Message Broker (WAMP)
The WAMP message broker is the communication backbone of IronFlock. Every component — edge devices, central services, virtual devices, the AI system, and the web UI — connects to the broker and communicates through it.
Why WAMP
WAMP (Web Application Messaging Protocol) combines two communication patterns in a single protocol:
- Publish/Subscribe (pub/sub) — A device publishes sensor data to a topic; dashboards, the FleetDB Service, and alarm evaluators subscribe and receive it in real time
- Remote Procedure Calls (RPC) — The AI service calls a function on an edge device; the backend triggers an OTA update; an operator sends a command to a machine
This dual pattern means IronFlock doesn’t need separate systems for real-time data streaming and request-response operations. One protocol, one connection, both patterns.
How Components Connect
```text
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│     Edge     │     │   Virtual    │     │    Web UI    │
│    Device    │     │    Device    │     │  (Browser)   │
└──────┬───────┘     └──────┬───────┘     └──────┬───────┘
       │ WSS                │ WSS                │ WSS
       └────────────────────┼────────────────────┘
                            │
                    ┌───────┴───────┐
                    │  WAMP Broker  │
                    └───────┬───────┘
                            │
       ┌────────────────────┼────────────────────┐
       │ WSS                │ WSS                │ WSS
┌──────┴───────┐     ┌──────┴───────┐     ┌──────┴───────┐
│   Backend    │     │   FleetDB    │     │      AI      │
│   Service    │     │   Service    │     │   Service    │
└──────────────┘     └──────────────┘     └──────────────┘
```

All connections use WSS (WebSocket Secure) — encrypted, persistent, bidirectional connections over TLS.
Project Isolation via Realms
The broker enforces strict isolation between projects using WAMP realms:
- Each project-app combination gets its own realm — a completely isolated messaging namespace
- Messages published in one realm are invisible to all other realms
- Devices in Project A cannot see or interact with devices in Project B
- Even the same app installed in two different projects operates in separate realms
Authentication
Every connection to the broker requires authentication:
| Component | Auth Method |
|---|---|
| Edge devices | WAMP-CRA (Challenge-Response) with per-device secrets |
| Backend services | WAMP-CRA with system credentials |
| Web UI clients | OIDC-based session tokens |
| AI service | System credentials with scoped access |
Unauthorized clients cannot join a realm, subscribe to topics, or call procedures.
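The WAMP-CRA exchange used for edge devices, as an added example (not IronFlock's own code): the device answers the broker's CHALLENGE with an HMAC-SHA256 signature, so the per-device secret never crosses the wire, and with the salted variant the broker only has to store a PBKDF2-derived key. The challenge payload, device id, salt, secret and the `authprovider` name are constructed for illustration.

```python
"""WAMP-CRA (Challenge-Response Authentication), both sides of the exchange."""
import base64
import hashlib
import hmac
import json


def derive_key(secret: str, salt: str, iterations: int = 1000, keylen: int = 32) -> bytes:
    """Salted WAMP-CRA: stretch the secret with PBKDF2-HMAC-SHA256 and base64 it.
    The broker can store this derived key instead of the raw device secret."""
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations, keylen)
    return base64.b64encode(dk)


def sign_challenge(key: bytes, challenge: str) -> str:
    """Device side: signature = base64(HMAC-SHA256(key, challenge))."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_signature(key: bytes, challenge: str, signature: str) -> bool:
    """Broker side: recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign_challenge(key, challenge), signature)


# Constructed CHALLENGE payload in the shape a WAMP router sends.
# nonce and timestamp make each challenge single-use, so a captured
# signature is useless for a later connection attempt.
CHALLENGE = json.dumps({
    "authid": "device-0042",                 # constructed device id
    "authrole": "device",
    "authmethod": "wampcra",
    "authprovider": "ironflock",             # assumed provider name
    "session": 1234567890,
    "nonce": "LHRTC9zeOIrt_9U3",             # constructed
    "timestamp": "2024-05-01T12:00:00.000Z",
}, sort_keys=True)

SALT = "device-0042-salt"                    # constructed, per-device
DEVICE_SECRET = "s3cr3t-provisioned-at-enrolment"  # constructed, per-device


def authenticate(presented_secret: str) -> bool:
    """Run the exchange for a device presenting `presented_secret`."""
    stored_key = derive_key(DEVICE_SECRET, SALT)      # what the broker holds
    device_key = derive_key(presented_secret, SALT)   # what the device derives
    return verify_signature(stored_key, CHALLENGE, sign_challenge(device_key, CHALLENGE))


if __name__ == "__main__":
    print("genuine device:", authenticate(DEVICE_SECRET))  # True
    print("wrong secret:", authenticate("guess"))          # False
```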
Real-Time Data Flow
Here’s how a sensor reading flows from a device to a dashboard:
- Device app reads a sensor value and publishes it to a WAMP topic in the project realm
- WAMP broker routes the message to all subscribers in that realm
- FleetDB Service receives the message, writes it to TimescaleDB, and evaluates alarm rules
- Web UI receives the same message and updates the dashboard chart in real time
This entire flow happens with sub-second latency — the dashboard updates as fast as the data arrives.
RPC for Device Control
The broker also enables direct control of edge devices:
- Operator clicks “Restart App” in the web UI
- Backend calls an RPC on the device agent through the broker
- Device agent receives the call, restarts the container, and returns the result
- Web UI displays the confirmation
The same mechanism powers physical AI — when the AI assistant invokes a function on a device, it’s an RPC call through the broker.
Scalability
The WAMP broker operates as a cluster in production deployments:
- Multiple broker nodes handle concurrent connections
- Load is distributed across nodes
- Devices maintain persistent connections with automatic reconnection on failure
- The broker handles thousands of concurrent device connections with low-latency message delivery
On-Premises Deployment
In on-premises deployments, the WAMP broker runs on your infrastructure alongside the other central services. The protocol and isolation guarantees remain identical — the only difference is the network path (local instead of internet).
See On-Premises Deployment for details.