Solved

Leader Nodes Configuration Inquiry For Edge Clients Inside DMZ

  • February 28, 2026
  • 13 replies
  • 5 views

This message originated from Cribl Community Slack.

Do people typically spin up Leader nodes inside of a DMZ to control Edge clients in there?

Best answer by Brandon McCombs

Your question was about controlling the Edge clients so Outpost will do that and avoid punching holes in the firewall for each Edge client for purposes of controlling them because Outpost will serve as their application-level proxy for that. It won't change what has to be opened in the firewall for Edge to do data collection and forwarding.

13 replies

Use Outpost. That can help reduce the # of hosts communicating into/out of the DMZ by sending through Outpost. Config deployment requests will go through Outpost to hit the leader but will bypass Outpost if those requests go to the CDN.

Right - but still need a dedicated host, right? It just may not be a Leader node, it will be an Outpost node

Can I do PQ on an Outpost node? I'm thinking Edge --> Outpost (with PQ) --> || --> Stream WG

  • Participating Frequently
  • February 28, 2026
@user RE PQ. Outpost is used for the control plane, not the data plane (at least per my understanding).

Maybe - but then I'm at a loss for the benefit for No handing out firewall rules like candy on Halloween because I still have to do that for Edge connections to my Network

  • Participating Frequently
  • February 28, 2026
So if you wanted to proxy the data plane you would still need a proxy (e.g. Squid).

Right - so I'm still punching holes in the firewall for data-plane stuff. Just not management stuff. Perhaps missed opportunity, or I'm not thinking about it correctly.

  • Participating Frequently
  • February 28, 2026
Could you host a WG in your DMZ and send data from your Edge nodes there?

Your question was about controlling the Edge clients so Outpost will do that and avoid punching holes in the firewall for each Edge client for purposes of controlling them because Outpost will serve as their application-level proxy for that. It won't change what has to be opened in the firewall for Edge to do data collection and forwarding.

Right - but Cribl is propping up Outpost with verbiage that doesn't exactly fit the mold. This is misleading.


  • Participating Frequently
  • February 28, 2026
I'm working off of this page. Outpost does solve a pain point for me... setting up and managing a SOCKS proxy - which is often more difficult to get than a web proxy. For the data plane, a worker group for aggregation in the DMZ (+ Outpost for control plane) would be one way to minimize the number of agents directly going out over the internet. Outpost + a web proxy is another alternative. A cookbook for highly secured environments would be useful. Thanks for the blog idea @user 🙂

Yes, luckily, I do have a WG already for this reason. But I have many other places that do not have a WG setup yet. You could almost limit the amount of data processing done by an Outpost node to strictly pass thru mode only. Then I wouldn't need a WG downstream.

Just saying, the code is already there.