# Connectivity Models
Purpose: For platform engineers; explains the supported network connectivity patterns, including bastion-based access, VPN tunnels, and direct connectivity, and the firewall rules each one requires.
## Bastion-Based Access
Most common pattern for secure environments.
Firewall Requirements:
- Inbound: SSH (22) to bastion only
- Internal: All traffic between bastion and cluster
- Outbound: None (air-gap) or limited (connected)
## VPN Tunnel
For remote access to on-premises clusters.
Firewall Requirements:
- Inbound: VPN port (500/4500 IPSec, 51820 WireGuard)
- Internal: Full access once connected
- Outbound: As required
## Direct Connectivity
For cloud deployments with public endpoints.
Firewall Requirements:
- Inbound: HTTPS (443) to load balancer
- Authentication: OIDC via Keycloak
- Outbound: As required
## Choosing a Model
| Requirement | Bastion | VPN | Direct |
|---|---|---|---|
| Air-Gap Compatible | ✅ | ❌ | ❌ |
| Remote Access | Limited | ✅ | ✅ |
| Audit Trail | ✅ | ✅ | ✅ |
| Complexity | Low | Medium | Low |
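As an added example (not part of this page or the project's own tooling), the following Python checks a proposed firewall rule set against the inbound entry points listed for each model and the air-gap row of the table above. The `Rule` class, the role names (`bastion`, `vpn`, `lb`, `cluster`, `any`) and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound", "internal" or "outbound"
    dst: str              # destination role: "bastion", "vpn", "lb", "cluster", "any"
    port: int             # 0 means all ports
    proto: str = "tcp"


# The only inbound entry points each model permits, per the firewall requirements above.
INBOUND_ALLOWED = {
    "bastion": {("bastion", 22, "tcp")},
    "vpn": {("vpn", 500, "udp"), ("vpn", 4500, "udp"), ("vpn", 51820, "udp")},
    "direct": {("lb", 443, "tcp")},
}
AIR_GAP_COMPATIBLE = {"bastion"}   # from the "Choosing a Model" table


def check_rules(model: str, rules: list, air_gapped: bool = False) -> list:
    """Return human-readable violations; an empty list means the rules fit the model."""
    violations = []
    if air_gapped and model not in AIR_GAP_COMPATIBLE:
        violations.append(f"{model} model is not air-gap compatible")
    for r in rules:
        key = (r.dst, r.port, r.proto)
        if r.direction == "inbound" and key not in INBOUND_ALLOWED[model]:
            violations.append(
                f"inbound {r.proto}/{r.port} to {r.dst} is not an allowed entry point for the {model} model")
        elif r.direction == "outbound" and air_gapped:
            # Air-gapped bastion deployments allow no outbound traffic at all.
            violations.append(f"outbound {r.proto}/{r.port} to {r.dst} breaks the air-gap")
        elif r.direction not in ("inbound", "internal", "outbound"):
            violations.append(f"unknown direction {r.direction!r}")
    return violations


# Constructed sample rule set; the second rule is a deliberate mistake so a finding is produced.
PROPOSED = [
    Rule("inbound", "bastion", 22),
    Rule("inbound", "bastion", 443),
    Rule("internal", "cluster", 0),
    Rule("outbound", "any", 443),
]

if __name__ == "__main__":
    for model, gap in (("bastion", True), ("bastion", False), ("vpn", True)):
        print(model, "air-gapped" if gap else "connected", check_rules(PROPOSED and model, PROPOSED, gap))
```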