
Gateway

The Gitpod Gateway is a network overlay system that connects and manages Gitpod environments securely. It uses the Nebula mesh network to provide a secure, scalable, and flexible solution for routing traffic between Gitpod components and external services.

Key benefits of the Gitpod Gateway include:

  • Secure communication between environments and external services.
  • Simplified network management in complex cloud environments.
  • Enhanced control over ingress and egress traffic.
  • Seamless integration with existing AWS infrastructure.

This document serves as a guide for system administrators and DevOps engineers responsible for deploying, managing, and maintaining a Gitpod Flex Gateway.

Architecture Overview

High-Level System Architecture

The Gitpod Gateway architecture consists of several key components working together to create a secure and efficient network overlay:

  • Gateway Server (ECS container)
  • Lighthouse nodes
  • Proxy nodes
  • Nebula network overlay
  • AWS infrastructure (ECS, EC2, DynamoDB, Route53, etc.)

Figure: Gateway Architecture diagram

Key Components

Gateway Server (ECS container)

The Gateway Server is the central management component of the system. It runs as an ECS container and performs the following tasks:

  • Manages Nebula certificates and network configuration.
  • Handles API requests for host creation and management.
  • Coordinates Lighthouse and Proxy nodes.
  • Maintains the network state in DynamoDB.

Lighthouse Nodes

Lighthouse nodes act as connection brokers and NAT traversal helpers in the Nebula network. They:

  • Facilitate peer discovery between Nebula nodes.
  • Assist in NAT traversal for nodes behind firewalls.
  • Serve as stable entry points for the mesh network.

Proxy Nodes

Proxy nodes handle incoming traffic to the Gitpod environment. They:

  • Terminate TLS connections.
  • Route traffic to appropriate workspaces based on hostname.
  • Implement access control policies.

Component Interaction

  1. The Gateway Server initializes the network configuration and stores it in DynamoDB.
  2. Lighthouse and Proxy nodes register with the Gateway Server upon startup.
  3. When a new environment is created, it requests its network configuration from the Gateway Server.
  4. The Gateway Server issues Nebula certificates and provides network details to the environment.
  5. Environments connect to Lighthouse nodes to join the Nebula network.
  6. Proxy nodes route external traffic to reach the appropriate environment.
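As an added example, not taken from Gitpod's documentation or code, the two Nebula configuration files below show how the Lighthouse and environment roles described above map onto Nebula's own config format: the Lighthouse advertises itself and brokers peers, the environment host points at the Lighthouse for discovery and NAT hole punching, and the environment's Nebula firewall only admits workspace traffic from peers whose certificate carries the "proxy" group. Which groups a node belongs to is fixed in its certificate at signing time, which on this page is the Gateway Server's job. All IP addresses, file paths, ports and group names are constructed placeholders.

```yaml
# --- Lighthouse node (constructed example; not Gitpod's shipped config) ---
pki:
  ca: /etc/nebula/ca.crt          # CA the Gateway Server signs every host cert with (assumed path)
  cert: /etc/nebula/host.crt      # this node's own cert, signed with -groups lighthouse
  key: /etc/nebula/host.key
lighthouse:
  am_lighthouse: true             # brokers peer discovery and NAT traversal for the mesh
  hosts: []                       # a lighthouse never lists itself or other lighthouses here
listen:
  host: 0.0.0.0
  port: 4242                      # UDP; must be reachable from the internet (open it in the security group)
punchy:
  punch: true
  respond: true
tun:
  dev: nebula1
firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any                   # the lighthouse carries no workspace traffic, so only admit ping
      proto: icmp
      host: any
---
# --- Environment host (constructed example) ---
# Its cert was issued by the Gateway Server (step 4 above), e.g.:
#   nebula-cert sign -name env-1 -ip 192.168.100.10/24 -groups environment
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key
static_host_map:
  # Nebula IP of the lighthouse -> its public endpoint (placeholder address)
  "192.168.100.1": ["203.0.113.10:4242"]
lighthouse:
  am_lighthouse: false
  interval: 60                    # seconds between updates sent to the lighthouse
  hosts:
    - "192.168.100.1"             # join the mesh via the lighthouse (step 5 above)
listen:
  host: 0.0.0.0
  port: 0                         # random port is fine behind NAT; the lighthouse learns the mapping
punchy:
  punch: true                     # keep NAT mappings alive so the lighthouse can broker peers
  respond: true
tun:
  dev: nebula1
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Weak rule: would let every mesh member reach the workspace directly.
    # - port: any
    #   proto: any
    #   host: any
    - port: any
      proto: icmp
      host: any
    - port: 443                   # workspace listener, reachable only from certs carrying group "proxy"
      proto: tcp
      group: proxy
```

Nebula reads one file per node; the two documents are shown in a single fence for side-by-side comparison. The inbound rule keyed on group is what makes the Proxy nodes the only path into a workspace: a compromised or misconfigured environment on the same mesh cannot reach another environment's port 443 because its certificate does not carry the "proxy" group, and the certificate, not the peer's claimed IP, is what Nebula checks.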
