
Detailed text description: VPN host-to-site architecture

This page describes the VPN host-to-site architecture diagram.

Overview

The diagram illustrates how Codesphere workspace services connect to a private network through IPsec VPN in a host-to-site model.

Main components

  1. Codesphere workspace replicas:
  • Each workspace service replica acts as an independent VPN client.
  • Replicas run separately and establish their own tunnels.
  2. Public VPN gateway:
  • The remote gateway is reachable via a static public IP address.
  • It accepts incoming IPsec connections from workspace replicas.
  3. Private network:
  • Internal services such as databases or APIs are reachable behind the gateway.
  • Access is limited to the configured peer subnets.

Connectivity behavior

  1. One tunnel per replica:
  • Each replica creates its own encrypted tunnel to the gateway.
  • Multiple concurrent tunnels may exist at the same time, one per running replica.
  2. Traffic routing:
  • Only traffic destined for the configured private subnets is routed through the VPN.
  • General platform traffic and internet-bound traffic are not intended to be routed through the tunnel.
  3. Isolation model:
  • This is not a site-to-site network bridge: the private network is not extended into the platform, and the platform network is not extended into the private network.
  • It is host-to-site connectivity, in which each replica is a single VPN host, aligned with multi-tenant isolation boundaries.
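The following is an added illustration of the connectivity behavior above, not Codesphere's own configuration: it assumes a strongSwan-style swanctl.conf on the replica side, and the gateway address (203.0.113.10), the private subnets (10.20.0.0/16, 10.30.5.0/24), the identities and the certificate file name are all hypothetical. The point it makes is that the per-replica tunnel and the "only configured private subnets" rule are expressed entirely through the traffic selectors of the CHILD SA.

```conf
# swanctl.conf for ONE workspace replica (IKEv2 initiator).
# Every replica loads its own copy of this file, so each replica
# negotiates its own IKE SA and CHILD SA with the gateway.
connections {
    host-to-site {
        version = 2
        # Static public IP of the gateway (assumed, RFC 5737 documentation address).
        remote_addrs = 203.0.113.10
        local_addrs  = %any
        # Request a virtual IP so the replica has a stable address inside the
        # private network instead of its platform-assigned one.
        vips = 0.0.0.0
        proposals = aes256gcm16-prfsha384-ecp384
        dpd_delay = 30s

        local {
            auth = pubkey
            certs = replica.pem            # per-replica client certificate (assumed name)
            id = replica-0.workspace.example
        }
        remote {
            auth = pubkey
            id = vpn-gateway.example.com   # must match the gateway's certificate identity
        }

        children {
            private-subnets {
                # Traffic selectors decide what is routed through the tunnel.
                # local_ts = dynamic means "the virtual IP we were assigned".
                local_ts  = dynamic
                # Only the configured private subnets. A selector of 0.0.0.0/0
                # here would pull platform and internet traffic into the tunnel,
                # which is exactly what the host-to-site model avoids.
                remote_ts = 10.20.0.0/16, 10.30.5.0/24
                esp_proposals = aes256gcm16-ecp384
                start_action = start       # bring the CHILD SA up when the config is loaded
                dpd_action = restart       # re-establish if the gateway stops answering
            }
        }
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` shows one IKE SA per replica with the negotiated selectors, and `ip xfrm policy` shows the kernel policies derived from them; any destination outside those selectors follows the replica's normal route and never enters the tunnel. The gateway must still narrow its own selectors and firewall rules to what each replica is allowed to reach, since the client-side selector only limits what the replica sends, not what the private network accepts.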

Key takeaway

Codesphere workspaces connect securely to private infrastructure using per-replica VPN client tunnels, enabling controlled private subnet access without merging full network sites.