    Bihag Kashikar

    6 months ago
    Hi Guys - I have a few questions on Prefect Cloud. The questions are after viewing the architecture picture on https://docs.prefect.io/orchestration/ under section architecture overview.
    Authentication question - can Prefect use Auth0 for authentication of users (real people, not service accounts/users)? Any reference diagrams will be helpful.
    Network and traffic filtering related questions on Prefect Cloud hosted on GCP:
    1) How does Prefect Cloud connect to GCP? Looking at the picture on https://docs.prefect.io/orchestration/ under the architecture section, the agent 1,2 on GCP and the connection to the Cloud API - is it over the internet? Any references in the Prefect Cloud documentation stating this?
    2) On the same connection question, is traffic filtering possible using GCP's private access point option https://cloud.google.com/vpc/docs/private-service-connect - if yes, please, any references to this in the Prefect Cloud documentation?
    This is just for my knowledge, and this is more of a documentation question than actual architecture involved here 😃 as similar hosted solutions like Snowflake and Elasticsearch, these two hosted solutions do have all the documentation of the above 🙂 Thank you in advance.
    Kevin Kho

    6 months ago
    The connection question is easier to answer: the agent just needs HTTPS out and it polls Prefect Cloud every 10 seconds. As long as it can do that, your agent can deploy flows. You don’t need any inbound rules. For Auth0, we do support SSO for enterprise customers, so I am positive we support this.
    For Orion (Prefect 2.0), you will be able to host it, but that is still in the near future.
    Bihag Kashikar

    6 months ago
    Okay, so if it's an API call - if it's deployed in the australia-southeast1 GCP region, then is there a specific CIDR range? For example, Elasticsearch has a similar concept and they do it like this -> https://www.elastic.co/guide/en/cloud/current/ec-traffic-filtering-through-the-api.html
    Kevin Kho

    6 months ago
    This is a filter on ingress but you won’t need any ingress open for the agent because it’s just an egress call
    The agent is purely outbound API calls and then we never send a request to it. When it finds a Flow to run, it executes it but within your environment, which is how we don’t see your data or code
    Bihag Kashikar

    6 months ago
    So the calls are asynch? On your note above, you mentioned it polls, and in order for it to get a response from polling, first it needs to gain access to the agent service confined in the GCP VPC (ingress) and then to receive the response (egress), hence it's a two-way comms request/response. I might have got this wrong.
    Kevin Kho

    6 months ago
    I think the calls are async, but I don’t think it matters so much? You are thinking the other way around, I think. You are thinking Prefect Cloud pushes down work to the agent. It’s the agent that pulls work from Prefect Cloud (which is why HTTPS outbound is enough).
    Bihag Kashikar

    6 months ago
    thanks
    I'm assuming the outbound calls are standard HTTPS port 443
    Kevin Kho

    6 months ago
    Yes exactly. It “pulls” every 10 seconds and then finds something to run and then takes care of running it
    Bihag Kashikar

    6 months ago
    thanks
    Maybe I should raise a documentation request 🙂 All good getting the required information through this way too. Thanks again
    Aha, I see it is already documented... all good
    ignore that
    Kevin Kho

    6 months ago
    Ah what page did you see? Cuz I was about to give one also
    It's on a Medium blog, not on the Prefect documentation page - give me what you too 🙂
    Kevin Kho

    6 months ago
    Ah ok I was gonna give this, which is kind of the same