This feature is available as part of the Honeycomb Enterprise plan.
The following sections detail the recommended infrastructure components and their configurations for Secure Tenancy.
If you use one load balancer, Honeycomb will use it for both encrypting and decrypting data. You may use two load balancers to separate the encryption and decryption paths.
Configure the load balancer(s) with a certificate signed by a Certificate Authority. The load balancer serves as the entry point for encryption and decryption.
Configure these instances to allow incoming traffic from applications on the internal network(s) where they are running, and so that end users can access the endpoint when tunneled into the company VPN.
The domain name and SSL certificate should be publicly resolvable, but the endpoint can be on a non-publicly-routable IP accessible from within the VPN.
Your load balancers must support gRPC connections if you intend to use OpenTelemetry SDKs to instrument your applications.
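A pre-flight check for the load balancer requirements above, written as an added example (it is not Honeycomb's code). It reports whether the endpoint name resolves to internal-only addresses, whether the certificate validates against the system trust store, and whether HTTP/2 is negotiated. The function names, the default port 443 and the sample addresses in the test are assumptions.

```python
import ipaddress
import socket
import ssl
import sys

# Address ranges that are not routable on the public internet
# (RFC 1918 for IPv4, RFC 4193 unique local addresses for IPv6).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify_addresses(addresses):
    """Split resolved addresses into internal-only and publicly routable."""
    result = {"internal": [], "routable": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        internal = any(ip in net for net in INTERNAL_NETWORKS)
        result["internal" if internal else "routable"].append(str(ip))
    return result


def resolve(host, port):
    """Return the distinct addresses the resolver gives for the endpoint name."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_tls(host, port, timeout=5.0):
    """Handshake using the system trust store with hostname verification.

    Raises ssl.SSLCertVerificationError when the certificate is not signed by
    a trusted CA or does not match the host name. Returns the expiry date and
    whether HTTP/2 was negotiated via ALPN, which gRPC needs (necessary, not
    sufficient, for end-to-end gRPC support).
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"not_after": tls.getpeercert()["notAfter"],
                    "http2": tls.selected_alpn_protocol() == "h2"}


if __name__ == "__main__":
    # Usage: python preflight.py <endpoint-host> [port]; the host is your own value.
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443  # 443 is an assumed default
    print(classify_addresses(resolve(host, port)))
    print(check_tls(host, port))
```

Run it from a machine on the VPN, since an endpoint on a non-publicly-routable IP is reachable only from there.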
The load balancer described above will forward traffic to these servers. If possible, place the servers in separate availability zones.
The MySQL database should not be accessible by any programs other than the secure proxy.
Here is an example configuration using AWS technology:
If you’re planning to deploy using a higher-level platform, such as OpenShift, Mesos, or Kubernetes, please contact your Honeycomb representative for more specific guidance for your platform.
If you plan to use Kubernetes, the Helm guide details the recommended deployment options for Secure Tenancy infrastructure and Kubernetes.