Skip to main content

Networking

Runlayer implements a secure, scalable network architecture designed for enterprise environments with comprehensive security controls and high availability.

Network Architecture

VPC Design

Network Segmentation

  • Public Subnets: Load balancers and NAT gateways
  • Private Subnets: Application services and caching
  • Database Subnets: Isolated database tier
  • Multi-AZ: Cross-availability zone redundancy

Security Groups

Security groups act as stateful firewalls between tiers. Only the load balancer is reachable from outside the VPC; each internal tier accepts traffic exclusively from the tier in front of it, so the database and cache are never directly exposed. When VPC peering is configured, the backend security group is extended to allow traffic from validated peer CIDRs (see VPC Peering below).

Application Tier

  • Inbound: HTTPS (443) from Load Balancer
  • Outbound: Database ports to DB security group

Database Tier

  • Inbound: PostgreSQL (5432) from Application tier
  • Outbound: None (default deny)

Cache Tier

  • Inbound: Redis (6379) from Application tier
  • Outbound: None (default deny)

IP Allowlisting

Two complementary options restrict which source IPs can reach the deployment:
  • WAF IP Allowlisting (ECS deployments): application-level IPv4/IPv6 CIDR allowlisting at the WAF, with CloudWatch metrics and audit trails. Non-allowlisted traffic is blocked before other WAF rules execute.
  • Security Groups: network-level IP restrictions at the load balancer. EKS deployments use security group-based restrictions.
See Security → Network Access Control for configuration details.

VPC Peering

To connect Runlayer to a private network — for example, so the gateway can reach MCP servers or internal APIs inside your existing VPC — the ECS Terraform module supports VPC peering:
  • When to use it: internal API access from Runlayer to a customer VPC, multi-VPC architectures with centralized services, or hybrid setups with on-premises connectivity.
  • How it’s secured: every connection must specify the peer’s AWS account ID (peer_owner_id); connections are validated before acceptance, routes are configured only for validated connections, and backend security groups allow traffic only from validated peer CIDRs.
  • Prerequisites: the peer VPC initiates the peering connection; you supply the connection ID, peer CIDR, and peer account ID. Peering requires the module to create the VPC (not existing_vpc_id).
  • Private access without peering: for VPN, Transit Gateway, or other private networks, the dual ALB setup exposes an internal load balancer restricted to configured CIDRs.
Full configuration examples (including dual ALB and private hosted zone association) are in the Terraform deployment guide.

Load Balancing

Application Load Balancer

  • SSL Termination: TLS 1.2+ with modern cipher suites
  • Health Checks: Application-level health monitoring
  • Sticky Sessions: Session affinity for stateful operations
  • WAF Integration: Web Application Firewall protection

DNS and SSL

Domain Configuration

  • Custom Domains: Support for your organization’s domains
  • SSL Certificates: Automated certificate management
  • DNS Routing: Route 53 integration for high availability (ALIAS record is created automatically when ACM DNS validation is enabled)
  • ACM Validation: When automatic validation is enabled, hosted_zone_name must reference the Route53 hosted zone in the current AWS account so Terraform can create both the _acme-challenge validation records and the ALIAS record, even if the certificate is for a deeper subdomain.

Enterprise Networking Services

For advanced networking requirements, including:
  • Custom VPC Design - Tailored network architecture
  • Hybrid Connectivity - VPN and Direct Connect integration
  • Network Security - Advanced firewall and intrusion detection
  • Performance Optimization - Network performance tuning
  • Compliance Networking - Regulatory compliance network design
  • Multi-Region Networking - Global network architecture

Enterprise Networking Services

Contact our network architects for custom networking design and implementation

Network Monitoring

CloudWatch Metrics

  • Network Performance: Latency, throughput, packet loss
  • Security Events: Intrusion attempts, blocked connections
  • Load Balancer Metrics: Request rates, error rates, response times

VPC Flow Logs

  • Traffic Analysis: Detailed network flow information
  • Security Monitoring: Anomaly detection and threat analysis
  • Compliance Logging: Network activity audit trails

Best Practices

  • Least Privilege: Minimal required network access
  • Defense in Depth: Multiple layers of network security
  • Encryption in Transit: All network communication encrypted
  • Network Segmentation: Isolated tiers with controlled access
  • Regular Audits: Periodic network security reviews
Contact our networking team for detailed network design, security hardening, and performance optimization.