Cloud Endpoint Service — primer
Help Center primer for the TLSStress.Art Cloud SDWAN On-Ramp Endpoint Service. Pairs with ADR 0023.
What it is
A multi-PoP IaaS that your bench dials out to over IPSec, providing realistic SDWAN test endpoints in 8 geographic regions. Replaces local synthetic endpoints with traffic flowing through real public Internet paths.
When to use
- SDWAN realism — testing latency / loss / jitter through actual public Internet (synthetic local endpoints can't simulate this)
- Multi-region tests — bench dials a São Paulo PoP for latency matrix that mirrors customer's WAN topology
- iperf3 baseline — definitive iperf3 server for SDWAN throughput tests (resolves the K6-vs-iperf3 baseline question)
When NOT to use
- Air-gap deployments — no Internet from bench to cloud (use self-hosted endpoint container instead, PR-20)
- Lab-only validation — local mode is faster + cheaper
- Customer's WAN is private (MPLS-only with no Internet path)
Service tiers
| Tier | Test quota | PoPs available | Throughput cap | Pricing |
|---|---|---|---|---|
| Free | 1 / 5min | 1 (nearest) | 50 Mbps | $0 |
| Pro | 100/month | 4 (your region) | 500 Mbps | $X / test |
| Team+ | 1000/month | all 8 globally | 5 Gbps | $Y / test |
| Enterprise | unlimited | dedicated PoP | 25 Gbps | quote |
Stripe metering per IPSec session-second.
PoP locations (initial 8)
| Code | Location |
|---|---|
| SAO01 | São Paulo, BR |
| GRU01 | São Paulo (alt), BR |
| BSB01 | Brasília, BR |
| IAD01 | US East, Virginia |
| FRA01 | Frankfurt, DE |
| AMS01 | Amsterdam, NL |
| SIN01 | Singapore, SG |
| SYD01 | Sydney, AU |
How to use
Bench side (no install — built into v5.x bench)
- Open the bench dashboard → Test Plan builder
- Pick test kind = `sdwan-cor`
- In the SDWAN config, set `remote-endpoint` mode to cloud
- Pick a PoP (auto-suggests nearest based on bench geoIP)
- Cloud Endpoint Service creates an IPSec session + returns credentials
- Run the test — traffic flows: bench → IPSec → cloud PoP → iperf3 server → return
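
A pre-test check that the iperf3 flow in the last step is actually covered by the IPSec tunnel, added here as an example (not TLSStress.Art code). It assumes a Linux bench whose tunnel appears as kernel XFRM policies in `ip xfrm policy` output; the sample output, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output; addresses are documentation
# ranges, not real bench or PoP addresses.
SAMPLE_XFRM = """\
src 10.10.0.0/24 dst 10.200.8.0/24
    dir out priority 375423 ptype main
    tmpl src 192.0.2.10 dst 198.51.100.5
        proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
src 10.200.8.0/24 dst 10.10.0.0/24
    dir in priority 375423 ptype main
    tmpl src 198.51.100.5 dst 192.0.2.10
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""

def parse_policies(text):
    """Split `ip xfrm policy` output into one dict per policy block."""
    policies = []
    for line in text.splitlines():
        if line.startswith("src "):  # an unindented line opens a new policy
            m = re.match(r"src (\S+) dst (\S+)", line)
            policies.append({"src": m.group(1), "dst": m.group(2),
                             "dir": None, "esp_tunnel": False, "peer": None})
        elif policies:
            p, s = policies[-1], line.strip()
            if s.startswith("dir "):
                p["dir"] = s.split()[1]
            elif s.startswith("tmpl "):
                p["peer"] = re.search(r"dst (\S+)", s).group(1)
            elif s.startswith("proto esp") and "mode tunnel" in s:
                p["esp_tunnel"] = True
    return policies

def tunnel_peer_for(text, src_ip, dst_ip):
    """Return the ESP tunnel peer that outbound src_ip -> dst_ip traffic
    would use, or None if no outbound ESP tunnel policy covers the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in parse_policies(text):
        if (p["dir"] == "out" and p["esp_tunnel"]
                and src in ipaddress.ip_network(p["src"])
                and dst in ipaddress.ip_network(p["dst"])):
            return p["peer"]
    return None
```

A `None` result for the bench-to-iperf3 address pair means the flow would leave the bench outside the tunnel, so the run should be stopped before any traffic is sent.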
Self-hosted endpoint (air-gap, PR-20)
- Download the container: `docker pull tlsstressart/endpoint:v1`
- Run on customer infra in their VPC (NOT bench)
- Bench dials it via IPSec like any other endpoint
- No Internet egress from bench — endpoint is private
Auth + auth
- API key issued at first cloud authorization
- Stored encrypted in bench secrets store
- Rotated quarterly (auto-rotation opt-in)
- Per-tenant credential isolation
What the cloud PoP provides
Each PoP runs a multi-tenant service mix:
- StrongSwan IPSec tunnel terminator (one per active tenant session)
- iperf3 fleet (multi-process, per-tenant ports)
- H2 / H3 / QUIC test endpoints
- DNS test server (for SDWAN DNS resolver latency)
- NTP server (for SDWAN time-skew validation)
Common questions
Latency expectation from BR to São Paulo PoP? ~5-20ms RTT typical from major BR ISPs.
Will my data be inspected by the cloud? No. IPSec protects traffic end-to-end between the bench and the PoP's tunnel terminator. The terminator decrypts ESP, but the iperf3 / H2 / H3 endpoints behind it don't snoop payload.
Is there a data residency option? Enterprise tier offers dedicated PoP in customer-specified region with data-residency clause.
What happens if my PoP fails mid-test? Bench detects connection drop within 5s and surfaces an error. No auto-failover within a test — restart with a different PoP.
Compliance / SOC 2? Cloud Endpoint Service is on the SOC 2 Type II roadmap (per ADR 0018). Pre-SOC2 use is at-your-own-risk for production-sensitive workloads.
Related
- ADR 0023 — design lock
- Branch Office primer — sister test kind
- SDWAN/CoR primer — uses cloud endpoint as remote