Merge pull request #211 from flipt-io/gm/cloud-architecture

feat(cloud/architecture): add initial outline around cloud archiecture

.vale/styles/Flipt/spelling-exceptions.txt

@@ -67,4 +67,7 @@ uncomment
 uncompromised
 URIs
 yaml
-zipkin
+zipkin
+NATs
+hyperscaler
+Reverst

cloud/architecture/overview.mdx

@@ -2,3 +2,79 @@
 title: Technical Details
 description: Learn the technical details of how Flipt Hybrid Cloud works
 ---
+
+This page details how Flipt Cloud is built to provide a simple and scalable solution for accessing and securing your internal, self-hosted deployments of Flipt.
+
+Flipt comes baked with lots of critical features for scale and security, including:
+
+- Ability to scale horizontally
+- HTTPS/TLS support
+- Configurable authentication mechanisms (Static Token, OIDC, GitHub, JWT and Kubernetes)
+- API and UI with session management and termination
+
+These capabilities are super important for deploying Flipt into your infrastructure and making it secure for your users.
+However, enabling and integrating these features isn't free of complexities, infrastructure, and time investment.
+In order to take advantage of these, you're likely going to have to perform one or many of the following:
+
+- Enable networking and routing to your Flipt instance
+- Issue and assign an (internal or external) DNS name for your Flipt
+- Add a load-balancer to distribute load across your instances of Flipt
+- Issue TLS certificates and manage their rotation over time
+- Manually configure OAuth client credentials for your SSO provider for OIDC authentication
+- Deploy and manage a database for Flipt to store session credentials in
+
+<img
+  className="block dark:hidden"
+  src="/images/cloud/architecture/common-infrastructure-light.svg"
+/>
+<img
+  className="hidden dark:block"
+  src="/images/cloud/architecture/common-infrastructure-dark.svg"
+/>
+
+Flipt Cloud replaces all these steps with a few clicks and some API credentials.
+
+## Flipt the Problem on its Head
+
+Flipt Cloud reverses the ingress problem so that your deployments of Flipt dial out to us instead.
+This approach is commonly referred to as _reverse tunneling_.
+Tunneling in this way has some advantages for applications, as they can be deployed in environments without a stable IP address (e.g. behind restrictive NATs).
+For Flipt, this means you can safely expose Flipt from inside a major cloud provider, a modern hyperscaler or simply from your own laptop on your home network.
+
+<img
+  className="block dark:hidden"
+  src="/images/cloud/architecture/architecture-overview-light.svg"
+/>
+<img
+  className="hidden dark:block"
+  src="/images/cloud/architecture/architecture-overview-dark.svg"
+/>
+
+When you register your instance in this way with Flipt Cloud, we issue you with a stable subdomain under flipt.cloud (e.g. production-megacorp.flipt.cloud).
+Using this DNS name, requests for your instances will flow though our API gateways, load-balancers and then only reach your instances once fully authenticated.
+This entire process is performed over secure TLS connections from your end users back to your instances.
+All of which is done without you having to provide TLS certificates, and without having to manage rotation.
+
+## Tunnel Registration
+
+Your connections are made using an API key credential obtained from our Flipt Cloud UI, or via the `flipt cloud login` sub-command of the Flipt CLI.
+This credential is used in an initial handshake to identify your Flipt Cloud organization and the logical instance your Flipt is joining.
+
+<img
+  className="block dark:hidden"
+  src="/images/cloud/architecture/handshake-light.svg"
+/>
+<img
+  className="hidden dark:block"
+  src="/images/cloud/architecture/handshake-dark.svg"
+/>
+
+Once registered and associated with Flipt Cloud, your Flipt instance is added to our remote load balancer pool for your logical instance.
+Now when you visit your new Flipt Cloud instance subdomain, your requests are routed to the instances deployed on your infrastructure.
+
+The majority of the tunneling functionality we perform is now open-source in our project [Reverst](https://github.com/flipt-io/reverst).
+Reverst is unique in that it leverages HTTP/3 and the QUIC protocol to establish secure, reliable, and performant connections for tunnels.
+Keep your eyes peeled for our upcoming blog on how and why we choose to build our reverse tunnels in this way.
+
+We deploy and scale multiple instances of Reverst on our infrastructure for establishing and managing these tunnels for you.
+All while tightly integrating them with the Flipt Cloud user interface, authentication, and instance management system.