On-Prem Relay Connector
The Vulcan Relay enables full discovery of on-premises infrastructure β no VPN, no inbound firewall rules required. A lightweight relay runs inside your network and establishes an outbound-only connection (port 443) to Vulcan SaaS. All scanning and agent traffic tunnels through this secure connection.
Architectureβ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Vulcan SaaS β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββββββ β
β β Credential β β Task β β WebSocket Hub β β
β β Store ββββ Dispatcher ββββ β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββ¬ββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββΌβββββββββββββ
β
WSS (port 443, outbound only)
β
βββββββββββββββββββββββββββββββββββββββββββββββββΌβββββββββββββ
β Your Network βΌ β
β ββββββββββββββββββββββββββ β
β β vulcan-relay β β
β β :8443 (local HTTPS) β β
β ββββ¬βββββββ¬βββββββ¬ββββββββ β
β β β β β
β βββββββββββββββββββββββββ β ββββββββββββ β
β βΌ βΌ βΌ β
β ββββββββββββββββ βββββββββββββββββββββββ ββββββββββ β
β β vCenter β β Switches / Routers β βServers β β
β β (govmomi) β β (SNMP / SSH) β β(WinRM) β β
β ββββββββββββββββ βββββββββββββββββββββββ ββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Why Use a Relay?β
| Traditional Approach | With Relay |
|---|---|
| VPN tunnel to cloud | No VPN needed |
| Inbound firewall rules | Outbound-only (port 443) |
| Complex network config | Single container deployment |
| Credentials in multiple places | Credentials stay in Vulcan SaaS |
| Agents need internet access | Agents work through relay proxy |
What the Relay Can Scanβ
VMware vSphereβ
- Connects to vCenter via HTTPS (govmomi)
- Discovers: ESXi hosts, VMs, datastores, resource pools, virtual switches, clusters
Linux Servers (SSH)β
- Discovers: OS info, packages, running services, listening ports, firewall rules, users
Network Devices (SNMP)β
- Supports SNMP v2c and v3
- Discovers: interfaces, ARP tables, routing tables, CDP/LLDP neighbors, VLANs
- Compatible with Cisco, Juniper, Palo Alto, Fortinet, and any RFC-compliant device
Windows Servers (WinRM)β
- Connects via WinRM (HTTP or HTTPS)
- Discovers: services, installed software, listening ports, firewall rules, local users
Agent-Through-Relay Proxyβ
On-premises agents can connect through the relay instead of reaching Vulcan SaaS directly. This means on-prem agents also require zero inbound firewall rules.
The relay exposes a local HTTPS API on port :8443. Agents configured with INFRACAST_API_URL=https://<relay-ip>:8443 communicate with Vulcan through the relay's WebSocket tunnel.
The relay auto-generates a self-signed TLS certificate on first start for the local API.
Quick Startβ
1. Create a Relay Tokenβ
In the Vulcan UI:
- Go to Settings β Relay Connectors
- Click Create Relay
- Give it a name (e.g., "Headquarters")
- Copy the enrollment token (shown only once)
Or via API:
curl -X POST https://api.infracast.io/api/v1/tenants/{tenantId}/relays/tokens \
-H "Authorization: Bearer $TOKEN" \
-d '{"name": "HQ Relay"}'
2. Install the Relayβ
One-line install (Linux systemd β recommended):
curl -sSL https://api.infracast.io/install/relay | sudo bash -s -- \
--token "your-token-here" \
--relay-id "your-relay-id"
Docker:
docker run -d --name vulcan-relay \
--restart unless-stopped \
-p 8443:8443 \
-e RELAY_TOKEN="your-token-here" \
-e RELAY_ID="your-relay-id" \
ghcr.io/azgardtek/vulcan-relay:latest
Manual binary:
curl -Lo vulcan-relay https://github.com/azgardtek/vulcan/releases/latest/download/vulcan-relay-linux-amd64
chmod +x vulcan-relay
RELAY_TOKEN="<token>" RELAY_ID="<id>" ./vulcan-relay
Copy from UI
The Settings β Relay Connectors page shows all three install commands with your token and relay ID pre-filled and a copy-to-clipboard button.
3. Verify Connectionβ
The relay will appear as Online in Settings β Relay Connectors within a few seconds of starting.
4. Run a Discovery Scanβ
From Settings β Relay Connectors, click Scan on your relay and choose a provider:
- Select VMware vSphere, SSH (Linux), SNMP (Network), or WinRM (Windows)
- Fill in the connection details for your target
- Click Run Scan
Results appear in your asset graph just like any other discovery.
