> ## Documentation Index
> Fetch the complete documentation index at: https://docs.runlayer.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Networking

> Network architecture and configuration for Runlayer

# Networking

Runlayer implements a secure, scalable network architecture designed for enterprise environments with comprehensive security controls and high availability.

## Network Architecture

### VPC Design

```mermaid theme={null}
graph TB
    subgraph "VPC (10.0.0.0/16)"
        subgraph "Public Subnets"
            ALB[Application Load Balancer]
            NAT[NAT Gateway]
        end

        subgraph "Private Subnets"
            ECS[ECS Services]
            RDS[(RDS Database)]
            Cache[(ElastiCache)]
        end

        subgraph "Database Subnets"
            DB1[(DB Primary)]
            DB2[(DB Standby)]
        end
    end

    Internet[Internet] --> ALB
    ALB --> ECS
    ECS --> RDS
    ECS --> Cache
    ECS --> NAT
    NAT --> Internet
```

### Network Segmentation

* **Public Subnets**: Load balancers and NAT gateways
* **Private Subnets**: Application services and caching
* **Database Subnets**: Isolated database tier
* **Multi-AZ**: Cross-availability zone redundancy

## Security Groups

Security groups act as stateful firewalls between tiers. Only the load balancer is reachable from outside the VPC; each internal tier accepts traffic exclusively from the tier in front of it, so the database and cache are never directly exposed. When VPC peering is configured, the backend security group is extended to allow traffic from validated peer CIDRs (see [VPC Peering](#vpc-peering) below).

### Application Tier

* **Inbound**: HTTPS (443) from Load Balancer
* **Outbound**: Database ports to DB security group

### Database Tier

* **Inbound**: PostgreSQL (5432) from Application tier
* **Outbound**: None (default deny)

### Cache Tier

* **Inbound**: Redis (6379) from Application tier
* **Outbound**: None (default deny)

### IP Allowlisting

Two complementary options restrict which source IPs can reach the deployment:

* **WAF IP Allowlisting** (ECS deployments): application-level IPv4/IPv6 CIDR allowlisting at the WAF, with CloudWatch metrics and audit trails. Non-allowlisted traffic is blocked before other WAF rules execute.
* **Security Groups**: network-level IP restrictions at the load balancer. EKS deployments use security group-based restrictions.

See [Security → Network Access Control](/infrastructure/security) for configuration details.

## VPC Peering

To connect Runlayer to a private network — for example, so the gateway can reach MCP servers or internal APIs inside your existing VPC — the ECS Terraform module supports VPC peering:

* **When to use it**: internal API access from Runlayer to a customer VPC, multi-VPC architectures with centralized services, or hybrid setups with on-premises connectivity.
* **How it's secured**: every connection must specify the peer's AWS account ID (`peer_owner_id`); connections are validated before acceptance, routes are configured only for validated connections, and backend security groups allow traffic only from validated peer CIDRs.
* **Prerequisites**: the peer VPC initiates the peering connection; you supply the connection ID, peer CIDR, and peer account ID. Peering requires the module to create the VPC (not `existing_vpc_id`).
* **Private access without peering**: for VPN, Transit Gateway, or other private networks, the dual ALB setup exposes an internal load balancer restricted to configured CIDRs.

Full configuration examples (including dual ALB and private hosted zone association) are in the [Terraform deployment guide](/deployment/terraform).

## Load Balancing

### Application Load Balancer

* **SSL Termination**: TLS 1.2+ with modern cipher suites
* **Health Checks**: Application-level health monitoring
* **Sticky Sessions**: Session affinity for stateful operations
* **WAF Integration**: Web Application Firewall protection

## DNS and SSL

### Domain Configuration

* **Custom Domains**: Support for your organization's domains
* **SSL Certificates**: Automated certificate management
* **DNS Routing**: Route 53 integration for high availability (ALIAS record is created automatically when ACM DNS validation is enabled)
* **ACM Validation**: When automatic validation is enabled, `hosted_zone_name` must reference the Route53 hosted zone in the current AWS account so Terraform can create both the `_acme-challenge` validation records and the ALIAS record, even if the certificate is for a deeper subdomain.

## Enterprise Networking Services

For advanced networking requirements, including:

* **Custom VPC Design** - Tailored network architecture
* **Hybrid Connectivity** - VPN and Direct Connect integration
* **Network Security** - Advanced firewall and intrusion detection
* **Performance Optimization** - Network performance tuning
* **Compliance Networking** - Regulatory compliance network design
* **Multi-Region Networking** - Global network architecture

<Card title="Enterprise Networking Services" icon="network-wired" href="mailto:support@runlayer.com">
  Contact our network architects for custom networking design and implementation
</Card>

## Network Monitoring

### CloudWatch Metrics

* **Network Performance**: Latency, throughput, packet loss
* **Security Events**: Intrusion attempts, blocked connections
* **Load Balancer Metrics**: Request rates, error rates, response times

### VPC Flow Logs

* **Traffic Analysis**: Detailed network flow information
* **Security Monitoring**: Anomaly detection and threat analysis
* **Compliance Logging**: Network activity audit trails

## Best Practices

* **Least Privilege**: Minimal required network access
* **Defense in Depth**: Multiple layers of network security
* **Encryption in Transit**: All network communication encrypted
* **Network Segmentation**: Isolated tiers with controlled access
* **Regular Audits**: Periodic network security reviews

Contact our networking team for detailed network design, security hardening, and performance optimization.
