Hi Guys - I have a few questions on prefect cloud - the questions are after viewing the architecture picture on this https://docs.prefect.io/orchestration/ under section architecture overview authentication question - can prefect use auth0 for authentication of users ( real people not service accounts/users ) - any reference diagrams will be helpful network and traffic filtering related questions on prefect cloud hosted on GCP - 1) how does prefect cloud connect to gcp, looking at the picture on https://docs.prefect.io/orchestration/ under architecture section the agent 1,2 on gcp and connection to cloud api - is it over internet? any references on prefect cloud documentation stating this 2) on the same connection question, is traffic filtering possible using GCPs private access point option https://cloud.google.com/vpc/docs/private-service-connect, if yes, please any references of this prefect cloud documentation? This is just for my knowledge, and this is more of a documentation question than actual architecture involved here :-) as similar hosted solutions like snowflake and elasticsearch, these two hosted solutions do have all the documentation of above 🙂 thank you in advance.

The connection question is easier to answer, the agent just needs HTTPS out and it polls Prefect Cloud every 10 seconds. As long as it can do that, your agent can deploy flows. You don’t need any inbound rules. For auth0, we do support SSO for enterprise customers so I am positive we support this.

Okay so if its api call - if its deployed in australia-southeast1 gcp region then is there a specific CIDR range - for example, elasticsearch has similar concept tand they do it like this -> https://www.elastic.co/guide/en/cloud/current/ec-traffic-filtering-through-the-api.html

This is a filter on ingress but you won’t need any ingress open for the agent because it’s just an egress call

so the calls are asynch ? on your note above, you mentioned its polls and in order for it to get response from polling, first it needs to gain access to agent service in confined in gcp vpc (ingress) and then to receive response (egress) hence its it a two way comms request/response . i might have got this wrong.

I think the calls are async, but I don’t think it matters so much? You are thinking the other way around I think. You are thinking Prefect Cloud pushes down work to the agent. It’s the agent that pulls work from Prefect Cloud (which is why HTTPS outbound i enough).

thanks

Yes exactly. It “pulls” every 10 seconds and then finds something to run and then takes care of running it

thanks

Ah what page did you see? Cuz I was about to give one also

Ah ok I was gonna give this, which is kind of the same