Relay Management UIβ
Settings β Relay Connectors provides:
- Token management β create tokens, see active relays, revoke individual tokens instantly
- Connection status β online/offline indicator with last-seen timestamp per relay
- Test connectivity β send a probe through the relay to verify it can reach a target host/port
- Dispatch scans β provider-specific config forms for each scan type (vSphere, SSH, SNMP, WinRM)
- Copy-to-clipboard β all install commands are pre-configured and ready to paste
Security Modelβ
Credential Handlingβ
- Credentials are stored only in Vulcan SaaS (AES-256-GCM encrypted at rest)
- When a scan runs, credentials are sent to the relay over TLS
- The relay holds credentials only in memory during execution
- Credentials are never written to disk on the relay
Network Securityβ
- Outbound-only: The relay initiates the connection to Vulcan (no inbound rules)
- TLS encrypted: All communication uses WSS (WebSocket Secure)
- Token authentication: Relays authenticate with enrollment tokens
- Instant revocation: Revoking a token immediately disconnects the relay
If a Relay Is Compromisedβ
- Revoke its token in the UI β immediate disconnect
- The attacker gains no stored credentials (none on disk)
- Deploy a new relay with a fresh token
Configurationβ
Environment Variablesβ
| Variable | Required | Description |
|---|---|---|
RELAY_TOKEN | Yes | Enrollment token from Vulcan |
RELAY_ID | Yes | Unique relay identifier |
RELAY_SERVER | No | Vulcan WebSocket URL (default: wss://api.infracast.io/ws/relay) |
RELAY_NAME | No | Friendly name (default: hostname) |
RELAY_LOCAL_API_PORT | No | Local HTTPS API port for agent proxy (default: 8443) |
Network Requirementsβ
| Direction | Port | Destination | Purpose |
|---|---|---|---|
| Outbound | 443 | api.infracast.io | Vulcan SaaS connection |
| Internal | 22 | Linux servers | SSH scanning |
| Internal | 161 | Network devices | SNMP scanning |
| Internal | 5985/5986 | Windows servers | WinRM scanning |
| Internal | 443 | vCenter | vSphere scanning |
| Local only | 8443 | β | Agent proxy API (not internet-exposed) |
Resource Requirementsβ
- CPU: 0.5 vCPU minimum
- Memory: 256 MB minimum
- Disk: 50 MB for binary/container
High Availabilityβ
Deploy multiple relays for redundancy or to cover different network segments:
# DC1 relay
docker run -d --name vulcan-relay-dc1 \
-e RELAY_TOKEN="$TOKEN_DC1" -e RELAY_ID="$ID_DC1" \
-e RELAY_NAME="DC1 Primary" \
ghcr.io/azgardtek/vulcan-relay:latest
# DR site relay
docker run -d --name vulcan-relay-dr \
-e RELAY_TOKEN="$TOKEN_DR" -e RELAY_ID="$ID_DR" \
-e RELAY_NAME="DR Site" \
ghcr.io/azgardtek/vulcan-relay:latest
Each relay appears independently in the UI. You can target specific relays for specific scans.
Troubleshootingβ
Relay Shows "Offline"β
- Check the container/service is running:
docker psorsystemctl status vulcan-relay - Verify outbound connectivity to
api.infracast.io:443 - Check the token hasn't been revoked
- Review logs:
docker logs vulcan-relayorjournalctl -u vulcan-relay
Discovery Tasks Timeoutβ
- Verify the relay has network access to the target (use Test Connection in the UI)
- Check credentials are correct
- Ensure the target allows connections from the relay's IP
Connection Keeps Droppingβ
- Check for proxy or firewall intercepting WebSocket connections
- Ensure no aggressive connection timeout policies between relay and
api.infracast.io - Update to the latest relay version
Agents Can't Connect to Relayβ
- Verify port 8443 is reachable from the agent host to the relay host
- Agent must use
INFRACAST_INSECURE_SKIP_VERIFY=truefor the self-signed cert (or install the relay cert) - Check
docker logs vulcan-relayfor[local-api]error messages
API Referenceβ
List Relaysβ
GET /api/v1/tenants/{tenantId}/relays
Create Relay Tokenβ
POST /api/v1/tenants/{tenantId}/relays/tokens
{"name": "HQ Relay"}
Response includes pre-built install commands:
{
"relay_id": "abc123",
"token": "secret-token",
"docker_cmd": "docker run ...",
"install_cmd": "curl -sSL https://api.infracast.io/install/relay | sudo bash -s -- --token ...",
"systemd_cmd": "..."
}
Revoke Relay Tokenβ
DELETE /api/v1/tenants/{tenantId}/relays/tokens/{relayId}
Test Connectivity Through Relayβ
POST /api/v1/tenants/{tenantId}/relays/{relayId}/test
{"target": "10.0.1.50", "port": 443, "protocol": "https"}
Dispatch Scan Through Relayβ
POST /api/v1/tenants/{tenantId}/relays/{relayId}/tasks
{
"provider": "vsphere",
"config": {
"vcenter_url": "https://vcenter.internal",
"username": "readonly@vsphere.local",
"password": "secret"
},
"timeout": 300
}
Supported provider values: vsphere, ssh, snmp, winrm
Install Scriptβ
GET /install/relay?relay_id=abc123&token=secret-token
Returns a pre-configured shell script for the specified relay.