Your first $5 top-up doubles to $10 — one-time, for every new account. Get Started
Krova CloudKrova Cloud
Security

The most isolated way to run a real server

Every Cube is an isolated microVM with its own kernel and a per-cube sandbox, no public IP of its own, and web traffic served through a hardened managed-TLS ingress. Here's exactly how that works — and why it's safer than a container or a typical VPS.

Its own kernel. A sandbox around every Cube.

A container shares one kernel across every tenant on the host — a single kernel bug can expose all of them. Krova Cloud is the opposite by design.

Its own kernel, per Cube

Every Cube boots its own kernel — never shared with another tenant or the host. One Cube's kernel bug can't reach yours.

Per-cube jailer sandbox

Each Cube's hypervisor runs inside a jailer sandbox — its own unprivileged user, chroot, and PID namespace. A hypervisor escape lands in that sandbox, not as root on the host.

KVM isolation, hardened host

KVM-enforced VM isolation (the same virtualization behind AWS Lambda), the most restrictive seccomp filters, and cross-VM memory-dedup side channels disabled.

KROVA — A KERNEL PER CUBECONTAINERS — ONE SHARED KERNELYour app + dataGuest userspace · your rootOwn kernel · Linux 6.11 per CubeKVM + jailer sandboxHost serverapp 1app 2app 3one shared host kernelhost server1 kernel bug → every tenant exposedEscape lands in an unprivileged sandbox — never host root.
INTERNETvisitors+ DDoS attacksKROVA INGRESSTLS · hidden originauto HTTPS · health-managedKROVA HOSTDDoS-mitigateddefault-deny fwCUBEprivate IPNO PUBLIC IPTraffic enters only at the hardened edge — cubes are never directly exposed.

No public IP. Nothing to attack.

Every other host hands your server a public IP — a fixed address the whole internet can scan and hammer. Krova Cloud doesn't.

No public IP, period

Your Cube has no public IP of its own. It lives on a private, NAT'd network — there's simply no address out there for botnets to find and probe.

Managed TLS, hidden origin

Web traffic on your custom domains enters through Krova Cloud's health-managed ingress tier: certificates are issued and renewed automatically, the origin stays hidden, and unhealthy nodes drop out of DNS on their own. Prefer Cloudflare in front? Orange-cloud your domain and it works instantly.

Only what you open

Nothing inbound is reachable unless you explicitly open a port, and every mapping can be locked to an IP allowlist behind a stateful default-deny firewall. Hosts add provider-grade network DDoS mitigation on top.

“Wait — don't I need a public IP?”

For almost anything you'd run on a server, no — and not having one is the upgrade. What makes your app reachable is your domain and the ports you choose to expose, not a fixed address bolted to the whole machine. Your websites and APIs go out worldwide over HTTPS through the Krova Cloud ingress; SSH, databases, and any other TCP service open through an IP-allowlistable port mapping, on demand. You get inbound access to exactly what you expose — without the public address the rest of the internet would spend all day scanning and attacking. Fewer doors, and all of them yours.

Automation

Provision with code. Run as many as you need.

Forget the AWS dance — VPC, subnet, security group, AMI, key pair, IAM role, launch template. A Krova Cloud Cube is one API call. Loop it to stand up as many as you want; each boots in milliseconds. No artificial cap — concurrency is unlimited on higher plans.

create-cube.sh
curl -X POST https://krova.cloud/api/v1/spaces/$SPACE/cubes \
  -H "X-API-KEY: $KROVA_KEY" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{
    "name": "web-1",
    "image": "ubuntu-24.04",
    "resources": { "vcpu": 2, "ramGb": 4, "diskGb": 40 },
    "sshPublicKey": "ssh-ed25519 AAAA...",
    "region": "eu-central"
  }'
Full v1 REST APIIdempotency keyscloud-init user-dataOpenAPI spec

Read the API reference →

PROVISION PROGRAMMATICALLYPOST /v1/cubes201 created · cube_1201 created · cube_2201 created · cube_3× as many as you needone request → one Cube · loop it · no cap

Run it where nothing's exposed.

Spin up an isolated Cube with no public IP and full root SSH in under a minute.