Satellite Mode
CyberHive Connect has several "Satellite Mode" features designed to optimise operations in situations that involve high latency and constrained bandwidth.
Most of these features are enabled by default, as they make sense in all scenarios.
This document describes these features and covers recommended settings to obtain the best performance.
Pre-generation of Endpoint Keys
Key Validity Period
Although the peer-to-peer phase of key rotation is very efficient, it also involves sending updates to the Connect control service once completed.
For satellite mode it is recommended to set the key validity period to a high value. Depending on your use case, we would recommend setting this to a whole number of days.
The key validity period is managed in the Connect control service at the organisation level, which defines the configuration for each mesh network, and can be changed at any time.
Configuration Fetch Interval
The client will fetch configuration from the Connect control service at start up, and at regular intervals thereafter.
For satellite mode it is recommended to set the configuration fetch interval to a high value. Depending on your use case, we would recommend setting it according to the maximum acceptable delay before new peers are discovered. Note that the configuration fetch interval should not exceed one-third of the key validity period.
The configuration fetch interval is managed in the Connect control service at the organisation level, which defines the configuration for each mesh network, and can be changed at any time.
In future releases the client may automatically be notified when configuration changes are required using a long-lived connection to the server.
Client Event Logging
The client will send event logs to the Connect control service in response to events such as key rotation, address discovery and so on.
For satellite mode it is recommended to enable event suppression.
The event suppression setting is managed in the Connect control service at the organisation level, which defines the configuration for each mesh network, and can be changed at any time.
STUN
The client implements the STUN protocol to enable NAT traversal.
For satellite mode it is possible to disable STUN and explicitly configure the external IP address and port of the Connect Endpoint.
The STUN setting is configured on the client instance via the CONNECT_STUN environment variable.
Limit Peer-to-Peer Connections
Connect can be configured to build a full peer-to-peer mesh where every client in an organisation can talk to each other.
Typically, this is not appropriate for a client connected across satellite connectivity.
Instead, configure access control groups in the Connect control service to build a hub-and-spoke topology.
DNS Caching
The client uses the operating system's name resolver. If the DNS record for the Connect control service has a long TTL, then DNS lookups will be infrequent.
CyberHive SaaS uses a TTL of 86400 seconds (1 day). Use an appropriate TTL if hosting your own Connect control service.
HTTP Connection Re-use
The client upgrades to HTTP/2 and re-uses the TCP connection where possible.
CyberHive SaaS implements HTTP/2. Ensure HTTP/2 is available if hosting your own Connect control service.
HTTP Content Encoding
The client accepts gzip, brotli, and deflate compression.
CyberHive SaaS supports sending compressed responses. Ensure compression support is in place if hosting your own Connect control service.
ETag
To avoid redundant transfer of duplicate data, the client tracks the ETag header value of the configuration API response provided by the Connect control service.
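The exchange described above, modelled as an added example that is not CyberHive code: a constructed stand-in for the control service's configuration API computes an ETag from the configuration body, and a client remembers the ETag, sends it back in `If-None-Match`, and keeps its cached copy when the service answers `304 Not Modified`. The service class, the client class and the sample configuration are all assumptions made for the illustration; the only thing taken from the page is the ETag mechanism itself.

```python
import hashlib
import json


class FakeControlService:
    """Constructed in-memory stand-in for the configuration API (not CyberHive code)."""

    def __init__(self, config):
        self.config = config

    def _body(self):
        # Canonical JSON so the ETag only changes when the configuration changes.
        return json.dumps(self.config, sort_keys=True).encode()

    def _etag(self):
        # Strong ETag derived from the body; any real service may compute it differently.
        return '"' + hashlib.sha256(self._body()).hexdigest()[:16] + '"'

    def get_configuration(self, request_headers):
        """Return (status, headers, body), mimicking an HTTP response."""
        etag = self._etag()
        if request_headers.get("If-None-Match") == etag:
            # Nothing changed: send headers only, no body over the satellite link.
            return 304, {"ETag": etag}, b""
        body = self._body()
        return 200, {"ETag": etag, "Content-Type": "application/json"}, body

    def update(self, **changes):
        # Simulate an administrator changing organisation-level settings.
        self.config.update(changes)


class CachingClient:
    """Client that revalidates its cached configuration with If-None-Match."""

    def __init__(self, service):
        self.service = service
        self.etag = None
        self.cached = None
        self.bytes_received = 0  # body bytes only, to show what the ETag saves

    def fetch(self):
        headers = {}
        if self.etag is not None and self.cached is not None:
            headers["If-None-Match"] = self.etag
        status, resp_headers, body = self.service.get_configuration(headers)
        self.bytes_received += len(body)

        if status == 304:
            if self.cached is None:
                # Defensive: a 304 with nothing cached is unusable; refetch unconditionally.
                self.etag = None
                return self.fetch()
            return status, self.cached
        if status == 200:
            self.etag = resp_headers.get("ETag")
            self.cached = json.loads(body)
            return status, self.cached
        raise RuntimeError(f"unexpected status {status}")


def run_demo():
    """Drive three fetches and return their statuses plus body bytes received."""
    # Constructed sample configuration; the keys are illustrative only.
    service = FakeControlService({"peers": ["ep-a", "ep-b"], "key_validity_days": 7})
    client = CachingClient(service)
    statuses = [client.fetch()[0]]          # first fetch: full download (200)
    statuses.append(client.fetch()[0])      # unchanged: 304, no body transferred
    service.update(peers=["ep-a", "ep-b", "ep-c"])
    statuses.append(client.fetch()[0])      # new peer: 200 with the new body
    return statuses, client.bytes_received, client.cached


if __name__ == "__main__":
    print(run_demo())
```

The second fetch transfers zero body bytes, which is the saving the ETag mechanism buys over a constrained link; the larger the configuration fetch interval and the more stable the mesh, the more fetches end in a 304.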