Appliance Provisioning¶

The Appliance Container Provider mode allows you to deploy a provisioning environment with outbound traffic.

Unlike the direct mode, the appliance acts as a bridge initiating an outbound WebSocket connection to the Reemo infrastructure. This architecture allows Reemo to manage your local containers.

Note

Infrastructure and mode selection:

This feature requires specific infrastructure, and the Appliance mode must be selected when creating the provider (this choice is final).
If your network is not restricted and allows a direct connection (via a public IP or VPN), the Appliance mode is not necessary. See creating a direct provider instead.

Deployment Modes¶

The Appliance product is divided into two distinct components:

Connector: manages and communicates with the Reemo infrastructure.
Provision: executes the sandboxes (chromium, ssh, etc.).

Depending on your security and load requirements, you can use one or more servers.

Use the following table to choose the mode suited to your needs:

Criterion	Standard mode	Advanced mode
Number of machines	1	more than 1
Network complexity	Simple	Moderate
Sandbox isolation	On the same host	Dedicated host
Independent scaling	No	Yes
Recommended for	PoC, simple deployments	Production, isolated environments

Standard mode: Connector + Provision on a single machine.

┌─────────────────────────────────────┐
│            Host server              │
│  ┌───────────────────────────────┐  │
│  │    Connector + Provision      │  │
│  └───────────────────────────────┘  │
└─────────────────────────────────────┘
              │ (Outbound only)
              ▼
         Reemo Cloud

Advanced mode: Connector and Provision on two separate machines.

┌──────────────────────┐      ┌──────────────────────┐
│      Connector       │      │      Provision       │
│ (portal management)  │─────▶│     (sandboxes)      │
└──────────────────────┘      └──────────────────────┘
           │                             │
           ▼                             ▼
      Reemo Cloud                   Reemo Cloud

Hardware and Software Prerequisites¶

OS: Ubuntu 20.04+, Debian 11+, RHEL 8+, Rocky Linux 8+
Disk: 100 GB available
Software: No prerequisites. Docker is installed automatically by the script.

Sizing (CPU/RAM)

Note

These values are minimum estimates. Plan for a 20 to 30% margin to absorb load peaks and system operations (cache, logs, etc.).

Connector Component (always required)

Component	CPU	RAM
Connector only	2 vCPU	4 GB

Provision Component (depending on the sandboxes used)

To be added to the Connector resources, per simultaneous session:

Sandbox type	CPU per session	RAM per session
SSH	1 vCPU	200 MB
Chromium	1 vCPU	600 MB

Sizing examples

Standard mode — Connector + Provision on the same machine:

Use case	Total vCPU	Total RAM
Connector only (no sessions)	2	4 GB
Connector + 5 SSH sessions	7	5 GB
Connector + 5 Chromium sessions	7	7 GB
Connector + 10 Chromium sessions	12	10 GB

Advanced mode — Connector and Provision on two separate machines:

Type	vCPU	RAM
Connector	2	4 GB
Provision (5 Chromium sessions)	5	3 GB
Provision (10 SSH sessions)	10	2 GB

Network flows to open¶

Warning

These flows must be opened before starting the installation, otherwise connectivity checks will fail and the installation will be aborted.

All flows are outbound only: no inbound opening is required from the Internet to your machines.

Choose the transport protocol according to your network constraints:

WebRTC (recommended): best performance, requires UDP
WebSocket: if your network blocks UDP or imposes a single HTTP proxy

WebRTC Protocol

Source	Destination	Protocol / Port
Connector	Reemo infra	TCP / 8443, 8444, 8446
Connector	`registry.reemo.io`	TCP / 443
Connector	`registry-auth.reemo.io`	TCP / 443
Connector	`downloads.reemo.io`	TCP / 443
Connector	`turn.cloudflare.com`	UDP/TCP / 3478

Optional — direct UDP connection (best performance)

To enable direct mode (without TURN relay):

Source	Destination	Source ports	Dest. ports	Protocol
Connector	Internet	58200–58400	1024–65535	UDP

WebSocket Protocol

Use this if your network does not allow WebRTC or blocks UDP.

Source	Destination	Protocol / Port
Connector	Reemo infra	TCP / 8443, 8444, 8446
Connector	relayws environment	TCP / 443

WebRTC Protocol

From the Connector machine

Source	Destination	Protocol / Port
Connector	Reemo infra	TCP / 8443, 8444, 8446
Connector	`registry.reemo.io`	TCP / 443
Connector	`registry-auth.reemo.io`	TCP / 443
Connector	`downloads.reemo.io`	TCP / 443

From the Provision machine

Source	Destination	Protocol / Port
Provision	`registry.reemo.io`	TCP / 443
Provision	`registry-auth.reemo.io`	TCP / 443
Provision	`turn.cloudflare.com`	UDP/TCP / 3478

Optional — direct UDP connection

Source	Destination	Source ports	Dest. ports	Protocol
Provision	Internet	58200–58400	1024–65535	UDP

WebSocket Protocol

From the Connector machine

Source	Destination	Protocol / Port
Connector	Reemo infra	TCP / 8443, 8444, 8446
Connector	`registry.reemo.io`	TCP / 443
Connector	`registry-auth.reemo.io`	TCP / 443

From the Provision machine

Source	Destination	Protocol / Port
Provision	`registry.reemo.io`	TCP / 443
Provision	`registry-auth.reemo.io`	TCP / 443
Provision	relayws environment	TCP / 443

Note

Source UDP port range (58200–58400): This range is configurable and can be adapted according to your strict firewall rules.

Installation and deployment guides¶

Once your architecture is chosen and your network flows are opened, proceed to deploy the appliance. Choose the guide corresponding to your environment:

dns

Standard installation

Recommended for a simple installation on a single machine

appliance-install-std.html

hub

Advanced installation

Intended for clusters (Kubernetes, Swarm) and architectures separating the Connector from Provisioning

appliance-install-adv.html