In controller+target setups, there are a few different mechanisms that AMP can use to communicate between the controller (that the user has browsed to) and the individual instance being managed:
Via Target (Default)
In this mode, the controller will ask the target to proxy the request. This is the simplest mode to use as it only requires that there’s a line of communication between the controller and the target. It doesn’t require that the target or the instances are accessible to the outside world. It doesn’t require any extra configuration to use and is set up by default.
This setup however has the highest latency and creates the highest amount of extra load, since the controller handles 100% of all instance traffic and each target also handles that connection, in effect a double proxy.
Direct from Controller
Direct mode skips the target as a middle-man, and the controller connects directly to the instance. This avoids some of the latency, but requires that the controller can connect directly to the instances (which means they cannot be bound to 127.0.0.1). Using this mode also requires that extra firewall rules are put in place on the targets to make sure that only the controller can access the instances and that they’re not exposed to the outside world.
Bypass Controller
Bypass controller eliminates the load on the controller when managing instances by allowing the browser to communicate directly with the target ADS instances. This requires that every target ADS instance is accessible publicly, is configured for use with HTTPS and have their CORS Origin setting configured to be the domain that the controller is accessed at. The target ADS instance then passes the request to the individual instance.
This option results in a good balance of latency, and avoiding putting excess load on the controller with only moderate configuration requirements.
This mode is recommended for large deployments with larger number of instances where the users are connecting directly to the controller to manage instances.