## Cloud Edge Node
A small Hetzner cloud server (CX11 or similar) acts as the sole public entry point. It holds the public IP and terminates HTTPS. It does not run heavy compute workloads.
| Component | Details |
|---|---|
| Provider | Hetzner Cloud (CX11 or CX21 tier) |
| Public IP | Static IPv4. DNS A-record for the application domain points here. |
| Reverse proxy | Nginx or Caddy. Terminates TLS, forwards to on-prem FastAPI via Netbird. |
| Netbird role | Peer in the Netbird mesh. Routes to 10.42.0.0/16 via the netbird-1a LXC routing peer. |
| Object storage | Hetzner Object Storage bucket in same region. Workers write Parquet files here directly using S3 API credentials. |
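As an added example that is not configuration from the page's own deployment, an Nginx server block for the edge node that terminates TLS on the public IP and forwards requests to the on-prem FastAPI service over the Netbird overlay. The domain `app.example.com`, the certificate paths, and the on-prem address `10.42.10.5:8000` are assumed placeholders.

```nginx
# Edge node reverse proxy (added example; names and addresses are placeholders).
# Public side: TLS on 443. Private side: plain HTTP over the Netbird overlay
# to an on-prem host reached through the netbird-1a routing peer.
upstream onprem_fastapi {
    server 10.42.10.5:8000;   # assumed on-prem FastAPI address
    keepalive 16;
}

# Catch-all: anything hitting the public IP with an unknown Host is dropped.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    return 444;
}

server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;   # plain HTTP only redirects
}

server {
    listen 443 ssl http2;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://onprem_fastapi;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Let FastAPI see the real client and the original scheme
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fail fast if the overlay route to 10.42.0.0/16 is down
        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;
    }
}
```

Because TLS ends here, the hop from the edge to 10.42.10.5 is protected only by the WireGuard tunnel, so the FastAPI port should not be reachable from anywhere except the overlay.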
### Why a relay server?
The on-premises cluster has no inbound port forwarding and sits behind a residential or business firewall. The Hetzner edge server provides a stable public endpoint without requiring any changes to the on-prem firewall or exposing the cluster directly.
### Netbird overlay configuration
Netbird creates a WireGuard-based mesh between all peers. The netbird-1a LXC container acts as a routing peer, advertising the entire on-prem supernet. The Hetzner edge peer gains access to all on-prem VLANs through a single route advertisement.
```bash
# netbird-1a LXC: advertise the on-prem supernet
netbird up \
  --setup-key <SETUP_KEY> \
  --advertise-routes 10.42.0.0/16 \
  --allow-server-ssh

# Hetzner edge server: peer joins mesh normally
netbird up --setup-key <SETUP_KEY>
```
### CheckMK monitoring
A CheckMK instance on the Hetzner edge can reach on-prem hosts via the Netbird overlay using the routing-peer pattern above. Install only the CheckMK agent on on-prem hosts; no Netbird client is required on every machine.