Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Holly Hall
on 15 January 2024

Managing software in complex network environments: the Snap Store Proxy


As enterprises grapple with the evolving landscape of security threats, the need to safeguard internal networks from the broader internet is increasingly important. In environments with restricted internet access, it can be difficult to manage software updates in an easy, reliable way. When managing devices in the field, change management and compliance policies can introduce even more complexity to the update process. You can solve these challenges using snaps and the Snap Store Proxy.

What are snaps?

Snaps are containerised software packages that work across a wide range of Linux distributions. They are secure, highly portable and isolated from the underlying system, ideal for a broad range of use cases across desktops, servers, cloud and IoT. 

Automatic updates are a central feature of snaps, ensuring that users always benefit from the latest version of software and improving security through rapid patching of vulnerabilities. Using the Snap Store, snaps can be published via a low-friction process and automatically updated on users’ systems.These updates ordinarily require an unrestricted network connection.

Updating snaps in restricted networks

Restricted networks either do not have access to the wider internet or the access that they have is limited to certain connections. Isolating networks is important in an enterprise environment for both security and convenience reasons.

However, when considering software updates, it can often be complex to manage the flow of data across different networks. It is important to have confidence in the technology that is used to deliver updates, to ensure that all security vulnerabilities are patched frequently in any network environment.

To solve this issue, we have created the Snap Store Proxy – an on-premise edge proxy to the global Snap Store. The Proxy is a software that users can run in their DMZ (a designated part of the network that is allowed external internet access) to proxy requests from their devices behind the firewall, to the Store. 

The Snap Store Proxy – how it works

The Snap Store Proxy makes it possible to run snaps from within sub-networks and from behind corporate firewalls. Additionally, the Snap Store Proxy creates a local cache of downloaded files, which could potentially be quite large, speeding up any further downloads and minimising bandwidth usage. 

Simple diagram showing how the Snap Store Proxy intercepts and re-writes the response from the upstream store, potentially pointing to a different version.

Integrity of the downloaded snap files is guaranteed through hashing signatures that are built into the design of snaps and implemented in snapd and the Snap Store. The Snap Store Proxy does not alter these signatures, ensuring that the chain of trust is always complete. You can read more about snaps and their design in the documentation.

In some situations, devices must run in a completely air gapped environment. This means that there is no connection to the internet. In these cases, it is still crucial for software to receive software and feature updates to keep devices patched and secure. However due to the lack of internet connection, it may be more difficult to deliver upgrades. The Snap Store Proxy can be operated in offline mode, meaning that snap updates can be sideloaded and manually transferred to the device. This allows software on air gapped devices to remain secure, up-to-date and feature-rich.

Align with enterprise policies through release management

Updating software can be problematic in environments that have external influences in change control and management. This is relevant in regulated industries such as manufacturing or pharmaceuticals. Complete control over updates and management of software is required in these environments, along with an auditable, provable record of any changes. With its override capability, the Snap Store Proxy allows configured devices to remain on a specified revision, no matter what revision has been released upstream.

The Snap Store Proxy grants enterprises greater control over software updates, offering a solution that balances security, compliance, and operational efficiency in diverse network environments.

Read the full whitepaper

Find out more

Contact us about your project 

Related posts


Rhys Knipe
12 June 2024

Space pioneers: Lonestar gears up to create a data centre on the Moon

Canonical announcements Article

Why establish a data centre on the Moon? Find out in our blog. ...


Rhys Knipe
5 November 2024

What is IoT device management?

Internet of Things Article

IoT device management refers to processes or practices used to deploy, monitor and maintain IoT devices. As organizations scale up their IoT efforts, a solid device management approach is essential to running a secure, streamlined fleet of devices.  The proliferation of connected devices worldwide (projected to reach 18.8 billion in 2024) ...


gbeuzeboc
25 September 2024

TurtleBot3 OpenCR firmware update from a snap

IoT Article

The TurtleBot3 robot is a standard platform robot in the ROS community, and it’s a reference that Canonical knows well, since we’ve used it in our tutorials. As a matter of fact, we use it to demonstrate some of our work, such as distributing a ROS stack through snaps. This robot embeds two boards, a ...