Network redesign

Hey all! So I’ve recently redesigned our network’s architecture, and figured I’d share, as some may find it interesting!

So cohost is a collective operated by the 7 Circles network (cohost and 7 Circles are one and the same: cohost is the group, 7 Circles is the network). OK, got it? Great!

The reason I mention the above is that the foundations of the cohost network are based on BGP: we use public address space in all our regions and sites, which meant that in the beginning we didn’t have any tunnels or other protection guarding the actual traffic between regional sites. This was fine initially, given everything we host uses encryption anyway. Eventually, though, the thought came to mind: why don’t we protect the actual traffic and headers between the sites as well?

Cohost’s old network architecture

After doing some planning, we decided to use WireGuard with an open AllowedIPs list so that we could run BGP inside the tunnels, giving us dynamic routing inside them! The benefit here is that traffic going between sites on cohost is now encrypted by the tunnel, in addition to any protection the service already had, be it TLS in flight, HTTPS for web traffic, etc.

Unfortunately I don’t have any cool info on how I got the tunnels up in a mesh: I did this by hand, generating the keys and loading the tunnels on each of the edge routers for our sites. The new design looks more like the below, though!

The new design uses a mesh of WireGuard tunnels with BGP sessions to exchange routes between the core sites, meaning the only traffic that could feasibly be seen in open air would be traffic headed outside the 7 Circles network!
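For anyone wanting to see what the “open AllowedIPs, BGP inside the tunnel” setup looks like on disk, here is an added example that renders both ends of one such tunnel as wg-quick files; it is not the 7 Circles router configuration, and every site name, address, port and key is a constructed placeholder. The one-interface-per-tunnel layout and `Table = off` are details I added for correctness: WireGuard lets a given prefix belong to only one peer per interface, and wg-quick would otherwise turn `0.0.0.0/0` into a default route.

```shell
#!/bin/sh
# Added example, not the 7 Circles configuration: render one wg-quick file per
# tunnel for a mesh that carries BGP inside WireGuard, with the open AllowedIPs
# the post describes. Site names, endpoints, link addresses, ports and keys are
# constructed placeholders; real keys come from `wg genkey` / `wg pubkey`.

# WireGuard's cryptokey routing lets a prefix map to only one peer per
# interface, so several peers with AllowedIPs = 0.0.0.0/0 cannot share an
# interface: each tunnel gets its own interface, and BGP picks the interface.
# wg_if_conf LOCAL REMOTE LOCAL_PRIVKEY REMOTE_PUBKEY LINK_ADDR LISTEN_PORT ENDPOINT
wg_if_conf() {
  cat <<EOF
# wg-${1}-${2}.conf : tunnel ${1} -> ${2}
[Interface]
PrivateKey = ${3}
ListenPort = ${6}
Address = ${5}
# Table = off: do not let wg-quick turn 0.0.0.0/0 into a default route;
# the BGP daemon installs whichever prefixes live behind this tunnel.
Table = off

[Peer]
# ${2}
PublicKey = ${4}
Endpoint = ${7}
# Open AllowedIPs: accept any inner prefix from this peer, so routes
# learned over the BGP session running inside the tunnel are usable.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Both ends of the nyc<->lon tunnel. Each side's Endpoint points at the other
# side's ListenPort, and the BGP session runs between the two /30 link addresses.
# Public endpoints 203.0.113.1 (nyc) and 203.0.113.2 (lon) are documentation IPs.
nyc_to_lon() { wg_if_conf nyc lon PRIV_NYC PUB_LON 169.254.0.1/30 51821 203.0.113.2:51820; }
lon_to_nyc() { wg_if_conf lon nyc PRIV_LON PUB_NYC 169.254.0.2/30 51820 203.0.113.1:51821; }

# Print both sides when run directly.
nyc_to_lon
echo
lon_to_nyc
```

Each rendered file would be brought up with `wg-quick up` on its router, after which the BGP daemon peers across the 169.254.0.0/30 link and installs routes pointing at that interface.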

Thus completes the current design of the network!
