Networking
Runlayer implements a secure, scalable network architecture designed for enterprise environments with comprehensive security controls and high availability.Network Architecture
VPC Design
Network Segmentation
- Public Subnets: Load balancers and NAT gateways
- Private Subnets: Application services and caching
- Database Subnets: Isolated database tier
- Multi-AZ: Cross-availability zone redundancy
Security Groups
Security groups act as stateful firewalls between tiers. Only the load balancer is reachable from outside the VPC; each internal tier accepts traffic exclusively from the tier in front of it, so the database and cache are never directly exposed. When VPC peering is configured, the backend security group is extended to allow traffic from validated peer CIDRs (see VPC Peering below).Application Tier
- Inbound: HTTPS (443) from Load Balancer
- Outbound: Database ports to DB security group
Database Tier
- Inbound: PostgreSQL (5432) from Application tier
- Outbound: None (default deny)
Cache Tier
- Inbound: Redis (6379) from Application tier
- Outbound: None (default deny)
IP Allowlisting
Two complementary options restrict which source IPs can reach the deployment:- WAF IP Allowlisting (ECS deployments): application-level IPv4/IPv6 CIDR allowlisting at the WAF, with CloudWatch metrics and audit trails. Non-allowlisted traffic is blocked before other WAF rules execute.
- Security Groups: network-level IP restrictions at the load balancer. EKS deployments use security group-based restrictions.
VPC Peering
To connect Runlayer to a private network — for example, so the gateway can reach MCP servers or internal APIs inside your existing VPC — the ECS Terraform module supports VPC peering:- When to use it: internal API access from Runlayer to a customer VPC, multi-VPC architectures with centralized services, or hybrid setups with on-premises connectivity.
- How it’s secured: every connection must specify the peer’s AWS account ID (
peer_owner_id); connections are validated before acceptance, routes are configured only for validated connections, and backend security groups allow traffic only from validated peer CIDRs. - Prerequisites: the peer VPC initiates the peering connection; you supply the connection ID, peer CIDR, and peer account ID. Peering requires the module to create the VPC (not
existing_vpc_id). - Private access without peering: for VPN, Transit Gateway, or other private networks, the dual ALB setup exposes an internal load balancer restricted to configured CIDRs.
Load Balancing
Application Load Balancer
- SSL Termination: TLS 1.2+ with modern cipher suites
- Health Checks: Application-level health monitoring
- Sticky Sessions: Session affinity for stateful operations
- WAF Integration: Web Application Firewall protection
DNS and SSL
Domain Configuration
- Custom Domains: Support for your organization’s domains
- SSL Certificates: Automated certificate management
- DNS Routing: Route 53 integration for high availability (ALIAS record is created automatically when ACM DNS validation is enabled)
- ACM Validation: When automatic validation is enabled,
hosted_zone_namemust reference the Route53 hosted zone in the current AWS account so Terraform can create both the_acme-challengevalidation records and the ALIAS record, even if the certificate is for a deeper subdomain.
Enterprise Networking Services
For advanced networking requirements, including:- Custom VPC Design - Tailored network architecture
- Hybrid Connectivity - VPN and Direct Connect integration
- Network Security - Advanced firewall and intrusion detection
- Performance Optimization - Network performance tuning
- Compliance Networking - Regulatory compliance network design
- Multi-Region Networking - Global network architecture
Enterprise Networking Services
Contact our network architects for custom networking design and implementation
Network Monitoring
CloudWatch Metrics
- Network Performance: Latency, throughput, packet loss
- Security Events: Intrusion attempts, blocked connections
- Load Balancer Metrics: Request rates, error rates, response times
VPC Flow Logs
- Traffic Analysis: Detailed network flow information
- Security Monitoring: Anomaly detection and threat analysis
- Compliance Logging: Network activity audit trails
Best Practices
- Least Privilege: Minimal required network access
- Defense in Depth: Multiple layers of network security
- Encryption in Transit: All network communication encrypted
- Network Segmentation: Isolated tiers with controlled access
- Regular Audits: Periodic network security reviews