Synadia Platform
Architecture
Components
- Synadia Control Plane
- HTTP(S) Server - Control Plane API and UI
- Control Plane NATS Server - used for Synadia Private Link connections and to stream events to Web Users
- Databases
- PostgreSQL - stores all Control Plane application data, secrets are encrypted using KMS key
- Prometheus - stores all time-series monitoring data for NATS Systems
- Both PostgreSQL and Prometheus will run embedded by default in Single Replica Mode, but must be externally hosted and managed in HA Mode
- Optional Components
- HTTP(S) Load Balancer - used to load balance between Control Plane replicas (required for HA Mode)
- SSO Provider - used to authenticate users, supports all OIDC providers including Okta, Google, and Microsoft AAD
- KMS Service - used to encrypt secrets stored in Control Plane, supports AWS KMS, Azure KeyVault, Google KMS, and HashiCorp Vault
- Synadia Private Link - connects NATS Servers behind a firewall to Control Plane
Security
Production deployments should configure a TLS Certificate on the User-Facing HTTPS Server.
Internal components and databases communicate using in-process connections or application-managed mutual TLS certificates that are rotated automatically every 30 days.
Ports and Interfaces
Server | Interface | Port | Protocol | Authentication | Description |
---|---|---|---|---|---|
HTTP Server | All | 8080 | HTTP | Session, Bearer Token, NATS JWT | Redirects to port 8443 if TLS is enabled |
HTTPS Server | All | 8443 | HTTPS | Session, Bearer Token, NATS JWT | Requires TLS configuration |
Control Plane NATS | All | 6222 | NATS+TLS | App-managed mTLS | Used for clustering with other Control Plane replicas |
Control Plane NATS | localhost | 4222 | NATS+TLS | App-managed mTLS | Only used internally |
Control Plane NATS | localhost | 8082 | HTTPS | App-managed mTLS | Only used internally |
Internal Auth Server | localhost | 8081 | HTTPS | App-managed mTLS | Only used internally |
Internal Metrics Server | localhost | 7777 | HTTPS | App-managed mTLS | Only used internally |
Internal PostgreSQL | localhost | 5432 | Postgres+TLS | App-managed mTLS | Only used internally |
Internal Prometheus | localhost | 9090 | HTTPS | App-managed mTLS | Only used internally |
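As an added example (not code from the Synadia documentation), the following Python check parses a listening-socket listing in the `ss -ltn` text format and flags any port the table above marks as localhost-only that is bound to a non-loopback address, as well as listeners on ports the table does not list at all. The sample `ss` output is constructed, not captured from a real deployment.

```python
# Added example, not from the Synadia documentation: audit a listening-socket
# listing against the port table above. Assumes the text format of `ss -ltn`.
LOCALHOST_ONLY_PORTS = {4222, 8082, 8081, 7777, 5432, 9090}  # "localhost" rows
PUBLIC_PORTS = {8080, 8443, 6222}                            # "All" rows
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}

# Constructed sample of `ss -ltn` output (not captured from a real deployment);
# port 5432 is deliberately mis-bound to 0.0.0.0 and 2222 is an unknown service.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096   [::]:8443          [::]:*
LISTEN 0      4096   *:6222             *:*
LISTEN 0      4096   127.0.0.1:4222     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:5432       0.0.0.0:*
LISTEN 0      4096   [::1]:9090         [::]:*
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
"""


def parse_ss_listeners(output: str) -> list[tuple[str, int]]:
    """Return (local_address, port) for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or malformed line
        addr, _, port = fields[3].rpartition(":")  # handles [::1]:9090 and *:6222
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def audit_listeners(listeners: list[tuple[str, int]]) -> dict[str, list[tuple[str, int]]]:
    """Classify non-loopback listeners: internal ports exposed, or ports not in the table."""
    report: dict[str, list[tuple[str, int]]] = {"exposed_internal": [], "unexpected": []}
    for addr, port in listeners:
        if addr in LOOPBACK:
            continue  # loopback-only binding is what the table requires for internal ports
        if port in LOCALHOST_ONLY_PORTS:
            report["exposed_internal"].append((addr, port))
        elif port not in PUBLIC_PORTS:
            report["unexpected"].append((addr, port))
    return report


if __name__ == "__main__":
    for kind, hits in audit_listeners(parse_ss_listeners(SAMPLE_SS_OUTPUT)).items():
        for addr, port in hits:
            print(f"{kind}: {addr}:{port}")
```

Run it against live output by replacing SAMPLE_SS_OUTPUT with the result of `ss -ltn` on the Control Plane host; an empty report means the bindings match the table.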
Backup / Restore Procedures
Single Replica Mode
Backup
- Stop Synadia Control Plane to get a consistent snapshot
- Copy the data_dir to an external location
- Start Synadia Control Plane
Restore
- Stop Synadia Control Plane
- Restore the data_dir from the desired backup
- Start Synadia Control Plane
Highly Available (HA) Mode
HA Mode uses the same Docker Image as Single Replica mode, but requires some common configuration and external components to achieve high availability:
- All instances must be configured to use the same KMS Key
- External HTTP(S) Load Balancer
- External PostgreSQL Database
- External Prometheus Server
Backup
- Ensure that you have stored a copy of your KMS Key in a safe location
- Backup the external PostgreSQL Database
- Backup the external Prometheus Database
Restore
- Stop all Synadia Control Plane Replicas
- Ensure that the KMS Key configured matches the one used at the time of your backup
- Restore the external PostgreSQL Database from the desired backup
- Restore the external Prometheus Database from the desired backup
- Start all Synadia Control Plane Replicas