 'X' icon
schema_version: '2.0'
blueprint:
  generated_by: lane7-compose v2.2
  network:
    id: grpc-xcluster
    name: gRPC Cross-Cluster Bi-Pod
    deployment_scope: multi-cluster-local
    protocol: grpc
  pods:
  - id: gateway
    template: grpc-gateway
    functional_label: Gateway
    namespace: grpc-xcluster-gateway-ns
    cluster: cluster-1
    egress_targets:
    - grpc-xcluster-processor-svc.grpc-xcluster-processor-ns.svc.cluster.local
    boundary: true
  - id: processor
    template: grpc-sink
    functional_label: Processor
    namespace: grpc-xcluster-processor-ns
    cluster: cluster-2
    egress_targets: []
    boundary: false
  connections:
  - from: gateway
    to: processor
  wosp_count: 2
  grpc_config:
    message_count: 10
    message_interval_ms: 100.0
    initial_stream_window_size: 65536
    initial_connection_window_size: 1048576
Try for FREE!
Armored Tunnel
Multi-cluster
HTTP2/gRPC
2 Pods
A 3-pod network styled as a blueprint

Armored Trawler: Result Collector

A fan-in architecture that waits for parallel upstream processes and aggregates the data into a single payload. Fully protected by Layer 7 encryption.

View the YAML
white 'X' icon
schema_version: "2.0"
blueprint:
  generated_by: lane7-compose v2.1
  network:
    id: fan-in-2to1
    name: "Fan-In Network (2-->1)"
    deployment_scope: single-cluster
    protocol: http
  pods:
    - id: source-a
      template: http-gateway
      functional_label: primary-ingest
      namespace: fan-in-2to1-source-a-ns
      cluster: cluster-1
      egress_targets:
        - fan-in-2to1-aggregator-svc.fan-in-2to1-aggregator-ns.svc.cluster.local
      boundary: true
    - id: source-b
      template: http-initiator
      functional_label: secondary-ingest
      namespace: fan-in-2to1-source-b-ns
      cluster: cluster-1
      egress_targets:
        - fan-in-2to1-aggregator-svc.fan-in-2to1-aggregator-ns.svc.cluster.local
      boundary: false
    - id: aggregator
      template: http-fan-in
      functional_label: result-collector
      namespace: fan-in-2to1-aggregator-ns
      cluster: cluster-1
      egress_targets: []
      boundary: false
  connections:
    - from: source-a
      to: aggregator
    - from: source-b
      to: aggregator
  wosp_count: 3
Try for FREE!
Armored Car
Single Cluster
HTTP1/REST
3 Pods
3-pod serial relay app network blueprint

Armored Convoy: Serial Relay Pipeline

A sequential pipeline perfect for inserting transformation, enrichment, or audit-logging middleware between a gateway and a sink. Includes TLS Pinhole access.

View the YAML
white 'X' icon
schema_version: '2.0'
blueprint:
  generated_by: lane7-compose v2.1
  network:
    id: tri-pod-serial
    name: 3-Pod Serial Chain
    deployment_scope: single-cluster
    protocol: http
  pods:
  - id: gateway
    template: http-initiator
    functional_label: api-gateway
    namespace: tri-pod-serial-gateway-ns
    cluster: cluster-1
    egress_targets:
    - tri-pod-serial-middleware-svc.tri-pod-serial-middleware-ns.svc.cluster.local
    boundary: false
  - id: middleware
    template: http-relay
    functional_label: auth-middleware
    namespace: tri-pod-serial-middleware-ns
    cluster: cluster-1
    egress_targets:
    - tri-pod-serial-backend-svc.tri-pod-serial-backend-ns.svc.cluster.local
    boundary: false
  - id: backend
    template: http-terminator
    functional_label: backend-processor
    namespace: tri-pod-serial-backend-ns
    cluster: cluster-1
    egress_targets: []
    boundary: false
  connections:
  - from: gateway
    to: middleware
  - from: middleware
    to: backend
  wosp_count: 3
Try for FREE!
Armored Car
Single Cluster
HTTP1/REST
3 Pods
A 4-pod application fan-out network

Armored Trimaran: Secure Application Router

An intelligent fan-out architecture that distributes incoming requests to parallel downstream services. Ideal for secure load balancing or broadcast routing with impenetrable, per-request AMTD protection.

