Improve the Networking Reference diagram

ptgott · ptgott · commit 79e96f1e9c2f · 2026-02-19T15:05:30.000-05:00
- Separate the Linux server icon from the main agent pool to indicate
  that the agent runs on the server.
- Show a Kubernetes cluster separately from the main agent pool to
  indicate that the agent can be in the cluster.
diff --git a/docs/pages/reference/deployment/networking.mdx b/docs/pages/reference/deployment/networking.mdx
@@ -44,34 +44,66 @@ group public_net(carbon-network-public)[Public Internet]
 group dmz_net(carbon-network-public)[DMZ or Public Subnet]
 group private_net(carbon-virtual-private-cloud)[Private Network]
 group private_net2(carbon-virtual-private-cloud)[Private Network]
+group k8s_net(carbon-virtual-private-cloud)[Kubernetes Cluster in Private Network]
 
 %% Services
 service user(carbon-user)[User] in public_net
 service proxy(teleport-logo-purple)[Teleport Proxy Service] in dmz_net
 service auth(teleport-logo-purple)[Teleport Auth Service] in private_net2
-service ssh_node(carbon-bare-metal-server)[SSH Nodes] in private_net
-service db(carbon-db2-database)[Databases] in private_net
+
+%% Core Private Services
 service agent(teleport-logo-purple)[Teleport Agents] in private_net
-service k8s(logos-kubernetes)[Kubernetes Clusters] in private_net
+service ssh_node(teleport-logo-purple)[Teleport SSH Service on a Linux Server] in private_net
+
+%% Destination Endpoints
+service db(carbon-db2-database)[Databases] in private_net
 service windows(carbon-virtual-desktop)[Windows Desktops] in private_net
 service webapp(carbon-code)[Web Applications] in private_net
 
-%% Connections
-junction agentconn in private_net
-junction agentconn2 in private_net
+%% Kubernetes Group Services
+service k8s_agent(teleport-logo-purple)[Teleport Agent] in k8s_net
+service k8s_pods(logos-kubernetes)[Kubernetes Pods] in k8s_net
+
+%% Routing Junctions
+junction p_conn in private_net
+junction j_mid in private_net
+junction j_top in private_net
+junction j_bot in private_net
 
-user:B --> T:proxy
+%% Buffer junctions for spacing
+junction j_usr_buf
+junction j_proxy_agent_buf
 
-agent:L --> R:proxy
+%% Control Plane & Edge Connections
+user:R -- L:j_usr_buf
+j_usr_buf:R --> L:proxy
 auth:T --> B:proxy
 
-agent:R -- L:agentconn
-agentconn:T --> B:ssh_node
-agentconn:B --> T:db
-agentconn2:L -- R:agentconn
-agentconn2:T --> B:k8s
-agentconn2:B --> T:windows
-agentconn2:R --> L:webapp
+%% Kubernetes Cluster routing 
+%% Moved K8s group above the Proxy
+k8s_agent:B --> T:proxy
+k8s_agent:T --> B:k8s_pods
+
+%% Reverse tunnel flow into the Proxy Service
+%% p_conn:L --> R:proxy
+
+p_conn:L -- R:j_proxy_agent_buf
+j_proxy_agent_buf:L --> R:proxy
+
+%% Positioning Teleport Agents above the SSH Service on a Linux Server
+%% service
+agent:B -- T:p_conn
+ssh_node:T -- B:p_conn
+
+%% Vertical bus creation for endpoints
+agent:R -- L:j_mid
+j_mid:T -- B:j_top
+j_mid:B -- T:j_bot
+
+%% Vertically aligned destination endpoints
+j_top:R --> L:db
+j_mid:R --> L:windows
+j_bot:R --> L:webapp
 ```
 
 ## Public addresses
