[Backport 5.0] Cloud private code host support docs (#49832)

github-actions[bot] · filiphaftek · web-flow · commit 75ba00490796 · 2023-03-22T08:37:56.000-07:00
[issue](sourcegraph/pr-faqs#69) Private code hosts support documentation. ## Test plan Not required for docs change. <br> Backport 9365a50 from #49748 Co-authored-by: Filip Haftek <filiphaftek@gmail.com>
diff --git a/doc/cloud/index.md b/doc/cloud/index.md
@@ -75,6 +75,32 @@ Sourcegraph Cloud instances are deployed in one of Google Cloud Platform data ce
 
 More details about the locations and data storage can be found in [our handbook](https://handbook.sourcegraph.com/departments/cloud/technical-docs/multi-region/)
 
+### Private Code Host support
+
+Private Code Hosts refer to code hosts that are not publicly accessible, such as a GitHub or GitLab instance protected by a VPN.
+
+Sourcegraph Cloud connects to customer code hosts from 2 public NAT IPs. Customers can add the dedicated IPs for their Sourcegraph Cloud instance to an IP allowlist on their private code host.
+
+#### Code host on AWS without public access
+
+As part of the [Enterprise tier](https://about.sourcegraph.com/pricing), Sourcegraph Cloud offers customers that have code hosts without public access deployed on AWS a [highly available site-to-site VPN solution](https://cloud.google.com/network-connectivity/docs/vpn/tutorials/create-ha-vpn-connections-google-cloud-aws) with [AWS Private Link](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) inside AWS's network, so that access to a private code host never occurs over the public internet.
+
+Solution architecture:
+<img src="https://sourcegraphstatic.com/private-code-host-solution-vpn-aws-private-link.png" class="screenshot">
+
+Advantages of the site-to-site GCP to AWS VPN include:
+- encrypted connection between Sourcegraph Cloud and customer code host
+- multiple tunnels to provide high availability between Cloud
+instance and customer code host
+
+Advantages of AWS Private Link include:
+- connectivity to customer VPC is only available inside AWS network
+-  ability to select AWS Principal (AWS Account or more granular) that can connect to customer code host
+- allows customer to control incoming connections
+- supports private DNS
+
+When a customer has private code hosts inside the AWS VPC and needs to expose it for Sourcegraph managed AWS VPC, customers can follow [AWS Documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html)
+
 ### Health monitoring, support, and SLAs
 
 - Instance performance and health [monitored](../admin/observability/index.md) by our team's on-call engineers.
