Gateway
The Gitpod Gateway is a network overlay system that connects and manages Gitpod environments securely. It uses the Nebula mesh network to provide a secure, scalable, and flexible solution for routing traffic between Gitpod components and external services.
Key benefits of the Gitpod Gateway include:
- Secure communication between environments and external services.
- Simplified network management in complex cloud environments.
- Enhanced control over ingress and egress traffic.
- Seamless integration with existing AWS infrastructure.
This document serves as a guide for system administrators and DevOps engineers responsible for deploying, managing, and maintaining a Gitpod Flex Gateway.
Architecture Overview
High-Level System Architecture
The Gitpod Gateway architecture consists of several key components working together to create a secure and efficient network overlay:
- Gateway Server (ECS container)
- Lighthouse nodes
- Proxy nodes
- Nebula network overlay
- AWS infrastructure (ECS, EC2, DynamoDB, Route53, etc.)
Key Components
Gateway Server (ECS container)
The Gateway Server is the central management component of the system. It runs as an ECS container and performs the following tasks:
- Manages Nebula certificates and network configuration.
- Handles API requests for host creation and management.
- Coordinates Lighthouse and Proxy nodes.
- Maintains the network state in DynamoDB.
Lighthouse Nodes
Lighthouse nodes act as connection brokers and NAT traversal helpers in the Nebula network. They:
- Facilitate peer discovery between Nebula nodes.
- Assist in NAT traversal for nodes behind firewalls.
- Serve as stable entry points for the mesh network.
Proxy Nodes
Proxy nodes handle incoming traffic to the Gitpod environment. They:
- Terminate TLS connections.
- Route traffic to appropriate workspaces based on hostname.
- Implement access control policies.
Component Interaction
- The Gateway Server initializes the network configuration and stores it in DynamoDB.
- Lighthouse and Proxy nodes register with the Gateway Server upon startup.
- When a new environment is created, it requests its network configuration from the Gateway Server.
- The Gateway Server issues Nebula certificates and provides network details to the environment.
- Environments connect to Lighthouse nodes to join the Nebula network.
- Proxy nodes route external traffic to reach the appropriate environment.
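The following is an added, constructed model of the component roles and the interaction sequence above (Gateway Server, Lighthouse and Proxy nodes, environment enrollment, hostname-based routing with access control). It is not Gitpod's code: an in-memory dataclass stands in for the DynamoDB network state, an HMAC tag stands in for the Nebula certificate the real Gateway Server issues, and every class, method and hostname below is an assumption made for illustration. What it shows that the prose does not is why the flow is safe by construction: the signing key never leaves the Gateway Server, credentials carry an expiry, and a Proxy refuses to route unless the workspace is known, the caller is allowed by policy, and the credential verifies.

```python
"""
Constructed model of the Gitpod Gateway enrollment and routing flow.
Illustrative only, not Gitpod's code: a dict stands in for DynamoDB and an
HMAC tag stands in for a Nebula certificate. All names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NetworkState:
    """Stand-in for the DynamoDB table that holds the mesh's network state."""
    lighthouses: dict = field(default_factory=dict)   # name -> overlay ip
    proxies: dict = field(default_factory=dict)       # name -> overlay ip
    environments: dict = field(default_factory=dict)  # hostname -> record
    next_host: int = 10


class GatewayServer:
    """Central component: issues credentials and maintains network state."""

    def __init__(self, ca_key: bytes, state: NetworkState):
        self._ca_key = ca_key        # signing key never leaves the Gateway Server
        self.state = state

    def register_node(self, role: str, name: str, overlay_ip: str) -> None:
        # Lighthouse and Proxy nodes register with the Gateway on startup.
        table = {"lighthouse": self.state.lighthouses, "proxy": self.state.proxies}[role]
        table[name] = overlay_ip

    def enroll_environment(self, hostname: str, ttl_s: int = 3600) -> dict:
        # A new environment asks for its network config; the Gateway assigns an
        # overlay address, issues a time-limited credential and tells the
        # environment which Lighthouse nodes to join through.
        overlay_ip = f"10.100.0.{self.state.next_host}"
        self.state.next_host += 1
        not_after = int(time.time()) + ttl_s
        record = {
            "hostname": hostname,
            "overlay_ip": overlay_ip,
            "not_after": not_after,
            "tag": self._sign(hostname, overlay_ip, not_after),
            "lighthouses": dict(self.state.lighthouses),
        }
        self.state.environments[hostname] = record
        return record

    def _sign(self, hostname: str, overlay_ip: str, not_after: int) -> str:
        msg = f"{hostname}|{overlay_ip}|{not_after}".encode()
        return hmac.new(self._ca_key, msg, hashlib.sha256).hexdigest()

    def verify(self, record: dict, now: Optional[int] = None) -> bool:
        # Proxies validate a credential (binding + expiry) before routing.
        now = int(time.time()) if now is None else now
        if now >= record["not_after"]:
            return False
        expected = self._sign(record["hostname"], record["overlay_ip"], record["not_after"])
        return hmac.compare_digest(expected, record["tag"])


class ProxyNode:
    """Routes external traffic by hostname and enforces an access policy."""

    def __init__(self, gateway: GatewayServer, allowed_users: dict):
        self._gateway = gateway
        self._allowed = allowed_users  # hostname -> set of user ids (constructed policy)

    def route(self, hostname: str, user: str, now: Optional[int] = None) -> Optional[str]:
        record = self._gateway.state.environments.get(hostname)
        if record is None:
            return None                           # unknown workspace: no route
        if user not in self._allowed.get(hostname, set()):
            return None                           # policy denies this caller
        if not self._gateway.verify(record, now):
            return None                           # expired or tampered credential
        return record["overlay_ip"]


def demo() -> dict:
    """Runs the full sequence with constructed names and returns the outcomes."""
    gw = GatewayServer(secrets.token_bytes(32), NetworkState())
    gw.register_node("lighthouse", "lh-1", "10.100.0.1")
    gw.register_node("proxy", "proxy-1", "10.100.0.2")
    env = gw.enroll_environment("ws-abc123.example.test", ttl_s=600)
    proxy = ProxyNode(gw, {"ws-abc123.example.test": {"alice"}})
    tampered = dict(env, overlay_ip="10.100.0.99")  # binding changed, tag unchanged
    return {
        "alice": proxy.route("ws-abc123.example.test", "alice"),
        "mallory": proxy.route("ws-abc123.example.test", "mallory"),
        "expired": proxy.route("ws-abc123.example.test", "alice", now=env["not_after"] + 1),
        "tampered_verifies": gw.verify(tampered),
        "lighthouses": env["lighthouses"],
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the Proxy never holds the signing key; it only asks the Gateway Server to verify, which mirrors the page's split between the central certificate authority and the edge nodes that route traffic.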