undefined | Better HN

0 pointstptacek5y ago0 comments

Because then there would be some service exposed to the Internet (not over WireGuard; if you have WireGuard, you don't need a jump box) whose job it would be to hop 6PN networks. The only thing we have in our infra now that controls access to 6PN is eBPF code; we keep the system simple so we can reason about it.

0 comments

bluesign5y ago

Fair point, but isn’t this also losing “who connected to this server in my organization and when” information.

tptacekOP5y ago

We pipe logs from our instances to users (all logs, including your app's); you can see them in `flyctl`. (Certificate issuance is also logged in our API, and these certs are very short-lived).

j / k navigate · click thread line to collapse

0 pointstptacek5y ago0 comments

0 comments

bluesign5y ago

Fair point, but isn’t this also losing “who connected to this server in my organization and when” information.

tptacekOP5y ago

We pipe logs from our instances to users (all logs, including your app's); you can see them in `flyctl`. (Certificate issuance is also logged in our API, and these certs are very short-lived).

j / k navigate · click thread line to collapse