View the YAML
white 'X' icon
schema_version: '2.0'
blueprint:
  generated_by: lane7-compose v2.1
  network:
    id: fan-out-demo
    name: Fan-Out Network (1 to 2)
    deployment_scope: single-cluster
    protocol: http
  pods:
  - id: gateway
    template: http-initiator
    functional_label: api-gateway
    namespace: fan-out-demo-gateway-ns
    cluster: cluster-1
    egress_targets:
    - fan-out-demo-fanout-svc.fan-out-demo-fanout-ns.svc.cluster.local
    boundary: false
  - id: fanout
    template: http-fan-out
    functional_label: message-router
    namespace: fan-out-demo-fanout-ns
    cluster: cluster-1
    egress_targets:
    - fan-out-demo-service-a-svc.fan-out-demo-service-a-ns.svc.cluster.local
    - fan-out-demo-service-b-svc.fan-out-demo-service-b-ns.svc.cluster.local
    boundary: false
  - id: service-a
    template: http-terminator
    functional_label: service-alpha
    namespace: fan-out-demo-service-a-ns
    cluster: cluster-1
    egress_targets: []
    boundary: false
  - id: service-b
    template: http-terminator
    functional_label: service-beta
    namespace: fan-out-demo-service-b-ns
    cluster: cluster-1
    egress_targets: []
    boundary: false
  connections:
  - from: gateway
    to: fanout
  - from: fanout
    to: service-a
  - from: fanout
    to: service-b
  wosp_count: 4
Try for FREE!
Armored Car
Single Cluster
HTTP1/REST
4 Pods

Armored Carrier - Parallel Processing Cluster

A complete, turnkey pipeline for complex orchestration that automatically dispatches parallel tasks and aggregates the results, all within a sealed Zero Trust environment.

View the YAML
white 'X' icon
schema_version: '2.0'
blueprint:
  generated_by: lane7-compose v2.4
  network:
    id: hexapod-fan
    name: "Hexapod Fan-Out / Fan-In \u2014 Single Cluster"
    deployment_scope: single-cluster
    protocol: http
    wasm_filter: xtra7
  pods:
  - id: gateway
    template: http-gateway
    functional_label: api-gateway
    effective_protocol: http
    namespace: hexapod-fan-gateway-ns
    cluster: cluster-1
    egress_targets:
    - hexapod-fan-router-svc.hexapod-fan-router-ns.svc.cluster.local
    boundary: true
  - id: router
    template: http-fan-out
    functional_label: fan-out-router
    effective_protocol: http
    namespace: hexapod-fan-router-ns
    cluster: cluster-1
    egress_targets:
    - hexapod-fan-processor-a-svc.hexapod-fan-processor-a-ns.svc.cluster.local
    - hexapod-fan-processor-b-svc.hexapod-fan-processor-b-ns.svc.cluster.local
    boundary: false
  - id: processor-a
    template: http-relay
    functional_label: processor-branch-a
    effective_protocol: http
    namespace: hexapod-fan-processor-a-ns
    cluster: cluster-1
    egress_targets:
    - hexapod-fan-aggregator-svc.hexapod-fan-aggregator-ns.svc.cluster.local
    boundary: false
  - id: processor-b
    template: http-relay
    functional_label: processor-branch-b
    effective_protocol: http
    namespace: hexapod-fan-processor-b-ns
    cluster: cluster-1
    egress_targets:
    - hexapod-fan-aggregator-svc.hexapod-fan-aggregator-ns.svc.cluster.local
    boundary: false
  - id: aggregator
    template: http-fan-in
    functional_label: fan-in-aggregator
    effective_protocol: http
    namespace: hexapod-fan-aggregator-ns
    cluster: cluster-1
    egress_targets:
    - hexapod-fan-sink-svc.hexapod-fan-sink-ns.svc.cluster.local
    boundary: false
  - id: sink
    template: http-sink
    functional_label: result-sink
    effective_protocol: http
    namespace: hexapod-fan-sink-ns
    cluster: cluster-1
    egress_targets: []
    boundary: true
  connections:
  - from: gateway
    to: router
  - from: router
    to: processor-a
  - from: router
    to: processor-b
  - from: processor-a
    to: aggregator
  - from: processor-b
    to: aggregator
  - from: aggregator
    to: sink
  wosp_count: 6
Try for FREE!
Armored Car
Single Cluster
HTTP1/REST
6 Pods

Armored Carrier: Zero Trust AI Pipeline

A sealed, AMTD-protected microservices mesh for your AI agents. Pre-configured with a bounded ReAct orchestration loop, parallel LLM/tool execution legs, and NLP aggregation to structurally defeat prompt injection and unauthorized lateral movement.

