OpenClaw on GCP: A Secure Multi-Tenant AI Agent Platform with MicroVM Isolation

Introduction

As AI agents grow in capability, security, isolation, observability, and control need to be built into the underlying infrastructure for their operations. Multiple tenant workspaces running in a shared infrastructure are efficient from the perspective of cost efficiency, but pose significant challenges to the design. In this case, the problem lies in the ability to isolate tenants sufficiently while still enjoying the performance and high density that containers offer.

Traditional containers provide a way to run workloads that are relatively efficient but which are hosted on the same host kernel. If used internally in a system, it might work. In multi-tenancy scenarios, where the tenants are able to run tools, execute scripts or even have access to file systems and connect to the outside world, relying solely on containers becomes a vulnerability. It would make more sense to use a microVM that provides strong workload isolation while still offering efficiency. Firecracker is an implementation of microVMs based on VM technology with isolation guarantees and container performance characteristics.

The concept is easy to grasp: each tenant gets isolated resources (its own kernel, file system, disk volume, network boundaries). All tenancy processes including provisioning, scheduling, monitoring, backups, restores, authentication, and tenant management happen in the shared control plane, while the runtime remains isolated from the control plane itself.