diff --git a/docs/cloud/private_connectivity_sourcegraph_connect.mdx b/docs/cloud/private_connectivity_sourcegraph_connect.mdx index ec09ca9bb..b0d233e75 100644 --- a/docs/cloud/private_connectivity_sourcegraph_connect.mdx +++ b/docs/cloud/private_connectivity_sourcegraph_connect.mdx 
@@ -1,22 +1,18 @@ -# Private Resources on on-prem data center via Sourcegraph Connect agent +# Private Resources in On-Prem Data Centers via Sourcegraph Connect Agent -This feature is in the Experimental stage. Please contact Sourcegraph directly via [preferred contact method](https://about.sourcegraph.com/contact) for more information. +This feature is in the Experimental stage. [Contact us](https://about.sourcegraph.com/contact) for more information. -As part of the [Enterprise tier](https://sourcegraph.com/pricing), Sourcegraph Cloud supports connecting private resources on any on-prem private network by running Sourcegraph Connect tunnel agent in customer infrastructure. +As part of the [Enterprise tier](https://sourcegraph.com/pricing), Sourcegraph Cloud supports connecting to resources in the customer's private network by deploying the Sourcegraph Connect tunnel agent in the customer's network. ## How it works -Sourcegraph will set up a tunnel server in a customer dedicated GCP project. Customer will start the tunnel agent provided by Sourcegraph with the provided credential. After start, the agent will authenticate and establish a secure connection with Sourcegraph tunnel server. +Sourcegraph Connect consists of three components: -Sourcegraph Connect consists of three major components: +Tunnel server: a centralized broker between clients and agents, managed by Sourcegraph. It authenticates agents and clients, enforces ACLs, sets up mTLS, and proxies encrypted traffic between clients and agents. Sourcegraph deploys each customer's tunnel server into its own dedicated GCP project. -Tunnel agent: deployed inside the customer network, which uses its own identity and encrypts traffic between the customer code host and client. Agent can only communicate with permitted customer code hosts inside the customer network. Only agents are allowed to establish secure connections with tunnel server, the server can only accept connections if agent identity is approved. 
+Tunnel agent: deployed inside the customer's network, has its own identity, proxies and encrypts traffic between the code host and tunnel client. The agent can only communicate with permitted private resources inside the customer's network. The customer starts the tunnel agent with the credentials provided by Sourcegraph, then the agent authenticates and establishes a secure connection with the tunnel server. Only agents are allowed to establish secure connections with the tunnel server, and the server only accepts a connection if the agent's identity is approved. -Tunnel server: a centralized broker between client and agent managed by Sourcegraph. Its purpose is to set up mTLS, proxy encrypted traffic between clients and agents and enforce ACL. - -Tunnel client: forward proxy clients managed by sourcegraph. Every client has its own identity and it cannot establish a direct connection with the customer agent, and has to go through tunnel server. - -[link](https://link.excalidraw.com/readonly/453uvY8infI8wskSecGJ) +Tunnel client: forward proxy clients managed by Sourcegraph, added to the customer's Sourcegraph Cloud instance. Every client has its own identity and it cannot establish a direct connection with the customer agent, and has to go through tunnel server.
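Review bot: The rewritten component descriptions leave two security-relevant statements ambiguous and should be tightened before merge. First, "sets up mTLS, and proxies encrypted traffic between clients and agents" in the tunnel server paragraph does not say whether the server terminates the mTLS session (and can therefore see code host traffic in plaintext) or only relays an end-to-end mTLS session between client and agent; stating which one explicitly is the detail an enterprise security reviewer will ask for. Second, "Only agents are allowed to establish secure connections with the tunnel server" in the agent paragraph reads as contradicting the client paragraph, where clients "ha[ve] to go through tunnel server"; if the intent is that nothing on the Sourcegraph side ever opens an inbound connection into the customer network and the agent always dials out, say that directly, e.g. "The agent initiates the connection to the tunnel server; the server never connects into the customer network." Minor: in the client paragraph, "has to go through tunnel server" should be "has to go through the tunnel server", and the removed excalidraw diagram link had no replacement, so consider keeping a diagram reference or noting in the commit why it was dropped.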