Please contact Sourcegraph directly via your preferred contact method for more information.
As part of the Enterprise tier, Sourcegraph Cloud supports connecting to customer code hosts on AWS using AWS Private Link together with a managed site-to-site VPN between GCP and AWS, so that access to a private code host is secure and the code host never has to be exposed to the public internet.
Sourcegraph Cloud is a managed service hosted on GCP. Sourcegraph creates a secure connection between the customer's AWS Virtual Private Cloud (AWS VPC) and a Sourcegraph-managed AWS account using AWS Private Link. Sourcegraph then maintains a secure connection between the Sourcegraph-managed AWS VPC and the Sourcegraph Cloud GCP project via a managed, highly available site-to-site VPN.
Architecture diagram: https://link.excalidraw.com/readonly/pjmgpdt6KPHiRvXRjHj9

Customers should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information, including but not limited to:
- The DNS name of the private code host, e.g., `github.internal.company.net`.
- The AWS region of the private code host, e.g., `us-east-1`.
- The type of TLS certificate the private code host presents: either self-signed / issued by an internal private CA, or issued by a public CA.
When the private code host lives inside a customer AWS VPC and needs to be exposed to the Sourcegraph-managed AWS VPC, the customer publishes it as a VPC endpoint service (AWS Private Link requires a Network Load Balancer in front of the code host) by following the AWS documentation. An example can be found in our handbook.
Sourcegraph will provide the ARN of the Sourcegraph-managed AWS account that must be allowlisted as a principal on your VPC endpoint service, e.g., `arn:aws:iam::$accountId:root`.
The customer then needs to share the following detail with Sourcegraph:
- The VPC endpoint service name, in the format `com.amazonaws.vpce.<REGION>.<VPC_ENDPOINT_SERVICE_ID>`.
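The following Terraform is an added example of the customer-side setup described above; it is not Sourcegraph's own code or the handbook example. It assumes the code host listens on TCP/443 at a private IP inside the VPC, and that the VPC ID, subnet IDs, code host IP and the Sourcegraph-provided account ID are supplied as variables (all names here are placeholders). It puts an internal Network Load Balancer in front of the code host, publishes it as a VPC endpoint service that only the Sourcegraph-managed account may request a connection to, requires manual acceptance of that request, and outputs the service name to hand back to Sourcegraph.

```hcl
# Added example (not Sourcegraph's code): expose an internal code host as an
# AWS Private Link endpoint service restricted to the Sourcegraph-managed account.
# Variable values are assumptions; replace them with your own.

variable "vpc_id"     { type = string }
variable "subnet_ids" { type = list(string) }

# Private IP of the code host, e.g. the address github.internal.company.net resolves to.
variable "code_host_ip" { type = string }

# Account ID from the ARN Sourcegraph provides (arn:aws:iam::<accountId>:root).
variable "sourcegraph_account_id" { type = string }

# Private Link requires a Network Load Balancer; internal = true keeps it off the internet.
resource "aws_lb" "code_host" {
  name               = "code-host-privatelink"
  load_balancer_type = "network"
  internal           = true
  subnets            = var.subnet_ids
}

# TCP passthrough on 443: the NLB does not terminate TLS, so Sourcegraph sees the
# code host's own certificate (private CA or public CA), matching what you reported.
resource "aws_lb_target_group" "code_host" {
  name        = "code-host-tls"
  port        = 443
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id

  health_check {
    protocol = "TCP"
  }
}

resource "aws_lb_target_group_attachment" "code_host" {
  target_group_arn = aws_lb_target_group.code_host.arn
  target_id        = var.code_host_ip
  port             = 443
}

resource "aws_lb_listener" "tls" {
  load_balancer_arn = aws_lb.code_host.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.code_host.arn
  }
}

# The endpoint service. acceptance_required = true means that even the allowlisted
# account's connection request sits in "pendingAcceptance" until you approve it,
# so nothing is reachable until you explicitly accept.
resource "aws_vpc_endpoint_service" "code_host" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.code_host.arn]

  # Only this principal may request a connection; everything else is rejected.
  allowed_principals = ["arn:aws:iam::${var.sourcegraph_account_id}:root"]

  tags = {
    Name = "code-host-for-sourcegraph"
  }
}

# Share this with Sourcegraph. It has the form
# com.amazonaws.vpce.<REGION>.<VPC_ENDPOINT_SERVICE_ID>.
output "vpc_endpoint_service_name" {
  value = aws_vpc_endpoint_service.code_host.service_name
}
```

Two checks worth doing before handing over the service name: traffic arriving through Private Link carries the NLB nodes' private IPs as its source, so the code host's security group must allow TCP/443 from the NLB subnets, not from the Sourcegraph account; and once Sourcegraph requests the connection, it appears as a pending connection on the endpoint service (visible with `aws ec2 describe-vpc-endpoint-connections`) and must be accepted before the link comes up.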
Upon receiving these details, Sourcegraph will create a VPC endpoint in the Sourcegraph-managed AWS account that connects to the customer's endpoint service, and will follow up with the customer to confirm the connection is established. If the endpoint service requires acceptance, the customer must accept the pending connection request from the Sourcegraph-managed account before the link becomes active.
Once the connection is established, the customer can create the code host connection on their Sourcegraph Cloud instance.
Advantages of AWS Private Link include:
- traffic to the customer VPC stays on the AWS network and never traverses the public internet
- the customer selects which AWS principal (an AWS account, or a more granular IAM principal) may connect to the code host
- the customer controls incoming connections and can accept or reject each connection request
Advantages of the site-to-site GCP to AWS VPN include:
- encrypted tunnels between the Sourcegraph Cloud GCP project and the Sourcegraph-managed AWS VPC, so traffic between Sourcegraph Cloud and the customer code host is protected in transit
- multiple tunnels to provide high availability between the Cloud instance and the customer code host
The customer retains full control over the exposed service and may terminate the connection at any time, for example by rejecting or deleting the endpoint connection or by removing the Sourcegraph-managed account from the endpoint service's allowed principals.