Simple setup – direct connection

One of the simplest setups many organizations use is to isolate data centers and provide a Puppetserver for each one. Some organizations have data centers across the world, whether in cloud regions or on site in various locations. Providing a compile master to each of these data centers is a fairly simple task and only requires a few things:

  • The agent is aware of the compile master's FQDN and has network connectivity to it
  • The compile master has connectivity back to the primary master, sometimes called the Master of Masters

In this setup, during provisioning an agent reaches out to the local compile master for its agent installation. On a Puppet Enterprise installation, the agent can simply run the curl -k https://<compile_master>:8140/packages/current/install.bash command during provisioning, and it will retrieve an agent thanks to the pe_repo classification found in the PE Master node group. The -k flag tells curl to skip TLS certificate verification, so the node does not authenticate the compile master it downloads from. This agent will not need network connectivity to PuppetDB, the Primary Master, or the PE console, as that information is handled by the compile master in the middle.
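A verified alternative to the curl -k download above, as an added example that is not from the original text or from Puppet. It assumes the Puppet CA certificate was copied to the node out of band; the function names and file paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: download the PE agent installer with TLS verification.
# Assumption: the Puppet CA certificate was placed on the node out of band
# (image build or provisioning secret). Function names are hypothetical.

# Build the installer URL from the page's pattern. Anything that is not a
# plain DNS name is rejected, so a bad variable cannot add a path or option.
installer_url() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|[.-]*|*[.-])
      echo "invalid compile master FQDN" >&2
      return 1 ;;
  esac
  printf 'https://%s:8140/packages/current/install.bash\n' "$1"
}

# Verify the server against the Puppet CA (--cacert) instead of passing -k,
# and write to a file so the script can be inspected before it is executed.
fetch_installer() {
  local fqdn="$1" ca_cert="$2" out="$3" url
  url="$(installer_url "$fqdn")" || return 1
  if [ ! -r "$ca_cert" ]; then
    echo "CA certificate not readable: $ca_cert" >&2
    return 2
  fi
  curl --fail --silent --show-error --cacert "$ca_cert" \
       --output "$out" "$url" || return 3
  # An empty body must not be handed to a shell.
  [ -s "$out" ] || return 4
}

# Usage: bash fetch_agent.sh <compile_master_fqdn> <path/to/ca.pem>
if [ "$#" -eq 2 ]; then
  tmp="$(mktemp)" || exit 1
  fetch_installer "$1" "$2" "$tmp" && bash "$tmp"   # run as root
fi
```

A non-zero return from fetch_installer (1 bad name, 2 missing CA, 3 TLS or HTTP failure, 4 empty body) means nothing was executed on the node.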

The following infographic from Puppet shows the necessary firewall connections required for each component in a large environment installation of Puppet Enterprise:

The same ports apply to an open source installation, although the node classifier API endpoint will not be available from the Puppet console.

If a single data center grows so large that it needs multiple compile masters, or we want to centralize our compile masters for every data center, we'll instead need to focus on load balancing. Everything in this section still applies in a load-balanced cluster, but there are a few new pieces to work with behind a load balancer.
