A corporate network connected cluster deployment integrates SystemLink with your the private network infrastructure of your organization, ensuring secure access and secure integration with on-premises systems.

A corporate network connected cluster deployment integrates SystemLink Enterprise with the existing network infrastructure of your organization through private connectivity. This architecture is suitable for organizations that need to:

  • Provide access to internal users
  • Integrate with on-premises systems
  • Maintain SystemLink within corporate security boundaries

What is a Corporate Network Connected Deployment?

In a corporate network connected deployment, users access SystemLink through the private network of your organization rather than the public internet. The connection between your corporate network and the cloud-hosted Kubernetes cluster uses private connectivity solutions such as VPN, AWS Direct Connect, or Azure ExpressRoute. All SystemLink infrastructure including cluster nodes, databases, and services remain in private subnets without direct internet exposure.

Architecture Overview

A typical corporate network connected SystemLink deployment uses the following network architecture:

  • Private subnets: Host Kubernetes cluster nodes, databases, load balancers, and all SystemLink services with no direct internet access
  • Private connectivity: VPN, AWS Direct Connect, or Azure ExpressRoute provides encrypted connection between corporate network and cloud VPC/VNet
  • NAT Gateway: Provides outbound internet connectivity for cluster nodes to download updates and pull container images, or use VPC/VNet endpoints for private connectivity to cloud services
  • Internal load balancer: Routes traffic from corporate network to SystemLink services using private IP addresses
Note The following is a reference architecture. Your organization might implement corporate network connectivity using different components or different configurations based on your specific requirements and specific cloud platform.

Stages of a typical traffic flow:

  1. User on corporate network connects to internal DNS name. For example systemlink.example.com.
  2. Corporate DNS resolves to the private IP address of the internal load balancer in the cloud VPC/VNet
  3. Traffic flows over VPN or dedicated connection to the cloud
  4. Internal load balancer forwards traffic to the Kubernetes ingress controller in a private subnet
  5. Ingress controller routes requests to the appropriate SystemLink service pods
  6. Services respond back through the same path

For detailed subnet architecture and configuration, refer to AWS VPC or Azure VNet.

Hybrid Architectures

Organizations can implement hybrid architectures that combine public and private access patterns to meet specific security and specific accessibility requirements.

For example, using Public web UI with private Salt Master. Here you expose web UI and API endpoints publicly for internet access while keeping the Salt Master load balancer on a private endpoint, restricting Salt minion connections to systems within the corporate network

When implementing hybrid architectures, apply security measures appropriate to each access pattern.

Security Requirements

NI recommends the following security measures for corporate network connected deployments, which differ from internet-facing deployments.

NI recommends using TLS for traffic between corporate users and SystemLink:

  • Certificate acquisition: Use certificates from your corporate certificate authority, managed certificates from your cloud provider (AWS Certificate Manager, Azure Key Vault Certificates), or obtain certificates from a trusted public certificate authority
  • TLS termination: NI recommends configuring TLS termination at the load balancer for simplified certificate management

NI recommends configuring the following security controls for private connectivity:

  • Security groups: Configure security groups (AWS) or network security groups (Azure) to allow traffic only from corporate network IP ranges
  • Route tables: Configure route tables to direct corporate network traffic through VPN or dedicated connection
  • Private endpoints: Use AWS PrivateLink or Azure Private Link to access cloud services (S3, ECR, Key Vault) without traversing the internet

Private Connectivity Options

Multiple private connectivity options are available to connect your corporate network to the cloud-hosted SystemLink cluster. Choose based on your organizational network architecture.

Some of the common connectivity options include:

  • VPN connections: AWS Site-to-Site VPN or Azure VPN Gateway for encrypted connectivity over the internet
  • Dedicated connections: AWS Direct Connect or Azure ExpressRoute for dedicated private network connections with higher bandwidth and lower latency
  • Centralized connectivity hubs: AWS Transit Gateway or Azure Virtual WAN for managing complex multi-VPC/VNet environments
  • VPC/VNet peering: Direct connections between cloud virtual networks for cloud-to-cloud connectivity
  • Third-party solutions: Multi-cloud networking platforms like Aviatrix for unified management across cloud providers

DNS Configuration

Create DNS records for SystemLink endpoints in your corporate DNS or cloud-hosted private DNS zone such as Route 53 Private Hosted Zones on AWS, Azure Private DNS on Azure. Refer to Layer 7 (Application) Ingress for web UI and API configuration, and Layer 4 (TCP) Ingress for Salt Master configuration. For OIDC redirect URI configuration, refer to Identity and Access Management.