Choosing Your Deployment: Qplane vs Qtap

When deploying Qpoint, you have two main options: Qplane (cloud-managed control plane) or Qtap (self-managed with YAML configuration). This guide helps you decide which deployment model fits your requirements.

Quick Decision Matrix

Factor

Qplane (Cloud-Managed)

Qtap (Self-Managed)

Setup Time

10 minutes

5-50 minutes (depends on complexity)

Management

Centralized dashboard

YAML configuration files

Infrastructure

Managed control plane

No control plane needed

Data Storage

Your choice (can use S3)

Configuration

Web UI

YAML files (version controlled)

Multi-Environment

Built-in support

Manual coordination

Air-Gapped Deployments

Not supported

Fully supported

Team Collaboration

Built-in RBAC

Via GitOps workflows

Best For

Teams wanting managed solution

Teams needing full control

Understanding the Components

Qtap: The eBPF Agent

Qtap is the core eBPF agent that runs on your Linux hosts (bare metal, VMs, or containers). It:

Captures network traffic at the kernel level using eBPF
Provides process-aware visibility (knows which process made each request)
Sees inside TLS/HTTPS before encryption happens
Can run standalone or connected to Qplane

Every deployment needs Qtap agents - it's the component that actually captures traffic.

Qplane: The Control Plane (Optional)

Qplane is an optional cloud-managed control plane that provides:

Centralized configuration management
Dashboard for visualization and exploration
Multi-environment orchestration
Team collaboration features

Qplane is optional - Qtap agents work perfectly without it, configured via YAML files.

Choose Qplane If You Want:

1. Centralized Management

Problem Qtap Alone: Managing YAML config files across dozens of hosts/environments Qplane Solution: Single web UI to configure all agents across all environments

2. Quick POC or Evaluation

Problem Qtap Alone: Requires understanding YAML structure and options Qplane Solution: 10-minute guided setup with dashboard for immediate insights

3. Multi-Environment Visibility

Problem Qtap Alone: Each environment logs separately; correlating is manual Qplane Solution: Unified view across dev, staging, prod with environment filtering

4. Team Collaboration

Problem Qtap Alone: Sharing YAML configs and log outputs via Slack/email Qplane Solution: Role-based access, shared dashboards, built-in collaboration

5. Dynamic Configuration

Problem Qtap Alone: Config changes require updating YAML + agent restart Qplane Solution: Push config changes to agents dynamically via web UI

Choose Qtap (Standalone) If You Want:

1. Air-Gapped or Isolated Environments

Benefit: No external connectivity required; agents run completely offline

Use Case: Government, finance, healthcare with strict network isolation requirements

Qtap operates entirely within your infrastructure without any outbound connections. Perfect for environments where internet access is restricted or prohibited for security/compliance reasons.

2. GitOps Workflows

Benefit: Configuration is version-controlled code, with CI/CD and rollback

Use Case: Platform teams managing infrastructure as code

YAML configurations integrate seamlessly with Git-based workflows. Track changes, review via pull requests, automate deployments with CI/CD pipelines, and roll back configurations with git revert. Configuration becomes auditable infrastructure-as-code.

3. Building Block for Custom Observability Solutions

Benefit: Use Qtap as a data plane in your own observability architecture

Use Case: Teams building custom monitoring, security, or compliance platforms

Qtap serves as a powerful data collection layer that feeds into your own systems. Route captured traffic to your data lake, SIEM, custom analytics platform, or internal dashboards. Full control over how traffic data is processed, stored, and analyzed.

Examples:

Feed Qtap output to your existing log aggregation pipeline (Fluent Bit, Logstash)
Build custom analytics on top of Qtap's structured JSON output
Integrate with internal security tools and compliance systems
Create domain-specific observability tailored to your business needs

Migration Between Deployment Models

Start with Qtap → Add Qplane Later

When: Self-managed becomes complex as you scale to many environments

Process:

Sign up for Qplane
Connect existing Qtap agents to Qplane (change agent connection settings)
Reconfigure stacks and plugins in Qplane UI
Gradually migrate management to Qplane UI

Note: You'll need to manually recreate your Qtap YAML configurations in the Qplane UI, as automatic import is not yet supported.

Start with Qplane → Move to Qtap

When: Production requirements change (e.g., need air-gapped deployment)

Process:

Export YAML configuration snapshot from Qplane dashboard
Deploy Qtap agents with the exported YAML config
Disconnect agents from Qplane

Note: Qplane provides YAML configuration snapshots that can be used directly with standalone Qtap agents. This makes migration straightforward - just export and deploy.

Common Misconceptions

"Qplane stores my traffic data"

False. Qplane only stores:

Agent configuration
Connection metadata (which process called which endpoint)
Dashboard state and queries

Sensitive HTTP/HTTPS payload data is stored where YOU configure (typically your S3 bucket), whether using Qplane or standalone Qtap.

"Qtap standalone can't scale"

False. Qtap scales horizontally to thousands of agents. The difference is how you manage them:

Qplane: Centralized web UI
Qtap: Configuration management tools (Ansible, Terraform, Kubernetes ConfigMaps)

"I have to choose one permanently"

False. You can switch between deployment models as your needs change:

Qplane → Qtap: Export YAML snapshots from Qplane and use directly with standalone agents
Qtap → Qplane: Connect agents to Qplane and manually recreate configurations in the UI

Migration from Qplane to Qtap is straightforward with configuration export. Migration from Qtap to Qplane requires manual reconfiguration (import not yet supported).

Real-World Examples

Startup Evaluating Qpoint

Situation: 10-person engineering team, want to try Qpoint Recommendation: Qplane - Get running in 10 minutes, explore with dashboard, decide later Path: POC Kick Off Guide

Enterprise with Compliance Requirements

Situation: Healthcare company, HIPAA compliance, data cannot leave infrastructure Recommendation: Qtap standalone with S3 storage in your VPC Path: Complete Guide: Hello World to Production

Platform Team Managing 100+ Microservices

Situation: Large org, many environments (dev/staging/prod), multiple teams Recommendation: Qplane for centralized visibility and team collaboration Path: POC Kick Off Guide

Security Team for Incident Response

Situation: Need to capture traffic during security incident, ephemeral setup Recommendation: Qtap standalone (minimal setup, no account needed) Path: Production Debugging

Next Steps

Ready to get started?

Qplane (Cloud-Managed): POC Kick Off Guide
Qtap (Self-Managed): Complete Guide: Hello World to Production
Just Exploring: Production Debugging (30-second setup, no commitment)

Still have questions?

Architecture Overview - Understand how the components fit together
How It Works - Technical deep dive into eBPF and TLS visibility
Use Cases - See how other teams use Qpoint

PreviousSelf-Managed (YAML)NextWhy another Agent?

Last updated 2 days ago