System Overview
Neuwerk is split into a dataplane for enforcement and a control plane for policy, DNS, management, and replication.
Neuwerk is built around a strict boundary:
- the dataplane handles packets, forwarding state, NAT, and enforcement
- the control plane handles management, DNS proxying, cluster replication, and higher-layer services
That split is the main idea to keep in mind while reading the rest of the docs. If a feature needs DNS parsing, cluster state, or management APIs, it belongs in the control plane. If a feature decides whether packets are dropped, forwarded, translated, or steered, it belongs in the dataplane.
The Four Main Runtime Pieces
A running Neuwerk is made up of four major pieces:
- cluster services, when clustering is enabled
- the management HTTP runtime
- the service runtime for DNS proxying and TLS interception
- the dataplane runtime
Those parts cooperate, but they do not collapse into one request path. That is why Neuwerk can serve a management API, answer DNS queries aimed at Neuwerk itself, and enforce client traffic without treating all of it as the same kind of workload.
Why The Split Matters
This design keeps the packet engine simpler and more predictable.
Operator impact:
- DNS policy is enforced through the control-plane DNS proxy, not by teaching the dataplane to parse DNS itself
- clustering replicates control-plane state, not active dataplane flow state
- TLS interception is a service-plane feature that is enabled only when policy and CA material require it
Deployment Shapes
The same architectural boundary stays in place in every deployment shape:
- single-node deployments keep all authoritative state on local disk
- clustered deployments replicate control-plane state across nodes
- every node still enforces its own traffic locally
High availability therefore improves control-plane continuity. It does not turn the dataplane into a distributed shared engine.
Where To Go Next
- Read Traffic Flows to see which traffic classes are handled by which runtime.
- Read Dataplane to understand enforcement decisions.
- Read Control Plane to understand management, DNS, and clustering behavior.