Tillered Docs
Concepts

Node Types

Understanding TEN, CEN, and FTN node types and how they connect in a Tillered Cloud network

Tillered Cloud uses three node types to build overlay networks. Each type has a specific role and determines the direction traffic flows through the tunnel.

TEN (Tillered Entry Node)

A TEN sits on your local network where traffic originates. It accepts traffic from your firewall via policy-based routing and forwards it through the Tillered overlay to exit nodes.

TENs only initiate outbound connections. They connect to CENs and FTNs but never accept inbound tunnel connections. This makes them suitable for on-premises deployments behind NAT or restrictive firewalls.

Use a TEN when: you need to send traffic from a local site to a remote cloud or data centre, and do not need return-path transparency.

CEN (Cloud Exit Node)

A CEN is deployed in a cloud region (AWS, Azure, Equinix Metal) where traffic exits to the internet or remote services. It accepts inbound tunnel connections from TENs and FTNs but does not initiate connections itself.

Each CEN creates a virtual interface on every connected entry node. The private IP assigned to that interface becomes the gateway address you use in firewall policy routes.

Use a CEN when: you need a cloud-based exit point for traffic originating from on-premises entry nodes.

FTN (Full Tillered Node)

An FTN functions as both entry and exit. It initiates connections to CENs and other FTNs, and also accepts inbound connections from TENs and other FTNs. This bidirectional capability is what enables transparent mode.

Because an FTN can handle traffic in both directions, it preserves the original source IP through the tunnel. A TEN-to-CEN link cannot do this because the return path has no tunnel to carry the response back with the original addressing intact.

Use an FTN when: you need bidirectional connectivity between sites, or when you need transparent networking that preserves source IPs.

Connection directionality

The mesh that Tillered Cloud builds within a network is directional, not all-to-all. The rules are:

TEN  -->  CEN     (entry to exit)
TEN  -->  FTN     (entry to full node)
FTN  -->  CEN     (full node to exit)
FTN <-->  FTN     (full node to full node, bidirectional)

TENs and CENs never connect directly to nodes of the same type. FTN-to-FTN links are the only bidirectional connections in the mesh.

Provisioning

After you register a node, it checks in with the Tillered centralised server and receives its configuration automatically. The node may reboot during this process. Once provisioning completes, the node status in the Hub changes to Provisioned.

Nodes check in periodically to pick up configuration changes. When you add or remove nodes from a network, the affected nodes reconfigure themselves on the next check-in without manual intervention.

Account

Manage your organisation, members, profile, and billing in the Tillered Hub

Networks

How Tillered Cloud networks group nodes and automatically build service link meshes

On this page

TEN (Tillered Entry Node)CEN (Cloud Exit Node)FTN (Full Tillered Node)Connection directionalityProvisioning