diff --git a/website/content/docs/configuration/worker/pki-worker.mdx b/website/content/docs/configuration/worker/pki-worker.mdx index 943a53a7a1..4d04c4c418 100644 --- a/website/content/docs/configuration/worker/pki-worker.mdx +++ b/website/content/docs/configuration/worker/pki-worker.mdx @@ -78,6 +78,29 @@ kms "aead" { workers. These fields are only valid for [KMS Workers][]. `name` and `description` can only be set for PKI workers through the API. +# Multi-Hop WorkersHCP Only + +You can use the `initial_upstreams` field to configure PKI workers to either connect directly to the control plane +or to other workers, when set to the worker's `public_addr`. + +A multi-hop configuration is when two or more workers are connected, and there are multiple “hops” from a worker to +the controller. There are no limits on the amount of workers allowed in a multi-hop configuration. + +The multi-hop configuration introduces the concepts of “upstream” and “downstream” workers. If you view controllers +as the “top” of a multi-hop chain, downstream workers reside below a worker in the chain, while upstream workers reside +above a worker in the chain. For example, in the diagram below, Worker 2’s upstream is Worker 1, and its +downstream is Worker 3. + +![multi-hop workers](/img/multi-hop-workers.png) + +You can deploy multi-hop workers in scenarios where inbound network traffic is not allowed. A worker in a private +network can send outbound communication to its upstream worker, and create a reverse proxy to establish a session. + +You can configure [target worker filters][] with multi-hop workers to allow for fine-grained control on which workers handle +ingress and egress for session traffic to a [target][]. Ingress worker filters determine which +workers you connect with to initiate a session, and egress worker filters determine which workers are +used to access targets. + # Complete Configuration Example ```hcl 
@@ -118,6 +141,8 @@ kms "aead" { ``` [kms workers]: /docs/configuration/worker/kms-worker +[target]: /docs/concepts/domain-model/targets +[target worker filters]: /docs/concepts/filtering/worker-tags ## Tutorial diff --git a/website/public/img/multi-hop-workers.png b/website/public/img/multi-hop-workers.png new file mode 100644 index 0000000000..a8a12f6994 Binary files /dev/null and b/website/public/img/multi-hop-workers.png differ
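Review bot: In the first paragraph of the new "Multi-Hop Workers" section, the clause "when set to the worker's `public_addr`" does not say which worker it means, and it reads as if it also applied to the control plane case. A reader could take it to mean the worker's own `public_addr`. Suggest rewording to something like "or to another worker, by setting `initial_upstreams` to that upstream worker's `public_addr`". The section would also benefit from a short HCL snippet of a downstream worker's `initial_upstreams`, since the complete configuration example that follows is not changed by this patch. Two smaller points in the same hunk: "amount of workers" should be "number of workers", and the heading text "Multi-Hop WorkersHCP Only" needs a separator or badge markup if "HCP Only" is meant as a label.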
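Review bot: The new `[target worker filters]` reference in the link definitions points at `/docs/concepts/filtering/worker-tags`, while the text that uses it describes ingress and egress worker filters. Please confirm that page covers both filter types, or link to the specific section, so readers land on the ingress/egress explanation and not on general tag syntax. The added `multi-hop-workers.png` is the only source for the "Worker 1 / Worker 2 / Worker 3" example in the prose, so a more descriptive alt text than "multi-hop workers" would help readers who cannot see the image.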