Code hosts on AWS without public access
As part of the Enterprise tier, Sourcegraph Cloud supports connecting customer private resources on AWS using AWS Private Link and managed site-to-site VPN solution between GCP (where Sourcegraph Cloud instances are hosted) and AWS, so that access to the private resource is secure and without the need to expose it to the public internet.
How it works
Sourcegraph Cloud is a managed service hosted on GCP. Sourcegraph creates a secure connection between customer AWS Virtual Private Cloud (AWS VPC) and a Sourcegraph-managed AWS account using AWS Private Link. Then, Sourcegraph maintains a secure connection between the Sourcegraph-managed AWS VPC and GCP Project via a managed highly available site-to-site VPN solution.
Steps
Initiate the process
Customers should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information and initiate the process, including but not limited to:
- The DNS name of the private code host, e.g. github.internal.company.netor private artifact registry, e.g.artifactory.internal.company.net.
- The region of the private resource on AWS, e.g. us-east-1.
- The type of TLS certificate used by the private resource: either self-signed by an internal private CA or issued by a public CA.
- The VPC endpoint service name in the format of com.amazonaws.vpce.<REGION>.<VPC_ENDPOINT_SERVICE_ID>. Learn more from create the VPC Endpoint Service.
Create the VPC Endpoint Service
When a customer has private resources inside the AWS VPC and needs to expose it for Sourcegraph managed AWS VPC, customers can follow AWS Documentation. An example can be found from our handbook.
Sourcegraph will provide the Sourcegraph-managed AWS account ARN that needs to be allowlisted in your VPC endpoint service, e.g., arn:aws:iam::$accountId:root. It must be allowlisted by customer before the connection can be established. Note: The AWS account is created exclusively for individual Cloud customers and not shared with others.
The customer needs to share the following details with Sourcegraph:
- VPC endpoint service name in the format of com.amazonaws.vpce.<REGION>.<VPC_ENDPOINT_SERVICE_ID>.
Upon receiving the details, Sourcegraph will create a connection to the customer's private resource. The customer may need to manually accept the connection request depending on their acceptance settings. Sourcegraph will follow up with the customer to confirm the connection is established.
Create the private resource connection
Once the connection to private code host is established, the customer can create the code host connection on their Sourcegraph Cloud instance.
Verify artifact registries are working
Once the connection to private artifact registry is established, customer might then verify that auto-indexing is working with the private artifact registry by configuring auto-indexing
FAQ
Why AWS Private Link?
Advantages of AWS Private Link include:
- connectivity to customer VPC is only available inside AWS network
- ability to select AWS Principal (AWS Account or more granular) that can connect to customer code host
- allows customer to control incoming connections
Why site-to-site VPN connection between GCP to AWS?
Advantages of the site-to-site GCP to AWS VPN include:
- encrypted connection between Sourcegraph Cloud and customer code host
- multiple tunnels to provide high availability between Cloud instance and customer code host
How can I restrict access to my private resource?
The customer has full control over the exposed service and they may terminate the connection at any point.
What are the next steps when artifact registry connectivity is working?
Only if the private artifact registry is protected by authentication, the customer will need to:
- create executor secrets containing credentials for Sourcegraph to access the private artifact registry - how to configure executor secrets
- update auto-indexing inference configuration to create additional files from executor secrets for given programming language - how to configure auto-indexing
Can I use self-signed TLS certificate for my private resources?
Yes. Please work with your account team to add the certificate chain of your internal CA to site configuration at experimentalFeatures.tls.external.certificates.
What is the disaster recovery plan?
For customers with a disaster recovery plan that can failover the private resource deployment to another region, we recommend the customer to provision VPC endpoint services in the failover region and share the details with Sourcegraph during the onboarding process. In the event of an incident, the customer can reach out to support and request Sourcegraph to failover the connection to the failover region.
For disaster recovery plan of Sourcegraph Cloud, please reach out to your account team for more information.