
Exit nodes

Supported versions

For multiple exit nodes, all Endpoints in an Organisation must be running 3.9.0 or above.

For a single exit node, all Endpoints in an Organisation must be running 3.7.0 or above.

What is an exit node?

IAM Policy

Connectivity between exit nodes and their peers remains subject to Connect's IAM Policy rules, which are configurable per Organisation.

An exit node is a Connect Endpoint that can act as a breakout point for all Internet traffic originating from other Endpoints within its Organisation.

This can be used to ensure that outbound Internet traffic is routed through the TAN via one or more fixed, known public IP addresses.

Traffic is encrypted between Endpoints and their exit node via the same mechanism as all other Connect traffic, which provides quantum-safe connectivity.

CyberHive Connect supports configuring either a single exit node or multiple exit nodes. When a single exit node is configured, all of its peers route their Internet traffic through it. When multiple exit nodes are configured, each Endpoint dynamically selects one exit node to use.

Why have more than one exit node?

Having more than one exit node can provide higher network throughput, reliability, redundancy, scalability, and the flexibility to access the Internet securely from multiple regions.

Let's look at each of those benefits:

  • Higher network throughput: Multiple exit nodes reduce bottlenecks by providing multiple routes to the Internet. Each exit node handles less traffic and can therefore provide higher throughput with less packet loss. Latency-based exit node selection also ensures each Endpoint uses the exit node which will perform best for its networking conditions.

  • Reliability: Endpoints monitor their ability to access exit nodes, ensuring that connectivity continues* even when an exit node becomes unresponsive or is otherwise unreachable.

  • Redundancy: Exit nodes can be provisioned, updated, and taken offline whenever needed, because Connect's automatic exit node failover mechanism moves peers to another exit node.

  • Scalability: The number of exit nodes available in an Organisation can be scaled up and down to suit the number of peer Endpoints.

  • Flexibility: Endpoints automatically select the best exit node to use, based on real-time latency measurements, so there is no need to reconfigure the Endpoint when travelling.

* See TAN Kill Switch for further information on how Connect can be configured to never bypass an exit node, even when it is unresponsive.

Get started

Configuring exit nodes is simple. See our how-to guide to get started.

Peer behaviour with an exit node

When an exit node is online within an Organisation, its peer Endpoints will route all Internet traffic through the TAN, even when their Internet connectivity is interrupted. This means that traffic cannot "leak" onto the Internet when Connect is running, no matter how spotty the Endpoint's Internet connectivity is.

Note that traffic will not be routed through the TAN when one or more of the following happens:

  • IAM Policy does not permit an Endpoint to access an exit node.
  • No exit node is online; this is subject to the TAN Kill Switch setting.
  • Connect is not running on a peer Endpoint.
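
Traffic that is not routed through the TAN and still reaches a service will arrive from an address other than the exit nodes' known public IPs. The following added example (not part of CyberHive's documentation or product) audits a service-side access log for such requests; the exit node addresses, the log format and the function name are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed values: documentation-range addresses standing in for the
# Organisation's exit node public IPs (assumption, not from the page).
EXIT_NODE_IPS = ["203.0.113.10", "198.51.100.20/32"]

# Constructed access log (assumed format): timestamp, source IP, user.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.10 alice
2024-05-01T09:00:07Z 198.51.100.20 bob
2024-05-01T09:03:12Z 192.0.2.77 alice
2024-05-01T09:03:15Z 192.0.2.77 alice
malformed line
2024-05-01T09:05:40Z 2001:db8::5 carol
2024-05-01T09:06:02Z not-an-ip bob
"""

def find_bypass(log_text, exit_ips):
    """Return ({user: {source_ip: count}}, unparsed_lines) for requests
    that did not arrive from a known exit node address."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in exit_ips]
    bypass = defaultdict(lambda: defaultdict(int))
    unparsed = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            unparsed.append(line)
            continue
        _, src, user = parts
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            unparsed.append(line)  # never count a bad address as allowed
            continue
        # An IPv6 source never matches an IPv4 network, so it is flagged.
        if not any(addr in net for net in allowed):
            bypass[user][str(addr)] += 1
    return {u: dict(c) for u, c in bypass.items()}, unparsed

if __name__ == "__main__":
    leaks, bad = find_bypass(SAMPLE_LOG, EXIT_NODE_IPS)
    for user, sources in sorted(leaks.items()):
        print(f"{user}: requests from non-exit-node addresses {sources}")
    print(f"{len(bad)} line(s) could not be parsed and need manual review")
```

Lines that cannot be parsed are returned separately rather than dropped, so a malformed entry cannot hide a request that bypassed the exit nodes.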

Tip

The active exit node is displayed in the client UI status panel and network diagram. When multiple exit nodes are available, the one selected by the Endpoint is shown.