The most isolated way to run a real server
Every Cube is an isolated microVM with its own kernel and a per-cube sandbox, no public IP of its own, and web traffic served through a hardened managed-TLS ingress. Here's exactly how that works — and why it's safer than a container or a typical VPS.
Its own kernel. A sandbox around every Cube.
A container shares one kernel across every tenant on the host — a single kernel bug can expose all of them. Krova Cloud is the opposite by design.
Its own kernel, per Cube
Every Cube boots its own kernel — never shared with another tenant or the host. One Cube's kernel bug can't reach yours.
Per-cube jailer sandbox
Each Cube's hypervisor runs inside a jailer sandbox — its own unprivileged user, chroot, and PID namespace. A hypervisor escape lands in that sandbox, not as root on the host.
KVM isolation, hardened host
KVM-enforced VM isolation (the same virtualization behind AWS Lambda), the most restrictive seccomp filters, and cross-VM memory-dedup side channels disabled.
No public IP. Nothing to attack.
Every other host hands your server a public IP — a fixed address the whole internet can scan and hammer. Krova Cloud doesn't.
No public IP, period
Your Cube has no public IP of its own. It lives on a private, NAT'd network — there's simply no address out there for botnets to find and probe.
Managed TLS, hidden origin
Web traffic on your custom domains enters through Krova Cloud's health-managed ingress tier: certificates are issued and renewed automatically, the origin stays hidden, and unhealthy nodes drop out of DNS on their own. Prefer Cloudflare in front? Orange-cloud your domain and it works instantly.
Only what you open
Nothing inbound is reachable unless you explicitly open a port, and every mapping can be locked to an IP allowlist behind a stateful default-deny firewall. Hosts add provider-grade network DDoS mitigation on top.
“Wait — don't I need a public IP?”
For almost anything you'd run on a server, no — and not having one is the upgrade. What makes your app reachable is your domain and the ports you choose to expose, not a fixed address bolted to the whole machine. Your websites and APIs go out worldwide over HTTPS through the Krova Cloud ingress; SSH, databases, and any other TCP service open through an IP-allowlistable port mapping, on demand. You get inbound access to exactly what you expose — without the public address the rest of the internet would spend all day scanning and attacking. Fewer doors, and all of them yours.
Provision with code. Run as many as you need.
Forget the AWS dance — VPC, subnet, security group, AMI, key pair, IAM role, launch template. A Krova Cloud Cube is one API call. Loop it to stand up as many as you want; each boots in milliseconds. No artificial cap — concurrency is unlimited on higher plans.
curl -X POST https://krova.cloud/api/v1/spaces/$SPACE/cubes \
-H "X-API-KEY: $KROVA_KEY" \
-H "Idempotency-Key: $(uuidgen)" \
-d '{
"name": "web-1",
"image": "ubuntu-24.04",
"resources": { "vcpu": 2, "ramGb": 4, "diskGb": 40 },
"sshPublicKey": "ssh-ed25519 AAAA...",
"region": "eu-central"
}'Run it where nothing's exposed.
Spin up an isolated Cube with no public IP and full root SSH in under a minute.