How can we provide secure dev environments in an air-gapped or classified network?

Most government and regulated organizations hit the same wall: you need modern dev tooling, but your networks are air-gapped, classified, or tightly segmented. Shipping laptops around, imaging golden VMs, and maintaining VDI farms doesn’t scale—and it leaves too much source code on endpoints you can’t fully control.

Quick Answer: Run a self-hosted remote development platform entirely inside your classified, air-gapped, or high-side network, centralize source code on compute you already control and accredit, and define every workspace as code with strict identity, network, and audit boundaries, so developers get governed workspaces on demand from standardized templates instead of copies of the codebase on laptops.

Frequently Asked Questions

How can we securely support developers inside air-gapped or classified networks?

Short Answer: Run a self-hosted remote development platform (like Coder) on your own infrastructure, and move development into centrally governed workspaces instead of local laptops or generic VDI.

Expanded Explanation:
In air-gapped and classified environments, the core problem is control: you need to keep source code and data inside accredited infrastructure while still giving developers fast, usable environments. The old model—locked-down laptops, thick VDI desktops, manual builds of “golden images”—creates drift, slow onboarding, and a large attack surface spread across endpoints.

A more controllable pattern is to centralize development inside your network. With Coder, you install the control plane on your own infrastructure (cloud, on-prem, or fully air-gapped) and describe dev workspaces as code using Terraform templates. Developers and approved AI coding agents connect over HTTPS or SSH to those workspaces, which live entirely inside your classified or restricted environment. Repositories, build artifacts, and secrets stay on that compute rather than on endpoint disks. One caveat a practitioner should keep in mind: an IDE attached over SSH still renders file contents and the clipboard on the endpoint, so endpoint controls and session logging remain part of the boundary, but the full toolchain and the bulk of the data stay in the enclave while developers keep working from the IDEs they already use.

Key Takeaways:

  • Centralize dev environments on your infrastructure; stop pushing full dev stacks to laptops or generic VDI.
  • Use self-hosted remote dev with Terraform-defined workspaces to combine speed with tight security boundaries.

What steps are involved in deploying secure dev environments on an air-gapped network?

Short Answer: You deploy a self-hosted control plane inside the network, wire it to your identity and Kubernetes/VM fleets, define Terraform-based workspace templates, and then let developers self-serve governed environments.

Expanded Explanation:
For air-gapped or classified networks, you're effectively building a dev platform like any other internal system, just with no external dependencies. Coder is designed for exactly this: you run the Coder control plane (coderd) in your own cluster or VMs, integrate with your existing OIDC-compatible identity provider (or, where no IdP is reachable from the enclave, Coder's built-in password accounts), and point it at the compute where dev workspaces should run (Kubernetes clusters, VM pools, or both).

From there, platform teams define "golden path" workspace templates in Terraform: OS images, CPU/RAM quotas, GPU access, base tooling, network policies, and storage mappings. Developers log in via your SSO, pick a template, and Coder provisions a workspace in seconds, fully inside your air-gapped or classified environment, with no outbound calls once the container images, the Terraform providers the templates reference, and any package mirrors have been copied into the enclave.
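The provider mirroring mentioned above is the step that most often breaks an air-gapped install, because `terraform init` will otherwise try to reach registry.terraform.io every time a workspace is built. The following Terraform CLI configuration is an added example, not Coder's own code: it assumes the providers were fetched on a connected host with `terraform providers mirror /opt/terraform/providers` (run in the template directory, so it reads the template's required_providers), the directory was carried across the gap into the coderd/provisioner container, and `TF_CLI_CONFIG_FILE` on that container points at this file (the Terraform binary itself ships in the Coder image). The path is an assumption.

```hcl
# Assumed location: /etc/terraform/terraformrc, referenced via
# TF_CLI_CONFIG_FILE=/etc/terraform/terraformrc on the provisioner.
provider_installation {
  # Serve every registry.terraform.io provider from the local mirror
  # (assumed path, populated by `terraform providers mirror`).
  filesystem_mirror {
    path    = "/opt/terraform/providers"
    include = ["registry.terraform.io/*/*"]
  }
  # Deliberately no `direct {}` block: once provider_installation lists
  # only the mirror, terraform init cannot fall back to the public
  # registry, so a missing provider fails loudly instead of phoning home.
}
```

A quick check before accrediting the build path: run `terraform init` on a template from inside the provisioner container with all egress blocked and confirm it succeeds; if it hangs or errors on a registry lookup, a provider version in required_providers is not in the mirror.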

Steps:

  1. Install Coder inside the air-gapped or classified network

    • Deploy the coderd control plane to Kubernetes or VMs you control.
    • Ensure all container images and dependencies are mirrored into the network.
  2. Integrate identity and access controls

    • Configure OIDC SSO against the enclave's identity provider, or Coder's built-in accounts where no IdP is reachable.
    • Define RBAC roles to govern who can create, modify, and access specific templates and workspaces.
  3. Create Terraform-based workspace templates

    • Define images, resource limits, network segments, storage, and allowed dev URLs as code.
    • Publish templates to Coder so developers can self-provision workspaces in seconds.
  4. Let developers self-serve governed environments

    • Developers sign in through SSO, pick an approved template, and attach to the resulting workspace from their existing IDE over HTTPS or SSH; nothing about the environment depends on what is installed on the endpoint.
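Step 3 above, and the later point that templates should carry no embedded secrets and rely on provider auth instead, are easiest to see in a concrete template. The block below is an added example written for this page, not Coder's own starter template, though it uses only real attributes of the coder and kubernetes Terraform providers. Assumptions are marked in comments: the namespace, the internal registry and Git hosts, the image tags, and the 10.20.0.0/16 enclave range (which must cover cluster DNS, the coderd service the agent dials back to, and the mirrors) are all invented for illustration.

```hcl
terraform {
  required_providers {
    coder      = { source = "coder/coder" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

# Provider auth, not embedded secrets: config_path = null makes the provider
# use the ServiceAccount token mounted into the provisioner pod.
provider "kubernetes" {
  config_path = null
}

data "coder_workspace" "me" {}
data "coder_workspace_owner" "me" {}

# Image allow-list: developers pick one of these mirrored images and nothing
# else. registry.internal.example is an assumed in-enclave registry.
data "coder_parameter" "image" {
  name    = "image"
  type    = "string"
  mutable = false
  default = "registry.internal.example/dev/base:1.4"
  option {
    name  = "Base (Go, Python, Node)"
    value = "registry.internal.example/dev/base:1.4"
  }
  option {
    name  = "ML (CUDA)"
    value = "registry.internal.example/dev/ml-cuda:1.4"
  }
}

resource "coder_agent" "main" {
  os   = "linux"
  arch = "amd64"
  # Point git at the internal mirror (assumed host) so nothing tries github.com.
  startup_script = <<-EOT
    set -eu
    git config --global url."https://git.internal.example/".insteadOf "https://github.com/"
  EOT
}

resource "kubernetes_pod" "main" {
  count = data.coder_workspace.me.start_count # 0 when stopped, so the pod is removed
  metadata {
    name      = "coder-${data.coder_workspace_owner.me.name}-${data.coder_workspace.me.name}"
    namespace = "coder-workspaces" # assumed namespace reserved for workspace pods
    labels    = { "com.coder.workspace.id" = data.coder_workspace.me.id }
  }
  spec {
    security_context {
      run_as_user     = 1000
      fs_group        = 1000
      run_as_non_root = true
    }
    container {
      name    = "dev"
      image   = data.coder_parameter.image.value
      command = ["sh", "-c", coder_agent.main.init_script]
      env {
        name  = "CODER_AGENT_TOKEN" # per-workspace token minted by coderd, not a stored secret
        value = coder_agent.main.token
      }
      security_context {
        allow_privilege_escalation = false
        capabilities { drop = ["ALL"] }
      }
      resources {
        requests = { cpu = "2", memory = "4Gi" }
        limits   = { cpu = "4", memory = "8Gi" }
      }
    }
  }
}

# Per-workspace egress fence: only this workspace's pod is selected, and it may
# reach only the assumed enclave range (DNS, coderd and the mirrors live there).
resource "kubernetes_network_policy" "egress" {
  count = data.coder_workspace.me.start_count
  metadata {
    name      = "coder-${data.coder_workspace.me.id}"
    namespace = "coder-workspaces"
  }
  spec {
    pod_selector {
      match_labels = { "com.coder.workspace.id" = data.coder_workspace.me.id }
    }
    policy_types = ["Egress"]
    egress {
      to {
        ip_block { cidr = "10.20.0.0/16" }
      }
    }
  }
}
```

Two design choices worth noting. The NetworkPolicy is keyed to the workspace id and created with the same `count` as the pod, so each workspace owns its own policy and stopping the workspace removes it; a single shared policy created from inside a template would collide on the second workspace because Terraform state is per workspace. And because every image, host and CIDR is a literal in the template rather than a free-text parameter, a developer cannot steer a workspace at an unmirrored registry or an unexpected network simply by editing a form field; changing those values means a reviewed template push.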

What’s the difference between Coder and traditional VDI or “dev on a desktop” in classified environments?

Short Answer: VDI streams a generic desktop to each user; Coder provisions reproducible dev workspaces as code on your infrastructure, keeping source, tools, and policies centralized while letting devs keep their own IDE workflows.

Expanded Explanation:
Traditional VDI was built to emulate a physical desktop, not to solve environment drift or developer onboarding. You get a remote Windows/Linux desktop image, then layer tools on top. Every change risks configuration drift, updates are slow, and GPU-heavy or ML workloads are expensive to run at VDI scale. You also don’t get fine-grained control over specific dev environments or AI agent usage; it’s just a desktop with more constraints.

Coder focuses only on development environments. Workspaces are defined and versioned as Terraform: base image, packages, language runtimes, GPU, network, and storage. Platform teams standardize a small set of templates, then developers and AI coding agents self-provision workspaces in seconds. Because Coder is self-hosted, code and data stay on your infrastructure—whether that’s a classified cloud, on-prem hardware, or an air-gapped enclave. Organizations like the U.S. Department of Defense use this pattern to replace or complement VDI and to strengthen national defense with secure, centralized cloud development.

Comparison Snapshot:

  • Option A: VDI / Desktop images
    • Generic remote desktop, slow to update, fragile for complex dev toolchains, expensive at GPU scale.
  • Option B: Coder self-hosted remote dev
    • Purpose-built dev workspaces defined as code, fast onboarding, standardized and auditable, with local IDE freedom.
  • Best for:
    • VDI: office productivity and broad desktop access.
    • Coder: development environments where you need strong control over compute, access, and context—especially in air-gapped or classified networks.

How do we actually implement secure, governed workspaces for developers and AI agents?

Short Answer: Define workspaces as Terraform templates, enforce access with OIDC SSO and RBAC, run Coder’s control plane inside your network, and enable AI coding agents through Coder’s AI Bridge with full auditing.

Expanded Explanation:
Implementation is about treating dev environments like any other critical infrastructure: code-defined, governed, and monitored. With Coder, you create Terraform templates that specify everything a workspace should be allowed to do—images, CPU/RAM/GPU, network reachability, storage mounts, and dev URL access levels. You then enforce who can use which templates with RBAC, and you keep all compute inside your own clouds or data centers.

For AI, Coder’s AI Bridge runs inside the coderd control plane. It proxies calls from developers and AI coding agents to your chosen LLM providers and records prompts, token usage, tool calls, and model reasoning as auditable records. In a classified context, you can point AI Bridge to models that exist only inside your enclave, set strict retention windows, and send structured logs to your SIEM. Developers and agents work side-by-side in the same secure environment, but you stay in control of what they can access and how they’re audited.

What You Need:

  • A self-hosted Coder control plane (coderd) on your infrastructure
    • Running on Kubernetes or VMs inside your air-gapped or classified network.
    • Connected to your internal Git, artifact, and secret management systems.
  • Governed templates, identity, and auditing
    • Terraform workspace templates with no embedded secrets (use provider auth instead).
    • OIDC SSO, RBAC roles, dev URL policies, and AI Bridge configured with retention and structured logging into your existing SIEM.

How does this improve security and productivity compared to our current approach?

Short Answer: You reduce your attack surface and eliminate “works on my machine” drift while onboarding developers and AI agents in minutes instead of weeks—all without pushing code or model context outside your infrastructure.

Expanded Explanation:
The big security win in an air-gapped or classified network is centralization. Instead of scattered toolchains and partial clones of critical repos on dozens or hundreds of laptops, everything runs on governed infrastructure you already control and accredit. Source code and sensitive data stay on that compute; developers and AI agents simply attach to workspaces via HTTPS/SSH from the IDEs they already use. For security teams, that means fewer endpoints holding full repositories and a cleaner story at accreditation time.

On the productivity side, automated provisioning means new hires and rotating teams get a working environment in minutes. Government and defense organizations report onboarding speed improvements of 4x and VDI cost reductions of up to 90% when they move to standardized remote dev patterns. Platform teams define a few golden templates; developers self-serve and can switch between projects without waiting on manual imaging or ticket queues. AI coding agents can be introduced alongside humans in the same governed workspaces, with clear audit trails for every request and tool invocation.

Why It Matters:

  • Security & governance impact:
    • Keeps code and data inside your air-gapped or classified network, off developer laptops and vendor SaaS.
    • Provides auditable, policy-driven environments that align with classification and accreditation requirements.
  • Productivity & cost impact:
    • Onboards developers in minutes, not days or weeks, even on government-furnished equipment.
    • Replaces or complements expensive VDI by running focused dev workspaces on right-sized compute, including GPU pools for ML.

Quick Recap

Providing secure dev environments in an air-gapped or classified network is about moving away from fragile desktops and VDI, and toward centrally governed, remote development workspaces you own end-to-end. With Coder self-hosted on your infrastructure, you define every workspace as Terraform, integrate with your identity stack, and keep code and data inside your controlled networks. Developers and AI coding agents get fast, consistent environments; platform and security teams gain strong boundaries, auditability, and lower operational drag.
