There are two server components: the cloud server and the internal (on-prem) cluster.

The on-prem server defines:

- an account `X` with a single user `x`.
- a leaf node configuration that maps a remote user `leaf` (and, by extension, that user's account in the cloud) to account `X`.

Users from the `X` account will be able to see all traffic that flows through the specified remote. Note that `remotes` is an array: you can specify multiple remote credentials (presumably for different cloud accounts) and map them into the same local account. The plaintext passwords and `nats://` URLs in these files are for a local demo; a real on-prem to cloud leaf link should run over TLS with credentials that are not the user name.
`internal.conf`:

```conf
port: 5222
server_name: S1
cluster {
  name: internal
  listen: "127.0.0.1:5001"
}
host: "127.0.0.1"
http: "127.0.0.1:5002"
leafnodes: {
  remotes = [
    { url: "nats://leaf:leaf@localhost:7422", account: "X" },
  ]
}
accounts: {
  X: {
    users: [
      { user: "x", password: "x" }
    ],
  },
}
```
The cloud server (think of it as NGS) has multiple accounts. The user for account `S` is the credential used by the on-prem server's leaf node remote. Note that `S` exports a single service, `q.*`, and only to account `U`, which imports it. The export's `accounts` list is the authorization boundary: no other account can import anything from `S`, and `U` can only reach the one subject its import names.

When users of `U` send a request to `q`, the subject is mapped to `q.u` and delivered to clients of account `S`. In this case the clients for `S` are behind the leaf node, so the message arrives in account `X` on the on-prem server.
`cloud.conf`:

```conf
port: 4222
server_name: S1
cluster {
  name: internal
  listen: "127.0.0.1:4001"
}
host: "127.0.0.1"
http: "127.0.0.1:4002"
leafnodes: {
  port: 7422
}
accounts: {
  U: {
    users: [
      { user: "u", password: "u" }
    ],
    imports: [
      { service: { account: "S", subject: "q.u" }, to: "q" }
    ]
  },
  S: {
    users: [
      { user: "leaf", password: "leaf" }
    ],
    exports: [
      { service: "q.*", accounts: ["U"] }
    ]
  }
}
```
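The import/export rules the two configs rely on, as an added example (not nats-server code, and not from the page's authors): a small Python model that checks each service import against the exporting account's exports, applying NATS subject wildcard semantics (`*` matches exactly one token, `>` matches one or more trailing tokens), and reports which subject a publish on `q` from `U` lands on in `S`. The account dictionary mirrors `cloud.conf`; the third account `V`, the helper names and the rejection wordings are constructed for illustration and are not what nats-server prints.

```python
"""Model of the service import/export check behind cloud.conf.

Added example, not nats-server code. An import is accepted only when the
exporting account has a service export whose subject pattern matches the
imported subject and whose `accounts` allow-list (if any) names the
importing account. Rejection strings below are our own wording.
"""


def subject_matches(pattern: str, subject: str) -> bool:
    """True if the literal `subject` matches the NATS `pattern`."""
    ptoks = pattern.split(".")
    stoks = subject.split(".")
    for i, p in enumerate(ptoks):
        if p == ">":
            # '>' is only valid as the last token and needs >= 1 token left
            return i == len(ptoks) - 1 and len(stoks) > i
        if i >= len(stoks):
            return False
        if p != "*" and p != stoks[i]:
            return False
    return len(ptoks) == len(stoks)


def resolve_service_imports(accounts: dict) -> list:
    """One record per service import:
    (importing acct, local subject, exporting acct, remote subject, status)
    where status is 'ok' or the reason the import would be refused."""
    records = []
    for name, acct in accounts.items():
        for imp in acct.get("imports", []):
            svc = imp["service"]
            exporter, remote = svc["account"], svc["subject"]
            local = imp.get("to", remote)  # no `to` => same subject locally
            status = "no matching export"
            for exp in accounts.get(exporter, {}).get("exports", []):
                pat = exp.get("service")  # stream exports are not services
                if pat is None or not subject_matches(pat, remote):
                    continue
                allowed = exp.get("accounts")  # None => public export
                if allowed is not None and name not in allowed:
                    status = "importing account not in export allow-list"
                    continue
                status = "ok"
                break
            records.append((name, local, exporter, remote, status))
    return records


def map_published_subject(accounts: dict, account: str, subject: str):
    """Where a publish on the literal `subject` from `account` is delivered:
    (exporting account, remote subject), or None if no valid import covers it.
    Literal `to` subjects only, as on this page."""
    for name, local, exporter, remote, status in resolve_service_imports(accounts):
        if name == account and status == "ok" and local == subject:
            return exporter, remote
    return None


# Constructed mirror of the accounts block in cloud.conf, plus a third
# account V that is NOT in S's allow-list, to show the export boundary.
CLOUD_ACCOUNTS = {
    "U": {
        "users": [{"user": "u", "password": "u"}],
        "imports": [{"service": {"account": "S", "subject": "q.u"}, "to": "q"}],
    },
    "S": {
        "users": [{"user": "leaf", "password": "leaf"}],
        "exports": [{"service": "q.*", "accounts": ["U"]}],
    },
    "V": {
        "users": [{"user": "v", "password": "v"}],
        "imports": [{"service": {"account": "S", "subject": "q.v"}, "to": "q"}],
    },
}


if __name__ == "__main__":
    for rec in resolve_service_imports(CLOUD_ACCOUNTS):
        print(rec)
    print("U publishes on q ->", map_published_subject(CLOUD_ACCOUNTS, "U", "q"))
    print("V publishes on q ->", map_published_subject(CLOUD_ACCOUNTS, "V", "q"))
```

Running it shows `U`'s import accepted and mapped to `("S", "q.u")`, while `V`'s identical-looking import is refused because `S` only exported to `["U"]`; the wildcard in `q.*` would also admit an import of `q.admin`, so the export pattern, not the import, is what bounds what a cloud account can be granted from `S`.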
Start the cloud server: `nats-server -c cloud.conf`.

Start the service server: `nats-server -c internal.conf`.

A subscriber on the service side (connected via account `X`):

```shell
nats sub -s nats://x:x@localhost:5222 ">"
```

To publish a message from account `U`:

```shell
nats pub -s nats://u:u@localhost:4222 q hello
```

The subscriber receives the message on subject `q.u`, the subject the import mapped it to. The on-prem server can also be a cluster of servers.