You can connect your services to Restate Cloud in several ways, depending on where they run:

Connecting services in private environments

You can connect services that run in a locked-down private environment to Restate Cloud using a secure tunnel. This allows you to expose your services to Restate Cloud without opening up ports to the public internet. You can deploy the tunnel client in your environment and make it appear as if your Restate Cloud environment is inside your private network. This allows you to use native access control mechanisms, like VPC Security Groups and Kubernetes network policies, to manage access.

1. Create a Restate Cloud environment

Open the Restate Cloud UI and create a new environment. Note the environment id (env_...) and request signing key (under security -> HTTP services: publickeyv1_...), as you will need them later. Create a "Full" scope API key with a descriptive name for the tunnel client and copy the key for later.

2. Set up the CLI

Next, we need to set up a CLI profile to connect to our Restate Cloud environment. Log in to Restate Cloud using the CLI:
restate cloud login
Set up a new CLI profile for your environment:
restate cloud env configure
Tell the CLI to use the new environment:
restate config use-env <name>

3. Run the tunnel

The tunnel can be hosted as a cloud VM in your VPC, a sidecar to your service, or a dedicated pod in your container orchestrator. You can deploy multiple copies for redundancy. To run the tunnel:
# export RESTATE_ENVIRONMENT_ID=env_...
# export RESTATE_BEARER_TOKEN=key_...
# export RESTATE_TUNNEL_NAME=test-tunnel
# export RESTATE_SIGNING_PUBLIC_KEY=publickeyv1_...
# export RESTATE_CLOUD_REGION=eu

docker run \
  -e RESTATE_ENVIRONMENT_ID \
  -e RESTATE_BEARER_TOKEN \
  -e RESTATE_TUNNEL_NAME \
  -e RESTATE_SIGNING_PUBLIC_KEY \
  -e RESTATE_CLOUD_REGION \
  -p 8080:8080 \
  -p 9090:9090 \
  -p 9070:9070 \
  -it ghcr.io/restatedev/restate-cloud-tunnel-client:latest

4. Run a Restate service

Follow the quickstart to run a Restate service locally.
restate example typescript-hello-world
cd typescript-hello-world
npm install
npm run dev

5. Register your service

If your setup is correct, you can now register your service with the Restate Cloud environment:
restate deployments register https://tunnel.eu.restate.cloud:9080/<no-prefix-env-id>/<tunnel-name>/http/<remote-fqdn>/<remote-port>
  • Use just the numeric environment id here (without the env_ prefix).
  • The tunnel name must match the name provided to the tunnel client.
  • The remote fqdn and port must resolve to the Restate service endpoint (e.g. localhost:9080) from the perspective of the tunnel client.
For example, if your service is running on localhost:9080 and your environment id is env_20d1231jyphzkm8, you can register it like this:
restate deployments register https://tunnel.eu.restate.cloud:9080/20d1231jyphzkm8/test-tunnel/http/localhost/9080

6. Test your service

You can now test your service by invoking it via Restate Cloud:
curl localhost:8080/Greeter/greet --json '{"name": "Sarah"}'

How does it work?

  • The Restate CLI communicates with your Restate environment at https://*.eu.restate.cloud:9070 using your user ID token and asks the admin API to perform a discovery at the special tunnel URL.
  • The Restate Cloud end of the tunnel receives the request from your environment and forwards the traffic to the tunnel container.
  • The tunnel container forwards the traffic to the Restate service endpoint.
[Figure: Invocation overview]

Connecting AWS Lambda services

To invoke services running on AWS Lambda, Restate Cloud needs to assume an AWS identity in the same account that the Lambda is deployed to. Create a new role that has permission to invoke your Lambda handlers, and give it the following trust policy.
The Restate Cloud role is distinct from the Lambda function’s execution role. The execution role is assumed by your function to perform its work. A dedicated invoker role is needed to grant Restate Cloud permission to invoke service handler functions in your account, and nothing more.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::654654156625:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::654654156625:role/RestateCloud",
                    "sts:ExternalId": "${ENVIRONMENT_ID}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::654654156625:root"
            },
            "Action": "sts:TagSession"
        }
    ]
}
You can now register your Lambda through the new role:
restate deployments register <LAMBDA_FUNCTION_ARN> --assume-role-arn <ROLE_ARN>
If something isn’t working, the environment logs in the cloud UI may help you find the issue.
Securing your services: If your Lambda has an appropriate trust policy as described above, you do not need to secure incoming requests any further. If you choose to, however, the identity verification checks will work on Lambda endpoints as well.
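The trust policy above only limits the role to your environment if both StringEquals conditions survive intact. The following check is an added example, not Restate's own tooling: it audits a trust policy document for the two conditions and for wildcard principals. The function names and the sample environment id are assumptions made for illustration; pass whatever value you substituted for ${ENVIRONMENT_ID}.

```python
import copy

# Principal and role ARN copied from the trust policy on this page.
RESTATE_ROOT = "arn:aws:iam::654654156625:root"
RESTATE_ROLE = "arn:aws:iam::654654156625:role/RestateCloud"

def as_list(value):
    """IAM accepts a single string or a list in these fields."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(policy, environment_id):
    """Return findings; an empty list means the policy matches the page's."""
    findings, assume_seen = [], False
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = ["*"] if principal == "*" else as_list((principal or {}).get("AWS"))
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        if "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue  # exact action names only; wildcards like sts:* are not expanded
        if RESTATE_ROOT not in aws and "*" not in aws:
            continue  # AssumeRole granted to a principal this check does not cover
        assume_seen = True
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(equals.get("aws:PrincipalArn")) != [RESTATE_ROLE]:
            findings.append(f"statement {i}: aws:PrincipalArn not pinned to RestateCloud role")
        if as_list(equals.get("sts:ExternalId")) != [environment_id]:
            findings.append(f"statement {i}: sts:ExternalId is not this environment id")
    if not assume_seen:
        findings.append("no sts:AssumeRole statement for the Restate Cloud account")
    return findings

# Constructed sample: the page's policy with a made-up environment id filled in.
ENV_ID = "env_EXAMPLE123"
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": RESTATE_ROOT}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"aws:PrincipalArn": RESTATE_ROLE, "sts:ExternalId": ENV_ID}}},
    {"Effect": "Allow", "Principal": {"AWS": RESTATE_ROOT}, "Action": "sts:TagSession"},
]}
# Two broken variants: the placeholder left unrendered, and the Condition dropped.
UNRENDERED = copy.deepcopy(GOOD)
UNRENDERED["Statement"][0]["Condition"]["StringEquals"]["sts:ExternalId"] = "${ENVIRONMENT_ID}"
NO_CONDITION = copy.deepcopy(GOOD)
del NO_CONDITION["Statement"][0]["Condition"]

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("unrendered", UNRENDERED), ("no-condition", NO_CONDITION)):
        print(name, audit_trust_policy(doc, ENV_ID))
```

Without the sts:ExternalId condition, the role no longer distinguishes your environment from any other caller that arrives through the RestateCloud role, which is why the check treats a missing or unrendered value as a finding.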

Public endpoint with request signing

Restate can invoke your services over the public internet. For production use cases, HTTPS must be used between Restate and your services. You can terminate TLS at the service endpoint directly, but it’s likely easier to use a fronting load balancer like an AWS NLB. You must secure access to your service so that only Restate can call it. The easiest way to do this is with our native request identity feature. All requests to your service will be signed with a unique environment-specific private key. You can find the corresponding public key in the environment settings UI, under HTTP Services. It is safe to include this public key directly in your service code. Have a look at the SDK serving documentation to learn how to do this for TS, Java, Kotlin, Python, Go, and Rust.