Per conversations with the foundation, the network is being developed in multiple phases.

Phase 1 - Current

• Single IP whitelisted
  • Means running P-Rep behind a NAT is not possible unless all traffic is pushed over NAT
  • Need to build custom NAT with iptables for both incoming and outgoing (basically a router)

Phase 2 & 3

• Multiple IP addresses possible for whitelisting
  • Means we can whitelist both a NAT IP for outboud and NLB for inbound
  • NLB would then point to nginx / citizen nodes target groups on ASG
• Layer 7 traffic transition
  • Means we can move away from NLB into ALB and WAF
• Use of vault as secrets store
  • Everyone will need GPG keys to unseal cluster
  • Modify entrypoint on docker-container to pull secrets at run time to unseal container
• Database backend to store blockchain