CNCF and Synadia Align on Securing the Future of the NATS.io Project. Read the joint press release.
NATS Docs
NATS.ioNATS by ExampleGitHubSlackTwitter
  • Welcome
  • Release Notes
    • What's New!
      • NATS 2.11
      • NATS 2.10
      • NATS 2.2
      • NATS 2.0
  • NATS Concepts
    • Overview
      • Compare NATS
    • What is NATS
      • Walkthrough Setup
    • Subject-Based Messaging
    • Core NATS
      • Publish-Subscribe
        • Pub/Sub Walkthrough
      • Request-Reply
        • Request-Reply Walkthrough
      • Queue Groups
        • Queueing Walkthrough
    • JetStream
      • Streams
      • Source and Mirror Streams
        • Example
      • Consumers
        • Example
      • JetStream Walkthrough
      • Key/Value Store
        • Key/Value Store Walkthrough
      • Object Store
        • Object Store Walkthrough
      • Headers
    • Subject Mapping and Partitioning
    • NATS Service Infrastructure
      • NATS Adaptive Deployment Architectures
    • Security
    • Connectivity
  • Using NATS
    • NATS Tools
      • nats
        • nats bench
      • nk
      • nsc
        • Basics
        • Streams
        • Services
        • Signing Keys
        • Revocation
        • Managed Operators
      • nats-top
        • Tutorial
    • Developing With NATS
      • Anatomy of a NATS application
      • Connecting
        • Connecting to the Default Server
        • Connecting to a Specific Server
        • Connecting to a Cluster
        • Connection Name
        • Authenticating with a User and Password
        • Authenticating with a Token
        • Authenticating with an NKey
        • Authenticating with a Credentials File
        • Encrypting Connections with TLS
        • Setting a Connect Timeout
        • Ping/Pong Protocol
        • Turning Off Echo'd Messages
        • Miscellaneous functionalities
        • Automatic Reconnections
          • Disabling Reconnect
          • Set the Number of Reconnect Attempts
          • Avoiding the Thundering Herd
          • Pausing Between Reconnect Attempts
          • Listening for Reconnect Events
          • Buffering Messages During Reconnect Attempts
        • Monitoring the Connection
          • Listen for Connection Events
          • Slow Consumers
      • Receiving Messages
        • Synchronous Subscriptions
        • Asynchronous Subscriptions
        • Unsubscribing
        • Unsubscribing After N Messages
        • Replying to a Message
        • Wildcard Subscriptions
        • Queue Subscriptions
        • Draining Messages Before Disconnect
        • Receiving Structured Data
      • Sending Messages
        • Including a Reply Subject
        • Request-Reply Semantics
        • Caches, Flush and Ping
        • Sending Structured Data
      • Building Services
      • JetStream
        • JetStream Model Deep Dive
        • Managing Streams and consumers
        • Consumer Details
        • Publishing to Streams
        • Using the Key/Value Store
        • Using the Object Store
      • Tutorials
        • Advanced Connect and Custom Dialer in Go
    • Running Workloads on NATS
      • Getting Started
        • Installing Nex
        • Building a Service
        • Starting a Node
        • Deploying Services
        • Building a Function
        • Deploying Functions
      • Host Services
        • Javascript | V8
      • Nex Internals
        • Architecture Overview
        • Node Process
        • Nex Agent
        • No Sandbox Mode
        • Root File System
        • Control Interface
      • FAQ
  • Running a NATS service
    • Installing, running and deploying a NATS Server
      • Installing a NATS Server
      • Running and deploying a NATS Server
      • Windows Service
      • Flags
    • Environmental considerations
    • NATS and Docker
      • Tutorial
      • Docker Swarm
      • Python and NGS Running in Docker
      • JetStream
      • NGS Leaf Nodes
    • NATS and Kubernetes
    • NATS Server Clients
    • Configuring NATS Server
      • Configuring JetStream
        • Configuration Management
          • NATS Admin CLI
          • Terraform
          • GitHub Actions
          • Kubernetes Controller
      • Clustering
        • Clustering Configuration
        • v2 Routes
        • JetStream Clustering
          • Administration
          • Troubleshooting
      • Super-cluster with Gateways
        • Configuration
      • Leaf Nodes
        • Configuration
        • JetStream on Leaf Nodes
      • Securing NATS
        • Enabling TLS
        • Authentication
          • Tokens
          • Username/Password
          • TLS Authentication
            • TLS Authentication in clusters
          • NKeys
          • Authentication Timeout
          • Decentralized JWT Authentication/Authorization
            • Account lookup using Resolver
            • Memory Resolver Tutorial
            • Mixed Authentication/Authorization Setup
        • Authorization
        • Multi Tenancy using Accounts
        • OCSP Stapling
        • Auth Callout
      • Logging
      • Enabling Monitoring
      • MQTT
        • Configuration
      • Configuring Subject Mapping
      • System Events
        • System Events & Decentralized JWT Tutorial
      • WebSocket
        • Configuration
    • Managing and Monitoring your NATS Server Infrastructure
      • Monitoring
        • Monitoring JetStream
      • Managing JetStream
        • Account Information
        • Naming Streams, Consumers, and Accounts
        • Streams
        • Consumers
        • Data Replication
        • Disaster Recovery
        • Encryption at Rest
      • Managing JWT Security
        • In Depth JWT Guide
      • Upgrading a Cluster
      • Slow Consumers
      • Signals
      • Lame Duck Mode
      • Profiling
  • Reference
    • FAQ
    • NATS Protocols
      • Protocol Demo
      • Client Protocol
        • Developing a Client
      • NATS Cluster Protocol
      • JetStream wire API Reference
    • Roadmap
    • Contributing
  • Legacy
    • nats-account-server
Powered by GitBook
On this page
  • Architecture Overview
  • Workload NATS vs Control NATS
  • Workload NATS
  • Control NATS
  • Nex Components
  • Internal (Hidden) NATS

