Establishing P2P Connection in a Restricted AWS Environment
We currently use Cloudflare Access for all internally hosted sites and will need to expose the Coder dashboard via Cloudflare Access. IIUC this is problematic as workstations will attempt to phone home via the CODER_ACCESS_URL, which is blocked by our Cloudflare auth requirements. I seem to have gotten around this by deploying an internal load balancer and setting my CODER_ACCESS_URL to that instead. My workstations can then phone home on our internal network and they seem to register okay. On my CLI I am then able to authenticate and run commands against the external Cloudflare endpoint by including a Cloudflare token using the --header flag. This all seems to work okay.

On the networking side we are running our coder server in a private subnet and are hoping to also deploy our workstations into a private subnet. Using the embedded DERP relay we don't seem to be able to open an SSH connection using the CLI, which I assume is due to NAT (could be totally wrong?). However, if I set CODER_DERP_SERVER_ENABLE to false and CODER_DERP_CONFIG_URL to https://controlplane.tailscale.com/derpmap/default I am able to establish an SSH session from my CLI but cannot convert that to a P2P connection. I'd prefer to avoid relaying via Tailscale's infrastructure if possible, so I was hoping to get some suggestions on how I should approach this.

To try and condense that wall of text into some questions:
- Is it possible to run the embedded derp relay from a private subnet or would I need to instead run a custom relay that is publicly routable?
- Is derp the wrong approach here and we should be trying to run a publicly routable STUN server so we can promote the connection to P2P and avoid derp entirely?
- Do you have any suggestions on how we could improve this architecture?
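As an added example that is not part of the original post: a small Python helper that builds a custom DERP map in the JSON shape the Tailscale derpmap URL above serves (the shape assumed for CODER_DERP_CONFIG_URL) and audits it for the two concerns raised in the post, namely whether any node would relay traffic through hosts outside our own domain and whether each region offers STUN so a session can be promoted to P2P. The relay/STUN hostnames, region id and domain suffix are constructed placeholders.

```python
"""Build and audit a custom DERP map for a self-hosted relay.

Assumes the Tailscale derpmap JSON layout: Regions -> {RegionID, RegionCode,
RegionName, Nodes[]} with HostName, DERPPort, STUNPort and STUNOnly per node.
In that layout STUNPort 0 means "default 3478" and -1 disables STUN.
"""


def build_derp_map(relay_host, stun_host, region_id=900, region_code="aws-priv"):
    # One region: a DERP relay we operate ourselves (publicly routable) plus a
    # STUN-only node so peers can discover their NAT mapping and negotiate P2P.
    rid = str(region_id)
    return {"Regions": {rid: {
        "RegionID": region_id,
        "RegionCode": region_code,
        "RegionName": "AWS self-hosted relay",  # constructed placeholder name
        "Nodes": [
            {"Name": f"{rid}a", "RegionID": region_id, "HostName": relay_host,
             "DERPPort": 443, "STUNPort": 3478},
            {"Name": f"{rid}s", "RegionID": region_id, "HostName": stun_host,
             "STUNPort": 3478, "STUNOnly": True},
        ],
    }}}


def audit_derp_map(derp_map, allowed_suffix):
    """Return findings: nodes outside allowed_suffix (traffic would relay via
    third-party infrastructure) and regions with no STUN endpoint (clients
    cannot learn their public mapping, so connections stay on the relay)."""
    findings = []
    for rid, region in derp_map.get("Regions", {}).items():
        has_stun = False
        for node in region.get("Nodes", []):
            host = node.get("HostName", "")
            if not host.endswith(allowed_suffix):
                findings.append(
                    f"region {rid}: node {node.get('Name')} ({host}) is outside {allowed_suffix}")
            # STUNPort -1 disables STUN; 0 or an explicit port means STUN is served.
            if node.get("STUNPort", 0) != -1:
                has_stun = True
        if not has_stun:
            findings.append(f"region {rid}: no STUN endpoint, peers cannot discover NAT mapping")
    return findings


if __name__ == "__main__":
    import json
    dm = build_derp_map("derp.corp.example", "stun.corp.example")  # constructed hosts
    print(json.dumps(dm, indent=2))
    print(audit_derp_map(dm, ".corp.example"))
```

The audit is meant to run against the map you actually point CODER_DERP_CONFIG_URL at, so a node that quietly falls back to someone else's relay or a region with STUN disabled shows up before workstations do.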
