Air-Gapped Deployment
Fully isolated infrastructure with no internet connectivity. Every component — models, data, inference, tooling — runs inside a closed network with no external access.
What Air-Gapped Means
An air-gapped deployment has no network connection to the outside world. No internet, no cloud APIs, no external DNS. Everything the system needs — models, data, updates — enters through controlled physical or one-way transfer mechanisms.
No outbound connections
The system cannot reach external APIs, model providers, package registries, or any internet endpoint. All inference happens locally on hardware you control.
No inbound connections
Nothing from the outside can reach the system. No webhooks, no remote management, no cloud sync. Access is physical or through a tightly controlled jump host on the isolated network.
Physical transfer only
Model weights, software updates, and data enter via verified physical media — encrypted USB drives, optical media, or hardware security modules with strict chain-of-custody procedures.
Security Surface
Air-gapping eliminates entire categories of network-based attacks but introduces unique operational security challenges. The attack surface shifts from network to physical and supply chain.
Supply Chain — Model Integrity
Model weights must be downloaded externally and transferred in. If the transfer media is compromised — poisoned weights, backdoored model files, tampered checksums — the entire system is built on a corrupted foundation with no way to phone home for verification.
Supply Chain — Software Updates
All software — OS patches, framework updates, dependency upgrades — must be transferred manually. A compromised update package that passes verification could introduce vulnerabilities with no network-based detection or rollback.
Insider Threat
With no network exfiltration path, the primary data loss vector becomes authorised personnel. Anyone with physical access to the air-gapped environment can potentially extract data via removable media, modified hardware, or covert channels.
Prompt Injection
Open-source models in air-gapped environments have no provider-side guardrails. Prompt injection attacks may be more effective, and there's no ability to leverage cloud-based safety APIs or real-time model updates to patch vulnerabilities.
Stale Models & Data
Without internet access, models can't be updated automatically. Knowledge cutoffs become hard limits. Security patches for inference servers, frameworks, and dependencies require manual transfer — creating windows of known vulnerability.
Covert Channel Exfiltration
Advanced adversaries may attempt data exfiltration through side channels — electromagnetic emissions, acoustic signals, power line modulation, or timing attacks on shared resources.
Architecture Considerations
Model Selection
Only open-source or licensed models that can be downloaded and transferred. No cloud-only models (Claude, GPT, Gemini) are available in a true air-gapped environment. Llama, Mistral, Qwen, and DeepSeek are the primary options.
Inference Infrastructure
Self-hosted inference servers (vLLM, Ollama, TGI) running on local GPU clusters. All compute is on-premise. You size hardware for peak load since there's no cloud burst capacity.
Internal Package Mirror
A local mirror of all required package registries — PyPI, npm, container registries, model repositories. Updated via secure transfer on a defined schedule. No pip install from the internet.
Data Ingestion
All external data enters through controlled transfer points with inspection, scanning, and validation. Internal data pipelines operate normally within the air-gapped network. RAG knowledge bases are populated via secure bulk transfers.
Monitoring & Logging
All observability stays internal. No cloud logging services, no external alerting. You run your own monitoring stack — Prometheus, Grafana, ELK, or equivalent — entirely on the isolated network.
Update Cadence
Establish a regular secure transfer schedule for model updates, security patches, and knowledge base refreshes. The gap between external availability and internal deployment is a managed risk.
Why Air-Gapped?
Maximum Data Protection
No data can leave the network — period. No accidental API calls, no telemetry, no DNS leaks. The strongest guarantee of data sovereignty available.
Regulatory Compliance
Required for classified government systems, certain healthcare environments, financial trading systems, and any context where data handling regulations mandate physical isolation.
Zero External Dependencies
The system operates independently of any external service. No provider outages, no API rate limits, no billing surprises, no policy changes affecting your operations.
Attack Surface Minimisation
Eliminating network connectivity removes the vast majority of attack vectors. No remote exploitation, no C2 callbacks, no data exfiltration over the network.
When Air-Gapping Isn't the Right Call
Air-gapped deployments carry significant operational overhead. They're the right choice for specific threat models — not a default recommendation.
You need frontier model capabilities
If your use case requires Claude, GPT-4, or Gemini-level reasoning, air-gapping isn't viable. Open-source models are excellent but don't match frontier models on complex tasks. Consider on-premise with a selective API approach instead.
Rapid iteration is critical
The secure transfer overhead slows development cycles significantly. If you're in an early prototyping phase, start with a cloud or on-premise deployment and migrate to air-gapped once the system is stable.
You don't have the operational capacity
Air-gapped environments require dedicated infrastructure teams, physical security controls, and rigorous transfer procedures. Without the personnel and processes to support it, the security benefits erode quickly.
Need an air-gapped AI deployment?
I help plan and build isolated AI infrastructure — from model selection and hardware sizing to secure transfer procedures and ongoing operations.