View the YAML
white 'X' icon
schema_version: '2.0'
blueprint:
  generated_by: lane7-compose v2.4
  network:
    id: agentic-ai
    name: "Agentic AI Blueprint \u2014 6-Pod Zero Trust"
    deployment_scope: single-cluster
    protocol: http
    wasm_filter: xtra4
  pods:
  - id: ai-gateway
    template: http-gateway
    functional_label: ai-request-gateway
    effective_protocol: http
    namespace: agentic-ai-ai-gateway-ns
    cluster: cluster-1
    egress_targets:
    - agentic-ai-ai-orchestrator-svc.agentic-ai-ai-orchestrator-ns.svc.cluster.local
    boundary: true
  - id: ai-orchestrator
    template: ai-orchestrator
    functional_label: mcp-task-dispatcher
    effective_protocol: http
    namespace: agentic-ai-ai-orchestrator-ns
    cluster: cluster-1
    egress_targets:
    - agentic-ai-llm-gateway-svc.agentic-ai-llm-gateway-ns.svc.cluster.local
    - agentic-ai-tool-executor-svc.agentic-ai-tool-executor-ns.svc.cluster.local
    boundary: false
  - id: llm-gateway
    template: llm-gateway
    functional_label: llm-inference-adapter
    effective_protocol: websocket
    namespace: agentic-ai-llm-gateway-ns
    cluster: cluster-1
    egress_targets:
    - agentic-ai-nlp-processor-svc.agentic-ai-nlp-processor-ns.svc.cluster.local
    boundary: false
  - id: tool-executor
    template: tool-executor
    functional_label: agentic-tool-caller
    effective_protocol: websocket
    namespace: agentic-ai-tool-executor-ns
    cluster: cluster-1
    egress_targets:
    - agentic-ai-nlp-processor-svc.agentic-ai-nlp-processor-ns.svc.cluster.local
    boundary: false
  - id: nlp-processor
    template: nlp-processor
    functional_label: response-aggregator
    effective_protocol: http
    namespace: agentic-ai-nlp-processor-ns
    cluster: cluster-1
    egress_targets:
    - agentic-ai-ai-results-sink-svc.agentic-ai-ai-results-sink-ns.svc.cluster.local
    boundary: false
  - id: ai-results-sink
    template: http-sink
    functional_label: results-dispatcher
    effective_protocol: http
    namespace: agentic-ai-ai-results-sink-ns
    cluster: cluster-1
    egress_targets: []
    boundary: true
  connections:
  - from: ai-gateway
    to: ai-orchestrator
  - from: ai-orchestrator
    to: llm-gateway
  - from: ai-orchestrator
    to: tool-executor
  - from: llm-gateway
    to: nlp-processor
  - from: tool-executor
    to: nlp-processor
  - from: nlp-processor
    to: ai-results-sink
  wosp_count: 6
Try for FREE!
Armored Tunnel
Single Cluster
HTTP + WebSocket
6 Pods
Read the Docs

Valuable Security Features

Each blueprint includes the following security features for every application in its network
A blue shield whose interior depicts stacks of containers with the number 7 and a lane along the centerline.
Rigorous Access Control
Apps are authorized to connect by blueprint design, and this eliminates the risk of unauthorized access.  
Fully Protected Data in Transit
Data shared among workloads is protected with end-to-end encryption over the entire route without early termination.
Automated Moving Target Defense
App-to-app access credentials are hopped (rotated) at a high frequency to preempt attacks and disrupt threat reconnaissance.
True Zero Trust
Meet Zero Trust identity trust principles through frequent verification of ephemeral workload identities and micro-segmentation.
Complete API Threat Rejection
All unauthorized access is immediately rejected, which fully protects API endpoints from abuse of stolen keys and data leakage.
Future-proof to Emerging Threats
Hopr's innovations are invulnerable to quantum attacks and AI-driven attacks.

Need More Information?

Download our white paper to learn more about the value of Lane7 Blueprints and how Platform Engineers and DevOps can easily and quickly network apps with assured trust and without complexity.
Read the White Paper
Case StudiesHow It WorksUnique FeaturesPricingContact usSecurityWeb Retriever OSSAboutPrivacy policiesTerms of service
Hopr provides true Zero Trust access control for workloads and APIs, powered by a Cloud Native Automated Moving Target Defense.

We use ephemeral machine identities, credential hopping, and application-layer post quantum end-to-end encryption of data in transit.

And Hopr verifies identity trust at every API transaction and eliminates the risks from static credentials across clouds, clusters, and organizations.

And Hopr's novel Korvette-S Workload Security Proxy (WoSP) is simple and fast to deploy into a Zero Trust application network using a FREE Lane7 Blueprint.
Copyright 2021-2026 | Hopr Corporation
CHIPS™, MAID™, SEE™, and Cloud Native AMTD™
are protected by US Patents and patents pending.