Establishing P2P Connection in a Restricted AWS Environment
Hey all, I'm trying to deploy coder into a fairly restricted AWS environment and would appreciate some guidance.
We currently use Cloudflare Access for all internally hosted sites and will need to expose the Coder dashboard via Cloudflare Access. IIUC this is problematic as workstations will attempt to phone home via the
On the networking side we are running our coder server in a private subnet and are hoping to also deploy our workstations into a private subnet. Using the embedded derp relay we don't seem to be able to open an ssh connection using the CLI which I assume is due to NAT (could be totally wrong?). However, if I set
To try and condense that wall of text into some questions.
- Is it possible to run the embedded derp relay from a private subnet or would I need to instead run a custom relay that is publicly routable?
- Is derp the wrong approach here and we should be trying to run a publicly routable STUN server so we can promote the connection to P2P and avoid derp entirely?
- Do you have any suggestions on how we could improve this architecture?
We currently use Cloudflare Access for all internally hosted sites and will need to expose the Coder dashboard via Cloudflare Access. IIUC this is problematic as workstations will attempt to phone home via the
CODER_ACCESS_URLCODER_ACCESS_URL--headerOn the networking side we are running our coder server in a private subnet and are hoping to also deploy our workstations into a private subnet. Using the embedded derp relay we don't seem to be able to open an ssh connection using the CLI which I assume is due to NAT (could be totally wrong?). However, if I set
CODER_DERP_SERVER_ENABLECODER_DERP_CONFIG_URLhttps://controlplane.tailscale.com/derpmap/defaultTo try and condense that wall of text into some questions.
- Is it possible to run the embedded derp relay from a private subnet or would I need to instead run a custom relay that is publicly routable?
- Is derp the wrong approach here and we should be trying to run a publicly routable STUN server so we can promote the connection to P2P and avoid derp entirely?
- Do you have any suggestions on how we could improve this architecture?
