Networking
Teabar provisions isolated networks for each environment, ensuring security and preventing cross-environment traffic. This guide covers network architecture, firewall configuration, and DNS management.
Network Architecture
Each environment gets its own isolated network:
┌────────────────────────────────────────────────────────────────┐
│                      Environment Network                       │
│                          10.0.0.0/16                           │
│                                                                │
│  ┌──────────────────┐    ┌────────────────────────────────┐    │
│  │  Infrastructure  │    │      Participant Subnet        │    │
│  │   10.0.1.0/24    │    │         10.0.10.0/24           │    │
│  │                  │    │                                │    │
│  │ ┌──────────────┐ │    │  ┌─────┐  ┌─────┐  ┌─────┐     │    │
│  │ │ K8s Control  │ │    │  │ P1  │  │ P2  │  │ P3  │     │    │
│  │ │    Plane     │ │    │  │ VM  │  │ VM  │  │ VM  │     │    │
│  │ └──────────────┘ │    │  └─────┘  └─────┘  └─────┘     │    │
│  │                  │    │                                │    │
│  │ ┌──────────────┐ │    └────────────────────────────────┘    │
│  │ │   Workers    │ │                                          │
│  │ └──────────────┘ │                                          │
│  └──────────────────┘                                          │
│                                                                │
│                        ┌──────────────┐                        │
│                        │   Firewall   │                        │
│                        └──────┬───────┘                        │
└───────────────────────────────┼────────────────────────────────┘
                                │
                                ▼
                            Internet
Network Configuration
Basic Configuration
apiVersion: teabar.dev/v1
kind: Blueprint
metadata:
  name: my-workshop
spec:
  infrastructure:
    provider: hetzner
    location: fsn1
    network:
      cidr: 10.0.0.0/16
      subnets:
        - name: infrastructure
          cidr: 10.0.1.0/24
          description: Control plane and shared services
        - name: participants
          cidr: 10.0.10.0/24
          description: Participant workspaces
Provider-Specific Configuration
spec:
  infrastructure:
    provider: hetzner
    location: fsn1
    network:
      cidr: 10.0.0.0/16
      zone: eu-central  # eu-central, us-east, us-west
      subnets:
        - name: main
          cidr: 10.0.0.0/24
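The subnet layout above is easy to get subtly wrong (a subnet outside the environment CIDR, two subnets that overlap, a CIDR with host bits set), and the provider only reports that at apply time. The following pre-apply check is an added example, not part of teactl or the Teabar project; the network dict is constructed from the Blueprint above, and the functions and their names are assumptions of this example.

```python
import ipaddress

# Constructed sample mirroring the network block of the Blueprint above
# (given as a dict so this runs with the standard library only).
NETWORK = {
    "cidr": "10.0.0.0/16",
    "subnets": [
        {"name": "infrastructure", "cidr": "10.0.1.0/24"},
        {"name": "participants", "cidr": "10.0.10.0/24"},
    ],
}


def check_network(network):
    """Return a list of problems with a network block; an empty list means it is sound.

    Checks that every CIDR parses as a network address (no host bits set), that
    each subnet lies inside the environment CIDR, and that no two subnets overlap.
    Hypothetical pre-apply check; it is not part of teactl.
    """
    problems = []
    try:
        env = ipaddress.ip_network(network["cidr"], strict=True)
    except ValueError as exc:
        return [f"environment cidr {network['cidr']!r} is invalid: {exc}"]
    seen = []
    for sub in network.get("subnets", []):
        try:
            net = ipaddress.ip_network(sub["cidr"], strict=True)
        except ValueError as exc:
            problems.append(f"subnet {sub['name']}: invalid cidr {sub['cidr']!r}: {exc}")
            continue
        if net.version != env.version or not net.subnet_of(env):
            problems.append(f"subnet {sub['name']} ({net}) lies outside environment cidr {env}")
        for other_name, other in seen:
            if net.version == other.version and net.overlaps(other):
                problems.append(f"subnet {sub['name']} ({net}) overlaps {other_name} ({other})")
        seen.append((sub["name"], net))
    return problems


def subnet_for(address, network):
    """Name of the subnet an address belongs to, or None if it is in no declared subnet."""
    addr = ipaddress.ip_address(address)
    for sub in network.get("subnets", []):
        net = ipaddress.ip_network(sub["cidr"], strict=False)
        if addr.version == net.version and addr in net:
            return sub["name"]
    return None


if __name__ == "__main__":
    for line in check_network(NETWORK) or ["network block OK"]:
        print(line)
    print("10.0.10.7 is in subnet:", subnet_for("10.0.10.7", NETWORK))
```

Run it against the network block before `teactl` applies the Blueprint; `subnet_for` is handy when deciding whether an address in a firewall rule really refers to the participant segment or to infrastructure.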
Firewall Rules
Default Rules
Teabar creates sensible default firewall rules:
spec:
  infrastructure:
    firewall:
      # Inbound rules
      ingress:
        - name: ssh
          port: 22
          protocol: tcp
          source: 0.0.0.0/0
          description: SSH access
        - name: http
          port: 80
          protocol: tcp
          source: 0.0.0.0/0
          description: HTTP traffic
        - name: https
          port: 443
          protocol: tcp
          source: 0.0.0.0/0
          description: HTTPS traffic
        - name: internal
          port: 1-65535
          protocol: tcp
          source: 10.0.0.0/16
          description: Internal network traffic
      # Outbound rules
      egress:
        - name: all-outbound
          port: 1-65535
          protocol: all
          destination: 0.0.0.0/0
          description: Allow all outbound
Restrictive Configuration
For high-security environments:
spec:
  infrastructure:
    firewall:
      # Only allow web traffic from gateway
      ingress:
        - name: gateway-only
          port: 443
          protocol: tcp
          source: gateway.teabar.dev
          description: Gateway access only
        - name: internal
          port: 1-65535
          protocol: tcp
          source: 10.0.0.0/16
      # Restricted outbound
      egress:
        - name: https-only
          port: 443
          protocol: tcp
          destination: 0.0.0.0/0
        - name: dns
          port: 53
          protocol: udp
          destination: 0.0.0.0/0
        - name: internal
          port: 1-65535
          protocol: all
          destination: 10.0.0.0/16
Per-Resource Firewalls
Apply different rules to different resources:
resources:
  # Database with restricted access
  - name: database
    type: vm
    spec:
      size: cx31
      firewall:
        ingress:
          - port: 5432
            source: 10.0.0.0/16
            description: PostgreSQL from internal only
        egress:
          - port: 443
            destination: 0.0.0.0/0
            description: HTTPS for updates
  # Web server with public access
  - name: webserver
    type: vm
    spec:
      size: cx21
      firewall:
        ingress:
          - port: 80
            source: 0.0.0.0/0
          - port: 443
            source: 0.0.0.0/0
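The three rule sets in this section (the defaults, the restrictive variant, and the per-resource rules on the database) differ mainly in what they expose to the whole internet and how much outbound traffic they allow. The script below is an added example, not Teabar code: it answers "would this flow be allowed by this rule list?" and flags the rules a reviewer would question. It assumes allow-list semantics (a flow matched by no rule is dropped), treats a per-resource rule without `protocol` as tcp, and resolves hostname sources such as `gateway.teabar.dev` through a caller-supplied lookup table, since the page does not say how Teabar merges environment-level and per-resource rules, each list is evaluated on its own. The rule dicts are constructed from the YAML above.

```python
import ipaddress

# Constructed dict forms of the rule sets above: the default environment rules,
# the restrictive variant, and the database resource's per-resource rules.
DEFAULT_FIREWALL = {
    "ingress": [
        {"name": "ssh", "port": 22, "protocol": "tcp", "source": "0.0.0.0/0"},
        {"name": "http", "port": 80, "protocol": "tcp", "source": "0.0.0.0/0"},
        {"name": "https", "port": 443, "protocol": "tcp", "source": "0.0.0.0/0"},
        {"name": "internal", "port": "1-65535", "protocol": "tcp", "source": "10.0.0.0/16"},
    ],
    "egress": [
        {"name": "all-outbound", "port": "1-65535", "protocol": "all", "destination": "0.0.0.0/0"},
    ],
}
RESTRICTIVE_FIREWALL = {
    "ingress": [
        {"name": "gateway-only", "port": 443, "protocol": "tcp", "source": "gateway.teabar.dev"},
        {"name": "internal", "port": "1-65535", "protocol": "tcp", "source": "10.0.0.0/16"},
    ],
    "egress": [
        {"name": "https-only", "port": 443, "protocol": "tcp", "destination": "0.0.0.0/0"},
        {"name": "dns", "port": 53, "protocol": "udp", "destination": "0.0.0.0/0"},
        {"name": "internal", "port": "1-65535", "protocol": "all", "destination": "10.0.0.0/16"},
    ],
}
DATABASE_FIREWALL = {
    "ingress": [{"port": 5432, "source": "10.0.0.0/16"}],
    "egress": [{"port": 443, "destination": "0.0.0.0/0"}],
}
WORLD = ("0.0.0.0/0", "::/0")
WEB_PORTS = (80, 443)


def port_range(spec):
    """22, '22' or '1-65535' -> inclusive (low, high); rejects anything outside 1-65535."""
    text = str(spec)
    low, high = text.split("-", 1) if "-" in text else (text, text)
    low, high = int(low), int(high)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return low, high


def scope_networks(value, resolved):
    """Networks a source/destination covers; hostnames need an entry in `resolved`
    (an assumed lookup table, since this check runs offline)."""
    try:
        return [ipaddress.ip_network(value, strict=False)]
    except ValueError:
        return [ipaddress.ip_network(c, strict=False) for c in resolved.get(value, [])]


def matching_rule(rules, direction, peer_ip, port, protocol, resolved=None):
    """Name of the first rule allowing the flow, or None when nothing matches.

    Assumes allow-list semantics (a flow no rule matches is dropped) and that a
    rule without `protocol` means tcp; both are assumptions of this example.
    """
    key = "source" if direction == "ingress" else "destination"
    peer = ipaddress.ip_address(peer_ip)
    for rule in rules:
        low, high = port_range(rule["port"])
        if not low <= port <= high:
            continue
        if rule.get("protocol", "tcp") not in ("all", protocol):
            continue
        if any(peer in net for net in scope_networks(rule[key], resolved or {})):
            return rule.get("name") or f"port {rule['port']}"
    return None


def lint_firewall(firewall):
    """Flag rules worth a second look: world-reachable non-web ports and
    unrestricted outbound access."""
    findings = []
    for rule in firewall.get("ingress", []):
        low, high = port_range(rule["port"])
        if rule.get("source") in WORLD and not (low == high and low in WEB_PORTS):
            findings.append(f"ingress {rule.get('name') or rule['port']}: reachable from the whole internet")
    for rule in firewall.get("egress", []):
        if rule.get("destination") in WORLD and port_range(rule["port"]) == (1, 65535):
            findings.append(f"egress {rule.get('name') or rule['port']}: unrestricted outbound")
    return findings
```

Against the defaults the linter reports the world-reachable SSH rule and the unrestricted egress rule, which is exactly what the restrictive configuration removes; `matching_rule` then lets you confirm that, under the restrictive set, an internet address cannot reach port 22 while the internal network still can.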
Load Balancers
Layer 4 Load Balancer
TCP/UDP load balancing:
resources:
  - name: tcp-lb
    type: loadbalancer
    spec:
      type: tcp  # Layer 4
      algorithm: round_robin  # round_robin, least_connections
      targets:
        - resource: webserver
      services:
        - name: https
          listenPort: 443
          targetPort: 8080
          protocol: tcp
          healthCheck:
            protocol: tcp
            port: 8080
            interval: 10s
            timeout: 5s
            unhealthyThreshold: 3
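The `healthCheck` block above is what decides when a backend is pulled from rotation: a TCP connect to `targetPort` every `interval`, failing if it takes longer than `timeout`, with the target marked unhealthy after `unhealthyThreshold` consecutive failures. The following is an added example that models that logic locally, not the load balancer's own implementation; it assumes the duration formats `10s`/`250ms` and that one successful probe restores a target (the block has no healthy-threshold setting). `FakeBackend` is a constructed stand-in for the web server so the check runs offline.

```python
import socket
import threading
import time

# The healthCheck settings from the Layer 4 block above.
HEALTH_CHECK = {"protocol": "tcp", "port": 8080, "interval": "10s",
                "timeout": "5s", "unhealthyThreshold": 3}


def parse_seconds(text):
    """'10s' -> 10.0, '250ms' -> 0.25 (the duration formats assumed here)."""
    text = str(text).strip()
    if text.endswith("ms"):
        return float(text[:-2]) / 1000.0
    if text.endswith("s"):
        return float(text[:-1])
    return float(text)


def tcp_probe(host, port, timeout):
    """One TCP health probe: True if the port accepts a connection within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class TargetHealth:
    """Marks a target unhealthy after `threshold` consecutive failed probes.
    A single successful probe restores it (assumed; the block above has no
    healthyThreshold setting)."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.failures = 0
        self.healthy = True

    def record(self, probe_ok):
        if probe_ok:
            self.failures = 0
            self.healthy = True
        else:
            self.failures += 1
            if self.failures >= self.threshold:
                self.healthy = False
        return self.healthy


def run_probes(host, port, config, rounds, interval=None):
    """Probe `rounds` times and return the health state after each probe.
    `interval` overrides the configured one (pass 0 for a quick local check)."""
    wait = parse_seconds(config["interval"]) if interval is None else interval
    timeout = parse_seconds(config["timeout"])
    state = TargetHealth(config["unhealthyThreshold"])
    history = []
    for i in range(rounds):
        history.append(state.record(tcp_probe(host, port, timeout)))
        if i < rounds - 1 and wait:
            time.sleep(wait)
    return history


class FakeBackend:
    """Constructed stand-in for the backend on targetPort: accepts and closes TCP
    connections on an ephemeral loopback port until stop() is called."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.1)  # lets the serve loop notice the stop flag
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()  # port is now refused, like a crashed backend


if __name__ == "__main__":
    backend = FakeBackend()
    print("backend up:  ", run_probes("127.0.0.1", backend.port, HEALTH_CHECK, 2, interval=0))
    backend.stop()
    print("backend down:", run_probes("127.0.0.1", backend.port, HEALTH_CHECK, 4, interval=0))
```

With the backend stopped the history reads `[True, True, False, False]`: the first two failures are tolerated and the third flips the target, which is why a "Load balancer unhealthy" report usually means the backend has been down for roughly `interval × unhealthyThreshold` already.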
Layer 7 Load Balancer
HTTP/HTTPS load balancing with routing:
resources:
  - name: http-lb
    type: loadbalancer
    spec:
      type: http  # Layer 7
      certificate:
        type: auto  # auto (Let's Encrypt) or custom
        # For custom:
        # secretName: tls-cert
      targets:
        - resource: webserver
      services:
        - name: https
          listenPort: 443
          targetPort: 8080
          protocol: https
      # HTTP to HTTPS redirect
      redirectHttp: true
Provider-Specific Load Balancers
resources:
  - name: lb
    type: loadbalancer
    spec:
      type: http
      location: fsn1
      targets:
        - resource: webserver
      services:
        - listenPort: 443
          targetPort: 8080
          protocol: https
      # Hetzner-specific
      hetzner:
        type: lb11  # lb11, lb21, lb31
DNS Management
Automatic DNS
Teabar automatically creates DNS records for environments:
<service>.<environment>.<org>.teabar.dev
Examples:
app.my-workshop.acme.teabar.dev
gitlab.my-workshop.acme.teabar.dev
Custom DNS Records
Create additional DNS records:
resources:
  - name: custom-dns
    type: dns
    spec:
      zone: workshop.example.com  # Your domain
      records:
        - name: "@"
          type: A
          value: "{{ .Resources.lb.ip }}"
          ttl: 300
        - name: "www"
          type: CNAME
          value: "@"
          ttl: 300
        - name: "api"
          type: A
          value: "{{ .Resources.api-server.public_ip }}"
          ttl: 300
Provider-Specific DNS
resources:
  - name: dns
    type: dns
    spec:
      provider: hetzner-dns
      zone: workshop.example.com
      records:
        - name: "@"
          type: A
          value: "{{ .Resources.lb.ip }}"
Configure Hetzner DNS token:
teactl org provider set hetzner-dns --token <HETZNER_DNS_TOKEN>
Wildcard DNS
For dynamic subdomains:
resources:
  - name: wildcard-dns
    type: dns
    spec:
      zone: workshop.example.com
      records:
        - name: "*"
          type: A
          value: "{{ .Resources.ingress.ip }}"
          ttl: 300
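Two things in this section are worth checking before records reach a provider: the automatic `<service>.<environment>.<org>.teabar.dev` names must be valid DNS labels, and custom records only become concrete once the `{{ .Resources.<name>.<attribute> }}` references are filled in, at which point an A record can turn out not to hold an IPv4 address, or a CNAME can collide with another record of the same name. The script below is an added example, not Teabar's DNS code: the record list is constructed from the custom block above, the resource outputs are constructed, and the label rules are the usual hostname rules (lowercase letters, digits, hyphens, 63 characters per label, 253 in total) assumed here.

```python
import ipaddress
import re

BASE_DOMAIN = "teabar.dev"
# One DNS label: 1-63 chars of lowercase letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# The {{ .Resources.<name>.<attribute> }} references used in the records above.
TEMPLATE_RE = re.compile(r"\{\{\s*\.Resources\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_]+)\s*\}\}")

# Constructed records (the custom block above) and constructed resource outputs
# standing in for what the provider reports once the resources exist.
RECORDS = [
    {"name": "@", "type": "A", "value": "{{ .Resources.lb.ip }}", "ttl": 300},
    {"name": "www", "type": "CNAME", "value": "@", "ttl": 300},
    {"name": "api", "type": "A", "value": "{{ .Resources.api-server.public_ip }}", "ttl": 300},
]
OUTPUTS = {"lb": {"ip": "203.0.113.10"}, "api-server": {"public_ip": "203.0.113.11"}}


def auto_hostname(service, environment, org):
    """Build <service>.<environment>.<org>.teabar.dev, rejecting labels DNS would not accept."""
    for label in (service, environment, org):
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r}")
    name = f"{service}.{environment}.{org}.{BASE_DOMAIN}"
    if len(name) > 253:
        raise ValueError("hostname exceeds 253 characters")
    return name


def render_value(value, outputs):
    """Replace every resource reference in `value` with that resource's output."""
    def substitute(match):
        name, attr = match.group(1), match.group(2)
        if name not in outputs or attr not in outputs[name]:
            raise LookupError(f"no output {attr!r} for resource {name!r}")
        return str(outputs[name][attr])
    return TEMPLATE_RE.sub(substitute, value)


def validate_records(records, outputs):
    """Render the records and check them; returns (rendered_records, problems)."""
    rendered, problems, types_by_name = [], [], {}
    for rec in records:
        try:
            value = render_value(rec["value"], outputs)
        except LookupError as exc:
            problems.append(f"{rec['name']}: {exc}")
            continue
        rtype = rec["type"].upper()
        if rtype == "A":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"{rec['name']}: A value {value!r} is not an IPv4 address")
        elif rtype == "CNAME" and value != "@":
            if not all(LABEL_RE.match(part) for part in value.rstrip(".").split(".")):
                problems.append(f"{rec['name']}: CNAME target {value!r} is not a valid hostname")
        ttl = rec.get("ttl", 300)
        if not isinstance(ttl, int) or ttl < 0:
            problems.append(f"{rec['name']}: ttl must be a non-negative integer")
        types_by_name.setdefault(rec["name"], set()).add(rtype)
        rendered.append({**rec, "value": value})
    for name, types in types_by_name.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{name}: a CNAME cannot share its name with other record types")
    return rendered, problems


if __name__ == "__main__":
    print(auto_hostname("app", "my-workshop", "acme"))
    rendered, problems = validate_records(RECORDS, OUTPUTS)
    for rec in rendered:
        print(f"{rec['name']:>4} {rec['type']:<5} {rec['value']}")
    print("problems:", problems or "none")
```

A missing output (for instance when `api-server` has not been created yet) is reported per record rather than silently producing a literal `{{ ... }}` string in the zone.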
Floating IPs
Static public IPs that persist across VM recreation:
resources:
  - name: static-ip
    type: floating-ip
    spec:
      location: fsn1
  - name: webserver
    type: vm
    spec:
      size: cx21
      floatingIp: static-ip
Private Connectivity
VPN Access
For secure private access:
spec:
  infrastructure:
    vpn:
      enabled: true
      type: wireguard
      server:
        port: 51820
        subnet: 10.100.0.0/24
      # Auto-generate client configs
      clients:
        generatePerParticipant: true
Get VPN configuration:
teactl access vpn my-env --participant p1 > wireguard.conf
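Two consequences of the `vpn` block above are easy to overlook: the `/24` server subnet caps the number of per-participant configs at 253 (the server takes one address), and a client config is only as private as its `AllowedIPs` line, which should cover the VPN subnet and the environment network and nothing else. The script below is an added example, not the code behind `generatePerParticipant` or `teactl access vpn`: it allocates one tunnel address per participant, renders a split-tunnel client config, and checks a config (such as the `wireguard.conf` written above) for entries outside the permitted networks. Key values are placeholders; the address allocation order and the config layout are assumptions of this example.

```python
import ipaddress

# The vpn block above, as a dict, plus the environment CIDR it should reach.
VPN = {"port": 51820, "subnet": "10.100.0.0/24"}
ENV_CIDR = "10.0.0.0/16"
# Placeholders: real keys come from `wg genkey` / `wg pubkey`, never from a file like this.
KEYS = {"client_private": "<CLIENT_PRIVATE_KEY>", "server_public": "<SERVER_PUBLIC_KEY>"}


def allocate_peers(participants, vpn_subnet):
    """Server takes the first host address; each participant gets the next free one.
    Raises if the subnet cannot hold everyone (a /24 leaves 253 peer addresses)."""
    hosts = list(ipaddress.ip_network(vpn_subnet).hosts())
    capacity = len(hosts) - 1
    if len(participants) > capacity:
        raise ValueError(f"{vpn_subnet} fits {capacity} peers, {len(participants)} requested")
    if len(set(participants)) != len(participants):
        raise ValueError("duplicate participant ids")
    return hosts[0], {p: hosts[i + 1] for i, p in enumerate(participants)}


def client_config(address, endpoint, vpn, env_cidr, keys):
    """Split-tunnel client config: AllowedIPs is only the VPN subnet and the
    environment network, so participant traffic to anything else stays off the tunnel."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {keys['client_private']}",
        f"Address = {address}/32",
        "",
        "[Peer]",
        f"PublicKey = {keys['server_public']}",
        f"Endpoint = {endpoint}:{vpn['port']}",
        f"AllowedIPs = {vpn['subnet']}, {env_cidr}",
        "PersistentKeepalive = 25",
        "",
    ])


def tunnel_scope_problems(config_text, permitted_cidrs):
    """Check a client config: every AllowedIPs entry must sit inside one of
    `permitted_cidrs`; a 0.0.0.0/0 entry would route all of the client's traffic
    through the environment."""
    permitted = [ipaddress.ip_network(c) for c in permitted_cidrs]
    problems = []
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "AllowedIPs":
            continue
        for entry in value.split(","):
            net = ipaddress.ip_network(entry.strip(), strict=False)
            if not any(net.version == p.version and net.subnet_of(p) for p in permitted):
                problems.append(f"AllowedIPs entry {net} is outside the permitted networks")
    return problems


if __name__ == "__main__":
    server, peers = allocate_peers(["p1", "p2", "p3"], VPN["subnet"])
    print(f"server {server}, peers {dict((k, str(v)) for k, v in peers.items())}")
    conf = client_config(peers["p1"], "vpn.example.test", VPN, ENV_CIDR, KEYS)
    print(conf)
    print("scope problems:", tunnel_scope_problems(conf, [VPN["subnet"], ENV_CIDR]) or "none")
```

`tunnel_scope_problems` is the useful part when reviewing configs handed to participants: a config whose `AllowedIPs` reads `0.0.0.0/0` turns the workshop network into a full-tunnel exit for that participant's machine.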
Peering (Enterprise)
Connect to existing networks:
spec:
  infrastructure:
    peering:
      - name: corporate-network
        type: vpc-peering  # or vnet-peering for Azure
        targetVpcId: vpc-abc123
        targetCidr: 172.16.0.0/16
Network Policies
For Kubernetes clusters, define network policies:
resources:
  - name: k8s
    type: cluster
    spec:
      distribution: talos
      cni: cilium
      networkPolicies:
        # Default deny all
        - name: default-deny
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
        # Allow DNS
        - name: allow-dns
          spec:
            podSelector: {}
            policyTypes:
              - Egress
            egress:
              - to:
                  - namespaceSelector:
                      matchLabels:
                        name: kube-system
                ports:
                  - protocol: UDP
                    port: 53
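The two policies above work together because Kubernetes network policies are additive: `default-deny` selects every pod for both directions and carries no rules, so nothing is allowed, and `allow-dns` then opens exactly UDP 53 towards `kube-system`. Anything else, including TCP 53 and any ingress, stays blocked. The evaluator below is an added example, not Cilium's or Kubernetes' implementation: it applies the standard selection rules (no policy selecting a pod for a direction means allow; otherwise some selecting policy must have a matching rule) to the two policies, converted to dicts. It assumes the policies live in the pod's namespace and does not model `ipBlock` entries.

```python
# Constructed dict forms of the two policies above (default-deny, allow-dns).
POLICIES = [
    {"name": "default-deny",
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"name": "allow-dns",
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
                          "ports": [{"protocol": "UDP", "port": 53}]}]}},
]


def selects(selector, labels):
    """matchLabels semantics: an empty selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def policy_types(spec):
    """Kubernetes default when policyTypes is omitted: Ingress, plus Egress if egress rules exist."""
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])


def peer_matches(entry, peer, pod):
    """One `to`/`from` entry. With no namespaceSelector the peer must be in the pod's
    own namespace; ipBlock entries are not modelled here (assumption)."""
    if "namespaceSelector" in entry:
        if not selects(entry["namespaceSelector"], peer["namespace_labels"]):
            return False
    elif peer["namespace"] != pod["namespace"]:
        return False
    if "podSelector" in entry and not selects(entry["podSelector"], peer["labels"]):
        return False
    return True


def rule_matches(rule, direction, peer, port, protocol, pod):
    """A rule with no peers allows any peer; with no ports, any port."""
    entries = rule.get("to" if direction == "Egress" else "from")
    if entries is not None and not any(peer_matches(e, peer, pod) for e in entries):
        return False
    ports = rule.get("ports")
    if ports is not None and not any(
        p.get("protocol", "TCP") == protocol and ("port" not in p or p["port"] == port)
        for p in ports
    ):
        return False
    return True


def is_allowed(policies, pod, direction, peer, port, protocol="TCP"):
    """Evaluate one connection for a pod ('Ingress' or 'Egress').

    No policy selecting the pod for this direction means Kubernetes allows it;
    otherwise some selecting policy must contain a rule matching the peer and port.
    """
    applicable = [p["spec"] for p in policies
                  if direction in policy_types(p["spec"])
                  and selects(p["spec"].get("podSelector"), pod["labels"])]
    if not applicable:
        return True
    return any(rule_matches(rule, direction, peer, port, protocol, pod)
               for spec in applicable for rule in spec.get(direction.lower(), []))


if __name__ == "__main__":
    pod = {"namespace": "workshop", "labels": {"app": "p1"}}
    dns = {"namespace": "kube-system", "namespace_labels": {"name": "kube-system"},
           "labels": {"k8s-app": "kube-dns"}}
    other = {"namespace": "workshop", "namespace_labels": {"name": "workshop"}, "labels": {"app": "p2"}}
    print("egress UDP/53 to kube-system:", is_allowed(POLICIES, pod, "Egress", dns, 53, "UDP"))
    print("egress TCP/53 to kube-system:", is_allowed(POLICIES, pod, "Egress", dns, 53, "TCP"))
    print("egress TCP/443 to a peer pod: ", is_allowed(POLICIES, pod, "Egress", other, 443))
    print("ingress TCP/80 from a peer:   ", is_allowed(POLICIES, pod, "Ingress", other, 80))
```

Dropping `default-deny` from the list shows the trap with additive policies: `allow-dns` alone selects pods only for Egress, so ingress is then unrestricted even though a policy "exists".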
Troubleshooting
Check Network Status
# View environment network details
teactl env get my-workshop --show-network
# Test connectivity
teactl access ssh my-workshop --vm webserver
ping database.internal
Common Issues
“Connection timed out”
- Check firewall rules allow the traffic
- Verify the target is in the same network or has routing
“Name resolution failed”
- Ensure DNS is configured correctly
- Check if using private hostnames that resolve internally only
“Load balancer unhealthy”
- Verify health check endpoint is responding
- Check backend service is running on the correct port
View Network Logs
teactl env logs my-workshop --component network