Was this helpful?

Edit on GitHub
Export as PDF
  1. Using NATS
  2. Running Workloads on NATS
  3. Nex Internals

Architecture Overview

PreviousNex InternalsNextNode Process

Last updated 1 year ago

Was this helpful?

While the vast majority of the functionality of Nex can be found inside the single nex binary, Nex is actually a suite of tools and components that all collaborate to give you the power to deploy and manage workloads using your existing NATS infrastructure.

Architecture Overview

The following diagram provides an illustration of the Nex system architecture and how all of the various componenents interoperate. It might seem a bit daunting at first, so we'll cover each part of the diagram in detail next.

Workload NATS vs Control NATS

Before we even get into discussing the various components, there's some context we need to provide first. Quite possibly one of the most important concepts to understand is the distinction between the NATS system used by a workload and the NATS system used by Nex. It is crucial to understand this in order to properly (and securely) configure your systems for use in production.

Workload NATS

The connection(s) used by workloads are just that. If you're taking pre-existing services and deploying them to Nex, then you'll know that these workloads need their own NATS connections and, depending on the application, often have very specific connection and security requirements.

This connection stays the same whether the code is running within or outside of Nex.

The situation is easy for services because they rely on environment variables and, most importantly, are allowed to create their own connections to NATS servers (within the constraints of CNI configuration).

Control NATS

All Nex nodes are remotely controllable. This is the key to the imperative-style control that we've mentioned a few times. When a Nex node is brought up, it requires a NATS connection. This connection is exclusively for command and control operations. As such, when you're planning on how to structure accounts, signing keys, and operators, you should keep this in mind. Even though Nex is quite secure, you still don't want untrusted code to have unfettered access to control connections.

All control operations take place on a topic namespace that starts with the $NEX prefix, making it easy to isolate and control access.

Unless you're running in a test or development environment, the connections used by workloads should never overlap with connections used by the control interface. You don't necessarily need private servers, but you should be able to guarantee traffic isolation.

Nex Components

There are a number of key Nex components contained in the preceding diagram, and each is discussed in detail in this section.

Internal (Hidden) NATS

There's yet another NATS connection in this diagram that we thought it best to leave until the end of the discussion to avoid unnecessary confusion. This is the internal NATS connection that is used by the Nex node and the agent to communicate.

This connection is not used by application code, nor is it used by remote control code. It is only used internally and is only bound to an IP address usable on that local device. In other words, even if you wanted to use this NATS connection remotely, you shouldn't be able to.

In most cases, unless you're contributing to this part of the code, it's probably easiest to ignore this connection.

In most applications like this, especially those inspired by the guidelines, your code gets its connection data from environment configuration. For example, it might pick up the server URL(s) from the NATS_SERVER environment variable.

Functions play a more passive role in their NATS connection. Rather than creating their own NATS connections, they rely on provided by the Nex node to communicate with limited NATS resources such as key-value and object store buckets and publication subjects. This connection is also dictated by the initial parameters to the workload deployment.

12 factor
host services
Node Process
Nex Agent
Root File System
Control Interface
architecture diagram