@@ -162,3 +162,109 @@ offer the fastest developer experience.
162162- Session persistence (sticky sessions) can be disabled as_ coderd_ instances
163163 are stateless.
164164- WebSocket and long-lived connections must be supported.
165+
166+ ###Multi-cloud architecture
167+
168+ By distributing Coder workspaces across different cloud providers, organizations
169+ can mitigate the risk of downtime caused by provider-specific outages or
170+ disruptions. Additionally, multi-cloud deployment enables organizations to
171+ leverage the unique features and capabilities offered by each cloud provider,
172+ such as region availability and pricing models.
173+
174+ ![ Architecture Diagram] ( ../images/architecture-multi-cloud.png )
175+
176+ ####Components
177+
178+ The deployment model comprises:
179+
180+ - ` coderd ` instances deployed within a single region of the same cloud provider,
181+ with replicas strategically distributed across availability zones.
182+ - Workspace provisioners deployed in each cloud, communicating with` coderd `
183+ instances.
184+ - Workspace proxies running in the same locations as provisioners to optimize
185+ user connections to workspaces for maximum speed.
186+
187+ Due to the relatively large overhead of cross-regional communication, it is not
188+ advised to set up multi-cloud control planes. It is recommended to keep coderd
189+ replicas and the database within the same cloud-provider and region.
190+
191+ Note: The_ multi-cloud architecture_ follows the deployment principles outlined
192+ in the_ multi-region architecture_ . However, it adapts component selection based
193+ on the specific cloud provider. Developers can initiate workspaces based on the
194+ nearest region and technical specifications provided by the cloud providers.
195+
196+ #####Workload resources
197+
198+ ** Workspace provisioner**
199+
200+ - _ Security recommendation_ : Create a long, random pre-shared key (PSK) and add
201+ it to the regional secret store, so that local_ provisionerd_ can access it.
202+ Remember to distribute it using safe, encrypted communication channel. The PSK
203+ must also be added to the_ coderd_ configuration.
204+
205+ ** Workspace proxy**
206+
207+ - _ Security recommendation_ : Use` coder ` CLI to create
208+ [ authentication tokens for every workspace proxy] ( ../admin/workspace-proxies.md#requirements ) ,
209+ and keep them in regional secret stores. Remember to distribute them using
210+ safe, encrypted communication channel.
211+
212+ ** Managed database**
213+
214+ - For AWS:_ Amazon RDS for PostgreSQL_
215+ - For Azure:_ Azure Database for PostgreSQL - Flexible Server_
216+ - For GCP:_ Cloud SQL for PostgreSQL_
217+
218+ #####Workload supporting resources
219+
220+ ** Kubernetes platform (optional)**
221+
222+ - For AWS:_ Amazon Elastic Kubernetes Service_
223+ - For Azure:_ Azure Kubernetes Service_
224+ - For GCP:_ Google Kubernetes Engine_
225+
226+ See how to deploy
227+ [ Coder on Azure Kubernetes Service] ( https://github.com/ericpaulsen/coder-aks ) .
228+
229+ Learn more about[ security requirements] ( ../install/kubernetes.md ) for deploying
230+ Coder on Kubernetes.
231+
232+ ** Load balancer**
233+
234+ - For AWS:
235+ - _ AWS Network Load Balancer_
236+ - Level 4 load balancing
237+ - For Kubernetes deployment: annotate service with
238+ ` service.beta.kubernetes.io/aws-load-balancer-type: "nlb" ` , preserve the
239+ client source IP with` externalTrafficPolicy: Local `
240+ - _ AWS Classic Load Balancer_
241+ - Level 7 load balancing
242+ - For Kubernetes deployment: set` sessionAffinity ` to` None `
243+ - For Azure:
244+ - _ Azure Load Balancer_
245+ - Level 7 load balancing
246+ - Azure Application Gateway
247+ - Deploy Azure Application Gateway when more advanced traffic routing
248+ policies are needed for Kubernetes applications.
249+ - Take advantage of features such as WebSocket support and TLS termination
250+ provided by Azure Application Gateway, enhancing the capabilities of
251+ Kubernetes deployments on Azure.
252+ - For GCP:
253+ - _ Cloud Load Balancing_ with SSL load balancer:
254+ - Layer 4 load balancing, SSL enabled
255+ - _ Cloud Load Balancing_ with HTTPS load balancer:
256+ - Layer 7 load balancing
257+ - For Kubernetes deployment: annotate service (with ingress enabled) with
258+ ` kubernetes.io/ingress.class: "gce" ` , leverage the` NodePort ` service
259+ type.
260+ - Note: HTTP load balancer rejects DERP upgrade, Coder will fallback to
261+ WebSockets
262+
263+ ** Single sign-on**
264+
265+ - For AWS:
266+ [ AWS IAM Identity Center] ( https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html )
267+ - For Azure:
268+ [ Microsoft Entra ID Sign-On] ( https://learn.microsoft.com/en-us/entra/identity/app-proxy/ )
269+ - For GCP:
270+ [ Google Cloud Identity Platform] ( https://cloud.google.com/architecture/identity/single-sign-on )