Skip to main content
Cloud

NetBox Cloud Connectivity Architecture Diagram (Mermaid)

This is the accurate, 100% validated connectivity architecture diagram for NetBox Cloud.

Full Architecture Diagram

Simplified Flow Diagram

Diode Data Ingestion Flow

Infrastructure Layer Diagram

Port Reference

PortProtocolDirectionPurpose
443HTTPSCustomer → NetBox CloudWeb UI, API, gRPC
443HTTPSBrowser ↔ SSO ProviderAuthentication
443HTTPSNetBox Cloud → SSOValidation
443HTTPSNetBox Cloud → WebhooksEvent delivery
22SSHOrb Container → DevicesDevice config (NAPALM)
161SNMPOrb Container → DevicesDevice discovery
443HTTPSOrb Container → vCentervSphere integration

Internal Ports (Not Customer-Facing)

PortServicePurpose
8080NetBox InstanceInternal application port
8080Diode HTTP AuthInternal authentication
8082Diode IngesterInternal gRPC service
8083Diode ReconcilerInternal gRPC service

Note: All internal ports are accessed externally via HTTPS (443) through the NLB and NGINX Ingress Controller.

Architecture Layers Explained

1. Load Balancing Layer (AWS NLB)

  • Entry point for all external traffic
  • DNS resolution via Route53
  • Regional deployment for high availability
  • Port 443 listener for HTTPS traffic
  • Distributes traffic to NGINX Ingress Controllers

2. Ingress Layer (NGINX Ingress Controller)

  • TLS Termination: Decrypts HTTPS traffic
  • Hostname Routing: Routes based on DNS hostname
  • Virtual Hosts: Manages multiple customer instances
  • Path Routing: Directs traffic to correct services
  • Certificate Management: Handles SSL/TLS certificates

3. Application Layer (NetBox + Diode)

  • NetBox instances running on internal port 8080
  • Diode services for data ingestion (if enabled)
  • Multi-tenant isolation via namespaces
  • Internal service-to-service communication

Key Architectural Decisions

  1. All External Traffic Uses Port 443

    • Simplified firewall rules for customers
    • Industry standard HTTPS port
    • Supports both HTTP/2 (web) and gRPC

  2. TLS Terminates at NGINX Ingress

    • Centralized certificate management
    • Enables hostname-based routing
    • Internal traffic can be HTTP (encrypted at network layer)

  3. Two-Tier Load Balancing

    • AWS NLB for network-layer distribution
    • NGINX for application-layer routing
    • Provides both performance and flexibility

  4. Internal Ports Not Exposed

    • Services use internal ports (8080, 8082, 8083)
    • Only accessible within AWS infrastructure
    • Customer only needs to know about port 443

Security Architecture

Usage in Documentation

This Mermaid diagram can be embedded in Docusaurus documentation and will render as an interactive, scalable diagram. It provides the same information as the PNG/SVG but with the advantage of being:

  • ✅ Always accurate (maintained as code)
  • ✅ Accessible and screen-reader friendly
  • ✅ Scalable and responsive
  • ✅ Easy to update (just edit the Mermaid code)
  • ✅ Version controlled with documentation

To use in documentation, simply include the Mermaid code block in any markdown file.

Related Topics
AdministrationAPIAuthenticationDiscoveryNetBoxOperations
Last updated on